
EEOC INFORMATION SECURITY PROGRAM

TABLE OF CONTENTS

  1. SUBJECT
  2. PURPOSE
  3. EFFECTIVE DATE
  4. ORIGINATOR
  5. EEOC INFORMATION SECURITY POLICY
  6. RESPONSIBILITIES
    1. Agency Chair
    2. Chief Information Officer
    3. Senior Agency Official for Privacy
    4. Chief Security Officer and Information Security Officers
    5. Chief Human Capital Officer
    6. Office of Field Programs Director and General Counsel
    7. System Sponsors
    8. External Website Sponsors
    9. District Office Directors
    10. All Headquarters and Field Office Directors
    11. Security Points of Contact
    12. System Users
  7. AUTHORIZATION OF PROCESSING
  8. SYSTEM SECURITY PLANS
  9. PRIVACY IMPACT ASSESSMENTS
  10. TRAINING
  11. CONTINGENCY AND DISASTER RECOVERY PLANNING
  12. INCIDENT RESPONSE
  13. REFERENCES
  14. DEFINITIONS
  15. LIST OF APPENDICES
  16. OBSOLETE DATA

MANAGEMENT PROGRAMS
INFORMATION TECHNOLOGY

  1. SUBJECT. EQUAL EMPLOYMENT OPPORTUNITY COMMISSION (EEOC) INFORMATION SECURITY PROGRAM
  2. PURPOSE.

    This Order provides policies, standards, procedures and methods related to EEOC's Information Security Program, as required by the Federal Information Security Management Act of 2002 (FISMA) and Office of Management and Budget (OMB) Circular A-130, Management of Federal Information Resources. It explains in greater detail EEOC's Information Security Program, which is described in general terms in Appendix C of EEOC Order 370.002, EEOC Security Plan. This Order also serves as a handbook for the implementation of EEOC's Information Security Program and policy.

  3. EFFECTIVE DATE. June 2011
  4. ORIGINATOR. Office of Information Technology (OIT)
  5. EEOC INFORMATION SECURITY POLICY.

    The protection of EEOC's information and its information technology resources is critical to the performance of its mission. EEOC employees, contractors, contingent workers, and other users of EEOC information and information systems who control and use the Agency's information resources are responsible for the care, custody and protection of those resources.

    The primary program elements for implementing EEOC's information security program are: 1) development and update of plans and processes for provision of adequate information security for networks, facilities, and systems or groups of information systems, and 2) development and implementation of appropriate rules of behavior for the users of those networks, facilities, and systems.

    Statutory Basis

    The strategic importance of EEOC information requires that the integrity, availability, and confidentiality of sensitive information be protected. While new technologies have helped to make corporate information more accessible to users, the government and industry are faced with many new challenges. Additional safeguards are required to protect the Agency and individuals from the possibility of unauthorized disclosures of information, unauthorized penetration of the Agency's information systems, and from any potential loss or destruction of corporate information and information systems.

    FISMA requires that agencies comply with the National Institute of Standards and Technology (NIST) security standards, identify and provide information security protections commensurate with the risk and magnitude of potential harm, ensure that information security is addressed throughout the life cycle of each agency information system, provide plans and procedures to ensure continuity of operations for major information systems, and conduct and report on annual security program reviews.

    OMB Circular A-130 requires that agencies implement and maintain a program to assure that adequate security is provided for all agency information collected, processed, transmitted, stored, or disseminated in major applications and general support systems.

    Title VII of the Civil Rights Act of 1964, the Privacy Act of 1974, the Procurement Integrity Act of 1988, and the Confidential Information Protection and Statistical Efficiency Act of 2002 address other requirements to protect Federal information.

  6. RESPONSIBILITIES.

    The Order is based on the fundamental premise that those who create, control and use information are the ones responsible for its care, custody and protection. The information security responsibilities of EEOC employees, contractors, contingent workers, and other users of EEOC information and information systems, and the procedures for assigning those responsibilities, are defined below in compliance with FISMA, NIST guidance, and OMB Circular A-130.

    1. The Chair has primary responsibility for managing the agency's information resources and establishing an Information Security Program, as well as for ensuring that the agency develops and implements appropriate information security policies and procedures. The Chair accomplishes these objectives through the delegations set forth in this Order.
    2. The Director, Office of Information Technology (OIT), as the EEOC's Chief Information Officer (CIO), is responsible for:

      (1) Establishing an information security program for EEOC, including related policies and procedures and control techniques as required by FISMA; identifying networks, facilities, and information systems or groups of systems which require planning for provision of adequate security; and providing appropriate information security awareness training for all agency employees, contractors and other users of EEOC information and information systems;

      (2) Developing the Agency's information security program related budget, providing overall direction and guidance on implementation of information security, deciding and recommending the level of financial resources and technical support required for information security safeguards, and ensuring the integration of security into the Agency's capital planning and investment control processes;

      (3) Overseeing the conduct of security risk assessments and the development and implementation of security plans for the Agency's major information systems, networks and facilities;

      (4) Ensuring that information security-related training and technical support are provided to the Office Directors, IT Specialists, Security Points of Contact (SPOCs), and users of EEOC's major information systems;

      (5) Providing feedback regarding oversight of information security-related activities to HQ Offices and to the Office of Field Programs (OFP);

      (6) Overseeing the development and issuance of EEOC information security policies and procedures;

      (7) Ensuring the development and testing of contingency and continuity of operations plans for major information systems; and

      (8) Responding to requests for information from OMB, the Government Accountability Office (GAO), and the Congressional oversight and appropriations committees designated in FISMA, regarding EEOC's compliance with the Paperwork Reduction Act of 1995, OMB Circular A-130, the Federal Information Security Management Act of 2002, and related statutes.

    3. The agency's Legal Counsel has been designated as EEOC's Senior Agency Official for Privacy (SAOP) and is responsible for:

      (1) Ensuring the agency's compliance with federal laws, regulations, and policies relating to information privacy;

      (2) Participating in all agency information privacy compliance activities and in assessing the impact of technology on the privacy of personal information;

      (3) Assuming a central policy-making role in the agency's development and evaluation of legislative, regulatory and other policy proposals that implicate information privacy;

      (4) Conducting reviews of agency policies and processes, and taking corrective action as appropriate to ensure the agency has adequate safeguards to prevent the misuse or unauthorized use of, or access to, personally identifiable information (PII);

      (5) Ensuring the agency's information privacy policies and procedures are comprehensive and up to date;

      (6) Reminding agency employees and contractors of their responsibilities for safeguarding PII, the rules for acquiring and using such information, the penalties for violating these rules, as well as ensuring they receive appropriate training; and

      (7) Preparing the Senior Agency Official for Privacy section of EEOC's FISMA annual report to OMB, as well as responding to requests for information as appropriate.

    4. The EEOC Chief Security Officer (CSO) and Information Security Officers (ISOs) are responsible for:

      (1) Serving as the Senior Technical Advisor to EEOC management on all areas of Information Security;

      (2) Recommending courses of action and policies to senior management that allow EEOC to securely meet its organizational goals;

      (3) Monitoring and recording the security performance of EEOC information systems and reporting the status to management and to other government agencies that collect security data, such as US-CERT, as required; and

      (4) Assuming responsibilities related to the implementation and oversight of EEOC's Information Security Program, as delegated by the agency CIO.

    5. The Chief Human Capital Officer is responsible for:

      (1) Assuring that all new employees, as part of their orientation package, receive and sign an acknowledgment of receipt of "Information Security Responsibilities of EEOC System Users" (Appendix A), as well as all other EEOC documents referenced in the "Acknowledgment of Receipt" form at the end of Appendix A;

      (2) Ensuring that the personnel management specialists file the employees' signed Acknowledgments in their Official Personnel Files; and

      (3) Working with OIT to facilitate the provision of information security training.

    6. The Director, Office of Field Programs and EEOC General Counsel are responsible for:

      (1) Working with OIT and OHR to facilitate, as requested, the provision of information security training to EEOC's field office personnel; and

      (2) Monitoring security-related activities in the field offices, in conjunction with OIT.

    7. System Sponsors: Headquarters Office Directors who sponsor a system identified as a major information system (see Appendix C) are responsible for:

      (1) Designating a Security Point of Contact (SPOC) for each system that they sponsor;

      (2) Participating in and reviewing vulnerability and risk assessments for the major information systems which they sponsor, with the assistance of the SPOC and lead support from OIT;

      (3) Participating in the development and update of system security plans for major information systems which they sponsor (as described in Paragraph 8 of this Order), with the assistance of the SPOC and lead support from OIT;

      (4) Completing, for each major system which they sponsor, a signed statement accepting the residual risk and authorizing continued processing, and providing a copy of the signed statement to the CIO (as described in Paragraph 7 of this Order);

      (5) Participating in the development and testing of contingency plans and disaster recovery plans for major information systems which they sponsor (as described in Paragraph 11 of this Order), with the assistance of the SPOC and lead support from OIT;

      (6) Working with OIT to identify appropriate on-line training for each SPOC and ensuring that each SPOC successfully completes at least one IT Security related training per fiscal year; and

      (7) Ensuring that their office's designated SPOC performs their responsibilities, as outlined in Section 6.11 (Security Points of Contact).

    8. External Website Sponsors: Headquarters Office Directors who sponsor and oversee EEOC's external websites are responsible for:

      (1) Ensuring compliance with agency web site standards for privacy, accessibility, usability, and preservation of government information, as outlined in Sections 207(f)(2) and 208(c) of the E-Government Act of 2002 and OMB Memoranda; and

      (2) Assisting in the preparation of relevant sections of the EEOC's FISMA annual report to OMB, as well as responding to requests for information as appropriate.

    9. District Office Directors are responsible for:

      (1) Designating a single SPOC (typically the office's IT Specialist) for oversight of information security functions within their districts;

      (2) Working with the SPOC and OIT to ensure that an adequate security incident response capability exists for major information systems used within their districts;

      (3) Ensuring that their district complies with system security plans for major information systems used within their district offices;

      (4) Working with OIT to identify appropriate training for each SPOC and ensuring that each SPOC successfully completes at least one IT Security related training per fiscal year; and

      (5) Ensuring that the SPOCs perform their responsibilities, as outlined in Section 6.11 (Security Points of Contact).

    10. All Headquarters and District Office Directors are responsible for:

      (1) Ensuring that their employees, contractors, contingent workers, and other users of EEOC information and information systems receive appropriate information security training, including both the general orientation to "Information Security Responsibilities of EEOC System Users"(Appendix A) and more specialized training for systems or system components under their direct jurisdiction, as described in Paragraph 10 of this Order;

      (2) Informing OIT and the Office of the Chief Financial Officer (OCFO) when a theft or loss of any computer, peripheral device or software package is detected;

      (3) Ensuring that all controls recommended by the Agency for compliance with the Federal Managers' Financial Integrity Act, as specified in EEOC Order 195.001, Internal Control Systems, and related supplemental guidance, are in place; and

      (4) Ensuring that their employees, contractors, contingent workers, and other users of EEOC information and information systems perform their responsibilities as system users, as outlined in Section 6.12 (System Users) below.

    11. Security Points of Contact (SPOCs) are responsible for:

      (1) Exercising overall information security oversight for all systems or portions of systems for which they are responsible;

      (2) Developing or assisting in the development of security plans, vulnerability, risk, and threat assessments, and other studies with the guidance and assistance of the Office Director and OIT;

      (3) Developing and testing contingency/continuity plans as directed by the Office Director and/or OIT;

      (4) Reporting to the Office Director and OIT all security incidents that could degrade data or system integrity or compromise the confidentiality of sensitive information;

      (5) Ensuring compliance with the system security plans of major information systems for which they are responsible;

      (6) Ensuring that appropriate password protection is in place and maintained for all such systems, and that the user-IDs and passwords are deleted or changed when system users separate from the office;

      (7) Monitoring anti-virus software deployment within their office's jurisdiction and the successful completion of automated on-line back-ups;

      (8) Ensuring that each office within their district employs uninterruptible power supplies (UPS) for information systems when appropriate; and

      (9) Monitoring the use of software on the Agency's information systems to enforce legitimate use of government information technology resources.

    12. System Users: Users of EEOC information systems are responsible for:

      (1) Following their acknowledged responsibilities as delineated in this Order, and as described in Appendix A, Information Security Responsibilities of EEOC System Users;

      (2) Cooperating with EEOC ISOs and SPOCs; and

      (3) Complying with any additional rules or policies which guide or restrict the use of EEOC's information systems.

  7. AUTHORIZATION OF PROCESSING (CERTIFICATION AND ACCREDITATION).
    1. OMB Circular A-130 requires that all of EEOC's major applications and general support systems (referred to hereafter as major information systems) operate only with the authorization of a responsible management official, following a determination of whether the system's security controls (management, operational, and technical) are effective in mitigating vulnerabilities and threats to the system. The responsible management official is the Director of the Sponsoring Office listed in Appendix C (the System Sponsor). OMB Circular A-130 further requires that the management official responsible for the organizational component served by a major information system periodically review a vulnerability/threat assessment completed for that application or system, and then decide whether additional controls or safeguards are warranted. An authorization to operate will be issued for the information system if, after assessing the results of the security certification, the management official deems the residual risk to EEOC operations, EEOC assets, or individuals acceptable; the system is then authorized without major restrictions or limitations on its operation. Authorizing officials should take specific action to reduce or eliminate identified vulnerabilities where it is cost effective, even when doing so does not affect the accreditation decision. Such an authorization must occur every three years, or whenever a significant change is made to the system.

      (1) The objectives and requirements of authorizing systems to process are as follows:

      (a) Review system security categorizations against FIPS Publication 199 requirements;

      (b) Ensure all vulnerabilities have been examined and, if appropriate, ensure that cost-effective measures have been taken to correct them;

      (c) Ensure EEOC security requirements are reviewed for major information systems;

      (d) Ensure EEOC-implemented safeguards are examined so that they satisfy the security requirements;

      (e) Ensure any safeguards that do not satisfy the security requirements are reported to the appropriate office; and

      (f) Ensure management approval is obtained to authorize initial or continued operation of major information systems.

      (2) Authorizations-of-processing shall include EEOC information security policy, practices and procedures to assure the following:

      (a) Periodic vulnerability and risk assessments are completed for each system to ensure appropriate security controls are in place. A single risk assessment may be used to review the security controls for multiple IT systems;

      (b) EEOC major information and general support systems are authorized to process;

      (c) EEOC employees understand their roles and responsibilities in the authorization process;

      (d) Compliance with relevant NIST and FIPS guidance for all associated activities; and

      (e) Re-authorization occurs every three years or after there has been a significant change in the system.

    2. Process and Responsibilities. The responsibilities of the Office Director and the SPOC are delineated in Paragraph 6 (Responsibilities) of this Order. The SPOC works with the OIT ISO to evaluate the adequacy of the security controls in meeting the IT security and management control objectives. The Director of the office with overall responsibility and sponsorship for the system signs the authorization letter, thereby accepting the residual risk.
    3. Additional Information and Technical Support. Assistance on authorization-of-processing can be obtained from OIT.
    4. Resources. Additional references on authorizations-of-processing, can be found in the following documents:

      (1) OMB Circular A-130, Management of Federal Information Resources.

      (2) NIST Special Publication 800-30, Risk Management Guide for Information Technology Systems.

      (3) NIST Special Publication 800-37, Guide for the Security Certification and Accreditation of Federal Information Systems.

      (4) NIST Special Publication 800-39, Managing Information Security Risk

      (5) NIST Special Publication 800-53 (with revisions), Recommended Security Controls for Federal Information Systems.

      (6) NIST Special Publication 800-60, Guide for Mapping Types of Information and Information Systems to Security Categories.

      (7) Federal Information Processing Standards Publication 199, Standards for Security Categorization of Federal Information and Information Systems.

      (8) Federal Information Processing Standards Publication 200, Minimum Security Requirements for Federal Information and Information Systems.

  8. SYSTEM SECURITY PLANS.
    1. OMB Circular A-130 requires EEOC to develop a security plan for each major information system. The plan should define the security requirements of the system and describe the security controls that are in place or planned for meeting those requirements, following the NIST SP 800-53 control structure. The plan should also delineate the responsibilities of those individuals who access or operate the system.

      (1) The objectives and requirements of each system security plan are as follows:

      (a) Ensure EEOC users understand and comply with system rules of behavior;

      (b) Ensure appropriate management, technical, and operational controls are in place and tested for the system;

      (c) Ensure users have the least possible rights that enable them to carry out their work functions;

      (d) Ensure that individuals who are authorized to bypass significant technical and operational controls of the system are appropriately screened commensurate with the risk and magnitude of harm they could cause;

      (e) Ensure that the appropriate controls are in place to review user access permissions to assure that privileges are granted on a need-to-know basis;

      (f) Ensure an EEOC incident response capability is in place and implemented;

      (g) Ensure EEOC contingency and disaster recovery plans exist;

      (h) Ensure that cost-effective security products and techniques are appropriately used within the system;

      (i) Ensure there are policies and safeguards for system interconnection and information sharing, which are consistent with the rules of the system and in accordance with the guidance of NIST. This includes written management authorization, based on the acceptance of the risk to the system, prior to connecting with other systems.

      (2) The system security plan shall include EEOC information security policy, practices and procedures to ensure the following:

      (a) Operational, management, and technical controls, security training, and system rules of behavior are implemented and enforced;

      (b) An EEOC employee is assigned to ensure that the system has adequate security;

      (c) The frequency of security plan reviews and updates align with the frequency of the updated risk assessment or security evaluation, which should be commensurate with the acceptable level of risk for the system; and

      (d) Security reviews occur at least every three years and partial reviews occur annually for the most major and vulnerable systems.

    2. Process and Responsibilities. The system sponsoring office, OIT, and the SPOC are responsible for developing, reviewing, updating, and complying with system security plans (as delineated in Paragraph 6 of this Order).
    3. Additional Information and Technical Support. Assistance on developing and implementing security plans can be obtained from OIT. Individuals responsible for designing system security plans should consult NIST Special Publication 800-18, "Guide for Developing Security Plans for Information Technology Systems", and NIST SP 800-53 (with revisions), "Recommended Security Controls for Federal Information Systems".
  9. PRIVACY IMPACT ASSESSMENTS.
    1. The E-Government Act of 2002, Section 208, and OMB Memoranda outline EEOC's responsibilities regarding protection of the information maintained concerning individuals. This includes conducting and documenting a Privacy Impact Assessment (PIA) for systems which contain personally identifiable information.

      (1) The PIA objectives and requirements are as follows:

      (a) Assess new or substantially altered agency information systems that contain PII to determine the risks of collecting, maintaining and disseminating PII, and evaluate protections for handling PII to mitigate potential privacy risks;

      (b) Analyze and describe what information is collected, why it is collected, its intended use, with whom it is shared, what opportunities individuals have to decline to provide information or to consent to particular uses of the information, how individuals grant consent, how the information is secured, and whether a system of records is being created under the Privacy Act; and

      (c) Document management, technical, and operational controls to protect PII and to review access to and use of information systems that contain PII.

    2. Process and Responsibilities. The system sponsoring office is responsible for reviewing systems under development or in major revision to determine if: (1) a PIA is required, or (2) changes being made impact an existing PIA. If required, the system sponsoring office, with participation/assistance from the Office of Information Technology (OIT) and the Office of Legal Counsel (OLC), is responsible for developing, reviewing, updating, and complying with PIA requirements. This includes evaluating changes in business processes or technology outlined within the PIA to ensure compliance. The agency SAOP is responsible for final approval of the PIA. Final PIAs will be made publicly available via the EEOC external website and in other formats as necessary to meet accessibility requirements.
    3. Additional Information. Guidance on PIAs can be obtained from the OLC and OIT. Copies of PIAs can be obtained via EEOC's external website, www.eeoc.gov. Clarification and assistance with technological requirements can be obtained from the OIT. Technical guidance can be found in NIST SP 800-122, Guide to Protecting the Confidentiality of Personally Identifiable Information.
  10. TRAINING.
    1. Both OMB Circular A-130 and FISMA require that EEOC system users be appropriately trained regarding how to fulfill their security responsibilities before being allowed access to any system. New EEOC system users shall attend an orientation where they will review and acknowledge receipt of the "Information Security Responsibilities of EEOC System Users" document (Appendix A). EEOC system users shall exemplify behavior consistent with the rules of the system and attend periodic refresher training to have continued access to any system. System users shall also be made aware of available assistance and technical security products and techniques. Such training should include, but not be limited to, the rules of behavior discussed in this Order.

      (1) The objectives and requirements of the IT Security Training Program are as follows:

      (a) Ensure employees, contractors, contingent workers, and other users of EEOC information and information systems are aware of the vulnerabilities of and threats to EEOC information systems and the risks associated with the exploited vulnerabilities;

      (b) Ensure employees, contractors, contingent workers, and other users of EEOC information and information systems are knowledgeable and skilled in applying EEOC information security policies, practices and procedures;

      (c) Ensure new employees, contractors, contingent workers, and other users of EEOC information and information systems attend training as a part of their orientation process; and

      (d) Ensure all employees, contractors, contingent workers, and other users of EEOC information and information systems attend refresher and continuing training as the information system environment, security policy, practices, work or job function changes.

      (2) The IT Security Training Program shall include EEOC information security policies, practices and procedures to ensure the following:

      (a) EEOC information security objectives are met;

      (b) Managers and system users are responsible and/or held accountable for their actions;

      (c) Proper information accessibility, handling and storage, including information and system access control procedures, are enforced;

      (d) Physical and environmental hazard protections exist;

      (e) Appropriate response to emergency and disaster situations is executed;

      (f) Threats and vulnerabilities to EEOC information resources are identified; and

      (g) Other security and privacy related matters are considered.

    2. Process and Responsibilities. The roles of OIT, OHR, OLC, and Office Directors are delineated in Paragraph 6 (Responsibilities) of this Order.
    3. Additional Information and Technical Support. Assistance on security training can be obtained by consulting the Nationwide Help Desk. Assistance on privacy training can be obtained by consulting OLC. Technical guidance can be found in NIST SP 800-16, Information Technology Security Training Requirements: A Role- and Performance-Based Model.
  11. CONTINGENCY AND DISASTER RECOVERY PLANNING.
    1. FISMA, NIST guidance, and OMB Circular A-130 require EEOC to assure the continuity of operations of the information systems that support critical agency functions. They require managers of information systems to assure that appropriate contingency and disaster recovery plans are developed, maintained and tested. Federal Emergency Management Agency (FEMA) Federal Preparedness Circular (FPC) 65 requires Federal agencies to develop Continuity of Operations Plans for essential functions, which support the primary function, establish a chain of command, and delegate authority. FEMA also requires safekeeping of essential resources, facilities and records.

      (1) The objectives and requirements of contingency and disaster recovery plans are as follows:

      (a) Ensure that an IT contingency and disaster recovery plan for each major information system, and interconnected system, is prepared;

      (b) Ensure that EEOC system users understand the contingency and disaster recovery process;

      (c) Ensure that contingency and disaster recovery plans enable the continuing service of all major applications or general support systems, including the interconnections between such systems;

      (d) Ensure that contingency and disaster recovery plans are tested periodically (i.e., nondestructive testing) to demonstrate their effectiveness;

      (e) Ensure that emergency checklists exist that contain pertinent information (e.g., location of fire extinguishing equipment, alarm activation and deactivation procedures, and evacuation plans); and

      (f) Ensure contingency and disaster recovery plans are secured in a safe place, and can be located in the event of an emergency or disaster.

      (2) The contingency and disaster recovery planning process shall assure the following:

      (a) EEOC information or processing capabilities are protected in a cost-effective manner from loss, misuse, unauthorized access or modification, or system unavailability in the event of an emergency or disaster situation;

      (b) Procedures are in place to enable offices responsible for each major information system to obtain planning and testing assistance from OIT from the outset of each new system and throughout its life cycle; and

      (c) Appropriate response to emergency and disaster situations is executed.

    2. Process and Responsibilities. The roles of the Office Directors with ownership responsibilities for major information systems are delineated in Paragraph 6 (Responsibilities) of this Order. Office Directors, with OIT support and assistance, shall develop, maintain, and test contingency and disaster recovery plans.
    3. Additional Information and Technical Support. Assistance on contingency and disaster recovery planning can be obtained from OIT. Individuals responsible for documenting IT Contingency and Disaster Recovery Plans should consult NIST SP 800-34, Contingency Planning Guide for IT Systems, as revised.
  12. INCIDENT RESPONSE.
    1. OMB A-130 requires that EEOC have a capability to provide response and assistance to users when a security incident occurs in any major information system and to share information concerning common vulnerabilities and threats with other organizations. The Director, OIT, has overall responsibility for developing and operating this capability, and shall share necessary information within EEOC and, where appropriate, with other organizations, consistent with United States Computer Emergency Readiness Team (US-CERT) coordination, and shall assist EEOC's Legal Counsel and Inspector General in pursuing appropriate legal action, consistent with Department of Justice (DOJ) guidance.

      (1) The objectives and requirements of the incident response capability are as follows:

      (a) Ensure EEOC system users recognize and understand the importance of reporting information security incidents;

      (b) Ensure EEOC system users are aware of the steps and procedures for reporting information security incidents;

      (c) Ensure an incident handling person has been designated and that this person understands his or her role (i.e., determining the significance of the incident, reporting significant incidents to the appropriate individual/office; suggesting patches and fixes);

      (d) Ensure other personnel who oversee systems and networks are notified of security incidents; and

      (e) Ensure all incidents are documented and analyzed for any trends that might escalate into future significant incidents.

    2. The incident response capability shall include the development and revision of EEOC information security policies, practices and procedures to assure the following:

      (a) Security measures (i.e., access controls, anti-virus software, and regular system backups) are in place and implemented to protect against security incidents;

      (b) EEOC system users follow appropriate incident reporting procedures;

      (c) Strong technical, management, and operational security controls are in place and implemented to protect against future security incidents;

      (d) Security incidents are logged for trend analysis; and

      (e) Appropriate patches and fixes are implemented immediately and with approval from OIT management.

    3. Process and Responsibilities. The role of the EEOC user is delineated in Paragraph 6 (Responsibilities) of this Order. The office that experiences a security incident is responsible for reporting the incident to the SPOC, the Nationwide Help Desk, or the Agency's ISO, as appropriate. If necessary, OIT will report the incident to the Office of Inspector General for referral to the Computer Crime and Intellectual Property Section of the Department of Justice's Criminal Division, or to another appropriate investigative agency. If the incident presents a possible threat to other federal agencies, OIT will report the incident to US-CERT.
    4. Additional Information and Technical Support. Technical support and information on incident response can be obtained by consulting the Nationwide Help Desk. Individuals responsible for documenting IT Incident Response Plans should consult NIST SP 800-61, Computer Security Incident Handling Guide.
  13. REFERENCES.

    The Electronic Government Act of 2002, 44 U.S.C. Ch 36, in particular the following Titles:

    • Title II, Federal Management and Promotion of Electronic Government Services
    • Title III, Federal Information Security Management Act of 2002
    • Title V, Confidential Information Protection and Statistical Efficiency Act of 2002

    The Privacy Act of 1974, as amended [5 U.S.C. Section 552a]

    Office of Management and Budget (OMB) Circulars:

    • OMB Circular A-123, Management's Responsibility for Internal Control, December 21, 2004, as revised
    • OMB Circular A-130, Management of Federal Information Resources, November 28, 2000, as revised

    OMB Memoranda:

    • OMB M-03-22, OMB Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002
    • OMB M-05-08, Designation of Senior Agency Officials for Privacy
    • OMB M-06-15, Safeguarding Personally Identifiable Information

    Homeland Security Presidential Directive (HSPD-7), Critical Infrastructure Identification, Prioritization, and Protection, December 17, 2003

    National Institute of Standards and Technology (NIST) Special Publications (SP):

    • SP 800-12: An Introduction to Computer Security: The NIST Handbook
    • SP 800-14: Generally Accepted Principles and Practices for Securing Information Technology Systems
    • SP 800-16: Information Technology Security Training Requirements: A Role and Performance Based Model
    • SP 800-18: Guide for Developing Security Plans for Federal Information Systems, as revised
    • SP 800-27: Engineering Principles for IT Security, as revised
    • SP 800-30: Risk Management Guide for Information Technology Systems
    • SP 800-34: Contingency Planning Guide for Information Technology Systems, as revised
    • SP 800-37: Guide for the Security Certification and Accreditation of Federal Information Systems
    • SP 800-39: Managing Information Security Risk
    • SP 800-53: Recommended Security Controls for Federal Information Systems, as revised
    • SP 800-53A: Guide for Assessing the Security Controls in Federal Information Systems, as revised
    • SP 800-60: Guide for Mapping Types of Information and Information Systems to Security Categories, as revised
    • SP 800-61: Computer Security Incident Handling Guide
    • SP 800-64: Security Considerations in the System Development Life Cycle, as revised
    • SP 800-115: Technical Guide to Security Testing and Assessment
    • SP 800-122: Guide to Protecting the Confidentiality of PII

    Federal Emergency Management Administration (FEMA), Federal Preparedness Circular (FPC) 65, Federal Executive Branch Continuity of Operations Plan (COOP), as revised June 15, 2004.

    Equal Employment Opportunity Commission (EEOC) Orders:

    • Order 150.001, Disclosure of Information Under the Freedom of Information Act
    • Order 150.003, Privacy Act of 1974, As Amended
    • Order 150.005, Protection of Privacy
    • Order 192.002, Audit Follow-up Program
    • Order 195.001, Internal Control Systems
    • Order 195.002, EEOC Shutdown Contingency Plan in the Event of Lapsed Appropriations
    • Order 240.006, EEOC Internet Policies and Procedures
    • Order 370.002, EEOC Security Plan
    • Order 510.002, Orientation Program for Employees New to EEOC
  14. DEFINITIONS.

    Access Control. Measures that ensure the resources of an information system can be accessed only by authorized users in authorized ways.

    Application. The use of information resources (information and information technology) to satisfy a specific set of user requirements.

    Asset. Any resource, item or information of value to an organization, which, if compromised in some manner, would result in a loss.

    Authorization-of-Processing. A signed statement authorizing the continued processing and accepting any residual risk of a major application or general support system. This procedure is required by OMB Circular A-130.

    Automated Information Security Program. A program, required by OMB A-130, to assure that adequate security is provided for all agency information collected, processed, transmitted, stored, or disseminated in major applications and general support systems. The Federal Information Security Management Act (FISMA) also requires such assurance for all major information systems.

    Automated Information Systems (AIS). Electronic systems that create, prepare, or manipulate information; includes computers, word processing systems, and other electronic information handling systems, associated equipment and media.

    Computer Abuse. A willful or negligent unauthorized activity that affects the availability, confidentiality, or integrity of computer resources. Computer abuse includes fraud, embezzlement, theft, malicious damage, unauthorized use, denial of service and misappropriation.

    Computer Fraud. Computer-related crime, involving deliberate misrepresentation or alteration of data in order to obtain something of value, usually for monetary gain.

    Computer Virus. A computer virus is a self-propagating computer program developed specifically to spread copies of itself to as many computers as possible, in order to perform other malicious and unauthorized actions, such as: causing massive destruction of programs and/or data (e.g., formatting a disk); partial destruction (e.g., erasure or modification of part of a disk); and random havoc (e.g., changing data in memory, or changing keystroke values). Computer viruses and related threats are generally referred to as malware.

    Contingency Plan. A plan for emergency response, backup procedures, and post-disaster recovery; mostly synonymous with disaster plan, emergency plan and continuity plan.

    General Support System. (OMB A-130) An interconnected set of information resources under the same direct management control, which shares common functionality. A system normally includes hardware, software, information, data, applications, communications, and people. A system can be, for example, a local area network (LAN) including smart terminals that supports a branch office, an agency-wide backbone, a communications network, a departmental information technology center including its operating system and utilities, a tactical radio network, or a shared information processing service organization.

    Hardware. The electrical, electronic, optoelectronic and mechanical equipment used for processing data. It consists of cabinets, racks, transistors, wires, glass fibers, motors, etc.

    Incident Response Capability. An organizational ability to detect and react quickly and efficiently to disruptions in normal processing caused by malicious technical threats. OMB A-130 mandates agencies to provide this capability, which includes sharing information with other agencies about common vulnerabilities.

    Information Security. (FISMA) Protecting information and information systems from unauthorized access, use, disclosure, modification, or destruction in order to provide integrity (which means guarding against improper information modification or destruction, and includes ensuring information nonrepudiation and authenticity), confidentiality (which means preserving authorized restrictions on access and disclosure, including means for protecting personal privacy and proprietary information), and availability (which means ensuring timely and reliable access to and use of information).

    Information System. Any equipment or interconnected system of equipment that is used in the automatic acquisition, storage, manipulation, management, movement, control, display, switching, interchange, transmission, or reception of data or information. This includes computers, ancillary equipment, software, firmware and similar procedures, services and related resources as defined by GSA.

    Loss. A quantitative measure of harm or deprivation due to a threat acting upon a vulnerable system resource.

    Major Application. (OMB A-130) An application that requires special attention to security due to the risk and magnitude of the harm resulting from the loss, misuse, or unauthorized access to or modification of the information in the application.

    Major Information System. (FISMA) Each agency is required by FISMA to develop, maintain, and report on an inventory of major information systems operated by or under the control of such agency. Pending issuance of FISMA guidance by OMB, EEOC has determined that any system identified previously as either a major application or general support system will be considered to be a major information system.

    Piracy. Unauthorized copying of software.

    Risk. The probability that a particular threat will exploit a particular vulnerability of a system.

    Rules. System-specific policy stated as rules of behavior which tells system users what is expected of them and how to actively protect information.

    Safeguard. A protective measure designed to reduce the probability of a loss of an asset.

    Security Point of Contact (SPOC). Individual with primary responsibility for protecting the information contained in one or more major information systems.

    System Sponsor. Within EEOC, the primary organizational element that originates and uses the information stored and processed in a particular application or information system.

    Threat. Any circumstance or event with the potential to cause harm to a system in the form of destruction, disclosure, modification of data, or denial of service.

    US-CERT. The United States Computer Emergency Readiness Team interacts with federal agencies, industry, the research community, state and local governments and others to disseminate reasoned and actionable cyber security information to the public.

    Vulnerability. A weakness in security policy, procedures, personnel, management, administration, hardware, software, physical layout, organization or other factors affecting security that may allow harm to an information processing system.
  15. LIST OF APPENDICES.

    Appendix A - Information Security Responsibilities of EEOC System Users

    Appendix B - Policy on Protecting Information Technology (IT) Security Documents

    Appendix C - Table of EEOC Major Information Systems and Sponsoring Offices

    Appendix D - Requirement for Screen Warning On Externally Connected Systems

  16. OBSOLETE DATA.

    This order supersedes EEOC Order 240.005, EEOC Information Security Program, Change 3, dated May 2008, and prior releases, which will be removed from reference files and destroyed.

INFORMATION SECURITY RESPONSIBILITIES OF EEOC SYSTEM USERS

It is the responsibility of all EEOC system users to help ensure the security and integrity of the information contained in the Commission's automated and manual records systems. The Office of Management and Budget (OMB) Circular A-130, the Privacy Act of 1974, and the Federal Information Security Management Act of 2002 all define such information, as well as the technology used to maintain it, as a vital Government asset. Those who control or use this information are responsible for its care, custody and protection. All EEOC system users, whether EEOC employees, contractors, contingent workers, or other users of EEOC information and information systems, are expected to be aware of certain legal rules and policies which must be followed for the purpose of safeguarding such information. Violation of these rules may be grounds for disciplinary action up to and including removal.

  1. Responsibilities Under the Confidentiality Provisions of Laws Enforced by EEOC

    The confidentiality provisions of Title VII of the Civil Rights Act of 1964 and Title I of the Americans with Disabilities Act prohibit the Commission, its officers and employees from disclosing to the public, prior to the institution of a lawsuit, information involving: (a) any charges filed under those Acts, (b) anything said or done during informal efforts to resolve such charges, (c) any reports that employers are required to file with the Commission under those Acts, and (d) any information obtained by the Commission during the investigation of such charges. Violators can be fined not more than $1,000, imprisoned for not more than one year, or disciplined.

  2. Privacy Act Responsibilities

    The Privacy Act of 1974 prohibits any disclosure by an agency officer or employee of information from any system of records about individual persons, unless the disclosure is consented to by the individual to whom the record pertains, is covered by an exception, or would be for a routine use, as defined by the Act. Violation is a criminal misdemeanor subject to a fine of not more than $5,000. The same penalty also applies to any agency officer or employee who maintains a system of records (manual or automated) about individual persons without complying with the Privacy Act notice requirements. The Act also makes it possible for individuals who believe that they are the victims of such illegal disclosures, or who believe that such information, even though properly disclosed, was inaccurate, to sue the agency responsible for such disclosures as well as for any harm, embarrassment or inconvenience which might have been caused by the existence of such inaccurate information.

  3. Procurement Integrity Act Responsibilities

    For those working pursuant to the Procurement Integrity Act, the Act prohibits all disclosures not authorized by the head of the agency or the agency-contracting officer of all proprietary or source selection information during the conduct of a procurement action. The Act provides for civil and criminal penalties, as well as administrative discipline for violation.

  4. Federal Property Management and Office of Government Ethics Responsibilities

    The information resources, including computers and telecommunications equipment, acquired and used by the Agency, are Federal property and are subject to EEOC, OMB, General Services Administration, and Office of Government Ethics regulations on the management and use of Federal property [5 CFR Part 2635 Standards of Ethical Conduct for Employees of the Executive Branch; 41 CFR Ch. 101 - Federal Property Management Regulations]. EEOC has obtained its information technology (IT) equipment for the purpose of performing mission-related work. Any activity which interferes with that purpose violates Federal property regulations. Such activities include using IT equipment for non-governmental commercial business purposes, intentionally spreading computer viruses, the use of Federally funded Internet accounts and services for non-government business, etc. Employees who have not fulfilled their responsibilities under the provisions of these property regulations are subject to administrative disciplinary action.

    Federal employees are permitted limited use of government office equipment for personal, non-commercial needs if the use does not interfere with official business and involves minimal additional expense to the Government. This limited personal use of government office equipment should take place during the employee's non-work time. This privilege may be revoked or limited at any time by the employee's supervisor or by other appropriate agency officials.

  5. Software Licensing Compliance Responsibilities

    Agency employees, contractors, contingent workers, and other users of EEOC information and information systems are prohibited from making unauthorized use or duplication of software acquired by the Government for official business, or from the use of unlicensed software on government equipment which would violate the Federal Copyright statute, and expose EEOC to the possibility of lawsuits from software vendors. System users are to install on EEOC computers only commercial software that has been purchased through the government procurement process and has been determined by the Office of Information Technology (OIT) to be compatible with EEOC's standard desktop configuration requirements. Employees are not allowed to install personally owned software on government computers, unless a specific, written exemption has been authorized by OIT. Detailed procedures for performing the foregoing responsibilities are contained in the March 2, 1999 memorandum entitled "EEOC Copyrighted Software Policy."

  6. Physical Security Responsibilities

    EEOC system users must notify their EEOC supervisor or point of contact of every occurrence of fire, water damage, or other incident which results in damage to information assets. They should be knowledgeable about office fire procedures and where the nearest fire extinguisher is located.

  7. Accountability and Control Responsibilities

    EEOC system users are responsible for ensuring the security of sensitive information and protecting the technology and equipment which supports its information systems as specified in the following:

    1. IT resources (i.e., hardware, software, information, etc.) are Federal property, and must be protected from unauthorized use or theft. The Office Director and the office's designated System Security Officer are responsible for defining and establishing the appropriate levels of control needed to safeguard their office's information systems and IT resources. However, each employee has a personal responsibility to ensure that the information and information resources which they use, manage, and maintain are properly protected and secured. These responsibilities include the proper use of passwords for accessing local and wide area networks, electronic bulletin boards, web pages and database systems; logging out of unattended information systems; and providing appropriate physical security for information systems in their care.
    2. Supervisors and the System Security Officers must be notified of any suspected incident of a breach or unauthorized disclosure of Agency information or any occurrence (e.g., virus attack, fire, water damage, etc.), which results in damage to an Agency information asset.
    3. EEOC system users must take reasonable steps to prevent the loss of application software programs or data belonging to the EEOC. This includes making regular use of EEOC's anti-virus software to scan computers for possible viruses and eradicating them when detected. In addition, system users should scan any storage media (diskettes, tape, etc.) for viruses before copying information onto the Agency's IT resources. This is particularly important for all electronic files downloaded from the Internet, and other external electronic bulletin boards services.
    4. System users must promptly report any hardware or software malfunctions to the individual responsible for maintenance support.
    5. Any system user responsible for administration of an Agency information system will periodically back up and store, in a secure location, a current copy of application software and copies of system data files. At a minimum, administrators of information systems critical to the accomplishment of the EEOC mission (e.g., charge and litigation information, budget and procurement information, etc.) must create a full backup of all data on a weekly basis, and (in consultation with the Office Director or System Security Officer) should consider making arrangements for off-site storage of the backups.
    6. All electronic media (diskettes, disk drives, CD-ROM disks, tapes, etc.) containing sensitive information must be properly secured to prevent any unauthorized access. When disposing of such media, employees must take steps to ensure that any data stored on the media cannot be recovered or read. System users should consider reformatting, degaussing, or overwriting the media to ensure that the information cannot be retrieved.
    7. System users must take appropriate measures to secure paper reports containing sensitive information and properly dispose of these materials through shredding or other appropriate means.
    8. The authorized movement or transfer of equipment, such as computers (both desktop and laptop/notebook), peripheral devices and software, from a government facility must be controlled. A system user who is responsible for any such movement should obtain a property pass from the designated facilities control official before such items are removed from the office. To protect such equipment, a sign-out log, showing specific removal and return dates, should be maintained for all laptop or notebook computers that are checked out of the office.
    9. All hardware and software, including data files, storage media, manuals and other documentation should be returned to the supervisor or appropriate property officer when an employee is reassigned, transferred, separated, or terminated.
  8. Other EEOC System User Information Security Responsibilities
    1. Exercise reasonable care not to cause a loss of programs or data assigned to or used by another EEOC system user;
    2. Do not tape passwords to desks, walls, or terminals; commit them to memory and do not disclose them;
    3. Exercise reasonable care not to leave terminals or personal computers turned on and unattended in unlocked rooms for long periods of time; use of password-protected screen savers is required;
    4. Take appropriate measures to secure (i.e., protect from unauthorized or illegal disclosure or alteration) and dispose of (i.e., shred) printouts containing sensitive information as defined above;
    5. Follow all of the policies and procedures described in EEOC Order 240.006 (EEOC Internet Policy and Procedures) concerning EEOC system user responsibilities for the use of the Internet, as well as those described in the December 7, 2000 OIT memorandum entitled "Policy on Utilization of EEOC's Electronic Mail Systems."

ACKNOWLEDGMENT OF RECEIPT

updated August 2014

This will acknowledge that I have received and read a copy of:

(PRINT YOUR NAME HERE)

SIGNATURE

DATE


POLICY ON PROTECTING INFORMATION TECHNOLOGY (IT) SECURITY DOCUMENTS

Security analyses and reviews are done at the Equal Employment Opportunity Commission (EEOC) to comply with various Federal statutes and regulations. At the minimum, these include risk assessments, security plans, authorizations to process, and disaster recovery plans. The very nature of such documents reveals details and vulnerabilities that can be exploited for destructive purposes. The result is that all such documents contain sensitive information, as defined by OMB Circular A-130. Therefore, it is necessary to protect the documents appropriately.

IT Security Documents Should Not Be Shared

IT Security Documents should only be given to employees on a "need to know" basis. The documents may be used to maintain the availability, confidentiality and integrity of the data, or to make revisions. Authorized EEOC system users may also hold the plans for safekeeping and reference. IT Security Documents should be closely held by these system users.

IT Security Documents Should Not Leave the Premises

IT Security Documents should stay in the office unless there is an explicit need to remove them. If a person is working on the documents, they may bring them to another place to work on them. As soon as the work is completed, they must be returned to the office premises. However, if a person is one of those tasked with maintaining the completed documents in a place outside of the office, an exception to this rule is recognized as necessary. Such documents must be returned to the office as soon as the person tasked with safeguarding them is no longer tasked to do so.

IT Security Documents Should Be Destroyed Properly

When IT Security Documents are obsolete, the documents should be destroyed properly. If the document is a hard paper copy, it should be shredded. If it is on another medium, it should be destroyed according to EEOC's accepted method for destroying secure data on that medium.

Inappropriate Handling of IT Security Documents

If these restrictions are not followed, the deviation, situation or incident will be referred to the Information Security Officer. If it is warranted, such matters will be referred to EEOC management for appropriate action.

TABLE OF EEOC MAJOR INFORMATION SYSTEMS AND SPONSORING OFFICES

Name of Major Information System              Sponsoring Office
EEO-1 Survey System                           Office of Research, Information and Planning
Document Management System                    Office of Information Technology
Integrated Mission System                     Office of Information Technology
Momentum Financials (through FY 2011)         Office of the Chief Financial Officer
Financial Cloud Solution (effective FY 2012)  Office of the Chief Financial Officer
Federal Personnel and Payroll System          Office of Human Resources
EEOC Data Network                             Office of Information Technology

SCREEN WARNING REQUIREMENT ON EXTERNALLY CONNECTED SYSTEMS

On all EEOC systems using any external telecommunications, a Screen Warning, similar to the one shown below, should appear prior to the log-on sequence. Public Law 99-474 (Computer Fraud and Abuse Act) requires that a warning message be displayed, notifying unauthorized users that they have accessed a U.S. Government computer system and unauthorized use can be punished by fines or imprisonment. Although the warning does not prevent unauthorized use of the system, it does allow violators to be punished more easily. Failure to notify an unauthorized user that it is a Government system may make prosecution more difficult, regardless of how much damage is done to the system.

If any EEOC office has implemented an externally connected system which does not have the required screen warning, processing should be suspended until the situation is corrected. OIT should be consulted for assistance in this matter.

All EEOC workstations which access the primary EEOC Network display a warning banner upon initial power-on and every time a user logs in. The word "Welcome" is not used in the warning banner because this may imply that anyone is welcome to access the system. The EEOC warning banner states:

EEOC's Computer Systems Important Notice

This is an Equal Employment Opportunity Commission Computer System. This system is intended to support official government business. Any information on this system is subject to recording, copying, reading, or interception by authorized personnel, including the Office of Inspector General. Use of this system constitutes consent to any such action and acknowledgment that there is no reasonable expectation of privacy with respect to any information or communications on this system.

Unauthorized users may be subject to civil and criminal penalties or administrative action for computer fraud or abuse.
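As an added example that is not part of this Order, the following POSIX shell function checks a pre-login banner file against the requirements stated above: the banner must exist, must not contain the word "Welcome", must identify a Government system, must state consent to monitoring, and must warn of penalties for unauthorized use. The file path and the sample banners are constructed for illustration; on Linux hosts the pre-login banner is commonly held in /etc/issue or /etc/issue.net, but the location is an assumption and not specified by the Order.

```shell
#!/bin/sh
# Added example (not from EEOC Order 240.005): verify that a login banner
# file meets the Appendix D screen warning requirements.
#
# check_banner FILE
#   Prints one line per finding and returns 0 when the banner is compliant,
#   1 otherwise. Matching is case-insensitive and deliberately simple: the
#   goal is to catch a missing or "Welcome"-style banner, not to parse it.
check_banner() {
    file="$1"
    status=0

    # Requirement: a warning must appear before the log-on sequence at all.
    if [ ! -s "$file" ]; then
        echo "FAIL: $file is missing or empty (no pre-login warning)"
        return 1
    fi

    # Requirement: "Welcome" is not used, since it may imply anyone may access the system.
    if grep -qi 'welcome' "$file"; then
        echo "FAIL: $file contains the word 'Welcome'"
        status=1
    fi

    # Requirement: the user is notified that this is a U.S. Government system.
    if ! grep -qi 'government' "$file"; then
        echo "FAIL: $file does not identify the system as a Government system"
        status=1
    fi

    # Requirement: use constitutes consent to monitoring / no expectation of privacy.
    if ! grep -qiE 'consent|expectation of privacy' "$file"; then
        echo "FAIL: $file does not state consent to monitoring"
        status=1
    fi

    # Requirement: unauthorized users are warned of fines, imprisonment or other penalties.
    if ! grep -qiE 'penalt|punish|prosecut|imprison|fine' "$file"; then
        echo "FAIL: $file does not warn of penalties for unauthorized use"
        status=1
    fi

    [ "$status" -eq 0 ] && echo "OK: $file meets the screen warning requirement"
    return "$status"
}

# Demonstration on constructed sample files (not real EEOC configuration).
demo_banner_check() {
    tmp=$(mktemp -d)

    # Constructed compliant banner, modelled on the wording quoted in Appendix D.
    cat > "$tmp/issue.compliant" <<'EOF'
This is an Equal Employment Opportunity Commission Computer System.
This system is intended to support official government business.
Use of this system constitutes consent to recording, copying, reading
or interception by authorized personnel; there is no reasonable
expectation of privacy on this system. Unauthorized users may be
subject to civil and criminal penalties or administrative action.
EOF

    # Constructed non-compliant banner: friendly greeting, no legal notice.
    printf 'Welcome to the network! Please log in.\n' > "$tmp/issue.welcome"

    check_banner "$tmp/issue.compliant"
    check_banner "$tmp/issue.welcome"

    rm -rf "$tmp"
}

# Run the demonstration only when executed directly, not when sourced.
case "$0" in
    *check_banner*|*banner*) demo_banner_check ;;
esac
```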