EEOC INFORMATION SECURITY PROGRAM

TABLE OF CONTENTS

1. SUBJECT
2. PURPOSE
3. EFFECTIVE DATE
4. ORIGINATOR
5. EEOC INFORMATION SECURITY POLICY

5.1. ACQUISITION AND MANAGEMENT OF INFORMATION RESOURCES
5.2. PRIVACY
5.3. CYBERSECURITY
5.3.1. GENERAL
5.3.2. SECURITY CATEGORIZATION
5.3.3. PLANS, CONTROLS, AND ASSESSMENTS
5.3.4. AUTHORIZATION TO OPERATE AND CONTINUOUS MONITORING
5.3.5. INCIDENT DETECTION, RESPONSE, RECOVERY
5.3.6. CONTINGENCY PLANNING
5.3.7. AWARENESS AND TRAINING
5.3.8. OTHER SAFEGUARDING MEASURES
5.3.9. NON-FEDERAL ENTITIES

6. RESPONSIBILITIES
7. AUTHORITY AND REFERENCES
8. DEFINITIONS
9. LIST OF APPENDICES
10. OBSOLETE DATA

MANAGEMENT PROGRAMS
INFORMATION TECHNOLOGY

1. SUBJECT

EQUAL EMPLOYMENT OPPORTUNITY COMMISSION (EEOC)

INFORMATION SECURITY PROGRAM

2. PURPOSE

This Order provides policies, principles and standards related to EEOC's Information Security Program, as required by the Federal Information Security Modernization Act of 2014 (FISMA) and Office of Management and Budget (OMB) Circular A-130, Managing Information as a Strategic Resource.

3. EFFECTIVE DATE

September 2017

4. ORIGINATOR

Office of Information Technology (OIT)

5. EEOC INFORMATION SECURITY POLICY

The protection of EEOC's information and its information technology resources is critical to the performance of its mission. EEOC employees, contractors, contingent workers, and other users of EEOC information and information systems who control and use the Agency's information resources are responsible for the care, custody and protection of those resources.

The primary principles of EEOC's information security program are:

  • The EEOC will protect information in a manner commensurate with the risk that would result from unauthorized access, use, disclosure, disruption, modification, or destruction of such information.
  • Protecting an individual's privacy is of utmost importance. The EEOC will consider and protect an individual's privacy throughout the information life cycle.
  • While security and privacy are independent and separate disciplines, they are closely related, and EEOC will take a coordinated approach to identifying and managing security and privacy risks and complying with applicable requirements.

Statutory Basis

The Federal Information Security Modernization Act (FISMA) requires that agencies comply with the National Institute of Standards and Technology (NIST) security standards, identify and provide information security protections commensurate with the risk and magnitude of potential harm, ensure that information security is addressed throughout the life cycle of each Agency information system, provide plans and procedures to ensure continuity of operations for major information systems, and conduct and report on annual security program reviews.

OMB Circular A-130 requires that agencies establish policies for the planning, budgeting, governance, acquisition, and management of Federal information, personnel, equipment, funds, IT resources and supporting infrastructure and services. The appendices to A-130 include responsibilities for protecting Federal information resources and managing personally identifiable information (PII).

Title VII of the Civil Rights Act of 1964, the Privacy Act of 1974, the Procurement Integrity Act of 1988, and the Confidential Information Protection and Statistical Efficiency Act of 2002 address other requirements necessary to protect Federal information.

5.1. ACQUISITION AND MANAGEMENT OF INFORMATION RESOURCES

EEOC shall:

  1. Perform information resources management activities in an efficient, effective, economical, secure, and privacy-enhancing manner; focus information resources planning to support the mission; implement an IT investment management process that links to and supports budget formulation and execution; and rethink and restructure the way work is performed before investing in new information systems.
  2. Maintain an inventory of the Agency's major information systems and information holdings at a level of detail that is appropriate for overseeing and managing the information resources. This level of detail will allow EEOC to regularly review its collections of PII and ensure, to the extent reasonably practicable, that such PII is accurate, relevant, timely, and complete; and to allow EEOC to reduce its sensitive PII to the minimum necessary for the proper performance of authorized Agency functions.
  3. Continually facilitate adoption of new and emerging technologies. This includes assessing the inventory of physical and software assets associated with each information system to ensure the maintainability and sustainability of the information resources and infrastructure supporting the system. This also includes identifying duplicative systems, for consolidation from an enterprise perspective. This will allow EEOC to actively determine when significant upgrades, replacements, or disposition is required to effectively support Agency mission or business functions and adequately protect Agency assets.
  4. Consider information security, privacy, records management, public transparency, and supply chain security issues throughout the system development life cycle so that risks are appropriately managed. This includes regularly reviewing and addressing risk regarding processes, people, and technology.

5.2. PRIVACY

EEOC shall:

  1. Limit the creation, collection, use, processing, storage, maintenance, dissemination, and disclosure of PII to that which is legally authorized, relevant, and reasonably deemed necessary for the proper performance of Agency functions.
  2. To the extent reasonably practicable, ensure that PII is accurate, relevant, timely, and complete, and reduce all PII to the minimum necessary for the proper performance of authorized Agency functions.
  3. Take steps to eliminate unnecessary collection, maintenance, and use of Social Security numbers, and explore alternatives to the use of Social Security numbers as a personal identifier.
  4. Conduct privacy impact assessments when appropriate, in accordance with the E-Government Act, and make the privacy impact assessments available to the public, in accordance with OMB policy.
  5. Maintain and post privacy policies on all Agency websites, mobile applications, and other digital services, in accordance with the E-Government Act and OMB policy.

5.3. CYBERSECURITY

EEOC shall:

5.3.1. GENERAL

  1. Implement a risk management framework to guide and inform the categorization of EEOC information systems; the selection, implementation, and assessment of security and privacy controls; the authorization of information systems and common controls; and the continuous monitoring of information systems.
  2. Protect information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction, to provide for their confidentiality, integrity, and availability.
  3. Implement security and privacy controls, and verify that they are operating as intended. Put procedures in place so that security and privacy controls are monitored and remain effective over time, and that steps are taken to maintain risk at an acceptable level within accepted organizational risk tolerance.
  4. Employ systems security engineering principles, concepts, and techniques during the life cycle of information systems to facilitate the development, deployment, operation, and sustainment of trustworthy and adequately secure systems.

5.3.2. SECURITY CATEGORIZATION

  1. Categorize information and information systems, in accordance with FIPS Publication 199 and NIST SP 800-60, considering potential adverse security and privacy impacts to organizational operations and assets, individuals, other organizations, and the Nation.
  2. Identify authorization boundaries for information systems in accordance with NIST SPs 800-18 and 800-37.
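The FIPS 199 categorization required above is a mechanical rule: each information type on a system receives a LOW, MODERATE, or HIGH potential impact for confidentiality, integrity, and availability (NIST SP 800-60 supplies provisional values), the system's level for each objective is the "high water mark" across the types it hosts, and the overall system impact level (which FIPS 200 and SP 800-53 then map to a control baseline) is the high water mark across the three objectives. The following added example, which is not EEOC code, implements that rule; the information types, their impact values, and the system name are constructed for illustration and are not drawn from SP 800-60 or from Appendix C.

```python
# Added illustrative example of FIPS 199 security categorization (high water mark).
# Not EEOC's code. The information types and impact values below are constructed.
from enum import IntEnum
from typing import Dict, Iterable, Optional, Tuple


class Impact(IntEnum):
    LOW = 1
    MODERATE = 2
    HIGH = 3


# Per information type: (confidentiality, integrity, availability).
# FIPS 199 allows "not applicable" (None here) only for the confidentiality of an
# information type such as public information, never for a whole system.
InfoCategory = Tuple[Optional[Impact], Impact, Impact]


def high_water_mark(levels: Iterable[Optional[Impact]]) -> Optional[Impact]:
    """Highest impact among the given levels; 'not applicable' entries are ignored."""
    present = [lvl for lvl in levels if lvl is not None]
    return max(present) if present else None


def categorize_system(info_types: Dict[str, InfoCategory]) -> Dict[str, Impact]:
    """Apply the FIPS 199 high water mark across all information types on a system.

    Per objective, the system level is the maximum over its information types.
    A confidentiality value of 'not applicable' at the information-type level
    becomes at least LOW at the system level, since FIPS 199 does not permit
    N/A for an information system. The overall level is the maximum of the three.
    """
    if not info_types:
        raise ValueError("a system must host at least one information type")
    conf = high_water_mark(c for c, _, _ in info_types.values()) or Impact.LOW
    integ = high_water_mark(i for _, i, _ in info_types.values())
    avail = high_water_mark(a for _, _, a in info_types.values())
    return {
        "confidentiality": conf,
        "integrity": integ,
        "availability": avail,
        "overall": max(conf, integ, avail),
    }


def format_sc(label: str, conf: Optional[Impact], integ: Impact, avail: Impact) -> str:
    """Render a category in FIPS 199 notation, e.g. SC x = {(confidentiality, LOW), ...}."""
    def name(level: Optional[Impact]) -> str:
        return "N/A" if level is None else level.name
    return (f"SC {label} = {{(confidentiality, {name(conf)}), "
            f"(integrity, {name(integ)}), (availability, {name(avail)})}}")


# Constructed sample: a hypothetical system hosting three information types.
SAMPLE_SYSTEM: Dict[str, InfoCategory] = {
    "case files containing PII": (Impact.MODERATE, Impact.MODERATE, Impact.LOW),
    "public outreach content": (None, Impact.LOW, Impact.LOW),
    "scheduling data": (Impact.LOW, Impact.MODERATE, Impact.MODERATE),
}

if __name__ == "__main__":
    for type_name, (c, i, a) in SAMPLE_SYSTEM.items():
        print(format_sc(type_name, c, i, a))
    result = categorize_system(SAMPLE_SYSTEM)
    print(format_sc("system", result["confidentiality"],
                    result["integrity"], result["availability"]))
    print("overall system impact level:", result["overall"].name)
```

Note that the public-content type contributes nothing to the confidentiality high water mark, yet the system still ends up MODERATE for all three objectives because different information types drive different objectives; that is the reason the categorization must be done over the full inventory of information types on a system rather than from its most sensitive record alone.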

5.3.3. PLANS, CONTROLS, AND ASSESSMENTS

  1. Employ a process to select and implement security controls for information systems and the environments in which those systems operate that satisfies the minimum information security requirements in FIPS Publication 200 and security control baselines in NIST SP 800-53, tailored as appropriate.
  2. Employ a process to select and implement privacy controls for information systems and programs that satisfies applicable privacy requirements in OMB guidance, including, but not limited to: Appendix I of OMB Circular A-130 and OMB Circular A-108, Federal Agency Responsibilities for Review, Reporting, and Publication under the Privacy Act.
  3. Implement information system security using sound systems security engineering principles, concepts, methods, practices, and techniques.
  4. Develop and maintain security and privacy plans for information systems to document which security and privacy controls have been selected and how those controls have been implemented.
  5. Designate common controls to provide cost-effective security and privacy capabilities that can be inherited by multiple Agency information systems or programs.
  6. Conduct and document security and privacy control assessments prior to the operation of an information system, and periodically thereafter, consistent with the frequency defined in the Agency information security continuous monitoring (ISCM) strategies and the Agency risk tolerance.
  7. Use Agency plans of action and milestones (POA&Ms) to record and manage the mitigation and remediation of identified weaknesses and deficiencies, not associated with accepted risks, in Agency information systems.

5.3.4. AUTHORIZATION TO OPERATE AND CONTINUOUS MONITORING

  1. Designate a senior official to formally authorize an information system to operate and authorize Agency-designated common controls for use.
  2. Complete an initial authorization to operate for each major information system and all Agency-designated common controls based on a determination of, and explicit acceptance of, the risk to Agency operations and assets, individuals, other organizations, and the Nation.
  3. Transition information systems and common controls to an ongoing authorization process when eligible for such a process and with the formal approval of the respective authorizing officials.
  4. Reauthorize information systems and common controls as needed, on a time- or event-driven basis in accordance with Agency risk tolerance.
  5. Develop and maintain an ISCM program and strategy to address information security risks and requirements across the organizational risk management tiers.

5.3.5. INCIDENT DETECTION, RESPONSE, RECOVERY

  1. Develop and implement incident management policies and procedures, in accordance with OMB policies and NIST guidelines that address incident detection, response, and recovery. This includes developing and implementing appropriate activities to identify the occurrence of an incident; developing and implementing appropriate activities regarding a detected incident; and developing and implementing the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to an incident.
  2. Maintain formal incident response capabilities and mechanisms to include notification to affected individuals and adequate training and awareness for employees and contractors on how to report and respond to incidents.
  3. Periodically test incident response procedures to ensure effectiveness of such procedures. Document lessons learned after incident response and update procedures annually.
  4. Document and provide reports on incidents as required by FISMA, OMB policy, DHS binding operational directives, Federal information security incident center guidelines, NIST guidelines, and Agency procedures.

5.3.6. CONTINGENCY PLANNING

  1. Develop and test contingency plans for information systems that identify essential mission and business functions and associated contingency requirements; provide recovery objectives and restoration priorities; address contingency roles and responsibilities; and address maintaining mission essential functions during a disruption, compromise, or failure of information systems.
  2. Provide for the recovery and reconstitution of information systems to a known state after a disruption, compromise, or failure.

5.3.7. AWARENESS AND TRAINING

  1. Develop, maintain, and implement mandatory Agency-wide information security and privacy awareness and training programs for all employees and contractors.
  2. Ensure that the security and privacy awareness and training programs are consistent with applicable policies, standards, and guidelines issued by OMB, NIST, and OPM.
  3. Provide role-based security and privacy training to employees and contractors with assigned security and privacy roles and responsibilities.
  4. Establish rules of behavior, including consequences for violating rules of behavior, for employees and contractors that have access to Federal information or information systems, including those that create, collect, use, process, store, maintain, disseminate, disclose, or dispose of PII.

5.3.8. OTHER SAFEGUARDING MEASURES

  1. Implement least privilege by only permitting the use of networks, systems, applications, and data, as well as programs, functions, ports, protocols, or services that are necessary in meeting mission or business needs.
  2. Implement least privilege at multiple layers (network, system, application, and data) so that users have role-based access to only the information and resources that are necessary for a legitimate purpose.
  3. Implement separation of duties to address the potential for abuse of authorized privileges and help to reduce the risk of malicious activity without collusion.

5.3.9. NON-FEDERAL ENTITIES

  1. Ensure that terms and conditions in contracts and other agreements involving the creation, collection, use, processing, storage, maintenance, dissemination, disclosure, and disposal of Federal information, incorporate security and privacy requirements and are sufficient to enable agencies to meet Federal and Agency-specific requirements pertaining to the protection of Federal information.

6. RESPONSIBILITIES

The Order is based on the fundamental premise that those who create, control and use information are the ones responsible for its care, custody and protection. Responsibilities for Information System security, and procedures for assigning those responsibilities, are defined below in compliance with FISMA, NIST, and OMB Circular A-130.

  1. Agency Chair: The Chair has primary responsibility for managing the Agency's information resources and establishing an Information Security Program, as well as for ensuring that the Agency develops and implements appropriate information security policies and procedures. The Chair accomplishes these objectives through the delegations set forth in this Order.
  2. Chief Information Officer (CIO): The Director, Office of Information Technology (OIT), as the EEOC's CIO, is responsible for:
    • Establishing an information security program for EEOC, including related policies and procedures and control techniques as required by FISMA; identifying networks, facilities, and information systems or groups of systems which require planning for provision of adequate security; and providing appropriate information security awareness training for all Agency employees, contractors and other users of EEOC information and information systems;
    • Developing the Agency's information security program related budget, providing overall direction and guidance on implementation of information security, deciding and recommending the level of financial resources and technical support required for information security safeguards; and ensuring the integration of security into the Agency's capital planning and investment control processes;
    • Providing feedback regarding oversight of information security-related activities to Headquarters Offices and to the Office of Field Programs (OFP); and
    • Responding to requests for information from OMB, the Government Accountability Office (GAO), and Congressional oversight and appropriations committees regarding EEOC's compliance with FISMA, OMB Circular A-130, and other related statutes and memoranda.
  3. Senior Agency Official for Privacy (SAOP): The Agency's CIO has been designated as EEOC's SAOP, and, in coordination with the Office of Legal Counsel, is responsible for:
    • Developing, implementing, and maintaining an Agency-wide privacy program to ensure compliance with all applicable statutes, regulations, and policies regarding the creation, collection, use, processing, storage, maintenance, dissemination, disclosure, and disposal of PII by programs and information systems, developing and evaluating privacy policy, and managing privacy risks at the Agency;
    • Developing and maintaining a Privacy Continuous Monitoring (PCM) strategy and PCM program to maintain ongoing awareness of privacy risks and assess privacy controls at a frequency sufficient to ensure compliance with applicable privacy requirements and manage privacy risks;
    • Reviewing IT capital investment plans and budgetary requests to ensure that privacy requirements and associated privacy controls, as well as any associated costs, are explicitly identified and included, with respect to any IT resources that will be used to create, collect, use, process, store, maintain, disseminate, disclose, or dispose of PII;
    • Reviewing and approving, in accordance with NIST FIPS Publication 199 and NIST SP 800-60, the categorization of information systems that create, collect, use, process, store, maintain, disseminate, disclose, or dispose of PII;
    • Reviewing authorization packages for information systems that create, collect, use, process, store, maintain, disseminate, disclose, or dispose of PII to ensure compliance with applicable privacy requirements and manage privacy risks, prior to authorizing officials making risk determination and acceptance decisions;
    • Reminding Agency employees and contractors of their responsibilities for safeguarding PII, the rules for acquiring and using such information, the penalties for violating these rules, as well as ensuring they receive appropriate training; and
    • Preparing the Senior Agency Official for Privacy section of EEOC's FISMA annual report to OMB, as well as responding to requests for information as appropriate.
  4. Chief Information Security Officer (CISO): The EEOC CISO is responsible for:
    • Assuming responsibilities related to the implementation and oversight of EEOC's Information Security and Privacy Programs, as delegated by the Agency CIO/SAOP.
    • Overseeing the conduct of security risk assessments and the development and implementation of security plans for the Agency's major information systems, networks and facilities;
    • Overseeing the development and issuance of EEOC information security policies and procedures;
    • Ensuring the development and testing of contingency and continuity of operations plans for major information systems;
    • Ensuring that information security-related training and technical support are provided to the Office Directors, IT Specialists, Security Points of Contacts (SPOCs), and users of EEOC's major information systems;
    • Serving as the Senior Technical Advisor to EEOC management on all areas of Information Security;
    • Recommending courses of action and policies to senior management that allow EEOC to securely meet its organizational goals; and
    • Monitoring and recording the security performance of EEOC information systems and reporting the status to management and to other government agencies that collect security data, such as US-CERT, as required.
  5. Legal Counsel: The EEOC Legal Counsel, in coordination with the Agency SAOP, is responsible for:
    • Developing and evaluating legislative, regulatory, and other policy proposals that have privacy implications;
    • Ensuring that the Agency considers and addresses the privacy implications of all Agency regulations and policies;
    • Publishing System of Records Notices (SORN) and reporting Systems of Records to OMB and Congress in accordance with OMB Circular No. A-108;
    • Ensuring the Agency promulgates rules, in accordance with the rulemaking procedures in 5 U.S.C. § 553, to implement the requirements of the Privacy Act;
    • Managing the completion of Privacy Act review requirements, as outlined in OMB Circular No. A-108;
    • Maintaining the Agency's central resource page dedicated to the privacy program, in coordination with OIT and the Office of Resource, Information, and Planning; and
    • Leading the Agency's evaluation of the privacy implications of legislative proposals, congressional testimony, and other materials pursuant to OMB Circular No. A-19.
  6. Chief Financial Officer (CFO) is responsible for:
    • Ensuring that all acquisitions that involve information technology or the handling of PII are reviewed and approved by the CIO/SAOP in accordance with EEOC Order 360.001, EEOC Acquisition Policies and Procedures;
    • Ensuring that all budget requests that involve information technology or the handling of PII are shared with the CIO/SAOP; and
    • As the Agency's Records Officer, developing and monitoring compliance with the policies, procedures and standards for managing the records of the EEOC, including the proper destruction of those records, in accordance with EEOC Order 201.001, Records Management, and NARA guidelines.
  7. Chief Human Capital Officer (CHCO) is responsible for:
    • Assuring that all new employees, as part of their orientation package, receive and review "Information Security Responsibilities of EEOC System Users" (Appendix A); and
    • Working with OIT to facilitate the provision of information security training.
  8. Director, Office of Field Programs and EEOC General Counsel are responsible for:
    • Working with OIT and OCHCO to facilitate, as requested, the provision of information security training to EEOC's field office personnel; and
    • Monitoring security-related activities in the field offices, in conjunction with OIT.
  9. System Sponsors - Headquarters Office Directors who sponsor a system identified as a major information system (see Appendix C) are responsible for:
    • Designating a Security Point of Contact (SPOC) for each system that they sponsor;
    • Participating in and reviewing vulnerability and risk assessments for the major information systems which they sponsor, with the assistance of the SPOC and lead support from OIT;
    • Participating in the development and update of system security plans for major information systems which they sponsor, with the assistance of the SPOC and lead support from OIT;
    • Completing, for each major system which they sponsor, a signed statement accepting the residual risk and authorizing continued processing, and providing a copy of the signed statement to the CIO;
    • Participating in the development and testing of contingency plans and disaster recovery plans for major information systems which they sponsor, with the assistance of the SPOC and lead support from OIT;
    • Working with OIT to identify appropriate on-line training for each SPOC and ensuring that each SPOC successfully completes at least one IT Security related training per fiscal year; and
    • Ensuring that their office's designated SPOC performs their responsibilities, as outlined in item 13 (Security Points of Contact) of this Section.
  10. External Website Sponsors: Office Directors who sponsor and oversee EEOC's external websites are responsible for:
    • Ensuring compliance with Section 504 and 508 of the Rehabilitation Act of 1973 (29 U.S.C. sections 794 and 794d, as amended), for accessibility of systems and services;
    • Ensuring compliance with Agency web site standards for privacy, usability, and preservation of government information, as outlined in Sections 207(f)(2) and 208(c) of the E-Government Act of 2002, OMB Circular A-130, and OMB Memoranda; and
    • Assisting in the preparation of relevant sections of the EEOC's FISMA annual report to OMB, as well as responding to requests for information as appropriate.
  11. District Office Directors are responsible for:
    • Designating a single SPOC (typically the District's IT Specialist) for oversight of information security functions within their district;
    • Working with the SPOC and OIT to ensure that an adequate security incident response capability exists for major information systems used within their district;
    • Ensuring that their district complies with security policy and system security controls for information systems used within their district offices;
    • Working with OIT to identify appropriate training for each SPOC and ensuring that each SPOC successfully completes at least one IT Security related training per fiscal year; and
    • Ensuring that the SPOCs perform their responsibilities, as outlined in item 13 (Security Points of Contact) of this Section.
  12. Headquarters and Field Office Directors are responsible for:
    • Authorizing account creation and determining the appropriate level of system access to provide each user by employing the concept of least privilege, that is, providing the minimal level of access required to perform their job functions;
    • Ensuring that new users (to include new employees, interns, contractors, contingent workers, etc.) review "Information Security Responsibilities of EEOC System Users" (Appendix A) and complete security awareness training, available on EEOC's Intranet, inSite, as a part of the on-boarding process;
    • Immediately notifying the EEOC CIO/SAOP, CISO, and the Legal Counsel regarding any potential breach of PII, including as much detailed information as possible;
    • Informing OIT and the OCFO when a theft or loss of any computer, peripheral device or software package is detected;
    • Ensuring that all controls recommended by the Agency for compliance with the Federal Manager's Financial Integrity Act, as specified in EEOC Order 195.001, Internal Control Systems, and related supplemental guidance, are in place; and
    • Ensuring that their employees, contractors, contingent workers, and other users of EEOC information and information systems perform their responsibilities as users of EEOC information systems, as outlined in item 14 (System Users) of this Section.
  13. Security Points of Contact (SPOCs) are responsible for:
    • Exercising overall information security oversight for all systems or portions of systems for which they are responsible;
    • Developing or assisting in the development of security plans, vulnerability, risk, and threat assessments, and other studies with the guidance and assistance of the Office Director and OIT;
    • Assisting in the development and testing of contingency/continuity plans as directed by the Office Director and/or OIT;
    • Reporting to the Office Director and OIT all security incidents that could degrade data or system integrity or compromise the confidentiality of sensitive information;
    • Ensuring compliance with the system security plans of major information systems for which they are responsible;
    • Ensuring that account management procedures are followed related to on-boarding and off-boarding users within their office/jurisdiction;
    • Monitoring anti-virus software deployment within their office's jurisdiction and the successful completion of automated on-line back-ups; and
    • Monitoring the use of hardware and software within their office(s) to enforce legitimate use of government information technology resources and effective asset management.
  14. System Users: Users of EEOC information systems are responsible for:
    • Following their acknowledged responsibilities as delineated in this Order, and as described in Appendix A, Information Security Responsibilities of EEOC System Users;
    • Complying with all rules or policies which guide or restrict the use of EEOC's information systems and data;
    • Properly securing sensitive information, per EEOC Protection of Sensitive Information Policy, and immediately reporting any suspected or actual breach of Personally Identifiable Information to management; and
    • Reporting all suspected, actual, or threatened computer security related incidents to the appropriate personnel. Field office staff should report incidents to their supervisor and their SPOC. If the SPOC is unavailable, then staff should contact the Office Director, the OIT Help Desk, or EEOC's Information Security Officers. Headquarters staff should contact their supervisor and the OIT Help Desk directly.

7. AUTHORITY AND REFERENCES

  • Clinger-Cohen Act (also known as the "Information Technology Management Reform Act of 1996") (40 U.S.C. § 11101-11704);
  • E-Government Act of 2002 (44 U.S.C. Chapters 35 and 36);
  • Federal Information Security Modernization Act of 2014 (44 U.S.C. Chapter 35, Subchapter II);
  • Federal Information Technology Acquisition Reform Act (FITARA) (Pub. L. 113-291);
  • Paperwork Reduction Act (PRA) of 1980, as amended by the Paperwork Reduction Act of 1995 (44 U.S.C. Chapter 35);
  • Privacy Act of 1974, as amended (5 U.S.C. § 552a);
  • Digital Accountability and Transparency Act of 2014 (Pub. L. 113-101);
  • Electronic Signatures in Global and National Commerce Act (E-Sign) (15 U.S.C. Chapter 96);
  • Government Paperwork Elimination Act of 1998 (44 U.S.C. § 3504);
  • Government Performance and Results Act (GPRA) of 1993, as amended by the Government Performance and Results Modernization Act (GPRA Modernization Act) of 2010 (5 U.S.C. § 306 and 31 U.S.C. §§ 1115 et seq.);
  • Office of Federal Procurement Policy Act (41 U.S.C. Chapter 7);
  • Executive Order 13719, Establishment of the Federal Privacy Council (2016).
  • OMB Circulars and Memoranda, including, but not limited to:
  • National Institute of Standards and Technology (NIST) Federal Information Processing Standards (FIPS) and NIST Special Publications (SPs) (e.g. 500, 800, and 1800 series guidelines)
  • Homeland Security Presidential Directive 12, Policy for a Common Identification Standard for Federal Employees and Contractors, August 2004.
  • Federal Continuity Directive 1 (FCD 1), Federal Executive Branch National Continuity Program and Requirements, February 2008.
  • Section 504 and 508 of the Rehabilitation Act of 1973 (29 U.S.C. sections 794 and 794d, as amended) - www.section508.gov.

8. DEFINITIONS

This Order follows the definitions set out in Section 10 of OMB Circular A-130.

9. LIST OF APPENDICES

Appendix A: Information Security Responsibilities of EEOC System Users
Appendix B: Policy on Protecting Information Technology (IT) Security Documents
Appendix C: Table of EEOC Major Information Systems and Sponsoring Offices
Appendix D: Requirement for Screen Warning on Externally Connected Systems

10. OBSOLETE DATA

This order supersedes EEOC Order 240.005, EEOC Information Security Program, Change 4, dated June 2011, and prior releases - which will be removed from reference files and destroyed.

APPENDIX A: INFORMATION SECURITY RESPONSIBILITIES OF EEOC SYSTEM USERS

It is the responsibility of all EEOC systems users to help ensure the security and integrity of the information contained in the Commission's automated and manual records systems. The Office of Management and Budget (OMB) Circular A-130, the Privacy Act of 1974, and the Federal Information Security Modernization Act of 2014 all define such information, as well as the technology used to maintain it, as a vital Government asset. Those who control or use this information are responsible for its care, custody and protection. All EEOC system users, whether EEOC employees, contractors, contingent workers, and other users of EEOC information and information systems, are expected to be aware of certain legal rules and policies which must be followed for safeguarding such information. Violation of these rules may be grounds for disciplinary action up to and including removal.

1. Responsibilities Under the Confidentiality Provisions of Laws Enforced by EEOC

The confidentiality provisions of Title VII of the Civil Rights Act of 1964 and Title I of the Americans with Disabilities Act prohibit the Commission, its officers and employees from disclosing to the public, prior to the institution of a lawsuit, information involving: (a) any charges filed under those Acts, (b) anything said or done during informal efforts to resolve such charges, (c) any reports that employers are required to file with the Commission under those Acts, and (d) any information obtained by the Commission during the investigation of such charges. Violators can be fined not more than $1,000, imprisoned for not more than one year, or disciplined.

2. Privacy Act Responsibilities

The Privacy Act of 1974 prohibits any disclosure by an Agency officer or employee of information from any system of records about individual persons, unless the disclosure is consented to by the individual to whom the record pertains, is covered by an exception, or would be for a routine use, as defined by the Act. Violation is a criminal misdemeanor subject to a fine of not more than $5,000. The same penalty also applies to any Agency officer or employee who maintains a system of records (manual or automated) about individual persons without complying with the Privacy Act notice requirements. The Act also makes it possible for individuals who believe that they are the victims of such illegal disclosures, or who believe that such information, even though properly disclosed, was inaccurate, to sue the Agency responsible for such disclosures as well as for any harm, embarrassment or inconvenience which might have been caused by the existence of such inaccurate information.

3. Procurement Integrity Act Responsibilities

For those working pursuant to the Procurement Integrity Act, the Act prohibits disclosure of proprietary or source selection information during the conduct of a procurement action, other than disclosures authorized by the head of the Agency or the Agency contracting officer. The Act provides for civil and criminal penalties, as well as administrative discipline, for violations.

4. Federal Property Management and Office of Government Ethics Responsibilities

The information resources, including computers and telecommunications equipment, acquired and used by the Agency, are Federal property and are subject to EEOC, OMB, General Services Administration, and Office of Government Ethics regulations on the management and use of Federal property [5 CFR Part 2635 Standards of Ethical Conduct for Employees of the Executive Branch; 41 CFR Ch. 101 - Federal Property Management Regulations]. EEOC has obtained its information technology (IT) equipment for performing mission-related work. Any activity which interferes with that purpose violates Federal property regulations. Such activities include using IT equipment for non-governmental commercial business purposes, intentionally spreading computer viruses, the use of Federally funded Internet accounts and services for non-government business, etc. Employees who have not fulfilled their responsibilities under the provisions of these property regulations are subject to administrative disciplinary action.

Federal employees are permitted limited use of government office equipment for personal, non-commercial needs if the use does not interfere with official business and involves minimal additional expense to the Government. This limited personal use of government office equipment should take place during the employee's non-work time. This privilege may be revoked or limited at any time by the employee's supervisor or by other appropriate Agency officials.

5. Software Licensing Compliance Responsibilities

Agency employees, contractors, contingent workers, and other users of EEOC information and information systems are prohibited from making unauthorized use or duplication of software acquired by the Government for official business, or from the use of unlicensed software on government equipment which would violate the Federal Copyright statute, and expose EEOC to the possibility of lawsuits from software vendors. System users are to install on EEOC computers only commercial software that has been purchased through the government procurement process and has been determined by the Office of Information Technology (OIT) to be compatible with EEOC's standard desktop configuration requirements. Employees are not allowed to install personally owned software on government computers, unless a specific, written exemption has been authorized by OIT.

6. Physical Security Responsibilities

EEOC system users must notify their EEOC supervisor or point of contact of every occurrence of fire, water damage, or other incident which results in damage to information assets. They should be knowledgeable about office fire procedures and where the nearest fire extinguisher is located.

7. Accountability and Control Responsibilities

EEOC system users are responsible for ensuring the security of sensitive information and protecting the technology and equipment which supports its information systems as specified in the following:

  1. IT resources (i.e., hardware, software, information, etc.) are Federal property and must be protected from unauthorized use or theft. The Office Director, in coordination with the Office of Information Technology, is responsible for defining and establishing the appropriate levels of control needed to safeguard the office's information systems and IT resources. However, each employee has a personal responsibility to ensure that the information and information resources which they use, manage, and maintain are properly protected and secured. These responsibilities include the proper use of individual logins and passwords for accessing Agency systems and networks, logging out of or screen-locking unattended information systems, and providing appropriate physical security for information systems in their care.
  2. Supervisors must be immediately notified of any suspected breach or unauthorized disclosure of Agency information, or any occurrence (e.g., virus attack, fire, water damage, etc.) which results in damage to an Agency information asset.
  3. EEOC system users must take reasonable steps to prevent the loss of application software programs or data belonging to the EEOC. This includes making regular use of EEOC's anti-virus software to scan computers for possible viruses and eradicating them when detected. In addition, system users should scan any storage media (diskettes, tape, etc.) for viruses before copying information onto the Agency's IT resources. This is particularly important for all electronic files downloaded from the Internet, and other external electronic web services.
  4. System users must promptly report any hardware or software malfunctions to the individual responsible for maintenance support.
  5. System users are responsible for backing up any critical business files that are stored on their government workstation. This can be accomplished by backing up the files to government-owned encrypted external media, or copying the files to the appropriate system and/or network locations - e.g., OneDrive, SharePoint, or other designated EEOC data repository.
  6. All electronic media (flash/"thumb" drives, external hard drives, CDs, etc.) containing sensitive information must be properly encrypted and secured to prevent any unauthorized access. When disposing of such media, employees must take steps to ensure that any data stored on the media cannot be recovered or read. System users should consider degaussing or destroying the media to ensure that the information cannot be retrieved. Note that degaussing is effective only for magnetic media (hard disks, tape); flash drives, solid-state drives and optical media must be physically destroyed or sanitized using the methods in NIST SP 800-88, Guidelines for Media Sanitization.
  7. System users must take appropriate measures to secure paper reports containing sensitive information and properly dispose of these materials through shredding or other appropriate means.
  8. The authorized movement or transfer of equipment, such as computers, peripheral devices and software, from a government facility must be controlled. A system user who is responsible for any such movement should follow the facility's procedures (including obtaining property passes when required), before such items are removed from the office.
  9. All hardware and software, including data files, mobile devices, storage media, manuals and other documentation, should be returned to the supervisor or appropriate property officer when an employee is separated or terminated.

8. Other EEOC System User Information Security Responsibilities

  1. Exercise reasonable care not to cause a loss of programs or data assigned to or used by another EEOC system user.
  2. Do not tape passwords to desks, walls, or workstations/keyboards; commit them to memory and do not disclose them. Note that EEOC Help Desk technicians should never need to ask you for your password.
  3. Exercise reasonable care not to leave workstations turned on and unattended in unlocked rooms; screen-locking your workstation when stepping away from it is required.
  4. Take appropriate measures to secure (i.e., protect from unauthorized or illegal disclosure or alteration) and dispose of (i.e., shred) printouts containing sensitive information as defined above.
  5. Comply with all EEOC policies and procedures which guide or restrict the use of EEOC's information systems, services, and data.

POLICY ON PROTECTING INFORMATION TECHNOLOGY (IT)
SECURITY DOCUMENTS

Security analyses and reviews are done at the Equal Employment Opportunity Commission (EEOC) to comply with various Federal statutes and regulations. At the minimum, these include risk assessments, security plans, authorizations to process, and disaster recovery plans. The very nature of such documents reveals details and vulnerabilities that can be exploited for destructive purposes. The result is that all such documents contain sensitive information, as defined by OMB Circular A-130. Therefore, it is necessary to protect the documents appropriately.

IT Security Documents Should Not Be Shared

IT Security Documents should only be given to employees on a "need to know" basis. The documents may be used to maintain the availability, confidentiality and integrity of the data, or to make revisions. Authorized EEOC system users may also hold the plans for safekeeping and reference. IT Security Documents should be closely held by these system users.

IT Security Documents Should Not Leave the Premises

IT Security Documents should stay in the office unless there is an explicit need to remove them. A person working on the documents may take them to another location to work on them, but must return them to the office premises as soon as the work is completed. An exception is recognized for a person who is specifically tasked with maintaining the completed documents at a location outside the office (for example, an off-site copy of the disaster recovery plan). Such documents must be returned to the office as soon as that person is no longer tasked with safeguarding them.

IT Security Documents Should Be Destroyed Properly

When IT Security Documents are obsolete, the documents should be destroyed properly. If the document is a hard paper copy, it should be shredded. If it is on another medium, it should be destroyed according to EEOC's accepted method for destroying secure data on that medium.

Inappropriate Handling of IT Security Documents

If these restrictions are not followed, the deviation, situation or incident will be referred to the Information Security Officer. If it is warranted, such matters will be referred to EEOC management for appropriate action.

TABLE OF EEOC MAJOR INFORMATION SYSTEMS AND SPONSORING OFFICES

Name of Major Information System              Sponsoring Office
--------------------------------------------  ---------------------------------------------
EEO-1 Survey System                           Office of Research, Information and Planning
Integrated Mission System                     Office of Information Technology
Oracle Federal Financials (OFF)               Office of the Chief Financial Officer
Federal Personnel and Payroll System          Office of Human Resources
EEOC Data Network / General Support System    Office of Information Technology

SCREEN WARNING REQUIREMENT ON EXTERNALLY
CONNECTED SYSTEMS

On all EEOC systems using any external telecommunications, a Screen Warning similar to the one shown below must appear before the log-on sequence. Public Law 99-474 (the Computer Fraud and Abuse Act) makes unauthorized access to a Government computer a Federal crime, and Federal systems are required to display a system use notification (NIST SP 800-53, control AC-8) telling users that they have accessed a U.S. Government computer system and that unauthorized use can be punished by fines or imprisonment. Although the warning does not prevent unauthorized use of the system, it removes any claim that an intruder was not on notice, so violators can be punished more easily. Failure to notify an unauthorized user that it is a Government system may make prosecution more difficult, regardless of how much damage is done to the system.

If any EEOC office has implemented an externally connected system which does not have the required screen warning, processing should be suspended until the situation is corrected. OIT should be consulted for assistance in this matter.

All EEOC workstations which access the primary EEOC Network display a warning banner upon initial power-on and every time a user logs in. The word "Welcome" is not used in the warning banner because this may imply that anyone is welcome to access the system. The EEOC warning banner states:

EEOC's Computer Systems Important Notice

This is an Equal Employment Opportunity Commission Computer System. This system is intended to support official government business. Any information on this system is subject to recording, copying, reading, or interception by authorized personnel, including the Office of Inspector General. Use of this system constitutes consent to any such action and acknowledgment that there is no reasonable expectation of privacy with respect to any information or communications on this system.

Unauthorized users may be subject to civil and criminal penalties or administrative action for computer fraud or abuse.
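The following script is an added example, not part of the EEOC order, showing how the Appendix D requirement can be deployed and audited on a Unix host. It writes the banner text above to a file, checks that the text satisfies the stated rules (non-empty, no "Welcome", identifies a Government system, warns unauthorized users, records consent to monitoring), and checks that sshd is configured to show that file before authentication. The file paths, the function names and the sshd_config parsing are illustrative assumptions; EEOC's actual hosts and configuration may differ.

```shell
#!/bin/sh
# Added example (not part of the EEOC order): deploy the Appendix D warning
# banner on a Unix host and audit that it is actually shown before log-on.
# File paths are illustrative assumptions; EEOC's real hosts may differ.

# Write the banner text exactly as Appendix D states it. Quoting the heredoc
# delimiter keeps the shell from expanding anything inside the text.
write_eeoc_banner() {
    cat > "$1" <<'EOF'
EEOC's Computer Systems Important Notice

This is an Equal Employment Opportunity Commission Computer System. This system is intended to support official government business. Any information on this system is subject to recording, copying, reading, or interception by authorized personnel, including the Office of Inspector General. Use of this system constitutes consent to any such action and acknowledgment that there is no reasonable expectation of privacy with respect to any information or communications on this system.

Unauthorized users may be subject to civil and criminal penalties or administrative action for computer fraud or abuse.
EOF
}

# Return 0 if the banner file satisfies the order's requirements, 1 otherwise.
banner_is_compliant() {
    f="$1"
    if [ ! -s "$f" ]; then
        echo "FAIL: banner file $f is missing or empty"
        return 1
    fi
    # Appendix D forbids "Welcome": it implies anyone may use the system.
    if grep -qi 'welcome' "$f"; then
        echo "FAIL: banner contains the word 'Welcome'"
        return 1
    fi
    # The banner must identify a Government system, warn unauthorized users,
    # and record consent to monitoring.
    for phrase in 'government' 'unauthorized' 'consent'; do
        if ! grep -qi "$phrase" "$f"; then
            echo "FAIL: banner does not mention '$phrase'"
            return 1
        fi
    done
    return 0
}

# Return 0 if sshd_config has an active (uncommented) Banner directive that
# points at the expected file. sshd honours the first occurrence of a keyword,
# so only the first active line counts; a commented "#Banner none" does not.
# Only the "Banner <path>" form is handled here, not "Banner=<path>".
sshd_banner_configured() {
    cfg="$1"
    expected="$2"
    active=$(grep -Ei '^[[:space:]]*Banner[[:space:]]+' "$cfg" 2>/dev/null \
        | head -n 1 | awk '{print $2}')
    if [ "$active" = "$expected" ]; then
        return 0
    fi
    echo "FAIL: $cfg Banner is '${active:-<unset>}', expected '$expected'"
    return 1
}

# Full audit: banner text is compliant and sshd shows it before authentication.
# $1: sshd_config path, $2: banner file path
audit_login_banner() {
    banner_is_compliant "$2" && sshd_banner_configured "$1" "$2"
}

# Typical use on a host (run as root):
#   write_eeoc_banner /etc/issue.net
#   audit_login_banner /etc/ssh/sshd_config /etc/issue.net && echo PASS
```

The sshd Banner directive is sent before the client authenticates, which is what "prior to the log-on sequence" requires; local console logins read /etc/issue instead, so the same text should be written there too. On Windows workstations the equivalent control is the "Interactive logon: Message title/text for users attempting to log on" Group Policy settings, stored as the LegalNoticeCaption and LegalNoticeText values under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System.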