Chapter 8 - Information Technology Security For Remote Access
Part 8 - Information Resources Management
- PURPOSE. This chapter establishes the policies and procedures to be followed to ensure Indian Health Service (IHS) Information Technology (IT) resources are appropriately protected when authorizing the remote access of IHS automated information and systems.
- It is the IHS's intent to implement an IT security program that complies with Federal laws, regulations, and directives, and communicates uniform policies for the protection and control of IT resources directly or indirectly relating to the activities of the Agency.
- It is IHS policy, as documented in the "Health and Human Services (HHS) Automated Information Systems Security (AISS) Handbook," to implement an AISS program to ensure that its automated information and systems have a level of security commensurate with the risk and magnitude of the harm that could result from the loss, misuse, disclosure, or modification of the information or system.
- Telework arrangements requiring remote access to IT resources are powerful tools if implemented correctly. Benefits include the following:
- Employees whose work meets management's criteria for working off-site have greater flexibility and higher morale.
- Managers can effectively manage off-site employees.
- For the public, there is the potential for reduced traffic congestion and environmental pollution.
- While offering potential benefits, remote access to IT resources introduces new risks to the security of IHS's automated information and systems as well as to the privacy of the clients the IHS serves. For example, without appropriate safeguards to protect the integrity of the electronic functions and processes the employee working remotely is to perform, the following security issues could occur:
- Confidential information could be unintentionally disclosed.
- Sensitive data could be altered or deleted.
- Malicious software could be introduced to the user and/or IHS office equipment.
- Systems sign-on identifications and passwords could be intercepted and reused to access systems and data files without authorization.
- Identifying, implementing, and using appropriate safeguards is required if the IHS is to protect the integrity of the electronic processes when accessing IT resources remotely.
- Security concerns exist for users who use remote access techniques to access IHS systems and information at their normal work sites.
- All IT security practices must be viewed as enablers without which telework and other remote access work arrangements could not be allowed.
- Enhanced telecommunications resources allow employees to work at home or in other virtual office environments (e.g., from special telecommuting centers or while on travel), to have access to IHS data for authorized use, and to maintain contact with co-workers and managers while away from their official IHS work site.
- Given the widespread nature of the IT client landscape, an appropriate architecture for secure remote access is dependent on tiered authentication based on risk and vulnerability, and a viable, well-managed Intranet solution.
- SCOPE. This chapter applies to all IHS organizational components including but not limited to Headquarters, Area Offices, and service units conducting business for and on behalf of the IHS through contractual relationships when using IHS IT resources. The policies contained in this chapter apply to all IHS IT activities including the equipment, procedures, and technologies employed in managing these activities. The policy includes teleworking, travel, other off-site locations, and all IHS office locations. Agency officials shall apply this chapter to contractor personnel, interns, externs, and other non-Government employees by incorporating such reference in contracts or memorandums of agreement as conditions for using Government-provided IT resources.
This policy does not apply to telework arrangements when telework does not involve remote access.
- "Standards of Ethical Conduct for Employees of the Executive Branch," 5 Code of Federal Regulations (CFR), 2635A
- "Information Technology Management Reform Act of 1996," Clinger-Cohen Act, Division E, Public Law (P.L.) 104-106
- "Computer Fraud and Abuse Act of 1986," P.L. 99-474
- "Computer Security Act of 1987," P.L. 100-235
- Department of Health and Human Services Information Resources Management (IRM) Policy, "Information Technology Security for Remote Access," HHS-IRM-2000-0005, January 8, 2001
- Department of Health and Human Services, Information Technology Architecture (ITA), developed by HHS ITA Group, Assistant Secretary for Management and Budget, Deputy Assistant Secretary for IRM (April 2000)
- The "HHS Automated Information Systems Security (AISS) Program Handbook," May 1994
- "Implementing Standards of Ethical Conduct for Employees of the Executive Branch," Executive Order 12674 B, Part 1
- Office of Management and Budget Circular No. A-130, "Management of Federal Resources", Appendix III, "Security of Federal Automated Information Resources"
- Presidential Decision Directive 63, "Critical Infrastructure Protection," May 22, 1998
- July 11, 1994, President Clinton Memorandum, "Adopting the National Performance Review Program Recommendation for Expanded Opportunities for Federal Workers to Participate in a Flexible Work Arrangement"
- June 21, 1996, President Clinton Memorandum to Executive Heads of Departments and Agencies, "Implementing Federal Family Friendly Work Arrangements"
- "Privacy Act of 1974," P.L. 93-579
- "Telecommunications Management Policy," 41 CFR, 101-35.201
(1) AISS Automated Information Systems Security
(2) CFR Code of Federal Regulations
(3) CIO Chief Information Officer
(4) HHS Department of Health and Human Services
(5) IHM Indian Health Manual
(6) IHS Indian Health Service
(7) IRM Information Resources Management
(8) IT Information Technology
(9) ITA Information Technology Architecture
(10) ROM Read-Only-Memory
- Authorized Telework. Work performed by an employee away from his or her duty station that requires connectivity for data transmission.
- Firmware. The Read-Only-Memory (ROM)-based software that controls a computer between the time it is turned on and the time the primary operating system takes control of the machine. The firmware's responsibilities include testing and initializing the hardware, determining the hardware configuration, loading (or booting) the operating system, and providing interactive debugging facilities in case of faulty hardware or software.
- Information Technology. Any equipment or interconnected system or subsystem of equipment used in the automatic acquisition, storage, manipulation, management, movement, control, display, switching, interchange, transmission or reception of data or information by the agency. Information technology includes computers, ancillary equipment, software, firmware and similar procedures, services (including support services), and related resources. It does not include any equipment acquired by a Federal contractor incidental to a Federal contract. For purposes of this definition, equipment is "used" by the IHS whether the IHS uses the equipment directly or it is used by a contractor under a contract with the IHS that:
- requires the use of such equipment; or
- requires the use, to a significant extent, of such equipment in the performance of a service or the furnishing of a product.
- Remote Access. Computer access to IHS networks or systems by authorized users accessing IHS automated information and systems from outside the protection of Agency firewalls.
- Remote Access Connections. Resource components required to provide remote access to the IHS networks, e.g., hardware, software, service, and link/signal. Requirements will vary depending on the remote access location and work to be performed.
- Security Incident. An event that may result in or has resulted in the unauthorized access to or disclosure of sensitive or classified information; unauthorized modification or destruction of systems data; reduced, interrupted, or terminated processing capability; malicious logic or virus activity; or the loss, theft, damage, or destruction of any IT resource.
- Telework. Describes a specific computing environment that uses automated information resources over a distance to accomplish work activities. As defined by the National Institute of Standards and Technology, telecommuting (or telework) is the use of telecommunications to create an "office" away from the established (physical) office. The telecommuting office may be an employee's home, a hotel room or conference center, an employee's travel site, or a telecommuting center. The telecommuter's office may or may not have the full computing functionality of the established office depending on the needs of the individual employee.
- Telecommuting Centers. Office units generally located in the outlying edge of the commuting area and often shared by multiple organizations. Each center is equipped with workstations and services to enable an employee to accomplish his or her official duties without commuting to the main duty station.
- POLICY. All IHS organizational components, including Headquarters, Areas, and service units, shall assess the sensitivity and criticality of information and systems to be used or accessed at the remote site and establish appropriate security protections. Before authorizing any telework programs for employees and before an employee may use a computer to remotely access IHS IT resources, security safeguards and procedures should be in place to protect the integrity of the processes either the employee or contractor is expected to perform.
- PROCEDURES. All IHS organizational components shall comply with the following procedures when remote access to IHS IT resources is authorized:
- When accessing sensitive IHS IT resources (except for publicly available Web sites), ensure all electronic communications over the Internet between authorized users and IHS are encrypted. (Refer to applicable standards identified in IHS ITA Plan.)
- Provide authentication through, for example, the use of passwords, personal identification numbers, user identification names, biotechnology (e.g., retina or fingerprint scans, or the use of digital signature or smart tokens technology), etc. (Refer to applicable standards identified in the IHS ITA Plan.)
- Provide periodic training of employees in the use of all equipment, software, and security safeguards.
- Ensure users are aware that the unauthorized or improper use of Government office equipment can result in loss of use or limitations on the use of equipment, disciplinary or adverse actions, criminal penalties, and/or employees being held financially liable for the cost of damages resulting from any unauthorized use.
- Develop a Management/Employee Agreement that, at a minimum, outlines the work the participating employee is authorized to perform, management work expectations, and the data to be used in performing expected duties, as well as the security safeguards and procedures the employee is expected to follow.
- Ensure appropriate encryption, authenticity, non-repudiation, secure storage of files, removal, and non-recovery of temporary files created in processing sensitive data; and virus protection and intrusion detection at the level required by the Agency. If the organizational component is unable to comply, the component shall provide all work station or other necessary equipment (e.g., laptops or personal computers) and software configured to the IHS standard along with any assembly, servicing, and maintenance requirements.
- Establish mechanisms to back up data created and/or stored at the alternate work site. For example, an employee should store files on a shared file server located at the IHS-designated site since servers shall be backed up at least once daily.
- Ensure that e-mail access from any source shall be secure and encrypted, e.g., secure socket layer sessions.
- RESPONSIBILITIES. Information systems security responsibilities and accountability shall be explicit. The responsibilities and accountability of owners, providers, and users of computer systems and data, and other parties concerned with the security of information systems, shall be documented.
- Chief Information Officer. The IHS Chief Information Officer (CIO) is responsible for the following:
- Developing and disseminating information concerning recommended safeguards.
- Developing and disseminating the potential security threats and concerns of remote IHS automated information and systems access.
- Implementing the policies, procedures, and practices to ensure IHS systems, programs, and data are secure and protected from unauthorized access that might lead to the alteration, damage, destruction, or theft of automated resources; or the unintended release of data, and denial of service.
- Ensuring all IHS employees and contractors comply with this policy.
- Information System Security Officers. The IHS Information System Security Officers are responsible for the following:
- Ensuring all IHS personnel in their respective organizations are aware of this policy and incorporating it into telework and remote access briefings and training programs.
- Promptly notifying the IHS CIO of computer security incidents (or suspected incidents) resulting from remote access.
- Ensuring information security notices and advisories are distributed to appropriate IHS personnel and vendor-issued security patches are installed on IHS software expeditiously.
- Supervisors and Managers. Supervisors and managers shall ensure the following:
- An appropriate Management/Employee Agreement is signed by every employee approved for telework.
- Their staff (Federal and contractor resources) have been trained concerning their security responsibilities, including the need to report any computer security incidents (or suspected incidents) when remotely accessing IHS information and systems or when teleworking.
- Employees. Employees shall do the following:
- Report any security incident or suspected incident to management as soon as possible during or after it occurs according to Part 8, Chapter 9, "Establishing an Incident Response Capability," Indian Health Manual (IHM).
- Use IHS provided equipment and software for authorized activities only. Employees are prohibited from using such equipment for private or inappropriate purposes (Refer to Part 8, Chapter 6, "Limited Personal Use of IHS Information Technology Resources," IHM).
- Protect IHS equipment and data from intentional or accidental alteration (including data deletion), theft, or breach of confidentiality by any or all of the following, as appropriate:
- Storing all sensitive data in encrypted form.
- Using and securely storing removable storage media.
- Using physical or cyber locks.
- Placing work stations in secure areas.
- Refraining from sharing passwords or other secure information with other individuals.
- Agreeing to permit periodic inspections of Government-owned IT equipment and software the employee is using to ensure proper maintenance, e.g., to install software updates and security patches. The employee shall be given at least 2 business days advance notice.
- Agree to allow the IHS to install and apply new or enhanced software and hardware. The IHS shall provide at least 2 business days advance notice unless the update is deemed a security emergency.
- Apply required safeguards (refer to 8-8.1I(1), above) to protect Government/Agency records from unauthorized disclosure or damage, and comply with the Privacy Act requirements set forth in the Privacy Act of 1974, P.L. 93-579, codified at Section 552a, Title 5, United States Code.
- Sign and agree to abide by the provisions, requirements, and expectations of the Management/Employee Agreement.
- Chief Information Officer. The IHS Chief Information Officer (CIO) is responsible for the following: