Rules of Behavior

Introduction

Scope and purpose
These Rules of Behavior (ROB) for general users pertain to the use, security, and acceptable level of risk for the PREA Resource Center’s Communities of Practice portal (the portal). The rules highlight that taking personal responsibility for the security of an information system and its data is an essential part of your role as a general user. The intent of the ROB is to acknowledge users’ receipt and understanding of applicable security requirements of various federal and DOJ policies and procedures. 

Who is covered by these rules?
These rules apply to all persons, hereafter referred to as general users, who have access to user accounts that are not privileged on the PREA Resource Center’s information systems. All general users are required to review and provide signature or electronic verification acknowledging compliance with these rules prior to receiving authorization to access the portal. 

What are the penalties for noncompliance?
Non-compliance with these requirements will be enforced through sanctions commensurate with the infraction. Actions may include a verbal or written warning, temporary suspension of system access, or permanent revocation, depending on the severity of the violation. In addition, activities that lead to or cause disclosure of personally identifiable information or other protected data may result in criminal prosecution.

User responsibilities

General

Security: passwords and two-factor authentication

  1. Comply with all relevant laws and use portal information and information systems for lawful, official use, and authorized purposes only.
  2. Read and accept the portal security warning banner that appears when logging onto the portal.
  3. Consent to the monitoring of any content you generate and data relevant to your use of the portal.
  4. Screen-lock or log off your computer when away from your laptop, phone, tablet, or other device used to access the portal.
  5. Do not generate, view, download, store, copy, or transmit offensive or inappropriate information in any medium, including e-mail messages, documents, images, videos, and sound files (e.g., graphic violence, pornography, hateful language, etc.).
  6. Do not use anonymizer sites to bypass the security mechanisms designed to protect the portal from malicious sites or behavior. 
  7. Do not post information on social media or public websites that allows unauthorized users to infer or obtain non-public information (e.g., system account information, personal identifiable information (PII), project status, etc.).
  8. Generally, this portal is not intended for the sharing or exchange of sensitive or protected information. If you nonetheless share or exchange such information on the portal, you agree to protect and safeguard such information commensurate with the sensitivity and value of the data at risk, including encryption of any PII being sent to other portal users.
  9. Protect and safeguard the portal and all information on the portal from unauthorized access; unauthorized or inadvertent modification, disclosure, damage, destruction, loss, theft, denial of service; and improper sanitization or use.
  10. Report any anomalous or unusual behavior, and discovered or suspected security incidents by using the portal support form.
  11. Immediately report lost or stolen passwords or other security issues to the portal support form
  12. Ensure that you complete any required training related to the use of the portal, as provided by the PREA Resource Center.

Security: passwords and two-factor authentication

  1. Change the default password upon receipt from a system administrator. The following password rules are in effect for the portal: each password must be at least eight characters in length; each password must contain at least one capitalized letter, one number, and one special character. Each password must be changed every 90 days; the system will prompt users to complete this task. 
  2. Do not share account passwords with anyone.
  3. Avoid using the same password for multiple accounts.
  4. All users must use the two-factor authentication process in use on the portal. Normally, this will require a user to confirm their identity through the use of a phone and code at the time of login. 

Hardware, software, and applications

  1. Do not attempt to install or update any hardware, software, or applications used by the portal.
  2. Do not attempt to change any configurations or settings of the operating system and security-related software, or circumvent the security controls of the system.
  3. Users should be aware that they will enjoy the full functionality of the Community of Practice systems only so long as they meet the minimum technology requirements, including, but not limited to a current and up-to-date browser; a current and up-to-date operating system; and other up-to-date technology tools that support necessary software applications (e.g., a phone that can receive notifications for two-factor authentication and other security features). Where a user relies on older, unpatched, or out-of-date technologies, the PREA Resource Center cannot guarantee that all functionality or features related to the Community of Practice site or applications will work appropriately for that user. The PREA Resource Center strongly encourages users to access the Community of Practice sites using the Chrome browser (available free of charge here). Other supported browsers include Firefox, Safari, and Edge. Internet Explorer is not supported and generally will not function with the site. 

Personally identifiable information and other sensitive information 

  1. Safeguard against breaches of information involving PII, which refers to information that can be used alone or combined with other information that can distinguish or trace an individual's identity—such as a name, social security number, biometric records, date and place of birth, mother’s maiden name, etc.
  2. Do not share or exchange PII, or sensitive or secret information about any confinement agency or facility practice, structural design, personnel, or persons in custody.