Introduction
Each user of our Classified Computer system is required to read and sign the Code of Conduct statement. This signed statement shall be maintained by the computer user's Information Technology Department Security Officer (ITDSO) or designee, for the period that the user requires access to classified computing. The ITDSO shall keep the original, signed Code of Conduct and the user shall be given a copy for his/her records.
Additional MPRM Group User Responsibilities
The attached document describes MPRM Group's Computer Use Policy. This policy is binding on all MPRM Group employees, and all MPRM Group contractors using MPRM Group computers.
Each user of a Classified Computer system is required to read and sign the Code of Conduct statement. This signed statement shall be maintained by the computer user's Information Technology Department Security Officer (ITDSO) or designee, for the period that the user requires access to classified computing. The ITDSO shall keep the original, signed Code of Conduct and the user shall be given a copy for his/her records.
My signature (the user) on this Code of Conduct acknowledges that I have read the attached document entitled "MPRM Group Code of Conduct for Classified Computer Users".
________________________________________
Signature / Date
This list of computer use policies and security rules applies to all personnel using MPRM Group computers or networks. Line managers are responsible for implementing these policies and rules in their organization and ensuring that users are aware of their responsibilities. This requirement applies to both classified and unclassified operations. All personnel should retain a copy for reference and audit purposes.
Computers and network systems are inherently insecure. All personnel, and particularly users, are cautioned that in general these technologies are not "private." Therefore users should not expect privacy when using systems or networks. Take appropriate protective measures, protecting sensitive information and applications accordingly. The following represents MPRM Group's minimum requirements; your management may have additional requirements. Questions concerning these rules should be addressed to your supervisor, manager, or ISSO.
Computers, software, and communications systems provided by MPRM Group are to be used only for work-related purposes (as determined by the responsible manager). The use of this equipment or software for personal or non-work-related activity is prohibited. The MPRM Group Incidental Computer User Policy does NOT apply to classified computers.
All cleared employees are responsible for assisting in the close supervision of the visible components of the PDS and are to report any suspicious activity.
Users are accountable for their actions and may be held liable to administrative or criminal sanctions for any unauthorized actions found to be intentional, malicious, or grossly negligent.
Users are not to access or attempt to access systems or information for which they are not authorized. Users are not to attempt to receive unintended messages or access information by some unauthorized means, such as imitating another system, impersonating another user or other person, misuse of legal user credentials (User IDs, passwords, etc.), or by causing some network component to function incorrectly. Users are not to possess or transfer information for which they are not authorized.
All software used on MPRM Group computers must be appropriately acquired and used according to the appropriate licensing. This means that any illegally copied software or use is expressly prohibited. Software used on classified systems must be approved (generically or specifically) by the appropriate ISSO.
A user identifier (name or employee number), known as a User ID, and a password are required of all users of a multi-user system (two or more users). Passwords are protected commensurate with (equal to) the data and system they protect. Passwords must be changed at least every six months. Passwords must be at least six (6) characters long, not found in a dictionary, and cannot be the name of a person, place, or thing. Passwords for classified systems must be machine generated using a method approved by DOE. Passwords must not be shared with any other person, except when necessary with the system Information System Security Officer on your site or by authority of the MPRM Group Computer Security Manager. The password must be changed as soon as possible after an unauthorized exposure or suspected compromise.
Users must not introduce or use malicious software such as computer viruses, Trojan horses, or worms.
Users are prohibited from changing access controls to allow themselves or others to perform actions outside their authorized privileges.
Users are not allowed to prevent others or other systems from performing authorized functions by actions that deny their access or their communications capability, deliberately suppress their messages, or generate frivolous or unauthorized traffic.
Users are prohibited from taking unauthorized actions to intentionally modify or delete information or programs.
Users are not allowed to reconstruct or recreate information or software for which they are not authorized.
All network users must be registered with their system administrator, ISSO, or as otherwise appropriate to that network's requirements.
All MPRM Group personnel, organizations, and subcontractors are responsible to address, safeguard against, and report misuse, abuse, and criminal activity. These activities should be reported to the Safeguards and Security (S&S) Department, Investigations Section. The MPRM Group Computer Security Organization initiates and participates in appropriate investigative activities. The following general definitions may be helpful in recognizing reportable issues.
Misuse--Waste (activities that negatively impact system or work performance) of computer time or resources. Examples include activities unrelated to MPRM Group, such as CHATs, shopping, generating personal letters, holiday greetings, party invitations, membership lists or playing games unrelated to the employee's work assignment or responsibilities.
Abuse--Intentional destruction, denial of service or use, unauthorized alteration of software, hardware or information, or intentional circumvention of security rules.
Criminal--Illegal activities including fraud, personal gain, or copyright violations, etc.
MPRM Group networks, as well as computers and users, will be assessed by the MPRM Group Computer Security Assessment Teams on a periodic and "for cause" basis.