BUSINESS - PRACTICE 28
Acceptable Use of Information Resources (Rules of Behavior)
WHAT
This practice establishes TVA’s Acceptable Use of Information Resources (Rules of Behavior) Policy.
WHO
This policy applies to TVA employees, contractors, grantees, other federal agencies, state and local governments, industry partners, and others who possess TVA information or who operate, use, or have access to TVA’s information systems. In addition, the policy applies to every information system and network that stores or processes TVA data, and includes hardware, software, media, facilities, and data owned or in the custody of TVA, or operated for TVA by any contractor, federal agency, state and local government, industry partner, or other outside organization even if those systems and networks are located external to TVA. This policy also applies when TVA information is used within equipment that is acquired by a TVA contractor incidental to a TVA contract.
WHY
It is the policy of TVA to implement security controls to protect the confidentiality, integrity, and availability of TVA’s information commensurate with the criticality and sensitivity of the information, and to protect the privacy to which individuals are entitled. TVA shall implement such controls consistent with applicable federal laws and regulations and industry best practices.
HOW
As a TVA employee, contractor, or other person authorized to access TVA information resources, you are required to be aware of, and to comply with the following acceptable use requirements. Information resources include computers, servers, telecommunication devices, and other peripherals that allow users to perform day-to-day business activities, such as the processing, transporting, and sharing of data. It also includes data and the media containing data.
To protect the confidentiality, integrity, and availability of TVA’s information, whether in documentary (hard copy) or electronic form, and to protect the privacy to which individuals are entitled, the following requirements are established.
I. ALL TVA INFORMATION RESOURCES, INCLUDING HARDWARE, SOFTWARE, PROGRAMS, FILES, PAPER REPORTS, AND DATA, ARE THE SOLE PROPERTY OF TVA.
A. Use of all TVA computer resources assigned, controlled, accessed, and/or maintained is subject to periodic review and audit.
B. Use of TVA information resources may be monitored and recorded (use of TVA information resources indicates consent to monitoring and recording).
C. Unauthorized use of TVA information resources is prohibited and subject to disciplinary action and criminal and civil penalties.
II. POLICY, STANDARDS, AND PROCEDURES TO BE FOLLOWED
A. Use of TVA information resources shall be in accordance with the following TVA policies (all available on InsideNet under Processes and Business Rules).
- Business Practice 27, Information Systems Security
- Business Practice 29, Information Security
- Communications Practice 1, Access to and Protection of Personal Information
- Communications Practice 6, Records Management
- Communications Practice 7, Accessing and Using TVA Intranet and Electronic Mail Resources
- Communications Practice 8, Accessing and Using TVA Corporate Computing Resources
- TVA-SPP-12.3, Mobile and Remote Access to TVA’s Information Resources
B. TVA Business Units may develop and issue policies that are more restrictive than this policy and the policies referenced above, but may not issue any policy that relaxes any of the requirements specified by this policy or those referenced above.
III. YOU MAY BE HELD RESPONSIBLE FOR ALL ACTIONS PERFORMED WITH YOUR PERSONAL USER ID AND PASSWORD
A. With the exception of limited personal use as outlined in Communications Practices 8 and 9, your user ID and password must be used solely for the performance of your official TVA job function.
B. User IDs and passwords are for your individual use only and should not be shared. All shared IDs must be formally approved by the responsible Designated Approving Authority (DAA) in writing (complete and submit Form TVA 20044 per the instructions on the form for DAA approval). In most cases, the responsible DAA will be the Senior Vice President (SVP), Information Services (IS).
C. You must take necessary steps to prevent anyone from gaining knowledge of your password.
1. Your password must meet the following password complexity requirements.
a. Valid characters are A-Z, a-z and 0-9.
b. Must be exactly 8 characters long.
c. Must contain at least one UPPER case and one lower case character.
d. Must contain at least one number.
e. Passwords may not be reused.
f. Your password cannot contain your Windows (network) user name (example: jhdoe) or part of your full name.
g. Your password cannot contain common patterns of letters or numbers like "Abcd1234".
h. Your password cannot be a correctly spelled word of 5 characters or more that would be found in a dictionary. For example, if you wanted to use Obelisk1 as your password an acceptable way to use it would be 0Belisk1, where the number zero is used in place of the letter O.
2. Your password must be changed at least every 90 days.
3. You must not disclose your password to anyone.
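The eight complexity rules in III.C.1 are a checkable specification. The following is an added example of a checker for them, written for this page and not TVA’s own tooling. It assumes a small constructed word list in place of a real dictionary, treats a "common pattern" (rule g) as any run of four consecutive ascending or descending letters or digits, splits the full name on whitespace to find name fragments for rule f, and models the reuse rule (e) with a caller-supplied set of SHA-256 fingerprints of earlier passwords; all of these are assumptions, since the page does not say how TVA implements them.

```python
"""Checker for the password rules a-h in III.C.1 (added example, not TVA code)."""
import hashlib
import re
from typing import Iterable, List

# Constructed stand-in for a real dictionary (assumption; a real check would load a word list).
DICTIONARY = {"obelisk", "password", "summer", "welcome", "tennessee", "valley"}


def fingerprint(password: str) -> str:
    """Fingerprint used for the reuse check. SHA-256 is a demonstration choice only;
    a real password history should use a slow, salted hash."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def _sequential_run(s: str, length: int = 4) -> bool:
    """True if s contains `length` characters stepping by +1 or -1 in ASCII order,
    e.g. 'abcd', '1234' or 'dcba'. Heuristic for rule g (assumption)."""
    t = s.lower()
    for i in range(len(t) - length + 1):
        window = t[i:i + length]
        steps = {ord(b) - ord(a) for a, b in zip(window, window[1:])}
        if steps == {1} or steps == {-1}:
            return True
    return False


def _contains_dictionary_word(s: str, dictionary=DICTIONARY, min_len: int = 5) -> bool:
    """True if any substring of at least min_len characters is a dictionary word (rule h)."""
    t = s.lower()
    for i in range(len(t)):
        for j in range(i + min_len, len(t) + 1):
            if t[i:j] in dictionary:
                return True
    return False


def check_password(password: str, username: str, full_name: str,
                   history_hashes: Iterable[str] = ()) -> List[str]:
    """Return the list of violated rules (an empty list means the password is acceptable)."""
    problems = []
    if not re.fullmatch(r"[A-Za-z0-9]*", password):
        problems.append("a: valid characters are A-Z, a-z and 0-9")
    if len(password) != 8:
        problems.append("b: must be exactly 8 characters long")
    if not (re.search(r"[A-Z]", password) and re.search(r"[a-z]", password)):
        problems.append("c: must contain at least one upper and one lower case character")
    if not re.search(r"[0-9]", password):
        problems.append("d: must contain at least one number")
    if fingerprint(password) in set(history_hashes):
        problems.append("e: passwords may not be reused")
    lowered = password.lower()
    # Name fragments of 3+ letters, e.g. "John H. Doe" -> ["john", "doe"] (assumption).
    name_parts = [re.sub(r"[^a-z]", "", p.lower()) for p in full_name.split()]
    name_parts = [p for p in name_parts if len(p) >= 3]
    if username.lower() in lowered or any(p in lowered for p in name_parts):
        problems.append("f: must not contain your user name or part of your full name")
    if _sequential_run(password):
        problems.append("g: must not contain common patterns like Abcd1234")
    if _contains_dictionary_word(password):
        problems.append("h: must not contain a dictionary word of 5 or more characters")
    return problems


if __name__ == "__main__":
    for candidate in ("Obelisk1", "0Belisk1", "Abcd1234"):
        print(candidate, check_password(candidate, "jhdoe", "John H. Doe") or "OK")
```

Run as written, the two candidates from rule h behave as the policy describes: "Obelisk1" is rejected for containing a dictionary word, while "0Belisk1" passes every rule.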
D. If your personal user ID and password are utilized without your knowledge, cooperation, or gross negligence, you will not be held accountable for such security breaches.
IV. ACCESS TO INFORMATION RESOURCES MUST BE CONTROLLED.
A. Access only information for which you are authorized and/or have a need to know in the performance of your official duties. Do not copy information for which you are not authorized to removable storage media (e.g., CDs, DVDs, tapes, “thumb drives,” etc.).
B. Do not establish new wired or wireless network local area networks (LANs) or wide area networks (WANs). IS must approve and facilitate the installation of all new wired and wireless networks.
C. Do not connect any computer system (except for TVA-owned laptop systems) or any other network device such as a printer to the TVA network via a LAN connection or onsite wireless connection, or a modem to any TVA standalone or networked computer system without getting approval through the applicable change management process. The applicable change management process will ensure that necessary forms and/or agreements are completed prior to the change being approved. Refer to TVA-SPP-12.3, Mobile and Remote Access to TVA Information Resources for requirements on mobile and remote access to TVA’s network.
D. Do not connect non-TVA-owned devices including “Thumb drives” to TVA-owned computer systems.
E. Do not leave computers logged on and unattended. Log off, use the “lock workstation” feature, or use access control software (e.g., a password-enabled screensaver) when leaving the workstation unattended.
F. The general public must not be permitted to access TVA’s information resources, except through public websites, public kiosks, and other systems specifically designed for public access.
G. To safeguard TVA’s information resources, Form TVA 20042 must be completed for any Vendor requiring access to the Internet to perform a presentation or product demonstration from a Vendor-owned computer system through TVA’s network. Form TVA 20042 specifies the terms the Vendor must agree to prior to such access.
V. YOU ARE RESPONSIBLE FOR THE PROPER USE OF YOUR ASSIGNED INFORMATION RESOURCES.
A. The following activities are strictly prohibited:
1. Peer-to-peer (P2P) file sharing with resources external to TVA’s network - includes, but is not limited to, the following P2P applications.
a. BitTorrent
b. eDonkey
c. Gnutella
d. Morpheus
e. Kazaa
f. eMule
g. WinMX
h. LimeWire
i. Napster
j. BearShare
2. User changes to security settings - includes, but is not limited to, disabling or tampering with installed anti-virus software, intrusion detection software, firewalls, audit trails, or system logs.
3. User installing software including security patches/updates - includes installation of software by individuals other than authorized IS or security administrators. All applications installed for users must be approved, listed on their TVA Functional Applications Profile (FAP), and handled by IS. Approved and tested software and operating systems patches are delivered to employees’ systems through automated deployments or manually installed by IS employees.
4. Other than for personalized backgrounds, storage of non-TVA information on TVA servers and other electronic storage devices - includes storage of non-business related information (pictures, documents, music, or other files).
5. Using TVA information resources to operate a non-TVA-owned business.
6. Knowingly introducing malicious code (e.g., viruses, worms, Trojans, etc.) into any TVA computer system, software, or data storage medium.
7. Attempting to access TVA’s network with a non-TVA owned system or device containing system administration, network administration, hacker, or vulnerability scanning tools.
8. Storing National Security Information (Secret, Top Secret, etc.) on any system not authorized for safeguarding such information including any TVA network resource or on your assigned personal computer (PC).
B. The following activities are strictly prohibited unless approved by the responsible DAA in writing (complete and submit Form TVA 20044 per the instructions on the form for DAA approval). In most cases described below, the responsible DAA will be the SVP, IS.
1. Blogging - ranges from the writing of one occasional author to the collaboration of a large community of writers, and in scope from individual diaries to arms of political campaigns, media programs, and corporations. Many weblogs enable visitors to leave public comments, which can lead to a community of readers centered around the blog; others are non-interactive.
2. P2P file sharing with resources internal to TVA’s network.
3. Instant Messaging
4. Installing hacker or vulnerability scanning tools on any system or device assigned to you.
C. Unless documented in your job description OR approved by the responsible DAA in writing (complete and submit Form TVA 20044 per the instructions on the form for DAA approval), you are not authorized to have network or system administration tools installed on your assigned system or device.
D. Information must be handled according to the TVA Information Security Policy referenced above.
E. You must use only TVA-approved software as specified on your Functional Application Profile (FAP) and comply with vendor software license agreements.
F. You should back-up all essential data stored on your PC on a regular basis. If a network file share is utilized to maintain your data files, it is automatically backed up by the IS organization.
G. If you have administrator rights on the network or on systems critical to the security of the network (such as firewalls, intrusion detection/prevention systems, etc.), you must not log on with an ID having administrator rights to perform routine work unless the use of the “runas” command is not a viable option for the task or tasks to be performed.
VI. REQUIRED INFORMATION SECURITY TRAINING
A. New employees and contractors must be exposed to basic information security and privacy awareness material prior to being granted access to TVA information systems, and are required to complete acceptable use training within ten calendar days of gaining such access.
B. Employees and contractors must complete refresher awareness training annually.
VII. INCIDENT REPORTING
If you know that a person, other than yourself, has used or is using your user ID, or if you know of any person violating these acceptable use requirements including those referenced in related policies, you must report the incident or suspected incident immediately to the IT Service Center (ITSC) at 423-751-4357 or itsc@tva.gov.
VIII. COMPLIANCE REQUIREMENT
A. Failure to comply with these requirements may be cause for disciplinary action, up to and including dismissal, consistent with TVA’s Employee Discipline Policy or applicable TVA contract for contractors, grantees, other federal agencies, state and local governments, industry partners, and others.
B. If a user does not complete required acceptable use or awareness training, the user’s network ID shall be disabled and not enabled until the required training is completed.
ROLES
Agency Head - The Agency Head provides oversight for TVA’s Information Security and Privacy Program and ensures that adequate resources are available to support the success of the program.
Chief Information Officer (CIO) - The SVP of IS serves as the agency CIO and is responsible for the organization’s information system planning, budgeting, investment, performance, and acquisition. As such, the CIO provides advice and assistance to senior agency officials in acquiring the most efficient and effective information system to fit the organization’s enterprise architecture. The CIO is also responsible for managing TVA’s Information Security and Privacy Program, both within TVA and with external business partners and other federal agencies, and for ensuring compliance with the program.
Designated Approving Authority (DAA) - The DAA is responsible for approving the final categorization of systems as (or part of) general support system or major application and for formally approving (accrediting) the operation of a general support system or major application at an acceptable level of risk.
Information System Owner or Program Manager - The Information System Owner/Program Manager:
· represents programmatic interest during the acquisition process and must be aware of functional system requirements;
· facilitates the development of system-level implementing procedures for necessary security controls; and
· ensures that proper controls are in place to address integrity, confidentiality, and availability of the systems and data they own.
Information System Security Officer (ISSO) - The ISSO is responsible for ensuring the security of an information system throughout its life cycle. The responsibilities include the development and maintenance of the system security plan and ensuring that controls specified in the plan are implemented and maintained.
Inspector General (IG) - The IG is responsible for promoting the efficiency, effectiveness, and integrity of TVA’s Information Security and Privacy Program. This responsibility is accomplished, in part, by performing independent and objective security audits, investigations, and inspections to evaluate compliance of the program to established federal laws, regulations, and accepted best practices. The IG responsibilities may also be met by performing an annual, comprehensive review of the TVA’s Information Security and Privacy Program.
Manager and Equivalents - Each Manager (all levels) or other equivalent is responsible for the security of information and information systems within their business unit or business component. As such, they will have centralized responsibility for the enforcement of this policy within their business unit or business component.
Organization Security Officer (OSO) - The OSO is designated by an organization’s senior officer, serves as the primary point of contact and coordinator with the business unit for all IT security matters, and is responsible for the implementation of TVA’s Information Security and Privacy Program within that organization. The OSO is also responsible for performing periodic reviews to ensure that their organization is adhering to the provisions of the Information Security and Privacy Program.
Senior Agency Information Security Officer (SAISO) - The Senior Manager of Information Services, IT Security serves as the SAISO. The SAISO is responsible for carrying out the CIO information security responsibilities such as developing and maintaining TVA’s Information Security and Privacy Program and ensuring compliance with the program. This individual plays a leading role in introducing an appropriate, structured methodology to help identify, evaluate, and minimize information security risks to an organization. The SAISO:
· serves as the CIO’s principal point of contact for all matters relating to the security of TVA’s systems and information resources;
· develops, establishes, promulgates, maintains, and enforces information security policies, procedures, and standards to ensure the confidentiality, integrity, and availability of TVA’s information resources and to ensure compliance with federal laws and regulations and accepted best practices in information security and privacy;
· facilitates the development of agency-level implementing procedures for security controls;
· monitors, evaluates, and reports to the CIO on the status and adequacy of the Information Security and Privacy Program within TVA;
· provides oversight, guidance, and support to TVA’s information security and privacy personnel; and
· conducts periodic reviews to ensure that TVA is adhering to the provisions of the Information Security and Privacy Program.
Senior Agency Official for Privacy (SAOP) - The SVP of IS serves as the SAOP and is responsible for policies regarding protection, dissemination (information sharing and exchange) and information disclosure to ensure agency compliance with the Privacy Act and privacy provisions of the E-Government Act.
TVA Employee, Contractor, and Other - All TVA employees, contractors, grantees, other federal agencies, state and local governments, industry partners, and others who possess TVA information or who operate, use, or have access to TVA’s information systems are responsible for:
· Complying with this policy and information security-related communications, plans, practices, procedures, and standards issued as part of the Information Security and Privacy Program.
· Completing mandatory security awareness, training, and education commensurate with assigned duties.
· Reporting all security and privacy incidents related to TVA information and information systems and violations of this policy (including implementing procedures) to TVA’s ITSC.
TVA Officer - Each TVA Officer is administratively and operationally responsible for overseeing the establishment, maintenance, and enforcement of the Information Security and Privacy Program requirements within their respective business unit.
DEFINITIONS
Availability - The security goal that generates the requirement for protection against:
· Intentional or accidental attempts to (1) perform unauthorized deletion of data or (2) otherwise cause a denial of service or data; and
· Unauthorized use of system resources.
Confidentiality - The security goal that generates the requirement for protection from intentional or accidental attempts to perform unauthorized data reads. Confidentiality covers data in storage, during processing, and in transit.
General Support System (GSS) - An interconnected information resource under the same direct management control that shares common functionality. It normally includes hardware, software, information, data, applications, communications, facilities, and people and provides support for a variety of users and/or applications. Individual applications support different mission-related functions. Individual applications may be from the same or different organizations.
Information - An instance of a specific category of information (e.g., privacy, medical, proprietary, financial, investigative, contractor sensitive, security management) defined by an organization, or in some instances, by a specific law, Executive Order, directive, policy, or regulation.
Information System - A discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information.
Integrity - The security goal that generates the requirement for protection against either intentional or accidental attempts to violate data integrity (the property that data has when it has not been altered in an unauthorized manner) or system integrity (the quality that a system has when it performs its intended function in an unimpaired manner, free from unauthorized manipulation).
Major Application - An application that requires special attention to security due to the risk and magnitude of harm resulting from the loss, misuse, or unauthorized access to it. A major application may comprise many individual application programs and hardware, software, and telecommunication components, and can be either a major software application or a combination of hardware/software where the only purpose of the system is to support a specific mission-related function.
National Security Information - Information that has been determined pursuant to Executive Order (E.O.) 12958 as amended by E.O. 13292, or any predecessor order, or the Atomic Energy Act of 1954, as amended, to require protection against unauthorized disclosure, and is marked (Secret, Top Secret, etc.) to indicate its classified status when in documentary form. National Security Information is synonymous with Classified Information. NOTE: TVA does not have “Authority to Classify” and will not designate information as National Security Information; however, individuals holding requisite security clearances and having the appropriate need to know may work with information previously designated as National Security Information by an agency having “Authority to Classify” in performing assigned duties.
Network - Communication capability that allows one user or system to connect to another user or system and can be part of a system or a separate system. Examples of networks include LANs or WANs, including public networks such as the Internet.
Risk - The possibility of harm or loss to any software, information, hardware, administrative, physical, communications, or personnel resource within an automated information system or activity.
RESOURCES
- Information Services, Enterprise IT Security Training Plan
Last Revised 03/08