
Rules of Behavior

for the use of Third-Party Web Applications made available through the Surveillance Data Platform as Public Services

V1.0, March 1, 2016


Purpose


These rules of behavior establish the privacy and information security requirements for the use of Third-Party Web Applications (TPWAs) in conjunction with the Surveillance Data Platform (SDP). These rules of behavior were developed to ensure that CDC and its confidential information and technologies are not compromised, and to protect general CDC interests and services from risks associated with the use of TPWAs, while allowing for the increased efficiencies and cost savings that come with appropriate use of third-party services.

Scope


These rules of behavior apply to federal employees, contractors, and all external SDP users who will access TPWAs from the SDP directly or use them with non-sensitive data obtained from the SDP.  All engagement with TPWAs related to the SDP will be governed by these rules of behavior.

Ownership


The Office of Public Health Scientific Services (OPHSS) assigns two stewards in charge of rules and policy compliance: a Business Steward and a Technical Steward. The business and security stewards are responsible for establishing policy and providing approval, while the technical steward fulfills requests from SDP users. Users requesting access to TPWAs that have not been approved yet need to assign a main and a backup point of contact (POC) with the business steward, as well as provide a justification to the security steward.

The security steward is responsible for the security of the SDP and its impact on the CDC network and compliance with CDC security policies. All users, including POCs, are responsible for adherence to this policy and associated processes. Where there is not a rule of behavior that provides explicit guidance, users must do their best to safeguard CDC and its network and services from security risks.

Rules of Behavior


All new users of the SDP must read and acknowledge these rules before using any of the approved TPWAs. This acknowledgment must be completed annually, and establishes the user's agreement to adhere to these rules.

      • I understand that I must complete security awareness and records management training annually in order to comply with the latest security and records management policies.

      • I understand that I must also follow the Rules of Behavior for use of HHS Information Resources.

      • I understand that I must not use, share, or store any kind of sensitive data (health status, provision or payment of healthcare, PII, etc.) with TPWAs under ANY circumstance.

      • I will not knowingly conceal, falsify or remove information.

      • I understand that I can only use non-sensitive and/or publicly available data in TPWAs.

      • I understand that all passwords I create to set up TPWA accounts need to comply with CDC’s password policy.

      • I understand that the steward reserves the right to moderate all SDP-related data at any time.

      • I understand my responsibilities to protect systems and data as specified by CDC policies.

Enforcement


Users looking to use TPWAs as potential services of the SDP who are unable to follow these rules of behavior will not have authorization to do so. Any users who violate these rules of behavior or CDC security policies may be subject to action, up to and including revoking access to TPWAs as part of the SDP. Technical and security stewards have the right to enforce these rules of behavior based on violations at any time.

Points of Contact


References






