Assessment, Cleanup & Redevelopment Exchange System (ACRES)
Rules of Behavior
The Assessment, Cleanup & Redevelopment Exchange System (ACRES) serves the EPA Office of Brownfields and Land Revitalization (OBLR) as a production analytical system to track information and measure performance of the Brownfield grants/pilots under the Brownfields Program. All ACRES users share the responsibility and accountability for maintaining the confidentiality, integrity and accessibility of ACRES and the data it contains. Users must agree to follow the system rules as a condition for access to ACRES, as stipulated under the Federal Information Security Management Act of 2002, Public Law 107-347 and the Office of Management and Budget (OMB) Circular A-130, Section 8b(3), Securing Agency Information Systems, as analyzed in A-130, Appendix IV: Analysis of Key Sections. Supplemental information is provided in A-130, Appendix III.
General ACRES Rules of Behavior
The Rules of Behavior apply equally to ACRES users in HQ, at EPA contractor facilities, and in regional facilities. Users receiving the Rules of Behavior document will be required to sign off on their agreement to the Rules of Behavior. Failure to adhere to the rules listed in this document may result in one or more of the following administrative or legal actions:
- Suspension of access privileges.
- Oral reprimand.
- Written reprimand.
- Position suspension or removal.
Specific rules of behavior which apply to all ACRES users are:
- Notify the appropriate personnel of security incidents immediately. If in doubt, contact the ACRES U.S. EPA OSWER/OBLR System Owner/Application Manager.
- Notify the appropriate ACRES contacts when staff have terminated or changed positions so that their access to ACRES can be terminated. If you are a HQ user or Regional Data Coordinator, contact OBLR. If you are an ACRES Contractor user, contact the ACRES SRA Security Officer. If you are a Regional user other than the Regional Data Coordinator, contact the Regional ACRES Data Coordinator. Inform these contacts that you wish to be removed from the ACRES users list when access to ACRES is no longer needed. Regional Data Coordinators should contact OBLR to ensure all accounts are modified or terminated, as appropriate.
- Do not use ACRES information in a way that would adversely affect public confidence in the integrity of EPA.
- Do not attempt to perform actions or processing for which you do not have authorization. Actions related to ACRES are tracked in Oracle log files.
- Do not use ACRES information for private gain.
- Do not use your system privileges to obtain data files or run ACRES for anyone who is not authorized to do so.
- Maintain security by correctly using established security mechanisms and practices when accessing the ACRES application as well as the EPA LAN.
- Log out and turn off your PC when you leave the facility.
- Follow all virus protection procedures as set forth in the Local Area Network Security Policies and Procedures Manual. Know how to use virus scanning software and do not use disks from other machines without first scanning them.
- Protect computers used to access ACRES from hazards such as food, drink, smoke, water, and excessive heat.
- Follow all ID and password terms and conditions for accessing ACRES through WAM. Refer to the following URL for the specific steps in the creation and maintenance of a WAM/ACRES user ID and password: WAM Privacy and Security Notice. These terms and conditions include:
  - Using 8 characters or more in your WAM password.
  - Using a mix of alpha and numeric characters - do not use easily guessed passwords (e.g., family names, birthdays, sports team names, or words that can be found in the dictionary).
  - Protecting your WAM password. This includes not divulging your password to any other individual; not storing it in an unprotected location; and not allowing it to be written into computer scripts to achieve automated login.
Protect both the integrity and quality of information. Information integrity can be corrupted through intentional alteration or accidental damage.
- Attend ACRES user training. Take appropriate training before using ACRES to learn how to correctly enter data.
- Review the quality of information as it is collected, generated, and used to make sure it is accurate, complete, and up-to-date.
- Use protective measures to ensure against accidental loss of information integrity.
- Prevent unauthorized changes, damage, destruction or tampering with information.
- Do not manipulate information inappropriately.
- Create only authorized records.
- Be alert to unauthorized attempts to use your user IDs and passwords; report unauthorized attempts to a security official.
- Use a password on your screen saver.
- Do not ask anyone for their password.
- Do not use someone else’s user ID and password.
- If your password becomes known to anyone, change it immediately via the methods established by WAM.
- Participate in security training as required. All ACRES users with TSSMS accounts (or who are planned to have TSSMS accounts for ACRES use) must have completed the annual EPA Mandatory IT Security Awareness Training.
- Read security information available in ACRES manuals, electronic mail, log-in messages, and other sources.
- Follow all procedures and comply with all written policies related to ACRES security.
- Maintain up-to-date knowledge of ACRES requirements.
Security violations usually consist of everyday waste and negligence. Left unchecked, such violations can create a serious problem that requires costly emergency corrective action. It is easy for users to become complacent if they have never experienced the devastating results of a serious security breach. Nevertheless, it is each user’s responsibility to report any form of security violation, whether it is waste, fraud, abuse, or unethical behavior.
- Report security vulnerabilities and violations as quickly as possible to proper authorities (e.g., your Regional Data Coordinator, the ACRES Contractor Team, or the ACRES U.S. EPA OSWER/OBLR System Owner/Application Manager) so that corrective action can be taken.
- Report vulnerabilities and violations to the ACRES Data Coordinator in the Regions and the ACRES team in HQ.
- Take reasonable action immediately upon discovering a violation to prevent additional damage, such as logging out of the application.
- Cooperate willingly with official action plans for dealing with security violations.
The ‘ACRES User Rules of Behavior’ also apply to users in special circumstances. The rules are meant to provide extra guidance focused on especially high responsibility for information security. These users include work-at-home and other remote users, managers, and privileged users, which include those with special access privileges for system development and administration.
Work-at-Home and Other Remote Users
Remote users must establish security standards at their workplace sufficient to protect hardware, software, and information. A higher level of responsibility for information security lies with remote users for two major reasons: 1) the user works unobserved and 2) the work environment falls outside the protection of a secure EPA or contractor facility. Remote users must take the initiative to understand issues related to their work environments. This means staying abreast of EPA policies concerning work-at-home.
- Ensure that adequate security provisions are implemented in your remote work environment.
- Have only those resources you really need and have authority to use.
- Establish a thorough understanding and agreement with your supervisor as to what your security responsibilities are.
- Protect enforcement sensitive information from disclosure. (Note: at this time ACRES does not contain enforcement sensitive information – but in the future, ACRES may be connected with/share enforcement sensitive information with other EPA applications).
- Establish security at an appropriate level for the equipment and information in your possession - ensure that enforcement sensitive data that is downloaded is secure, and that dial-in access is secure.
- Adhere to all provisions of employer/employee agreements related to off-site work.
- Accept access to agency systems at the minimum level necessary to perform your job.
- Be alert for anomalies and vulnerabilities, reporting these to proper officials and seeking advice when necessary.
- Use special measures to protect information and access capabilities across dial-up lines.
- Avoid uploading and downloading sensitive information.
Managers must serve as leaders in information security by establishing a climate of awareness, ethical standards, and responsibility. Managers must keep their knowledge of security issues and policies up-to-date so that they can counsel employees. High morale contributes to a good security program. When there is open communication and a good relationship between employees and managers, fewer security violations will occur; those that do are easier to rectify. Managers must be alert to vulnerabilities and violations within their organizations. They must be aware of employees with personal problems, such as substance abuse, financial difficulties, or poor relationships with co-workers. When these problems exist, fraud, waste and negligence are more likely to occur. Managers must set up their organizational structure and procedures so that everyone is accountable for his/her actions. Even more important is the manager’s responsibility to instill an ethical sense of accountability in his/her employees.
- Emphasize information security as a priority issue with employees.
- Encourage employees to take advantage of ACRES training and materials.
- Ensure that ACRES application and support systems users have the appropriate training.
- Establish means of detecting thefts and abuses of information resources.
- Be alert to threats to and vulnerabilities of information and information systems, including personal and morale problems.
- Initiate action to rectify security vulnerabilities and violations.
- Record, investigate, and resolve all security violations in addition to reporting them to appropriate security officials.
- Plan and carry out actions to reduce damage from security incidents.
- When an employee terminates or changes status, take the following actions:
  - Notify OBLR, SRA security personnel, and regional system administrators to ensure their ACRES accounts are inactivated and WAM/ACRES accounts are terminated.
  - With friendly termination, follow an orderly process that guarantees continued availability of the employee’s information.
  - Find out where the former employee stored information and how to access it.
  - Counsel the terminating employee on non-disclosure of enforcement sensitive information. Remind the employee of his/her duty to protect enforcement sensitive information from unauthorized disclosure. (Note: at this time ACRES does not contain enforcement sensitive information – but in the future, ACRES may be connected with/share enforcement sensitive information with other EPA applications).
- Serve as a leader by setting an example in applying principles.
- Be alert for employees with personal problems such as low morale.
- Establish separation of duties.
- Ensure employees get adequate and appropriate training to conduct their functions.
- Implement ACRES rules of behavior, ensuring ACRES users have read and understand the rules.
- Remind the employee of his/her duty to protect sensitive information from unauthorized disclosure.
Privileged users include system administrators, those who have access to change control parameters for software, database administrators, those who control user passwords and access levels, and troubleshooters/system maintenance personnel. Privileged users must make an effort to notice the threats to and vulnerabilities of ACRES, calling these to the attention of management and working to develop effective countermeasures. System developers must adhere to sound development practices in the development process. Software must be designed and programmed to perform accurately according to user requirements.
- Use special access privileges only when they are needed to carry out a specific system function.
- Never use special privileges for personal business, gain, or entertainment.
- Use precautionary procedures and technical measures to protect your privileged account from fraudulent use.
- Develop software to perform as specified by user requirements.
- Do not add functions not requested by users.
- Watch for unauthorized use of information resources, including the presence of unauthorized software and data.
- Alert the appropriate personnel when a system goes down or experiences problems.
- Assist with recovery activities.
- Obtain documentation and direction on how to perform tasks.
- Follow ACRES procedures and plans.
- Recommend security controls for securing the ACRES application and data.
- Do not use programs for non-work purposes.
- Help train users on appropriate use and security of system.
- Watch for cases where the same individual has responsibility for several functions (such as data entry, analysis, and output); this could be an opportunity for abuse.
- Watch for unscheduled or unauthorized programs running on a recurring basis.
- Track all security incidents occurring within your area of responsibility.
- Take action to reduce damage due to security violations.
- Follow all EPA and NCC standards and procedures.
- Ensure that the ACRES application documentation related to your task is complete and/or up-to-date.
- Test application, technical, and operational security controls before implementation.
- Notify the appropriate personnel of security violations immediately.
- Follow rules defined for general LAN users and ACRES application users.
- Do not attempt to modify code unless you have authorization to do so.
- Follow all EPA standards and procedures, including the EPA Hardware and Software Standards; and Design and Development Guidance. EPA policies for configuration management must be followed at all times.
- Ensure that the ACRES application documentation related to your task is complete and/or up-to-date.
- System Administrators will use the system administrator's account only when the job task being performed requires system administrator access.
- System Administrators will not establish access to ACRES for any new user unless authorized to do so.
- Contractors requiring access to ACRES may only be issued an ID upon approval by a manager. The contractors should be provided access to only those specific resources required to perform the task they are contracted to perform.
- Contractors are required to sign non-disclosure agreements (these are available from the System Administrators in the Regions and the ACRES team in HQ).
ACRES System Manager Rules of Behavior:
System managers must consider the information security implications inherent to the PC platform when storing and processing sensitive information on PCs. In addition, confidentially-sensitive data must not reside on systems to be used as public access systems unless access controls can be guaranteed. The following specific rules apply to all ACRES system managers:
- Recommend and apply security mechanisms to enforce ACRES information security policies.
- Ensure that ACRES application documentation is complete and up-to-date.
- Ensure that the application and data are backed up as defined in the ACRES Security Plan and NCC Contingency Plan.
- Be prepared for an emergency. Know where the monthly backups are stored.
- Follow rules defined for ACRES application users. Do not attempt to view, change, or delete data unless you are authorized to do so. Complete only those tasks for which you are responsible.
- Conduct ongoing security reviews of the ACRES application to ensure adherence to security policy. Review application audit trails weekly. Notify the appropriate personnel of security policy violations immediately.
- Provide ACRES application passwords. Do not provide access to the application to anyone not authorized for access.
- Ensure that no one person has sole access to or control over confidentially sensitive ACRES information and processing resources.
Security Agreement for Users Requesting Access to ACRES Data
I have read the ACRES user rules. I understand that in violating these rules, I may lose system access privileges, face disciplinary procedures or even legal consequences. I agree to follow the ACRES security rules as outlined above.
These rules will not be distributed to grantees in grantee facilities, due to the nature of the trusted login provided by WAM and the inability for grantees to access other users' data with a write capability.
Frank Gardner (Gardner.Frank@epa.gov)
As of 3/15/2013. ACRES-Tech (firstname.lastname@example.org)