Assessment, Cleanup & Redevelopment Exchange System (ACRES)
Rules of Behavior

The Assessment, Cleanup & Redevelopment Exchange System (ACRES) serves the EPA Office of Brownfields and Land Revitalization (OBLR) as a production analytical system to track information and measure performance of the Brownfield grants/pilots under the Brownfields Program. All ACRES users share the responsibility and accountability for maintaining the confidentiality, integrity and accessibility of ACRES and the data it contains. Users must agree to follow the system rules as a condition for access to ACRES, as stipulated under the Federal Information Security Management Act of 2002, Public Law 107-347 and the Office of Management and Budget (OMB) Circular A-130, Section 8b(3), Securing Agency Information Systems, as analyzed in A-130, Appendix IV: Analysis of Key Sections. Supplemental information is provided in A-130, Appendix III.

General ACRES Rules of Behavior
The Rules of Behavior apply equally to ACRES users in HQ, at EPA contractor facilities, and in regional facilities. The users receiving the rules of behavior document[1] will be required to sign off their agreement to the Rules of Behavior. Failure to adhere to the rules listed in this document may result in one or more of the following administrative or legal actions:

Specific rules of behavior which apply to all ACRES users are:

Protect both the integrity and quality of information. Information integrity can be corrupted through intentional alteration or accidental damage.

Security violations usually consist of every day waste and negligence. Left unchecked, such violations can create a serious problem that requires costly emergency corrective action. It is easy for users to become complacent if they have never experienced the devastating results of a serious security breach. Nevertheless it is each user’s responsibility to report any form of security violation, whether it is waste, fraud, abuse, or unethical behavior.

The ‘ACRES User Rules of Behavior’ also apply to users in special circumstances. The rules are meant to provide extra guidance focused on especially high responsibility for information security. These users include: work at home and other remote users, managers, and privileged users which include those with special access privileges for system development and administration.

Work-at-Home and Other Remote Users
Remote users must establish security standards at their workplace sufficient to protect hardware, software, and information. A higher level of responsibility for information security lies with remote users for two major reasons: 1) the user works unobserved and 2) the work environment falls outside the protection of a secure EPA or contractor facility. Remote users must take the initiative to understand issues related to their work environments. This means staying abreast of EPA policies concerning work-at-home.

Managers must serve as leaders in information security by establishing a climate of awareness, ethical standards, and responsibility. Managers must keep their knowledge of security issues and policies up-to-date so that they can counsel employees. High morale contributes to a good security program. When there is open communication and a good relationship between employees and managers, fewer security violations will occur; those that do are easier to rectify. Managers must be alert to vulnerabilities and violations within their organizations. They must be aware of employees with personal problems, such as substance abuse, financial difficulties, or poor relationships with co-workers. When these problems exist, fraud, waste and negligence are more likely to occur. Managers must set up their organizational structure and procedures so that everyone is accountable for his/her actions. Even more important is the manager’s responsibility to instill an ethical sense of accountability in his/her employees.

Privileged Users:
Privileged users include: system administrators, and those who have access to change control parameters for software, data base administrators, those who control user passwords and access levels, and troubleshooters/system maintenance personnel. Privileged users must make an effort to notice the threats to and vulnerabilities of ACRES, calling these to the attention of management and working to develop effective countermeasures. System developers must adhere to sound development practices in the development process. Software must be designed and programmed to perform accurately according to user requirements.

ACRES System Manager Rules of Behavior:

System managers must consider the information security implications inherent to the PC platform when storing and processing sensitive information on PCs. In addition, confidentially-sensitive data must not reside on systems to be used as public access systems unless access controls can be guaranteed. The following specific rules apply to all ACRES system managers:

Security Agreement for Users Requesting Access to ACRES Data

I have read the ACRES user rules. I understand that in violating these rules, I may lose system access privileges, face disciplinary procedures or even legal consequences. I agree to follow the ACRES security rules as outlined above.

[1] These rules will not be distributed to grantees in grantee facilities, due to the nature of the trusted login provided by WAM and the inability for grantees to access other users' data with a write capability.

[2] Frank Gardner (

[3] As of 3/15/2013. ACRES-Tech(