TCN Cybersecurity Policy – The Corps Network

Introduction

What is the Purpose of the Cybersecurity Policy?

The intent of the TCN Cybersecurity Policy is to provide guidance for all TCN employees, contractors, interns/temporary employees, and Subgrantees concerning information and personal security. Everyone plays a major role in preventing security vulnerabilities that can lead to system compromises and hinder our mission or facilitate unauthorized disclosure of sensitive information. An individual’s actions can affect the security of TCN information and information technology (IT) systems. Knowledgeable users are the foundation of a successful Cybersecurity program.

Who is Covered by the Rules of Behavior?

The Rules of Behavior extend to all TCN employees, contractors, interns, temporary employees, Subgrantees, and volunteers using TCN’s IT systems or accessing TCN information under formally established agreements. Users must be fully aware of, and abide by TCN Cybersecurity policies.

What is Sensitive Information?

Sensitive information contains data that must be protected from unauthorized access to safeguard the privacy or security of an individual or organization. Protection of sensitive information may be required for legal or ethical reasons, for issues pertaining to personal privacy, or for business/proprietary considerations. Some examples of sensitive information include the following: medical, procurement, budget, system/application vulnerability, and personally identifiable information (PII). Sensitive information must be protected against loss, disclosure, or alteration because of the risk and magnitude of harm that could result.

What is Personally Identifiable Information (PII)?

The term PII refers to any data field that could potentially identify a specific individual, either by itself or when combined or linked to other identifiable information. PII must be protected from disclosure. The following are examples of PII:

Name and at least one other piece of information that links back to one specific person
Mother’s maiden name
Social Security Number
Passport number
Date of birth
Driver’s license number
Place of birth
Taxpayer identification number
Fingerprints
Bank account information
Non-business phone numbers, emails, and addresses
Credit card numbers.
Photos

PII includes any other information that is linked or linkable to an individual’s identity, such as:
Medical, Financial, Educational, Employment

User Rules of Behavior

PII – Access Restrictions and Protections

I will access PII only as needed to complete authorized TCN work.
I will ensure there is no unauthorized sharing of either verbal or written PII, (e.g., in response to links in emails, queries on websites, questions asked).
I will not save PII to non-TCN equipment including when accessing PII via the TCN virtual private network (VPN), mobile devices, or any other means.
I will ensure that written or verbal PII is disclosed only to recipients who have a need to know, and are authorized to handle and process it.
I will minimize the collection and use of PII in performance of my official duties.
I will not attempt to gain unauthorized access to systems or information (including PII).
I will use Secure File Transfer (available via TCN’s Dropbox), rather than email, for distributing documentation with PII to recipients outside of the TCN network; (i.e., recipients with an email address not ending with ‘@thecorpsnetwork.org’).
I understand that I may share PII or other sensitive information with people outside the TCN network only when:◦ The information is needed to complete official AmeriCorps business
◦ The information is sent using Secure File Transfer or is retained in an authorized TCN Dropbox account using controlled access privileges.

◦ The information is needed to complete official AmeriCorps business

◦ The information is sent using Secure File Transfer or is retained in an authorized TCN Dropbox account using controlled access privileges.

I will protect PII on my mobile devices. I understand that I must not send to or store TCN sensitive information or PII on non-TCN Furnished Equipment devices (e.g. personal smartphones, tablets, etc.).
I will immediately remove the hard copy from the machine after the print job is complete.
I will immediately dispose of hard copy that has PII or other sensitive information when it is no longer needed;
I will not disclose any PII contained in any system of records, except as authorized by applicable laws, regulations, or TCN/CNCS policies.

Access to the TCN/AmeriCorps System

I understand that I will be held accountable for my actions while accessing TCN/AmeriCorps systems.
I understand that I am only authorized access to systems required to perform my official duties.

Acceptable Use

I understand TCN resources such as email, instant messaging, SharePoint, texting, photos, or any other communication methods should not be used for inappropriate or illegal activities; including but not limited to the following:
◦ Sexually explicit/oriented content or anything that is in violation of sexual harassment or hostile workplace laws
◦ Ethnic, racial, sexist, or other offensive comments
◦ Fraud or gambling
◦ Illegal weapons, terrorist activities, or the planning or commission of any crime
I understand that accessing such prohibited activities through intermediary accounts (e.g., personal email or home Internet service providers) does not affect the prohibition. If I am using an employer computer or accessing a TCN/AmeriCorps network, I may not engage in prohibited activities at any time.
I will refrain from engaging in inappropriate IT activity (e.g., accessing peer-to-peer (P2P) music/file sharing sites; clicking on questionable hyperlinks in email or unfamiliar websites; visiting questionable websites) that could increase the exposure of the TCN network and all of its users to viruses and malware from malicious sites.
I will periodically review the My SPAM Report, quarantined email, and other sources provided to monitor the security status of my TCN emails.

Passwords and Other Access Control Measures

I will not use account credentials that belong to someone else.
I understand that I am responsible for all activity that occurs under my TCN user account.
I will choose strong passwords and take the necessary precautions to protect my account.
I will change my passwords (to other strong passwords) at least as often as required.
I will protect passwords and access numbers from disclosure.
I will not store passwords in an unsecure manner or on unencrypted devices.
I will not share my access with or disclose my account passwords to anyone. I will immediately report attempts to obtain this information (e.g., phone call, phishing1 email)

Information Protection (electronic and hardcopy data)

I will lock the session on my workstation or laptop computer whenever I step away.
I will abide by this Cybersecurity Policy when accessing TCN information systems in any manner (via VPN, personal computer, any TCN wireless service, etc.).
I will protect all PII from unauthorized disclosure, modification, or destruction.
I will use my official TCN email account and other TCN-approved communications options (e.g. Skype) to transact agency business. (See items under Records Retention below.)
I will store electronic files containing sensitive information or PII data in properly secured folders that only allow access to those with a need to know. I will not store or distribute sensitive information or PII data on unapproved systems.
I will ensure that all hard/soft copy of PII are stored in a secured location for a length of time in accordance with the approved TCN record retention schedule(s); then disposed of properly.

TCN Furnished Equipment and Telework

I understand these Rules of Behavior apply when working offsite.
I will take precautions to protect TCN property and secure information and information resources in my possession from unauthorized disclosure, theft, destruction, or misuse.
I will dispose of media (hard copy and electronic) using approved means of destruction.
When teleworking, I will follow security practices that are equivalent to those required of me at my primary workplace.
I understand that laptops, mobile, tablets and small items are subject to theft and I will protect them to the best of my ability.
I will immediately report the theft or loss of any IT-related asset to TCN.

Incident Reporting

Evidence of an incident may be as subtle as a device acting erratically; therefore, I will report any unusual behavior immediately.
I will promptly report any suspected incidents or actual violations of TCN/AmeriCorps security and/or privacy policies via email to the AmeriCorps Team or phone call (202-737-6272).

Records Retention

I understand my obligation to retain records as defined by the TCN Records Management policy. A record is defined as any material, physical or electronic, made or received by you in connection with the transaction of public business. Records reflect the transaction of agency business by documenting agency functions, policies, decisions, procedures, and/or transactions. Transacting agency business generally does not include logistical, scheduling, or administrative communications.
I will use my official TCN email account and other TCN approved communications options only to transact agency business. I will not routinely use any unofficial electronic messaging account (i.e., your personal email account or any text message account) to transact agency business, and never send sensitive information or PII via any unofficial electronic messaging account.

Penalties for Noncompliance

Users who do not comply with the Cybersecurity Policy are subject to penalties that may be imposed under federal law. These penalties include the following:

Written reprimands
Reimbursement to TCN/CNCS for unauthorized charges
Suspension of system privileges
Temporary suspension from duty
Removal from current position
Termination of employment
Criminal prosecution

I have reviewed, understand and agree to adhere to this policy:

Printed Name of AmeriCorps Program Staff

Title

Signature Date

Date

Return this signed document to TCN with your Subgrantee Agreement.

Grievance Procedures

The Corps Network is very committed to the quality of service experience each member receives. Every attempt should be made to assist members in settling problems related to their AmeriCorps service experience or residential life. In most cases, issues are resolved informally using the following Informal Resolution Procedure.

Informal Resolution Procedure – modify this per your Corps Policy

First, attempt to settle the problem with the other party on a one-to-one basis.
If this attempt is unsuccessful, attempt to settle the problem by involving your Leader/appropriate program staff.
If involving your Leader/appropriate program staff is unsuccessful, attempt to solve the problem by working with your direct supervisor.
If this attempt is unsuccessful, address the issue with the Corps/Program Director.

Be sure to document this process in writing (i.e. source of complaint, was there a verbal warning, was there a follow-up in writing, actions taken to rectify the situation, etc.) and keep a copy in the member’s file. This will be crucial if the member decides to dispute any “charges” and take further action.

Formal Resolution Procedure – per the AmeriCorps Regulations

In the event that informal efforts to resolve disputes are unsuccessful, AmeriCorps members, labor unions and other interested individuals may seek resolution through the following grievance procedures.
These procedures are not limited to any subject matter but may include such issues as assignments, evaluations, suspensions, or release for cause; and issues related to non-selection of members, displacement of employees of sponsor organizations or duplication of activities by AmeriCorps.

In accordance with 42 U.S.C. 12636 and implementing regulations at 45 C.F.R. 2540.230, the following grievance procedures have been established to deal with grievances from participants, labor organizations, and other interested individuals.

Alternative Dispute Resolution (ADR)

The member may seek resolution through ADR such as mediation or facilitation. This must be initiated within 45 calendar days from the date of the alleged occurrence. At the initial session of the dispute resolution proceedings, the party must be advised in writing of his or her right to file a grievance and right to arbitration. If the matter is resolved, and a written agreement is reached, the party will agree to forego filing a grievance in the matter under consideration.

If the member chooses to proceed with the ADR, the process must be aided by a neutral party who, with respect to an issue in controversy, functions specifically to aid the parties in resolving the matter through a mutually achieved and acceptable written agreement. The neutral party may not compel a resolution. Proceedings before the neutral party must be informal, and the rules of evidence will not apply. With the exception of a written and agreed upon dispute resolution agreement, the proceeding must be confidential.

Grievance Procedure for Unresolved Complaints

If the matter is not resolved within 30 calendar days from the date the informal dispute resolution process began, the neutral party must again inform the aggrieving party of his or her right to file a formal grievance. In the event an aggrieving party files a grievance, the neutral may not participate in the formal complaint process. In addition, no communication or proceedings of the informal dispute resolution process may be referred to or introduced into evidence at the grievance and arbitration hearing. Any decision by the neutral party is advisory and is not binding unless both parties agree.

Except for a grievance that alleges fraud or criminal activity, a grievance must be made no later than one year after the date of the alleged occurrence. If a hearing is held on a grievance, it must be conducted no later than 30 calendar days after the filing of such grievance. A decision on any such grievance must be made no later than 60 calendar days after the filing of the grievance.

Binding Arbitration

If there is an adverse decision against the party who filed the grievance, or 60 calendar days after the filing of a grievance no decision has been reached, the filing party may submit the grievance to binding arbitration before a qualified arbitrator who is jointly selected and independent of the interested parties.

If the parties cannot agree on an arbitrator within 15 calendar days after receiving a request from one of the grievance parties, the Corporations Chief Executive Officer will appoint an arbitrator from a list of qualified arbitrators.

An arbitration proceeding must be held no later than 45 calendar days after the request for arbitration, or, if the arbitrator is appointed by the Chief Executive Officer, the proceeding must occur no later than 30 calendar days after the arbitrator’s appointment.

A decision must be made by the arbitrator no later than 30 calendar days after the date the arbitration proceeding begins.

The cost of the arbitration proceeding must be divided evenly between the parties to the arbitration. If, however, a participant, labor organization, or other interested individual prevails under a binding arbitration proceeding, the State or local applicant that is a party to the grievance must pay the total cost of the proceeding and the attorney’s fees of the prevailing party.

If a grievance is filed regarding a proposed placement of a participant in a program that receives assistance under this chapter, such placement must not be made unless the placement is consistent with the resolution of the grievance.

Remedies for a grievance filed under a procedure established by a recipient of Corporation assistance may include—

Prohibition of a placement of a participant; and
In grievance cases where there is a violation of non-duplication or non-displacement requirements and the employer of the displaced employee is the recipient of Corporation assistance—
Reinstatement of the employee to the position he or she held prior to the displacement;
Payment of lost wages and benefits;
Re-establishment of other relevant terms, conditions and privileges of employment; and
Any other equitable relief that is necessary to correct any violation of the non-duplication or non-displacement requirements or to make the displaced employee whole.

The Corporation may suspend or terminate payments for assistance under this chapter.

A suit to enforce arbitration awards may be brought in any Federal district court having jurisdiction over the parties without regard to the amount in controversy or the parties’ citizenship.

To Contest a Proposed Action or a Reviewing Official’s Decision to Uphold the Proposed Action

Your written response must include specific facts that contradict the statements made in the notice of proposed action. A general statement of denial is insufficient to raise a dispute over the facts material to the proposed action. Your response should also include copies of any documents that support your argument.

If the Corporation’s reviewing official concludes that the proposed action, in full or in part, should still be implemented, you will have an opportunity to request an additional proceeding. A Corporation program director or designee will conduct a review of the complete record, including such additional relevant documents you submit. If deemed appropriate, such as where there are material facts in genuine dispute, the program director or designee may conduct a telephonic or in person meeting. If a meeting is conducted, it will be recorded and you will be provided a copy of the recording. The program director or designee will issue a decision within 30 days of the conclusion of the review of the record or meeting. The decision of the program director or designee is final and cannot be appealed further within the agency.