Privacy and Security
Why Security Is Important For Everyone!
All users of the Veterans
Information Portal should be aware that any system can potentially
contain valuable and sometimes sensitive government and/or personal
information, which must be protected to prevent disclosure,
unauthorized changes, and loss. Each part of a system can introduce
vulnerabilities to the whole, so protection must be consistent in
order to be effective. On a larger scale, since these resources are
typically connected to VA and other sensitive government networks
(e.g., Social Security Administration, Internal Revenue Service,
Department of Defense), any system compromise is a potential threat on
a grand scale to the Federal Government.
User Information and Contacts
This site provides you with the
following information when you are granted authorized user privileges
on the Veterans Information Portal. After that, it is your
responsibility to stay up-to-date on key personnel and phone numbers
to assist you in using the Veterans Information Portal.
Your unique personal identifier
(User ID) on the system. Your User ID will be used to control your
access to parts of the system and for auditing your activities on the
Your password on the system. The
system will ask for your password to authenticate your identity,
before granting you access. You may get a temporary password; if you
do, the system will ask you for a new one the first time you log on.
You should also be notified of any requirements for password length,
content, duration, etc.
Password: ********* Do not write
this down. ************
Your Access Privileges
Your access privileges may be
limited to a specific list of areas, programs, and applications.
Veterans Information Portal System Administrator
Phone number: Department of
Veterans Affairs Facility Locator and Directory
Loan Guaranty Program
Who to Call for IS Security Problems
You should know who this is and
the preferred contact method.
Phone number: Department of
Veterans Affairs Facility Locator and Directory
Loan Guaranty Program
The Veterans Information Portal Environment General Information
All users of the Veterans
Information Portal and Associated applications must read and abide by
these Rules of Behavior.
Users will process only data that
pertains to authorized and official business as set by the Department
of Veterans Affairs and the Veterans Benefits Administration.
Sensitive Data Considerations
Unclassified but sensitive
information on all VA IS resources should be protected as For Official
Use Only (FOUO).
The following categories are examples of information
that is normally FOUO:
- Personal information subject to the Privacy Act of 1974,
including Social Security Number and benefits information.
- Reports that disclose security vulnerabilities.
- Information that could
result in physical risk to individuals.
- All output that contains
FOUO information should be so marked or labeled by the user who
generated the material, and then stored or transmitted with
appropriate protection. The designation "For Official Use Only" should
be marked, stamped or permanently affixed to the top and bottom of the
outside of the front and back covers (if any), on the title page and
on all pages of documents or information requiring such control. All
diskettes or other magnetic media containing sensitive information
should be similarly labeled and stored in locked containers (e.g.,
desks, filing cabinets, etc.).
- Sensitive documents that are no
longer needed should be shredded.
- Magnetic media (e.g., diskettes
and hard drives) that have been used to store sensitive information
may contain information even after the files are deleted. The
information may be recoverable, even if a normal directory listing of
the medium says it is empty. Before discarding magnetic media, users
should do one of the following:
- Degauss (erase all magnetic patterns
on) the media.
- Destroy the magnetic medium physically (open the
plastic floppy disk casing, remove the disk, and shred it).
- Use an
approved software program to completely delete all files on the medium
and overwrite them with ones and zeroes.
- If you need assistance in
disposing of magnetic media, please email firstname.lastname@example.org and you will
be directed to the appropriate information security personnel.
Do not share your password or
accept another user's password if offered. Sharing passwords defeats
the system's user identification and authentication mechanisms. In
addition to sharing access privileges, participants share liability
for any unauthorized behavior traced to the shared User ID and
password. Your password should be
something you can easily remember.
Your password should not be
something that another can guess. Do not use the name of your spouse,
pets, or children, or words found in a dictionary. Single-word
passwords are susceptible to being guessed by software routines that
check every word in the dictionary.
VIP Help Desk assistants have no
way to look up your password. If you forget it, use the Lost Password
function located on the Login Page.
The system will prompt you to
change your password every 90 days.
A new password cannot be one you
have used recently.
If there is a reason, you may
change your password before the end of 90 days. If there is a
compelling reason to change the existing password before the end of
the three-day period (such as a suspected compromise), please use the
Change Password function on the Login Page.
Users will be locked out of the
system after three (3) consecutive incorrect password entries and will
be required to use the Lost Password function to unlock and/or receive
a temporary password. You may also contact email@example.com.
Passwords are case sensitive.
Users should not attempt to enter a password with the "caps lock" key
enabled and should not cut and paste.
This site uses electronic mail
that is intended for official and authorized purposes only. Electronic
mail from this site exercises common sense, good judgment, and
propriety in communicating with users for a variety of reasons. The
presumption is that any email sent by the system automatically or by
VA systems administrators in a support will only be done so in an
authorized manner as prescribed by supervisors.
In no case will the personal use
of government resources be allowed to interfere or pose a hazard to
the security of government data or resources, or reflect adversely on
the VA or the Federal Government. The VA may revoke the privilege of
authorized use at any time for any perceived misuse of government
The following are prohibited uses
of the Veterans Information Portal:
- Possessing or distributing child pornography is a federal
- Anyone caught submitting child pornography through a government
Information System will be prosecuted.
- VA does not recognize any
legitimate reason for the use of pornography of any sort.
- Accessing any pornographic material through this site is considered fraud,
waste, and abuse of government resources and will be reported to the
VA Information System Security Manager (ISSM) and ISO.
- Transmitting, storing, or distributing offensive material (e.g.,
racist literature, material, or symbols).
- Viewing, damaging,
deleting, or interfering with the functioning of any system or any
other person's files or communications.
- Attempting to circumvent or
disable any Internet security or auditing system.
- This includes
disabling virus detection mechanisms and modifying or altering the
operating system of the hardware used to connect to this site.
Transmission of Data Over the Internet
Transmission of data over the
Internet requires the use of appropriate safeguards. Sensitive and
"FOUO" information must not be transmitted over the Internet unless
appropriate safeguards (e.g., encryption) have been implemented.
Specific requirements are as follows: FOUO
and Sensitive Unclassified Information, as defined in the Computer
Security Act of 1987, should be encrypted using an NSA-approved Type 1
or Type 2 cryptosystem or a National Institute of Standards and
Technology (NIST) approved Type 3 cryptosystem before transmitting
material over the Internet.
Occasionally, users need to call
upon administrators at various levels in order to obtain services or
meet requirements for a specific task. Some routine occasions are
When you start a new job, or your
job description changes, email firstname.lastname@example.org for access requirements
When you need to obtain
registration information, or change or terminate your access, email
email@example.com for access requirements and parameters.
When you need other access
privileges in order to do your job, email firstname.lastname@example.org or contact
your VA Regional Office or Regional Loan Center.
When you find that your access to
VA resources is beyond what you need to do your job, email
email@example.com or contact your VA Regional Office or Regional Loan
All Veterans Information Portal
users are held strictly accountable for their actions while on the
system. User activity may be monitored and system activity audited to
detect unauthorized behavior. Unauthorized activity may result in a
warning, reprimand, loss of access, formal disciplinary action, or
even legal action (such as a fine or imprisonment).
Unauthorized activities include:
- Entering unauthorized, inaccurate, or false information.
- Do not delete or manipulate information inappropriately.
- Using data for
which you have not been granted authorization.
- Do not explore data or
IS capabilities that are not related to your job or attempt to access
information which you do not have authority to access.
- If you have any
questions about the limits of your authorization, consult your
supervisor for clarification.
- Retrieving information for someone who
does not have access to it himself/herself, except as specifically
authorized by Access Role and User Type.
- Storing or processing
classified national security information from a VA system. If, for any
reason, classified information is introduced to a VA system, notify
- Leaving your computer logged in to the Veterans
Information Portal, but unprotected. Log off your workstation whenever
you are away from the immediate work area, unless a screen saver
feature with a password enabled is properly invoked.
Your Role In Protecting the Veterans Information Portal Resources
Ensure that unauthorized personnel
cannot view any data that is visible on the workstation monitor
Invoke an appropriate level of
protection whenever you leave your workstation unattended. For short
periods (visiting the restroom, or retrieving output from a printer
that is out of sight of your workstation), you may use a
password-protected screen saver feature. When you will be away from
your workstation for longer periods of time (such as when going to
another floor or leaving the building), log off the workstation. The
following guidelines will be followed when using the screen saver
Only screen savers provided with
the system (e.g., Microsoft Windows) should be used. No other screen
savers are to be installed.
The user must invoke the password
option for the screen saver. The user will generate the password
The user will ensure that the
screen saver activates before leaving the workstation unattended. This
must be done, because there are conditions in a session that will
delay or preclude the screen saver from activating (the print pop-up
is present on the screen, data exchanges are occurring between server
and workstations, etc.).
Ensure printouts are retrieved as
soon as possible. Output should not be left unattended for any longer
than is necessary.
Protect your equipment
(workstation, diskettes, etc.) from physical damage.
Safeguard VA resources against
abuse or unauthorized use.
Scan all disks for viruses before
use, especially if they are received from external sources.
Discontinue use of any VA IS resources that show indications of being
infected by a virus and immediately report any incidents to
Report any security incidents or
suspected security incidents, including computer virus infections, to
your IT Department. The term "security incident" includes any event
that may result in the disclosure of sensitive information to
unauthorized individuals, or that result in unauthorized access,
modification or destruction of system data, loss of system processing
capability, or loss or theft of any computer system media.
Challenge any unauthorized
personnel in your work area.
Rules of Behavior / VIP Administrators
These Rules of Behavior apply to all VA information systems.
- In addition to compliance with the Rules of Behavior that apply to all users, designated administrators are responsible for:
- Verifying the adequacy and authenticity of a new user's request before authorizing the creation of his/her new user account.
- Becoming thoroughly familiar with and complying in all respects with the requirements of the VA IS Rules of Behavior.
- Supporting and providing assistance to users in the performance of their duties and responsibilities relating to the security of the VA systems.
- Managing the deletion of user accounts.
- For any questions related to the Veterans Information Portal, please draft an email with your full name, address, and phone number and send it to firstname.lastname@example.org, addressed to the Security Administrator. All requests will be processed.