Privacy and Security

Why Security Is Important For Everyone!
All users of the Veterans Information Portal should be aware that any system can potentially contain valuable and sometimes sensitive government and/or personal information, which must be protected to prevent disclosure, unauthorized changes, and loss. Each part of a system can introduce vulnerabilities to the whole, so protection must be consistent in order to be effective. On a larger scale, since these resources are typically connected to VA and other sensitive government networks (e.g., Social Security Administration, Internal Revenue Service, Department of Defense), any system compromise is a potential threat on a grand scale to the Federal Government.
User Information and Contacts
This site provides you with the following information when you are granted authorized user privileges on the Veterans Information Portal. After that, it is your responsibility to stay up-to-date on key personnel and phone numbers to assist you in using the Veterans Information Portal.
Your unique personal identifier (User ID) on the system. Your User ID will be used to control your access to parts of the system and for auditing your activities on the system.
User ID: ______________________________
Your password on the system. The system will ask for your password to authenticate your identify, before granting you access. You may get a temporary password; if you do, the system will ask you for a new one the first time you log on. You should also be notified of any requirements for password length, content, duration, etc.
Password: ********* Do not write this down. ************
Your Access Privileges
Your access privileges may be limited to a specific list of areas, programs, and applications.
Veterans Information Portal System Administrator
System Administrator: VIP.VBACO@VA.GOV
Phone number: Department of Veterans Affairs Facility Locator and Directory http://www1.va.gov/directory/guide/map.asp
Loan Guaranty Program Participants: http://www.vba.va.gov/benefits/ROcontacts.htm
Who to Call for IS Security Problems
You should know who this is and the preferred contact method.
System Administrator: VIP@VBA.VA.GOV
Phone number: Department of Veterans Affairs Facility Locator and Directory http://www1.va.gov/directory/guide/map.asp
Loan Guaranty Program Participants: http://www.vba.va.gov/benefits/ROcontacts.htm
The Veterans Information Portal Environment General Information
All users of the Veterans Information Portal and Associated applications must read and abide by these Rules of Behavior.
Users will process only data that pertains to authorized and official business as set by the Department of Veterans Affairs and the Veterans Benefits Administration.
Sensitive Data Considerations
Unclassified but sensitive information on all VA IS resources should be protected as For Official Use Only (FOUO).
    The following categories are examples of information that is normally FOUO:
  • Personal information subject to the Privacy Act of 1974, including Social Security Number and benefits information. Reports that disclose security vulnerabilities.
  • Information that could result in physical risk to individuals.
  • All output that contains FOUO information should be so marked or labeled by the user who generated the material, and then stored or transmitted with appropriate protection. The designation "For Official Use Only" should be marked, stamped or permanently affixed to the top and bottom of the outside of the front and back covers (if any), on the title page and on all pages of documents or information requiring such control. All diskettes or other magnetic media containing sensitive information should be similarly labeled and stored in locked containers (e.g., desks, filing cabinets, etc.).
  • Sensitive documents that are no longer needed should be shredded.
  • Magnetic media (e.g., diskettes and hard drives) that have been used to store sensitive information may contain information even after the files are deleted. The information may be recoverable, even if a normal directory listing of the medium says it is empty. Before discarding magnetic media, users should do one of the following:
  • Degauss (erase all magnetic patterns on) the media.
  • Destroy the magnetic medium physically (open the plastic floppy disk casing, remove the disk, and shred it).
  • Use an approved software program to completely delete all files on the medium and overwrite them with ones and zeroes.
  • If you need assistance in disposing of magnetic media, please email vip.vbaco@va.gov and you will be directed to the appropriate information security personnel.
Passwords
Do not share your password or accept another user's password if offered. Sharing passwords defeats the system's user identification and authentication mechanisms. In addition to sharing access privileges, participants share liability for any unauthorized behavior traced to the shared User ID and password. Your password should be something you can easily remember.
Your password should not be something that another can guess. Do not use the name of your spouse, pets, or children, or words found in a dictionary. Single-word passwords are susceptible to being guessed by software routines that check every word in the dictionary.
VIP Help Desk assistants have no way to look up your password. If you forget it, use the Lost Password Function Located on the Login Page.
The system will prompt you to change your password every 90 days.
A new password cannot be one you have used recently.
If there is a reason, you may change your password before the end of 90 days. If there is a compelling reason to change the existing password before the end of the three-day period (such as a suspected compromise), please use the Change Password function on the Login Page.
Users will be locked out of the system after three (3) consecutive incorrect password entries and will be required to use the Lost Password function to unlock and/or receive a temporary password. You may also contact vip.vbaco@va.gov.
Passwords are case sensitive. Users should not attempt to enter a password with the "caps lock" key enabled and should not cut and paste.
Electronic Mail
This site uses electronic mail that is intended for official and authorized purposes only. Electronic mail from this site exercises common sense, good judgment, and propriety in communicating with users for a variety of reasons. The presumption is that any email sent by the system automatically or by VA systems administrators in a support will only be done so in an authorized manner as prescribed by supervisors.
General Policy
In no case will the personal use of government resources be allowed to interfere or pose a hazard to the security of government data or resources, or reflect adversely on the VA or the Federal Government. The VA may revoke the privilege of authorized use at any time for any perceived misuse of government resources.
Prohibited Uses
    The following are prohibited uses of the Veterans Information Portal:
  • Possessing or distributing child pornography is a federal crime.
  • Anyone caught submitting child pornography through a government Information System will be prosecuted.
  • VA does not recognize any legitimate reason for the use of pornography of any sort.
  • Accessing any pornographic material through this site is considered fraud, waste, and abuse of government resources and will be reported to the
  • VA Information System Security Manager (ISSM) and ISO. Accessing, transmitting, storing, or distributing offensive material (e.g., racist literature, material, or symbols).
  • Viewing, damaging, deleting, or interfering with the functioning of any system or any other person's files or communications.
  • Attempting to circumvent or disable any Internet security or auditing system.
  • This includes disabling virus detection mechanisms and modifying or altering the operating system of the hardware used to connect to this site.


Transmission of Data Over the Internet
Transmission of data over the Internet requires the use of appropriate safeguards. Sensitive and "FOUO" information must not be transmitted over the Internet unless appropriate safeguards (e.g., encryption) have been implemented. Specific requirements are as follows: FOUO and Sensitive Unclassified Information, as defined in the Computer Security Act of 1987, should be encrypted using an NSA-approved Type 1 or Type 2 cryptosystem or a National Institute of Standards and Technology (NIST) approved Type 3 cryptosystem before transmitting material over the Internet.
Interacting With Administrators
Occasionally, users need to call upon administrators at various levels in order to obtain services or meet requirements for a specific task. Some routine occasions are listed below.
When you start a new job, or your job description changes, email vip.vbaco@va.gov for access requirements and parameters.
When you need to obtain registration information, or change or terminate your access, email vip.vbaco@va.gov for access requirements and parameters.
When you need other access privileges in order to do your job, email vip.vbaco@va.gov or contact your VA Regional Office or Regional Loan Center.
When you find that your access to VA resources is beyond what you need to do your job, email vip.vbaco@va.gov or contact your VA Regional Office or Regional Loan Center.
Unauthorized Activities
All Veterans Information Portal users are held strictly accountable for their actions while on the system. User activity may be monitored and system activity audited to detect unauthorized behavior. Unauthorized activity may result in a warning, reprimand, loss of access, formal disciplinary action, or even legal action (such as a fine or imprisonment).
    Unauthorized activities include:
  • Entering unauthorized, inaccurate, or false information.
  • Do not delete or manipulate information inappropriately.
  • Using data for which you have not been granted authorization.
  • Do not explore data or IS capabilities that are not related to your job or attempt to access information which you do not have authority to access.
  • If you have any questions about the limits of you authorization, consult your supervisor for clarification.
  • Retrieving information for someone who does not have access to it himself/herself, except as specifically authorized by Access Role and User Type Storing or processing classified national security information from a VA system. If, for any reason, classified information is introduced to a VA system, notify vip.vbaco@va.gov.
  • Leaving your computer logged in to the Veterans Information Portal, but unprotected. Log-off your workstation whenever you are away from the immediate work area, unless a screen saver feature with a password enabled is properly invoked.

Your Role In Protecting the Veterans Information Portal Resources
Ensure that unauthorized personnel cannot view any data that is visible on the workstation monitor screen.
Invoke an appropriate level of protection whenever you leave your workstation unattended. For short periods, (visiting the restroom, or retrieving output from a printer that is out of sight of your workstation) you may use a password-protected screen saver feature. When you will be away from your workstation for longer periods of time (such as when going to another floor or leaving the building), log-off the workstation. The following guidelines will be followed when using the screen saver option:
Only screen savers provided with the system (e.g., Microsoft Windows) should be used. No other screen savers are to be installed.
The user must invoke the password option for the screen saver. The user will generate the password created.
The user will ensure that the screen saver activates before leaving the workstation unattended. This must be done, because there are conditions in a session that will delay or preclude the screen saver from activating (the print pop-up is present on the screen, data exchanges are occurring between server and workstations, etc.).
Ensure printouts are retrieved as soon as possible. Output should not be left unattended for any longer than is necessary.
Protect your equipment (workstation, diskettes, etc.) from physical damage.
Safeguard VA resources against abuse or unauthorized use.
Scan all disks for viruses before use, especially if they are received from external sources. Discontinue use of any VA IS resources that show indications of being infected by a virus and immediately report any incidents to vip.vbaco@va.gov.
Report any security incidents or suspected security incidents, including computer virus infections, to your IT Department. The term "security incident" includes any event that may result in the disclosure of sensitive information to unauthorized individuals, or that result in unauthorized access, modification or destruction of system data, loss of system processing capability, or loss or theft of any computer system media.
Challenge any unauthorized personnel in your work area.
Rules of Behavior / VIP Administrators
Administrators
These Rules of Behavior apply to all VA information systems.
Application Administrators
    Responsibilities
  • In addition to compliance with the Rules of Behavior that apply to all users, designated administrators are responsible for:
  • Verifying the adequacy and authenticity of a new user's request before authorizing the creation of his/her new user account.
  • Becoming thoroughly familiar with and complying in all respects with the requirements of the VA IS Rules of Behavior.
  • Supporting and providing assistance to users in the performance of their duties and responsibilities relating to the security of the VA systems.
  • Managing the deletion of user accounts.
  • For any questions related to the Veterans information Portal, please draft an email with you full name, address, and phone number and send it to vip.vbaco@va.gov address to the Security Administrator. All requests will be processed.