Technology is now a fact of everyday life. From smart phones to tablets, from laptops to desktop computers, information technology is ubiquitous. Security violations are now far more prevalent with the use of information technology systems. Just as with Handling Protected Information (Guideline K), the use of information systems guideline refers to any sensitive system, not just classified systems. In addition, misuse of information technology systems may be adjudicated under the Personal Conduct guideline (Guideline E) in place of this guideline or simultaneously with it.
Use of Information Technology Systems
The Concern: Noncompliance with rules, procedures, guidelines or regulations pertaining to information technology systems may raise security concerns about an individual’s reliability and trustworthiness, calling into question the willingness or ability to properly protect sensitive systems, networks, and information. Information Technology Systems include all related computer hardware, software, firmware, and data used for the communication, transmission, processing, manipulation, storage, or protection of information.
Conditions that could raise a security concern and may be disqualifying include:
(a) illegal or unauthorized entry into any information technology system or component thereof;
(b) illegal or unauthorized modification, destruction, manipulation or denial of access to information, software, firmware, or hardware in an information technology system;
(c) use of any information technology system to gain unauthorized access to another system or to a compartmented area within the same system;
(d) downloading, storing, or transmitting classified information on or to any unauthorized software, hardware, or information technology system;
(e) unauthorized use of a government or other information technology system;
(f) introduction, removal, or duplication of hardware, firmware, software, or media to or from any information technology system without authorization, when prohibited by rules, procedures, guidelines or regulations.
(g) negligence or lax security habits in handling information technology that persist despite counseling by management;
(h) any misuse of information technology, whether deliberate or negligent, that results in damage to the national security.
Conditions that could mitigate security concerns include:
(a) so much time has elapsed since the behavior happened, or it happened under such unusual circumstances, that it is unlikely to recur or does not cast doubt on the individual’s reliability, trustworthiness, or good judgment;
(b) the misuse was minor and done only in the interest of organizational efficiency and effectiveness, such as letting another person use one’s password or computer when no other timely alternative was readily available;
(c) the conduct was unintentional or inadvertent and was followed by a prompt, good-faith effort to correct the situation and by notification of supervisor.