Version date: 12/22/2021 10:30:27 am
Information System Resources User Security Agreement
I understand that all the client information contained on Kansas Department for Aging and Disability Services (KDADS) computer systems/or any other agency's computer systems to which I have access is confidential. I agree not to copy and/or disclose any information regarding persons who have applied for, have received, or who are receiving public assistance, other benefits or services from KDADS to any unauthorized groups or individual; or to any person for any purpose other than the administration of the KDADS programs using these computer systems.
I also agree to protect all information available to me through interfaces with other agencies, whether the information is on the KDADS computer systems via direct computer access; from hard copy documents; or other means of communication. This includes but is not limited to information from the Internal Revenue Service, the Social Security Administration and the Kansas Departments of Labor, Health and Environment, Revenue and Administration.
I understand and will comply with the applicable requirements of federal and state laws and regulations protecting the confidentiality, integrity and availability of protected health information including, but not limited, to the following laws and their implementing regulations:
- The federal Health Insurance Portability and Accountability Act of 1996, as amended ("HIPAA");
- The American Reinvestment Act of 2009, as amended (the "HITECH ACT"); and
- The federal confidentiality law found at 42 U.S.C. 290dd-2, as amended, and its implementing regulations contained in 42 C.F.R. Part 2 governing the confidentiality of alcohol and drug abuse patient records.
I understand that I may only use Information System Resources for those specific functions for which I have been authorized.
I understand that the password(s) I create is or are confidential, may not be shared, and shall be used only by myself. If I suspect anyone else has knowledge of my password, I will report it immediately to my supervisor and to KDADS HELP DESK and will change my password at that time.
I understand whenever I leave my workstation I must sign-off my personal computer or I must invoke a password protected screen saver with a screen lock to prevent unauthorized access by moving the mouse or using the keyboard.
I understand I must change my password(s) at least every 180 days.
I have read this entire document and agree to abide by its terms.
I also understand that any violation of this agreement may result in disciplinary action which may include discharge.
Furthermore, I understand that I may be prosecuted if I knowingly and intentionally use any KDADS' computer systems/or any other agency's computer systems I access for fraudulent or other unlawful purposes.
I further agree to comply with KDADS' security, computer, HIPAA or confidentiality policies, procedures and other requirements, as presently existing, or which may be hereinafter created and/or amended.
I further agree to "encrypt" any emails that are sent outside of the KDADS which may contain protected health information.
Policy: Password Management and Provisions
Where users belong to any Administered KDADS system, their password settings are to meet the following:
- Passwords will be constructed with the following requirements:
- Individually owned
- Kept confidential and not shared with other users
- Changed whenever disclosure has occurred or may have occurred
- Changed significantly (i.e., not a minor variation of the current password)
- Changed at least every 180 days
- Cannot be changed more frequently than once every one (1) day without system administration intervention
- Contain a minimum of 12 and a maximum of 20 characters
- Contain at least one of each of the following: a number, an upper case letter, a lower case letter, and a special character
- Passwords must NOT:
- Be repeated for at least 24 cycles of change
- Include repeating sequences of letters or numbers ( e.g. rrr, 123123)
- Include names of persons, places, or things that can be closely identified with the user (i.e., spouse, children or pet names)
- Include any spaces
- Include the user ID
- Include words that can be found in a dictionary
- Be displayed during the entry process
- Be written down and displayed in an obvious place such as under a keyboard
- Be the same for all systems that the user accesses
- Be stored in any file program, command list, procedure, macro or script where it is susceptible to disclosure or use by anyone other than its owner.
Mobile Device Policy
- The use of mobile and portable computing devices (PDA's, smart phones, cell phones, etc.) will be restricted and may only occur where documented appropriate authorization has first been provided.
- Where possible, the use of these devices will be actively monitored and their access to information systems strictly controlled.
- Data deemed sensitive or confidential to the agency, per agency policy or pursuant to any state or federal statute(s) or regulation(s), will be encrypted while at rest on portable electronic devices.
- Where possible, verified and current encrypted tunnels must be used for all electronic confidential data transmissions.
- Where encrypted tunnels cannot be used for electronic confidential data transmissions, confidential data must be directly encrypted prior to transmission.