Federal Student Aid



Department of Education



EZ-AUDIT SYSTEM RULES OF BEHAVIOR
Statement of Acceptance of User Responsibility


For Official, Approved Use Only - The eZ-Audit system is funded by the Government to support various programmatic efforts needed to accomplish the FSA mission. As such, these resources are to be used only for official Government business. Users should remember that when they use the eZ-Audit system, they are acting in their employment capacity on behalf of ED. Unless approved in writing by management, any activity outside that employment capacity, or which could bring harm or embarrassment to ED/FSA, must be avoided.

Privacy Expectations - All users are cautioned that, in general, computers, networks, and information systems are not 'private.' Users should have no expectation of privacy when using computing resources. E-mail sent via the eZ-Audit system may bear site-specific identifiers in the address (name@ed.gov). As such, regardless of disclaimers, users employing ED/FSA e-mail are representing the site and ED/FSA and must act accordingly.

Monitoring of Computing Resources - Activities on ED/FSA systems and networks are subject to monitoring, recording, and periodic audits to ensure that the resources are functioning properly and to protect against unauthorized use. The System Administrator may access any user’s computer system or data communications and disclose information obtained through such auditing to appropriate third parties, e.g., law enforcement personnel. Use of ED/FSA computing resources implies consent by the user to such monitoring, recording, and auditing.

Violations - It is critical that all users adhere to ED/FSA computer policies and accepted user principles regarding appropriate use. Violations of these principles or policies may lead to disciplinary action, possibly including termination of funding and/or employment. Designated administrators or other authorized personnel will evaluate and determine the degree of violation and appropriate disciplinary action.

Manager/Administrator Responsibilities - Management personnel will lead in applying these user principles. Managers are responsible for implementing these accepted user principles in their organization and will be accountable for ensuring that users are aware of and acknowledge their responsibilities.

Accepted User Principles - Users' access to computing resources indicates a level of trust bestowed upon them by their management and ultimately by ED. Users are responsible for their actions and must be aware of and acknowledge their responsibilities.


At a minimum, all users are responsible for these principles:

Ensuring that the eZ-Audit system is used only for official Government business.

Knowing who their site computer security personnel are and how they can be contacted.

Ensuring that the eZ-Audit system is used in compliance with Title IV program participation agreements and other applicable regulatory requirements to ensure program integrity.

Protecting the information users are processing from access by, or disclosure to, unauthorized personnel.

Immediately reporting all security incidents and potential threats and vulnerabilities involving computing resources to designated computer security personnel.

Protecting authenticators, such as passwords.

Reporting any compromise or suspected compromise of a password to designated computer security personnel.

Accessing only systems, networks, data, control information, and software for which they are authorized.

Ensuring that system media and system outputs are marked according to their sensitivity and are properly controlled and stored.

Knowing required storage sanitizing procedures (e.g., overwriting disks that contain sensitive data prior to reuse).

Avoiding the introduction of malicious code into any computing resource.

Preventing physical damage to the system.

Notifying management before relocating computing resources.

Ensuring that the work area is secured at all times and not duplicated.

Following procedures for signing out sensitive application documentation when removing these documents from the library and ensuring that sensitive information is not removed from the work area.

Not removing equipment or storage media from the work area without prior written authorization from the designated systems administrators, security officer or other authorized personnel.


Responsibilities of ED Internal Users:

Complete and submit your security paperwork.

Attend Security Awareness Training within 30 days of taking a new position.

Mark, control, and store all media properly.

Stay alert to your physical environment; report any abnormal packages, email, or activity immediately.

Request system access through the appropriate administrator.

Change passwords in accordance with instructions; more frequent is better.

Never share or write down passwords (this includes notes underneath your keyboard or on your monitor).

Never leave logged-in systems or notebook PCs unattended / unsecured (log off before leaving your workstation and secure notebook PCs).

Attend system-specific training to learn special security features.

Never load your own software, to include unauthorized Internet downloads. Ask a system administrator to obtain and load new software for you.

Never copy software against the vendor’s license.

Never use an individual modem on a computer connected to the network.

Protect remote access (dial-in) phone numbers and information.

Know what represents a security or privacy breach.

Know the proper security official to whom you should report security incidents.

Report all security breaches to the proper person.

Learn what sensitive information you have access to, and proper information-handling procedures.

Do not send sensitive information via email or voice mail because neither service is private.

Do not send sensitive information via general-use fax equipment.

Know that systems personnel may monitor user activity on FSA systems.

Do not use FSA IT resources for anything but official business.

Clear your work area of sensitive information when you are not there.

Dispose of sensitive information properly.

Review Disaster Recovery, Contingency and/or Continuity of Support Plans that impact you and your assigned information systems and understand your role in the execution of those plans.