Code of Conduct

Code of Conduct in ATVINA is meant to be representative and helpful, but not comprehensive. If a need arises for exceptions to the principles and examples in this Code of Conduct document, approval must be obtained from the CEO, COO, or CIO.

Field Technicians

Technicians must never request or ask a user for their password and must not observe a user entering their password.

Technicians must not open emails or files while troubleshooting an issue unless the user gives specific permission and must examine only the content of emails or files as required to troubleshoot a particular problem.

Remote access to a desktop for support purposes can only occur with the approval of the end-user via a specific desktop prompt.

Quality Engineers, Developers, Project Managers, & Business Analysts

When developing, testing, analyzing, maintaining, or troubleshooting issues in ATVINA's applications, records should be only be interrogated if they are related to the problem being investigated.

When showing examples of pages, files, business flow, or report output in documentation, appropriate measures should be taken to disguise the information to protect the identity of the individual(s) associated with the data.

For purpose of presentation, development, testing, analyzing, maintaining, or troubleshooting, appropriate measures should be taken to disguise the information to protect the identity of the individual(s) associated with the data.

System Engineers, Network Engineers

Data traversing the network must not be monitored except for maintenance, specific diagnostics, and system protection purposes (e.g., virus protection scanning).

Access to log information must only be used for business purposes and as required to support the integrity of systems.

Help Desk Staff

Never ask users for passwords.

Only enable email forwarding to another designation when requested by the mailbox owner.

System Administrators

Data contained in log files and databases should not be disclosed beyond the need of the IT group to develop, maintain, troubleshoot, or perform diagnostics unless under direction from proper ATVINA Leader or legal authorities.

Information about a specific user’s access to networks, systems, databases, or any other computer-based resources must not be disclosed to anyone beyond the owner unless under direction from the proper University or legal authorities or for the purposes of development, testing, maintenance, protection, and support of an IT system.

The casual viewing of any data contained in logs or databases that fall outside of an employee’s job responsibilities is strictly prohibited..

Production Control & Computer Operations

All physical access to ATVINA's IT Data Centers must follow established access management protocols; all requests for access from unauthorized individuals must be referred to a supervisor or manager.

All requests for access to systems must follow established access management protocols; all requests for systems access that fall outside of the specific ones covered by the access management protocol must be referred to a supervisor or manager.

All requests for privileged access to production systems must follow the established procedures for granting such access, including the timely and accurate logging of the request and the timely reverting of privileges upon completion of the work that prompted the request for privileged access.

Security Engineers

ATVINA’s information security professionals adhere to a stringent code of ethics through their certification by the System Security Certification board, which requires that they:

Protect society, the commonwealth, and the infrastructure.
Act honorably, honestly, justly, responsibly, and legally.
Provide diligent and competent service to CEO.

When launching an investigation in response to an alert about possible malicious activity (from an automated tool, a user, or a third party), security engineers must act in a responsible and ethical manner, specifically:

Investigate only within the scope that has been identified by the alert and for the identified reason.
Track the malicious activity to an originating machine and contact the owner and their IT support, sharing the information and assisting in a resolution process.

Should an individual decline to participate in the resolution, security engineers must:

Launch an escalation process to obtain management approval prior to further action.
Follow the defined escalation path which includes notice to Department in charge.

When conducting forensics on an acquired computer, security engineers must:

Limit their investigative activities narrowly, working on only relevant information.
Only look at individual personal information if it is required for the investigation.
Keep physical and digital investigation materials (e.g., copy of a hard drive) securely locked.
Maintain a chain of custody for evidence, requiring responsibility and signoff for each step of the pro.