We’ve covered DVD ripping, YouTube usage, and many other things that fall under the adjudicative guideline of misuse of IT systems. Things like watching porn on your government laptop are pretty cut and dry – but other scenarios involving IT systems could be considered a gray area under these criteria (especially for a first-time security clearance applicant), are vague, and subject to interpretation.
A visitor to ClearanceJobsBlog writes:
I have a question about how to answer Section 27 – Use of Information Technology Systems, “In the last seven (7) years have you illegally or without proper authorization accessed or attempted to access any information technology system?”
In January, while on vacation outside the U.S., I realized I forgot to set an automatic reply in my work email that I was out of the office. I logged into my email via my employer’s (a government bureau) email web portal. When I returned to the office, I learned my account had been disabled because it was against my agency policy to login to office email while out of the country. My account access restored once I verified to my employer that it was me who accessed my email account and I did so while traveling.
Do you think this falls under accessed “without proper authorization” any information technology system? If you think I need to answer yes to this question, is it worth addressing the steps I have taken to make sure there is no further incidence? For example, I would never have accessed my email while traveling outside the US if I had known it was against policy. My career is too important to me to risk it over an out of office reply. To avoid any potential future issue: I thoroughly read the applicable policies to make sure I had a clear understanding of when I was authorized to access the account; I stopped accessed my work email via the web portal since the incidence; and I have only accessed my work email via my bureau issued laptop since the incident.
Guideline M: Misuse of IT Systems
Section 27 of the SF- asks if the applicant has “illegally or without proper authorization accessed or attempted to access any information technology system?” This applicant had authorization to access his employer’s email account. Pretty vanilla situation in comparison to some of the examples of use or misuse of IT systems that could get you in trouble, such as illegally altering a software program, introducing malware or creating unauthorized entry points (back doors), using an IT system for fraud/theft, or sending sexually oriented messages.
Checking your work email is an error in standard operating procedures and does not need to be reported, especially if the user’s accounts were restored upon their return to office without a warning, reprimand, or formal counseling requirement for the incident.
To be safe, you can always check with your security office or IT team about the incident – but if you are still employed with this government bureau, they most likely are already aware.
For a full list of the 13 Adjudicative Guidelines, click here.
Evaluating Scenarios of IT Misuse
That’s not to say that failure to follow procedures or protocols won’t get you into trouble. If you make a habit of playing the “well I didn’t know the policy” card, you won’t enjoy the security clearance revocation you could potentially be dealt.
Adjudicators evaluate this criteria is based on the following:
- If it was a knowing and willful rule violation.
- The frequency and extent of rule violation (i.e., an isolated event)
- The amount of potential or actual harm.
- Intent of the conduct and degree of malice (i.e., unintentional)
Conditions that could mitigate security concerns include, as always, the passage of time, or if the incident was followed by a timely effort to correct the situation.
Much about the clearance process resembles the Pirate’s Code: “more what you’d call guidelines than actual rules.” This case-by-case system is meant to consider the whole person, increase process security, and allow the lowest-risk/highest-need candidates to complete the process. However, it also creates a lot of questions for applicants. For this reason, ClearanceJobs maintains ClearanceJobsBlog.com – a forum where clearance seekers can ask the cleared community for advice on their specific security concerns. Ask CJ explores questions posed on the ClearanceJobs Blog forum.