
Information Technology - Cyber Issue Date: 12/09/2021

IT-STD-50-1 User Access Agreement & Standard


PRINTED OR OFFLINE VERSIONS OF THIS DOCUMENT ARE FOR HISTORICAL USE ONLY, UNLESS SUCH VERSIONS ARE CONTROLLED.

1.0 PURPOSE

This Standard provides the code of conduct to which IT Users must adhere when using GDIT Information
Technology (IT) Systems and Assets¹ in support of IT-POL-50 Cyber Security and is supplemented by
IT-HB-50-1A GDIT Employee/Non-Employee Cyber Security Handbook.

2.0 ORGANIZATIONAL UNITS AFFECTED

This Standard applies to all GDIT employees and non-employees who access GDIT IT Systems and Assets,
hereafter referred to as “IT Users”².

3.0 AGREEMENT

All IT Users must read and acknowledge the terms listed in this agreement. The agreement is electronically
acknowledged upon completion of the Cyber Security Awareness and Personal Data Privacy Training
within 30 days of accessing GDIT IT systems or assets.

Obligations
I understand that:
• GDIT IT systems and assets are provided for business purposes. I understand that GDIT allows
minimal personal use of GDIT IT systems and assets so long as my personal use does not:
i. conflict with any terms found in GDIT’s policies and guidelines,
ii. interfere with my ability to perform my job responsibilities, or
iii. result in significant costs (e.g., money, time, reduced productivity) incurred by GDIT.
• GDIT has legal ownership of the contents of all files stored on its IT systems and assets as well as
all messages transmitted or received by these systems.
• I have no expectation of privacy when using GDIT IT systems or assets. All communications
(including personal) sent, received or accessed via GDIT IT Systems and Assets are subject to
monitoring and auditing.
• My network account will be disabled if I fail to complete any cyber security training within 30
days of assignment.
• The IT-HB-50-1A GDIT Employee/Non-Employee Cyber Security Handbook contains additional
details about requirements in this agreement.

¹ IT Systems and Assets include, but are not limited to, GDIT computing and mobile devices, human capital management and
financial systems, applications and all other forms of Information Technology (IT) that are owned, leased, rented, used, accessed,
created by GDIT, as well as the GDIT and GDIT client information stored or processed therein.
² “IT Users” are defined as employees and non-employees, who need access to GDIT IT Systems and Assets to perform work on
behalf of GDIT. “Non-employees” include, but are not limited to, GDIT consultants, contractors, sub-contractors, fellows/interns,
vendors, or anyone who is NOT categorized as a GDIT “Employee”.

This document contains GDIT confidential and proprietary information,
which shall not be used, disclosed, or reproduced for any purpose other than the conduct of GDIT business affairs.

I agree to:
1. Comply with all GDIT policies and guidelines and protect GDIT, customer and third-party
information.
2. Promptly report any suspicious IT behavior or suspected information system security violations to
my supervisor and to the GDIT Security Operations Center (SOC), through one of the following
mechanisms:
i. DL-SOC@gdit.com
ii. 571-386-3500
3. Report suspicious emails using the “Report Phishing” button in Outlook or by forwarding the
email as an attachment to phish@gdit.com and deleting it from my inbox.
4. Complete all cyber security training within 30 days of training assignment.
5. Comply with the following when accessing GDIT information using non-GDIT IT systems and
assets:
i. When using personal assets to access GDIT information you must keep your systems
current with application software updates and maintain your antivirus software.
ii. Protect and control access to the GDIT information in accordance with GDIT policy and
standards. See the GDIT Employee/Non-Employee Cyber Security Handbook for
additional information.
iii. Delete any GDIT information downloaded to non-GDIT IT resources after finishing work
with the files.
6. Maintain the secrecy and security of my account, access privileges, and password(s) by:
i. Not sharing my account passwords.
ii. Not writing down or storing my passwords in an unencrypted format.
iii. Locking my workstation when I leave it unattended.

Prohibitions
I will not:
1. Abuse or misuse my access privileges, nor will I compromise or damage the system(s) to which I
am granted access.
2. Attempt to access or modify any IT systems or information other than those to which I have been
specifically granted access. Nor will I access, transfer or copy any corporate, client, personnel,
vendor, or any other nonpublic information for any purpose outside of my job duties.
3. Introduce any unauthorized, unlicensed, illegal, malicious, or personally owned software or
hardware to the GDIT IT environment.
4. Intentionally visit or view, obtain or disseminate illegal content or content that would be
considered offensive or unacceptable for the workplace as described in HR-POL-320
Unacceptable Workplace Conduct Policy.
5. Access or download pirated movies or software using Web-streaming services (e.g., movies123,
mubi, tubi) on GDIT IT systems or assets.
6. Click on any attachment or link embedded in a suspicious message(s).
7. Access, view, send or store classified information on any unclassified GDIT IT systems or assets.
8. Use non-GDIT (personal) cloud-based storage resources such as Dropbox, iCloud, Google Drive,
Slack, OneDrive, etc., to store, process, or transmit GDIT or client data unless authorized by the
customer and/or GDIT to do so. If authorized, the software must meet acceptable GDIT legal and
security standards including proper licensing. The GDIT provided instance of Microsoft 365,
including OneDrive, is authorized to store GDIT and client data.
9. Use non-GDIT (personal) e-mail accounts such as Gmail, Yahoo, etc., to transmit GDIT or client
data unless authorized by the customer and/or GDIT to do so. If authorized, the software must
meet acceptable legal and security standards for GDIT including proper licensing.

10. Use personal IT assets such as laptops, tablets, etc., to store GDIT or client data unless authorized
to do so. Usage limited to accessing GDIT network via encrypted gateways (i.e., Hosted Virtual
Desktop (HVD), GDIT Connect).
11. Auto-forward any GDIT e-mail to unauthorized e-mail domains. When auto-forwarding is
required for business purposes, a request for auto-forwarding must be submitted through the
Service Desk.
12. Upon termination from GDIT, retain any GDIT or client data or software created, edited, obtained
and/or stored on any device while working for GDIT, unless specifically authorized in my
employment agreement or contract.

4.0 USER ACCESS AGREEMENT ACKNOWLEDGEMENT

I acknowledge that I have read the terms of the User Access Agreement and understand my responsibilities
with respect to my use of the GDIT IT systems and assets. I understand that I may be subject to
disciplinary action, up to and including termination of employment, removal from contract or legal action
for knowingly violating or attempting to violate the information contained in this Agreement.

User’s Name (Print):__________________________User’s GDIT Email address____________________

___________________________________________________________ _____________________
User’s Signature (Digital Signatures are acceptable) Date

5.0 ACRONYMS AND MEANINGS

Acronym Meaning
HVD Hosted Virtual Desktop
IT Information Technology
SOC Security Operations Center

6.0 REFERENCES

IT-POL-50 Cyber Security Policy


IT-HB-50-1A GDIT Employee/Non-Employee Cyber Security Handbook
HR-POL-320 Unacceptable Workplace Conduct Policy

7.0 DOCUMENT APPROVAL / CHANGE HISTORY RECORD

Issue Date: 12/09/2021
Approvals: Christopher Plonka, Document Owner; Michael Baker, Document Approver
Change Description: 2021 Annual Review
• In Section 3.0 Agreement:
o Under “Obligations” / “I understand that:”, added “My network account will be disabled if I fail
to complete any cyber security training within 30 days of assignment.”
o Under “Obligations” / “I agree to:”, added “Complete all cyber security training within 30 days
of training assignment.”
o Under “Prohibitions” / “I will not:”, changed “Microsoft Office365” to “Microsoft 365” and
changed “GDIT Portal” to “GDIT Connect”

Issue Date: 12/21/2020
Approvals: Christopher Plonka, Cyber & IT Risk Mgt, Document Owner; Michael Baker, CISO, Document Approver
Change Description: 2020 Annual Review: Updated SOC reporting contacts, replaced SPAM mailbox reference
with phish mailbox, added human capital management and financial systems for IT Systems scope.
Updated reference to HR Policy 304 to HR-POL-320.

Issue Date: 12/27/2019
Approvals: Christopher Plonka, Document Owner; Michael Baker, Document Approver
Change Description: Updates Section 3 – first paragraph and in Prohibitions – Numbers 8, 9, 10.

Issue Date: 01/01/2019
Approvals: Christopher Plonka, Process Owner; Michael Baker, CISO
Change Description: Initial release following policy assessment and consolidation. 10/24/2019 – UPDATED
Section 3.0, Prohibitions, bullet #8 (Clarified language about personal drives) and CMID numbers to
normalize based on new numbering.

Issue Date: 12/4/2019
Approvals: Tom Hasman, IT Risk Manager; Michael Baker, CISO
Change Description: Clarified language on personal use of e-mail and licensing requirements.
