FedRAMP Rules of Behavior for External Users

Overview

The following Rules of Behavior establish the responsibilities and expected conduct for all users of our federal environment. They apply to both external privileged users and external non-privileged users, with specific requirements for each role.

  • External Privileged Users – Users with administrative or elevated access rights.
  • External Non-Privileged Users – Standard users with general access.


Rules of Behavior for External Privileged Users

As an external privileged user for Tulip, you are required to follow specific Rules of Behavior when interacting with this system.

You must conduct only authorized Tulip-related business while logged into the administrative functional area assigned to you.

You must ensure that your level of access to components and networks owned by Tulip is limited to no more than is necessary to perform your legitimate tasks and assigned duties. If you believe you are being granted access that you should not have, you must immediately notify Tulip at security@tulip.co.

You must maintain the confidentiality of your authentication credentials such as any passwords or passcodes granted to you. Do not reveal your authentication credentials to anyone; a Tulip employee should never ask you to reveal them.

You must follow proper logon/logoff procedures. You must manually log in to your session; do not store your password locally on your system or utilize any automated logon capabilities. You must promptly log out when session access is no longer needed. If a logout function is unavailable, you must close your browser. Never leave your computer unattended while logged into Tulip.

You must report all security incidents or suspected incidents (e.g., lost passwords, lost tokens, improper or suspicious acts) related to Tulip components and networks to Tulip at security@tulip.co.

You must not establish any unauthorized interfaces between systems, networks, and applications owned by Tulip. You must immediately report any potential misconfigurations.

You must acknowledge that your access to systems and networks owned by Tulip is governed by, and subject to, all federal laws, including, but not limited to, the Privacy Act, 5 U.S.C. 552a, if Tulip maintains individual Privacy Act information. Your access to Tulip constitutes your consent to the retrieval and disclosure of the information within the scope of your authorized access, subject to the Privacy Act, and applicable state and federal laws.

You must safeguard all resources for which you are responsible against waste, loss, abuse, unauthorized users, and misappropriation. In doing so, you must ensure the confidentiality, integrity, availability, and security of all system components commensurate with the CSO requirements for storing, processing, and transmitting all federal data. You must follow commensurate security protocols at all times.

You must not browse, search, or reveal information hosted by Tulip except in accordance with that which is required to perform your legitimate tasks or assigned duties.

You must not retrieve information, or in any other way disclose information, for any person or process that does not have authority to access that information.

You must not process U.S. classified national security information on any component of Tulip for any reason.

You must agree to contact the Tulip Chief Information Security Officer at security@tulip.co if you do not understand any of these rules.

You understand that any person who obtains information from a computer connected to the Internet in violation of his or her employer’s computer-use restrictions is in violation of the Computer Fraud and Abuse Act.

Rules of Behavior for External Non-Privileged Users

As an External Non-Privileged User, you have general user privileges to Tulip and are required, at a minimum, to follow the FedRAMP security controls baseline assigned to this CSO, acting in this general capacity.

You must not interact with Tulip in any way other than as prescribed by the administrator.

You must not reconfigure hardware, software, or firmware on any Tulip components. You must report this as a finding to Tulip at security@tulip.co if reconfiguration or manipulation is in any way possible.

You must not share information with someone who does not have authority to access that information.

You must not remove computer resources without prior approval.

You must use Tulip for the purposes for which it is intended.

You must not circumvent the security policies configured on your device. If you determine there might be a misconfiguration, you must inform the IT Security Desk immediately.

You must not process U.S. classified national security information on any component of Tulip for any reason.

You must follow all Tulip wireless access policies.

You must ensure both hardcopy and electronic official records (including attachments) are stored and disposed of according to Tulip policies and standards.

You must safeguard all resources for which you are responsible against waste, loss, abuse, unauthorized users, and misappropriation. In doing so, you must ensure the confidentiality, integrity, availability, and security of all system components commensurate with the CSO requirements for storing, processing, and transmitting all federal data.

You understand that any person who obtains information from a computer connected to the Internet in violation of his or her employer’s computer-use restrictions is in violation of the Computer Fraud and Abuse Act.