Section 27 - Use of Information Technology Systems Questions

I have a questions about how to answer Section 27 - Use of Information Technology Systems, “In the last seven (7) years have you illegally or without proper authorization accessed or attempted to access any information technology system?”

In January, while on vacation outside the US, I realized I forgot to set an automatic reply in my work email that I was out of the office. I logged into my email via my employer’s (a government bureau) email web portal. When I returned to the office, I learned my account had been disabled because it was against my agency policy to login to office email while out of the country. My account access restored once I verified to my employer that it was me who accessed my email account and I did so while traveling?

  1. Do you think this falls under accessed “without proper authorization” any information technology system.
  2. If you think I need to answer yes to this question, is it worth addressing the steps I have take to make sure there is no further incidence. For example, I would never have accessed my email while traveling outside the US if I had know it was against policy. My career is to important to me to risk it over an out of office reply. In order to avoid any potential future issue: I thoroughly read the applicable policies to make sure I had a clear understanding of when I was authorized to access the account; I stopped accessed my work email via the web portal since the incidence; and I have only accessed my work email via my bureau issued laptop since the incident.

Were you given a warning, reprimanded, or counseled for this incident? If not, then it was simply an error in procedural processes and does not need to be reported.

While I don’t think your situation is the sort of thing they have in mind-- I think this question relates to trying to hack into a system-- it may be worth reporting just to avoid any questions if the investigator turns it up on their own.

On the other hand, even though this matter is benign, anything related to computer security is a hot button, and the investigator is more than likely somebody without much background in IT. So it may attract undue attention. And the first form that such attention might take is the question, “what OTHER computer security violations have you had?”

My two cents.