About IMPACT
The following sections provide an overview of IMPACT.
IMPACT accounts are granted for 12 months, after which users must confirm their interest in continuing the account. The ICC will conduct an annual account verification for each user. Accounts for users who do not log portal activity within the 12-month time frame will be disabled. In addition, any account that does not comply with any access criteria within that 12-month period, including continuous affiliation with the stated organization, will be disabled.

Users who have changed organizations must reapply for an account. Users who change organizations must also submit a new dataset/tool request to regain access to datasets/tools that were in use at their previous organization. Their former organization will also be required to submit a certificate of disposal of any datasets/tools that were delivered to that user before his or her departure.

Researchers whose accounts are disabled but who still have permission to use datasets/tools will be denied access to any datasets that remain undelivered at the time of the deactivation. The appropriate Hosts will be notified of the deactivation.

Researchers who hold expired datasets/tools but have neither extended the term of use nor certified that the data/tool have been destroyed will not be able to obtain other IMPACT data/tools until all requirements for dataset expiration have been met.

Researchers may at any time request a copy of their contact information collected by the ICC.

Applications can be for a user account or access to datasets and tools listed in the Data Catalog. The ICC reviews each application to ensure that it conforms to the submittal criteria, that all requested information has been provided and that all necessary signatures are properly affixed before starting the approval process.

If the application does not meet the submittal criteria, the ICC will return it to the requester, who may then revise it and resubmit.

Account Requests

Account requests are submitted using a form on the portal. Exhibit 1 shows the high-level process, including the international process, for reviewing and approving account requests.

Exhibit 1 High-Level Account Request Process.

The IMPACT high-level account request process begins with the researcher submitting a form and ends when the ICC approves the account.

Applications for accounts on the IMPACT system are reviewed by the ICC, following a role-specific process and criteria. Applications for accounts default to the researcher role.

The process for each of the account request types is:

Dataset and Tool Requests

Requests may be submitted for each class of data/tool described in the Catalog.

Dataset requests are submitted for access to sub-categories of data using a form on the portal. If a request for access to a sub-category is approved, the researcher may also choose additional datasets in the approved sub-category at a later time without submitting a new dataset request.

Unrestricted (Commercial or Non-Commercial) Data/Tool

Requests for unrestricted or unrestricted non-commercial data and tools are approved when the researcher agrees to the Terms of Use. (Exhibit 2)

Exhibit 2 High-Level Process for Obtaining Unrestricted (Commercial or Non-Commercial) Data/Tool.

Unrestricted data access allows researchers to request certain data, agree to terms of use and receive approval.

Quasi-restricted (Commercial or Non-Commercial) Data/Tools

Requests for quasi-restricted data/tools follow a path similar to the unrestricted applications but are only released if approved by the Provider. (Exhibit 3)

Exhibit 3 High-Level Process for Obtaining Quasi-Restricted or Quasi-Restricted Non-Commercial Datasets.

Quasi-restricted data process is similar to unrestricted access, except that the data provider must approve the request.

Restricted Data/Tools

Restricted data and tool requests are reviewed by the ICC and the relevant provider, which examines whether the requests are logical choices for the proposed research project. (Exhibit 4) The ICC and provider do not judge the merits of the research project itself. Requests for additional datasets in an approved sub-category are automatically approved by the ICC.

Restricted data access requires the researcher to sign a memorandum of agreement and other legal documents to obtain the data.

Review and Approval

The review period for a request for all restricted or quasi-restricted data and tool classes is about 72 hours after the application is complete. The complete application will consist of a dataset/tool request form filled out online, a TOU (quasi-restricted) and an MOA (restricted) signed by the applicant.

Applications for any quasi-restricted or restricted datasets and tools may be fully or partially approved or rejected:

  • Providers have the unilateral authority to reject part or all of an application for use of their data/tool.
  • ICC must approve or reject the full request.

The relevant Providers review applications for any quasi-restricted data/tool. The ToU associated with an approved (either full or partial) quasi-restricted request is delivered to the Researcher with the approval email.

The ICC and relevant provider review requests for restricted data and tools. The MoA associated with an approved (either full or partial) application for restricted data/tool is executed by the ICC. The ICC notifies all relevant parties of the request decision.

Notifications of any approval are in the form of system emails that direct the parties to log into the portal to retrieve details of the application from the My IMPACT My Requests page.

In cases where the Provider rejects all or part of an application to use their dataset/tool, the ICC will notify the researcher. When a request is rejected, the notification will include the reason(s) for the rejection, if available (see also "Rejections"). The researcher may then submit a new application for denied datasets/tools that satisfies the provider's concerns.

If all or part of the request is approved, the ICC notifies the researcher and provides contact information for the Data/Tool Host(s), with details of what has been approved. The ICC also notifies the Host(s) of details of the approved request. Access information may be a URL, contact information for a representative of the hosting site, etc.

The ICC will record and track the approval date, the date the researcher received access information from the ICC, and the date that the researcher accessed the datasets from the Host. The ICC will maintain records of all applications and their dispositions.

If a dataset/tool request is rejected, the Researcher will be notified by email and may be given the reason for the rejection, if available. The Researcher may revise the application based on those reasons and reapply for the dataset(s).

After an application for use of datasets/tools is finalized, the researcher has 12 months from the date the ToU is completed or the MoA is executed to access the datasets/tools and use them for the purpose described in the application. The Researcher may request all or part of the datasets in a sub-category; additional datasets from the approved sub-category may be requested at a later date within the 12-month access period. In the case of restricted data, these requests will be approved without ARB review.

Expirations

Thirty (30) days before the expiration of this period, the ICC will email the researcher with a reminder that the expiration is approaching and offer an option to reapply for access to the data/tool.

Researchers may extend the use of the data/tool for an additional 12 months past the original expiration date by submitting an extension request from the My IMPACT My Requests page. If no extension is requested, the researcher will be required to dispose of the data/tool within 30 days of the expiration date.

Rejections

Account Request Rejections

1. Reason: The researcher's organization is not an approved organization.
   Remediation: See also "Organizations".

2. Reason: The verification email is not received within the required time period.
   Remediation: Initiate another request at a later date.

3. Reason: The researcher is not located in a DHS-approved location.
   Remediation: See also "DHS-Approved Locations".

Dataset/Tool Request Rejections

1. Reason: The Memorandum of Agreement is not received within the stated time period.
   Remediation: Initiate another request at a later date.

2. Reason: The Memorandum of Agreement is incomplete.
   Remediation: Revise the Memorandum of Agreement to include missing or incomplete information.

3. Reason: The proposed research does not justify a need for the data requested.
   Remediation: Revise the proposal to reflect research that requires the requested data/tool, OR revise the proposal to include data/tool that is required by the research described, AND resubmit.

4. Reason: The Provider did not approve the request.
   Remediation: Data/tool provider rejection of a dataset request is absolute.

5. Reason: The requester lists persons who will use the datasets outside of an authorized research location.
   Remediation: Requestors must change the research team and/or research location to comply with IMPACT policy to make data available ONLY to approved researchers who are conducting cyber security research in DHS-approved locations, such as the 50 United States and for selected international governments and organizations.

Delivery

The IMPACT system will notify the researcher and the Data/Tool Host(s) when a request has been approved, directing the researcher to the appropriate Host to arrange for delivery or transmission of the datasets/tools requested. Both parties will be asked to verify that the items have been received and/or delivered.

The ICC will track the delivery status of each dataset/tool request and intercede as needed to ensure the approved request has been fulfilled.

Datasets and tools will be released only to researchers whose requests are approved, either by the ICC for all unrestricted datasets/tools, by the ICC and Data Provider for all quasi-restricted datasets or by the Application Review Board for restricted datasets/tools, indicating they have met all approval criteria.

Data/tool hosts will release requested datasets to the researcher using the transmittal method stipulated in the Data/Tool Catalog. Hosts are responsible for communicating access requirements for the datasets to approved researchers. Hosts must maintain records of all accesses or transmissions of datasets to researchers, and verify to the ICC that the appropriate dataset/tool has been delivered.

At the end of the 12-month access period, the ICC will notify the host if the researcher has reapplied for access or if he/she has properly disposed of the data/tool. Hosts will not release data/tool after the expiration date has passed.

A Data/Tool Host is an organization that provides computing infrastructure to store IMPACT datasets/tools and coordinates the transmission of those items to approved researchers.

The hosting logistics are worked out between the Host and Provider.

A Host must execute an MoA with the ICC in which the Host provides any special terms and conditions for access to, transfer, handling and storage of the data/tool.

A Host lists terms for accessing the respective datasets/tools in the catalog. Methods of access include, but are not limited to:

  • Secure email
  • CD, DVD, disc by mail
  • Secure FTP
  • HTTP/HTTPS
  • Web API
  • Other remote access

Hosts are responsible for all of the Provider's data security and access control requirements to the data/tool.

Hosts must confirm delivery of approved datasets/tools via the My IMPACT Requests for My Hosted Datasets/Tools page on the portal.

Data and Tool Providers make datasets and tools that they own or control available to approved researchers through IMPACT.

Providers submit metadata to the data catalog that describe the datasets/tools in authorized categories and sub-categories. Upon review and approval by the ICC, the metadata describing the datasets/tools are made available in the catalog. There is no limit to the number of items that may be submitted in an available category or sub-category. A list of available data and tool categories and sub-categories, and their descriptions, is posted on the portal.

Before metadata can be submitted, a provider must hold a Provider account on the portal and execute a Provider Memorandum of Agreement with the ICC.

Metadata for datasets and tools are submitted through the IMPACT portal, either manually or by bulk upload following an XML schema provided on the portal.

Manual input of dataset/tool information requires filling out a form for each data/tool category and sub-category that is submitted to the catalog.  Multiple listings for a category and sub-category may be uploaded at the same time.

Metadata uploaded to the catalog are reviewed by the ICC before being entered in the catalog. The ICC will make the metadata available after:

  • The ICC has verified it is complete and that the data/tool conforms to the conditions of the MoA.
  • A Data/Tool Host has been designated to host the data/tool and deliver it to approved researchers.

Once the metadata have been made available in the catalog, they can be viewed by researchers. If a provider updates its metadata, the newer information will supersede the earlier listing. If a provider withdraws or otherwise cancels a data/tool category, sub-category or dataset/tool, the ICC will remove the metadata from view in the catalog. Providers are responsible for keeping current the status of the dataset(s)/tool(s) they submit.

Providers review and approve or reject requests for access to their datasets/tools.

Submitting New Datasets and Tools to the Catalog

New or current Providers may offer new datasets/tools to the repository.

The new data/tools are described in a Dataset Submission Form and submitted to the ICC and DHS for consideration. The ICC and DHS, with the help of the IMPACT External Relations Council (PERC), will vet the item to determine if it meets criteria to be included in the repository. The ICC must also determine the category and sub-category of the proposed data/tool.

When the data/tool have been approved for inclusion, the ICC and a new provider will execute an MoA that includes descriptions of the category and sub-category. For established Providers, if these designations are not in the existing MoA, the MoA must be amended. Once the MoA is in place, the category and sub-category will appear in the data catalog and the provider can upload the metadata to the portal using the established schema.

All IMPACT researchers must be affiliated with an organization that is approved by the ICC. Users applying for an account must list an organization, its location and contact information for an authorized representative who acts as a point of contact (POC) on the online account request form. The POC, on behalf of the organization, confirms that the person has a legitimate need for an IMPACT account.

Organization Review

If an organization has already been approved by the ICC, the account request is submitted for processing subject to the arrival of email verification from the POC. If an organization has not been approved by the ICC, the approval process will follow established acceptance criteria to review the organization. If the organization meets the criteria, it is added to the approved organizations list and the account request is submitted for processing. If the organization is not approved, the requester is notified and the account request is withdrawn.

The ICC may use a number of resources to verify Organizations, including but not limited to:

  • Internet searches: Internet searches start with search engine queries (Google, Yahoo, etc.) but may also include links within an organization's web site and searching on the name(s) of researchers. Results of those searches factor into the approval of the organization. For example, if links within the organization's web site lead to dead ends, broken links or 'under construction' messages, it might indicate the organization is not sufficiently mature.
  • Dun & Bradstreet and Hoovers database searches: Organization profiles in these databases reveal information about the size and scope of the company, and its standing in the business community. Indicators (or the lack thereof) such as ability to pay bills on time, annual revenue, or client lists are helpful in understanding the stability of the company and its legitimacy in the industry.
  • Nationally recognized directories or government databases.
  • Personal reference: Other researchers, professionals or community members who are familiar with the Organization and its leaders can provide a reference for the organization.

An organization must meet at least one of IMPACT's established criteria in order for it to be added to the list of approved organizations.

To be valid, an organization must:

  • Be an established, accredited institution of higher learning, such as a college or university recognized by a governmental entity or accrediting body.
  • Be an established government agency, department or ministry.
  • Be an entity located in an area recognized by the U.S. Department of Homeland Security as an authorized international research location.
  • Be registered as a for-profit or not-for-profit organization with state/provincial or national authorities.

Small organizations

Small organizations, which are defined as having 10 or fewer employees (as verified by Dun & Bradstreet or national records), may be asked to provide up to three references to the ICC before being considered for approval. References must be from customers, contract holders or business partners who have done business with the organization within the past 12 months. In some instances, the references may be asked to provide answers to the following questions:

  • What is the nature of the organization's business?
  • What is the nature of the research the organization has performed?
  • How long has the reference been associated with the organization?
  • What security measures did the organization implement in performing work for the reference?
  • How did the organization deal with confidential information in performing the work for the reference?

Small organizations also may be asked to provide the ICC with resumes or curricula vitae (CV) of the lead researcher and/or other researchers on the project.

All research and access to IMPACT data must be carried out in DHS-approved locations. The researcher's organization must be located in one of these locations.

Selected countries outside of the United States may be authorized to verify researchers for IMPACT. Each country will have a designated entity or office functioning as an IMPACT Approval Coordinator (IAC). An IAC is responsible for reviewing account requests and verifying the researcher's affiliation with an organization. All IACs are selected and approved by the U.S. Department of Homeland Security (DHS).

When a non-U.S. researcher from an approved location applies for an IMPACT account via the IMPACT portal, the ICC will provide information about the applicant to their IAC. The IAC will vet the organization according to the IMPACT Organization criteria and their own verification protocol.

The IAC will submit a decision to the ICC via the International Account Request page on the portal, at which point the ICC will continue processing the application.

See also "Applications".

The ICC supports the IMPACT data repository in a secure Web-based portal, located at https://www.ImpactCyberTrust.org, which is available to IMPACT users and the public (browsing public pages only). Currently the ICC is managed by Blackfire Technology, Inc.

The portal has a Secure Sockets Layer (SSL) certificate so that data exchanged between the user's browser and the portal can be encrypted in transit.

Navigation to various sections of the portal will be specific to the role assigned the registered user; a limited number of public pages is available to non-registered users. Roles and responsibilities are spelled out in the Portal Users section.

Use of the portal by Researchers, Data Providers and Data Hosts will be strictly supervised by ICC staff and portal administrators. Account holders may not share their access with other persons and must abide by the site's Rules of Behavior.

IMPACT is committed to protecting your privacy and developing technology that gives you the most powerful and safe online experience. This Statement of Privacy applies to the IMPACT website and governs data collection and usage of that site. By using the IMPACT website, you consent to the data practices described in this statement.

Collection of Your Personal Information

IMPACT collects personally identifiable information, such as your email address, name, home or work address or telephone number.

There is also information about your computer hardware and software that is automatically collected by IMPACT. This information can include: your IP address, user name, browser type, and access times. This information is used by IMPACT for the operation of the service, to maintain quality of the service, and to provide general statistics regarding use of the IMPACT website.

IMPACT encourages you to review the privacy statements of websites that you may choose to link to from IMPACT so that you can understand how those websites collect, use and share your information. IMPACT is not responsible for the privacy statements or other content on websites outside of the IMPACT website.

Use of your Personal Information

IMPACT collects and uses your personal information to operate the IMPACT website and deliver the services you have requested. IMPACT may also contact you via surveys to conduct research about your opinion of current services or of potential new services that may be offered.

IMPACT does not sell, rent or lease data it collects to third parties. IMPACT may share data with Hosts, Providers and review board members of the IMPACT community to help us deliver requested IMPACT services. These parties are prohibited from using your personal information except to provide these requested services, and they are required to maintain the confidentiality of your information.

IMPACT will disclose your personal information, without notice, only if required to do so by law or in the good faith belief that such action is necessary to: (a) conform to the edicts of the law or comply with legal processes served on IMPACT or the site; (b) protect and defend the rights or property of IMPACT; and, (c) act under exigent circumstances to protect the personal safety of users of IMPACT, or the public.

Use of Cookies

The IMPACT website requires the use of non-persistent (session-based) "cookies" during an active session for proper operation of pages for registered IMPACT users during that one session. The purpose of the cookies is to identify a user to the IMPACT web server only when accessing content within the IMPACT domain. IMPACT does not use "ad" cookies to track user activity. IMPACT does not retain any cookie data. You have the ability to accept or decline cookies. Most Web browsers automatically accept cookies, but you can usually modify your browser setting to decline cookies if you prefer. If you choose to decline cookies, you may not be able to fully experience the interactive features of the IMPACT services.

Security of Your Personal Information

IMPACT secures your personal information from unauthorized access, use or disclosure. IMPACT secures the personally identifiable information you provide on computer servers in a controlled, secure environment, protected from unauthorized access, use or disclosure.

Changes to this Statement

IMPACT will occasionally update this Statement of Privacy to reflect feedback or changes in operations or policy. IMPACT encourages you to periodically review this Statement to be informed of how IMPACT is protecting your information.

Contact Information

IMPACT welcomes your comments regarding this Statement of Privacy. If you believe that IMPACT has not adhered to this Statement, please contact IMPACT at Contact@ImpactCyberTrust.org. We will use commercially reasonable efforts to promptly determine and remedy the problem.

IMPACT datasets are available to approved researchers who are conducting cyber security research in DHS-approved locations, such as the 50 United States and selected international locations approved by DHS. Researchers approved for an account on the IMPACT portal may request access to any number of dataset(s) of interest in established sub-categories by filling out an online application form and listing the dataset(s) desired and members of the research team and providing a description of the proposed research.

Only Researchers holding IMPACT accounts may request data from the IMPACT data catalog.

Types of Researchers

There are two types of Researchers:

Obligations

Requestors are subject to different obligations for each class of data/tool requested. (See classes of data in the Data Catalog section.) A researcher must agree to all of the obligations and use criteria specified for each class requested.

For all unrestricted and quasi-restricted datasets/tools, these terms are specified in the ToU associated with the request.

In the case of restricted datasets/tools, the terms are specified in an MoA executed between the Researcher and the ICC which may include additional provider terms. If the researcher declines to agree to the terms, the application for use of that provider's restricted dataset/tool will not be processed. The Provider will have final approval for release of their data/tool.

In all cases, Researchers must notify the ICC if the data/tool are compromised once they receive access to datasets. Compromised is defined as confirmed access by an unauthorized person, or the data being lost, disclosed, stolen or sabotaged.

Researchers who have been approved for some sub-categories but not others will only have access to the sub-categories for which they have been approved.

When requesting restricted data/tools, researchers must provide the names of the proposed research team, i.e., the researcher's colleagues who will also be working with the requested data/tool. Researchers must notify the ICC of all departures and additions to the research team and execute an amendment(s) to the restricted data/tool MOA. Email notice of additions or deletions to the research team list to the ICC. All new research team members must be approved prior to their gaining access to the data/tool.

Researchers may use dataset(s) from approved sub-categories subject to the terms and conditions associated with them for a 12-month period, which begins when (1) the ToU is submitted to and approved by the ICC for all classes of unrestricted data, (2) the ToU is submitted to and approved by the ICC and the Data Provider approves the request for all classes of quasi-restricted data, or (3) when the MoA for restricted data is fully executed.

Researchers may not transfer authorization to use approved datasets/tools to other persons or organizations.

Researchers are granted access based on their affiliation with an organization and must inform the ICC when they change affiliations or are no longer in charge of the research project on which the IMPACT data/tool is being used. Researchers who move to another organization may reapply for access to the data/tool through their new organization. The new organization must meet all requirements for organizational participation before access is granted.

If a Lead Researcher who is managing a research project using restricted data/tools leaves the organization or the project, the organization must notify the ICC and either propose a new lead researcher or terminate the MOA and the use of the IMPACT data/tool.

All IMPACT users must:

  • Follow password guidelines, as listed in the IMPACT User Guide and on the portal.
  • Not share IMPACT accounts.
  • Not leave IMPACT browser sessions unattended.
  • Comply with the portal Terms of Use.

Researchers must:

  • Be an individual affiliated with an approved Organization, as verified by the ICC.
  • Perform all work involving IMPACT datasets/tools (1) within DHS-approved locations, provided that the Researcher and all research team members are located in one of these countries, or (2) at a DHS-approved location where the researcher is located.
  • Take steps to ensure that all persons named on the application to use data/tools are aware of these location restrictions and all other obligations associated with the item.
  • Not allow anyone other than the researchers named on the application to have access to or use the data/tool.
  • Notify the ICC when team members are added or removed from their research team.
  • Implement appropriate physical, technical and administrative measures to protect the datasets/tools.
  • Notify the IMPACT Coordinating Center (ICC) if the IMPACT datasets/tools are accessed by any unauthorized person or if they are lost or stolen.
  • Immediately notify the ICC and Data Host if they receive data/tool they did not request.
  • Notify the ICC if the individual affiliated with the Organization and leading the research moves to another organization or is no longer leading the approved research effort.
  • Execute appropriate legal documents (Terms of Use [ToU] Agreement or Memorandum of Agreement [MoA]) with the ICC and agree to abide by all provisions, including provisions specific to each dataset/tool.
  • Properly dispose of datasets/tools at expiration of the term of access and submit a Certificate of Disposal.

Data and Tool Providers must:

  • Execute a Memorandum of Agreement (MoA) with the ICC and hold an account on the portal as a Data/Tool Provider.
  • Not upload executable files.
  • Obtain access terms for the dataset/tool from the Host.
  • Provide metadata and terms of access associated with each dataset and tool to the Data Catalog.
  • Comply with ICC restrictions on data and tools.

Data and Tool Hosts must:

  • Execute a Memorandum of Agreement (MoA) with the ICC and hold an account on the portal as a Data/Tool Host.
  • Provide access terms to the Data/Tool Provider and ensure they are correct in the catalog.
  • Maintain records of all access to datasets/tools by Researchers and report records to the ICC.

The ICC must:

  • Maintain the IMPACT portal and data and tool catalog on available datasets.
  • Develop, maintain and enforce operational policies and procedures.
  • Execute Memoranda of Agreement with Data and Tool Providers and Data and Tool Hosts to provide and host IMPACT data and tools.
  • Facilitate Researcher interaction with the ICC through a secure portal.
  • Review and approve organization affiliations for researchers and communicate regarding approval/rejection.
  • Manage the approval and administrative processes related to requests for IMPACT data and tools.
  • Execute appropriate legal documents (ToU or MoA) with approved Researchers to provide a legal foundation for use of the IMPACT data and tools.
  • Provide researchers with Data/Tool Host contact information to obtain access to the data/tools.
  • Maintain records of all access to data/tools by researchers.
  • Maintain the security of the IMPACT Portal according to industry standards.

Users of the IMPACT portal expect information to be readily available, accurate and safeguarded from unauthorized access. The ICC has established management, operational and technical controls to protect the IMPACT information and the automated information systems within the portal. Controls for granting, changing and terminating access to the IMPACT portal are essential to the security of the portal. Password-protected role-based accounts are the foundation of these controls. 

Role-Based Accounts

The IMPACT portal provides access to the content and functions of the portal via role-based accounts. The roles and associated portal access are described in Portal User Roles and Responsibilities. Users and their associated roles are identified by logging in with a valid user ID and password.

Password Standards

Passwords are used by the portal in conjunction with user IDs to uniquely identify individual users. Passwords may not be shared with, used by or disclosed to others. Generic or group passwords cannot be used. To preclude password guessing, an intruder lock-out feature will suspend accounts after five invalid attempts to log on. Manual action by the Portal Administrator is required to reactivate the account.

All user and system passwords, even temporary passwords set for new user accounts, have to meet the following criteria:

  • Be at least eight (8) characters in length (required);
  • Not contain any white space (spaces, tabs, etc.);
  • Use a combination of at least one upper case and one lower case letter.

Users should follow these password suggestions:

  • Do not use words found in a dictionary, including names, obscene words, phrases and well-known combinations (e.g., NLRB1234, attorney1, judge111, etc.).
  • Do not use reverse spellings of dictionary words.
  • Do not choose a name associated with you in any way (middle initial, wife's maiden name, pet's name, child's name, your favorite team's name, films, etc.)
  • Do not use words from any religious text.
  • Do not use biological terms.
  • Do not use portions of a user name in a password.
  • Do not write down your password.
  • Do not share a common password between computers or applications.
  • Do not send your password via email.
  • Do not use simple keyboard patterns.
  • Use at least two special-use characters.
  • Change password frequently.
  • Never give the password to anyone.

Users are required to select a new password immediately after their initial log in.

Passwords must not be embedded in automated programs, utilities or applications, such as: autoexec.bat files, batch job files or terminal hot keys.

Passwords must not be visible on a screen, hard copy or in any other output device.

Administrative account passwords will be changed promptly upon the departure (voluntary or involuntary) of administrative personnel or the suspected compromise of the password. User accounts will be disabled promptly upon departure of personnel (voluntary or involuntary) and accounts will be terminated.

Users should immediately change their password if they suspect it has been compromised.

Text Inputs

The IMPACT Portal restricts text inputs based on whether the user is authenticated. If the user is not authenticated, all input text is tested against a character white list:

  • Date Field: The portal will only allow these characters: 0-9/:
  • Data Entry: The portal will only allow these characters: a-Z,0-9,._+`~!@#$^()+=\(space).

All text inputs, regardless of authentication status, will be HTML decoded iteratively and checked for a number of SQL and HTML keywords.

All string fields read out of the database will be passed into the Microsoft.Security.Application.Encoder.HtmlEncode method (aka "Anti-XSS").
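The following sketch illustrates the three input controls described above. It is an added example, not the portal's own code (the portal is a .NET application, and this is Python). The keyword list, the round limit, the function names and the reading of "a-Z" as a-z plus A-Z are assumptions.

```python
import html
import re

# Whitelists as stated in the policy. "a-Z" is read here as a-z plus A-Z and
# the commas as list separators (both are assumptions).
DATE_OK = re.compile(r"[0-9/:]*")
DATA_OK = re.compile(r"[A-Za-z0-9._+`~!@#$^()=\\ ]*")

# Constructed sample list; the policy does not publish its keyword list.
KEYWORDS = re.compile(
    r"<\s*script|javascript:|\bunion\s+select\b|\bdrop\s+table\b", re.I)

MAX_ROUNDS = 10  # assumed bound so deeply nested encodings are rejected


def decode_fully(text):
    """HTML-decode repeatedly until the text stops changing."""
    for _ in range(MAX_ROUNDS):
        decoded = html.unescape(text)
        if decoded == text:
            return text
        text = decoded
    raise ValueError("input is encoded too deeply")


def check_input(text, field="data", authenticated=False):
    """Return (accepted, reason) for one submitted value."""
    try:
        decoded = decode_fully(text)
    except ValueError as exc:
        return False, str(exc)
    # The keyword check runs on the fully decoded form for every user.
    if KEYWORDS.search(decoded):
        return False, "keyword"
    # The character whitelist applies only to unauthenticated users.
    if not authenticated:
        allowed = DATE_OK if field == "date" else DATA_OK
        if not allowed.fullmatch(text):
            return False, "character"
    return True, "ok"


def encode_for_output(value):
    """Stand-in for the HtmlEncode step applied to database strings."""
    return html.escape(value, quote=True)
```

A single decoding pass over `&amp;lt;script&amp;gt;` yields `&lt;script&gt;`, which contains no literal `<script`; only the second pass exposes the keyword, which is why the decoding is iterative.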

Compliance

All IMPACT users are required to operate within the guidelines of portal security. Any violation of the security policy by a user will result in the immediate termination of that user's account on the portal and may affect their access to IMPACT data or participation in the IMPACT project.

AGREEMENT BETWEEN USER AND IMPACT

The IMPACT Web Site is composed of various Web pages operated by IMPACT.

The IMPACT Web Site is offered to you conditioned on your acceptance without modification of the terms, conditions and notices contained herein. Your use of the IMPACT Web Site constitutes your agreement to all such terms, conditions, and notices.

MODIFICATION OF THESE TERMS OF USE

IMPACT reserves the right to change the terms, conditions and notices under which the IMPACT Web Site is offered, including but not limited to the charges associated with the use of the IMPACT Web Site.

LINKS TO THIRD PARTY SITES

The IMPACT Web Site may contain links to other Web Sites ("Linked Sites"). The Linked Sites are not under the control of IMPACT and IMPACT is not responsible for the contents of any Linked Site, including without limitation any link contained in a Linked Site, or any changes or updates to a Linked Site. IMPACT is not responsible for webcasting or any other form of transmission received from any Linked Site. IMPACT is providing these links to you only as a convenience, and the inclusion of any link does not imply endorsement by IMPACT of the site or any association with its operators.

NO UNLAWFUL OR PROHIBITED USE

As a condition of your use of the IMPACT Web Site, you warrant to IMPACT that you will not use the IMPACT Web Site for any purpose that is unlawful or prohibited by these terms, conditions and notices. You may not use the IMPACT Web Site in any manner that could damage, disable, overburden or impair the IMPACT Web Site or interfere with any other party's use and enjoyment of the IMPACT Web Site. You may not obtain or attempt to obtain any materials or information through any means not intentionally made available or provided for through the IMPACT Web Sites.

MATERIALS PROVIDED TO IMPACT OR POSTED AT ANY IMPACT WEB SITE

IMPACT does not claim ownership of the materials you provide to IMPACT (including feedback and suggestions) or post, upload, input or submit through the IMPACT Web Site (collectively "Submissions"). However, by posting, uploading, inputting, providing or submitting your Submissions, you are granting IMPACT permission to use your Submissions in connection with the operation of IMPACT operations, including, without limitation, the rights to: copy, distribute, transmit, publicly display, publicly perform, reproduce, edit, translate and reformat your Submission; and to publish your name in connection with your Submission.

No compensation will be paid with respect to the use of your Submission, as provided herein. IMPACT is under no obligation to post or use any Submission that you may provide and may remove any Submission at any time in IMPACT's sole discretion.

By posting, uploading, inputting, providing or submitting your Submission you warrant and represent that you own or otherwise control all of the rights to your Submission as described in this section including, without limitation, all the rights necessary for you to provide, post, upload, input or submit the Submissions.

LIABILITY DISCLAIMER

THE INFORMATION, SOFTWARE, AND SERVICES INCLUDED IN OR AVAILABLE THROUGH THE IMPACT WEB SITE MAY INCLUDE INACCURACIES OR TYPOGRAPHICAL ERRORS. CHANGES ARE PERIODICALLY ADDED TO THE INFORMATION HEREIN. IMPACT MAY MAKE IMPROVEMENTS AND/OR CHANGES IN THE IMPACT WEB SITE AT ANY TIME.

IMPACT MAKES NO WARRANTY OR REPRESENTATIONS ABOUT THE SUITABILITY, RELIABILITY, AVAILABILITY, TIMELINESS, AND ACCURACY OF THE INFORMATION, SOFTWARE, SERVICES AND RELATED GRAPHICS CONTAINED ON THE IMPACT WEB SITE FOR ANY PURPOSE. IMPACT HEREBY DISCLAIMS ALL WARRANTIES AND CONDITIONS WITH REGARD TO THIS INFORMATION, SOFTWARE, SERVICES AND RELATED GRAPHICS, INCLUDING ALL IMPLIED WARRANTIES OR CONDITIONS OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE AND NON-INFRINGEMENT.

TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, IN NO EVENT SHALL IMPACT BE LIABLE FOR ANY DIRECT, INDIRECT, PUNITIVE, INCIDENTAL, SPECIAL, CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF USE, DATA OR PROFITS, ARISING OUT OF OR IN ANY WAY CONNECTED WITH THE USE OR PERFORMANCE OF THE IMPACT WEB SITE, WITH THE DELAY OR INABILITY TO USE THE IMPACT WEB SITE OR RELATED SERVICES, THE PROVISION OF OR FAILURE TO PROVIDE SERVICES, OR FOR ANY INFORMATION, SOFTWARE, PRODUCTS, SERVICES AND RELATED GRAPHICS OBTAINED THROUGH THE IMPACT WEB SITE, OR OTHERWISE ARISING OUT OF THE USE OF THE IMPACT WEB SITE, WHETHER BASED ON CONTRACT, TORT, NEGLIGENCE, STRICT LIABILITY OR OTHERWISE, EVEN IF IMPACT HAS BEEN ADVISED OF THE POSSIBILITY OF DAMAGES. BECAUSE SOME STATES/JURISDICTIONS DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES, THE ABOVE LIMITATION MAY NOT APPLY TO YOU. IF YOU ARE DISSATISFIED WITH ANY PORTION OF THE IMPACT WEB SITE, OR WITH ANY OF THESE TERMS OF USE, YOUR SOLE AND EXCLUSIVE REMEDY IS TO DISCONTINUE USING THE IMPACT WEB SITE.

SERVICE CONTACT: IMPACT-contact@rti.org.

TERMINATION/ACCESS RESTRICTION

IMPACT reserves the right, in its sole discretion, to terminate your access to the IMPACT Web Site and the related services or any portion thereof at any time, without notice. To the maximum extent permitted by law, this agreement is governed by the laws of the State of North Carolina U.S.A. You agree that no joint venture, partnership, employment, or agency relationship exists between you and IMPACT as a result of this agreement or use of the IMPACT Web Site. If any part of this agreement is determined to be invalid or unenforceable pursuant to applicable law including, but not limited to, the warranty disclaimers and liability limitations set forth above, then the invalid or unenforceable provision will be deemed superseded by a valid, enforceable provision that most closely matches the intent of the original provision and the remainder of the agreement shall continue in effect. Unless otherwise specified herein, this agreement constitutes the entire agreement between the user and IMPACT with respect to the IMPACT Web Site. A printed version of this agreement and of any notice given in electronic form shall be admissible in judicial or administrative proceedings based upon or relating to this agreement to the same extent and subject to the same conditions as other business documents and records originally generated and maintained in printed form. It is the express wish of the parties that this agreement and all related documents be drawn up in English.

COPYRIGHT AND TRADEMARK NOTICES:

All contents of the IMPACT Web Site are: Copyright 2017 ImpactCyberTrust.org, with the exception of intellectual property rights associated with papers or documents available through the IMPACT Web Site that are owned by other parties. All rights reserved.