Department of Information Systems
Information handled by computer systems must be adequately protected against unauthorized modification, disclosure, or destruction. Warning banners are necessary at all access points in the event an organization wishes to prosecute an unauthorized user.
This standard statement applies to all state agencies, boards, commissions and institutions of higher education.
The Arkansas Information Systems Act of 1997 (Act 914, 1997) gives the Office of Information Technology the authority to define standards, policies and procedures to manage the information resources within the state. This is accomplished through work with a multi-agency working group known as the Shared Technical Architecture Team.
In addition, Act 1042 of 2001 states that the Executive Chief Information Officer oversees the development of information technology security policy for state agencies.
4.1 Arkansas State Government Information Resources Security Policy Guidelines
4.2 Act 914 of 1997: Authorized the Office of Information Technology (OIT) to develop statewide policies.
4.3 Act 1042 of 2001: Authorized the Executive CIO to develop security policy.
5.1 Warning banners are required on all access points. The banner shall warn authorized and unauthorized users:
1) about what is considered the proper use of the system
2) that the system may be monitored to detect improper use and other illicit activity
3) that there is no expectation of privacy while using the system
4) of the penalties for noncompliance.
The agency shall be able to demonstrate compliance.
None
8.1 Warning banner: A warning banner is verbiage that a user sees or is referred to at the point of access to a system which sets the right expectations for users regarding acceptable use of a computer system and its resources, data, and network access capabilities. These expectations include notice of authorized monitoring of users' activities while they are using the system, and warnings of legal sanctions should the authorized monitoring reveal evidence of illegal activities or a violation of security policy.
8.2 Access points: Points of access at logon to a computer system.
Sample warning banners:
Navy AIS warning banner: http://www.nswc.navy.mil/ISSEC/Guidance/warning.banner.html
NIST sample banner: http://csrc.nist.gov/fasp/FASPDocs/logaccess-control/WARNINGbanner-nlb.doc
Information handled by computer systems must be adequately protected against unauthorized modification, disclosure, or destruction.
Warning banners are necessary at all access points in the event an organization wishes to prosecute an unauthorized user.
Warnings are a positive step towards providing adequate notice as to the obligations and responsibilities relating to the use of the server and networking environments. If a person is known to have seen the warnings, they cannot subsequently claim ignorance of their responsibilities.
Warning banners are required on all computer access points. The banner shall warn authorized and unauthorized users:
About what is considered the proper use of the system;
That the system may be monitored to detect improper use and other illicit activity;
That there is no expectation of privacy while using the system;
Of the penalties for noncompliance.
The prosecution of an individual in a criminal case must show that the individual's actions were intentional in nature. It would be extremely difficult for anyone to argue that an individual's actions were by accident if they had to go past a warning on the target system or throughout the network.
In the event an organization wants to monitor a user's activity on state owned systems, the user must be warned prior to the monitoring. A warning banner provides this warning.
The user should be required to acknowledge some form of compliance prior to accessing resources. In the event that a system or appliance does not support or have pre-login capabilities, the system or appliance should display the banner immediately following authorization.
Lastly, if the system cannot display a banner at all, place a clearly visible printed banner in common areas where users may access the system and its environments.
**WARNING**WARNING**WARNING**
This is a {Your Agency Here} computer system, which may be accessed and used only for official Government business by authorized personnel. Unauthorized access or use of this computer system may subject violators to criminal, civil, and/or administrative action.
Any information on this computer system may be intercepted, recorded, read, copied, and disclosed by and to authorized personnel for official purposes, including criminal investigations. Access or use of this computer system by any person whether authorized or unauthorized, constitutes consent to these terms.
**WARNING**WARNING**WARNING**
If you have questions about the Warning Banner standard, please contact:
Arkansas State Security Office
http://www.dis.arkansas.gov/security/index.htm
If you have technical questions about warning banners, please contact:
Your Network Administrator / Information Technology Support Staff