RULE 200.00.03-004 - Warning Banner for State IT Systems

RULE 200.00.03-004. Warning Banner for State IT Systems

1.0 Purpose

Information handled by computer systems must be adequately protected against unauthorized modification, disclosure, or destruction. Warning banners are necessary at all access points in the event an organization wishes to prosecute an unauthorized user.

2.0 Scope

This standard statement applies to all state agencies, boards, commissions and institutions of higher education.

3.0 Background

The Arkansas Information Systems Act of 1997 (Act 914, 1997) gives the Office of Information Technology the authority to define standards, policies and procedures to manage the information resources within the state. This is accomplished through work with a multi-agency working group known as the Shared Technical Architecture Team

In addition, Act 1042 of 2001 states that the Executive Chief Information Officer oversee the development of information technology security policy for state agencies.

4.0 References

4.1 Arkansas State Government Information Resources Security Policy Guidelines

4.2 Act 914 of 1997: Authorized the Office of Information Technology (OIT) to develop statewide policies.

4.3 Act 1042 of 2001: Authorized the Executive CIO to develop security policy.

5.0 Standard

5.1 Warning banners are required on all access points. The banner shall warn authorized and unauthorized users

1) about what is considered the proper use of the system,

2) that the system may be monitored to detect improper use and other illicit activity,

3) that there is no expectation of privacy while using the system,

4) of the penalties for noncompliance.

6.0 Procedures

The agency shall be able to demonstrate compliance.

7.0 Revision History

Date

Description of Change

12/14/2003

Original Standard Statement Published

     
     

8.0 Definitions

8.1 Warning banner:

A warning banner is verbiage that a user sees or is referred to at the point of access to a system which sets the right expectations for users regarding acceptable use of a computer system and its resources, data, and network access capabilities. These expectations include notice of authorized monitoring of users' activities while they are using the system, and warnings of legal sanctions should the authorized monitoring reveal evidence of illegal activities or a violation of security policy.

8.2 Access points:

Points of access at logon to a computer system.

9.0 Related Resources

Sample warning banners:

Navy AIS warning banner: http://www.nswc.navy.mil/ISSEC/Guidance/warning.banner.html

NIST sample banner: http://csrc.nist.gov/fasp/FASPDocs/logaccess-control/WARNINGbanner-nlb.doc

10.0 Inquiries

Direct inquiries about this standard to:

Office of Information Technology Shared Technical Architecture

124 W. Capitol Ave., Suite 200

Little Rock, AR 72201

Voice: 501-682-4300

FAX: 501-682-2040

Email: ITarch@mail.state.ar.us

OIT policies can be found on the Internet at:

http://www.techarch.state.ar.us/

(12/9/2003)

The following state regulations pages link to this page.