AC-08-727 System Use Notification

System Use Notification

AC-08-727
System Use Notification
Access Control
Protect
Identification and Authentication
LOW, MOD, HIGH
P1
Yes
August 5, 2016

The mandated system notification message (banner) for all Agency-owned information resources as of April 1, 2017 shall read as shown below:

TITLE: STATE OF TEXAS SYSTEM USE NOTIFICATION

This is a State of Texas information system. Unauthorized use is prohibited and subject to criminal and civil penalties. Use indicates no expectation of privacy except as provided by law and consent to security monitoring, recording, auditing, and testing.

Unauthorized users log on to information systems.
The information system: a. Displays to users [Assignment: organization-defined system use notification message or banner] before granting access to the system that provides privacy and security notices consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance and states that: 1. Users are accessing a U.S. Government information system; 2. Information system usage may be monitored, recorded, and subject to audit; 3. Unauthorized use of the information system is prohibited and subject to criminal and civil penalties; and 4. Use of the information system indicates consent to monitoring and recording; b. Retains the notification message or banner on the screen until users acknowledge the usage conditions and take explicit actions to log on to or further access the information system; and c. For publicly accessible systems: 1. Displays system use information [Assignment: organization-defined conditions], before granting further access; 2. Displays references, if any, to monitoring, recording, or auditing that are consistent with privacy accommodations for such systems that generally prohibit those activities; and 3. Includes a description of the authorized uses of the system.
Organizational information systems should display an accepted system use notification message or banner before granting access to the information system.
System Identification/Logon Banner. System identification/logon banners shall have warning statements that include the following topics: - Unauthorized use is prohibited; - Usage may be subject to security testing and monitoring; - Misuse is subject to criminal prosecution; and - Users have no expectation of privacy except as otherwise provided by applicable privacy laws.
Obtain access control policy; privacy and security policies; procedures addressing system use notification; information system notification messages; information system configuration settings and associated documentation; other relevant documents or records and ascertain if (I) the information system displays a system use notification message before granting system access informing potential users: - that the user is accessing a U.S. Government information system; - that system usage may be monitored, recorded, and subject to audit; - that unauthorized use of the system is prohibited and subject to criminal and civil penalties; and - that use of the system indicates consent to monitoring and recording; (ii) the system use notification message provides appropriate privacy and security notices (based on associated privacy and security policies or summaries); (iii) the organization approves the information system use notification message before its use; and (iv) the system use notification message remains on the screen until the user takes explicit actions to log on to the information system.