Description:
System use notifications can be implemented using messages or warning banners displayed before individuals log in to organizational systems. System use notifications are used only for access via logon interfaces with human users and are not required when such human interfaces do not exist. Based on a risk assessment, organizations consider whether a secondary system use notification is needed to access applications or other system resources after the initial network logon. Where necessary, posters or other printed materials may be used in lieu of an automated system banner. Organizations consult with the Office of General Counsel for legal review and approval of warning banner content.
Priority: High
Category: Personnel Security
Services Associated with AWS:
AWS Identity and Access Management (IAM)
Objective Evidence:
- Administrative: documented policies, standards & procedures
- Administrative: documented data classification scheme
- Technical: screen shot of privacy / security notice(s)
Possible Technology Considerations:
- Data Classification Scheme
What needs to be answered:
Are users notified either on computers or in an employee policy how to handle CUI?
- Ensure Consistent Display of Privacy and Security Notices
Description: This check verifies that privacy and security notices are displayed before individuals log in to organizational systems, in compliance with CUI rules.
- Validate System Use Notifications for Different Access Levels
Description: This check ensures that, based on a risk assessment, secondary system use notifications are displayed when necessary to access applications or other system resources after the initial network logon.
- Confirm Use of Printed Materials for System Use Notification
Description: Where necessary, this check confirms that posters or other printed materials are used in lieu of an automated system banner to provide privacy and security notices.
- Ensure Legal Approval of Warning Banner Content
Description: This check verifies that the content of warning banners and other system use notifications has been reviewed and approved by the organization's Office of General Counsel.
More details: Company developers undergo training regarding handling CUI-containing systems.