Level 2
Description:
System use notifications can be implemented using messages or warning banners displayed before individuals log in to organizational systems. System use notifications are used only for access via logon interfaces with human users and are not required when such human interfaces do not exist. Based on a risk assessment, organizations consider whether a secondary system use notification is needed to access applications or other system resources after the initial network logon. Where necessary, posters or other printed materials may be used in lieu of an automated system banner. Organizations consult with the Office of General Counsel for legal review and approval of warning banner content.
Priority: High
Domain: ACCESS CONTROL (AC)
Services Associated with AWS:
- AWS Identity and Access Management (IAM)
Services Associated with Azure:
- Azure Active Directory (Azure AD)
- Azure App Service
- Azure Virtual Machines
- Azure Security Center
- Azure Sentinel
- Azure Key Vault
- Azure Storage
- Azure SQL Database
- Azure Cosmos DB
- Azure Event Hubs
- Azure Service Bus
- Azure Cognitive Services
- Azure Machine Learning
- Azure Data Factory
- Azure Databricks
- Azure Synapse Analytics
- Azure Kubernetes Service (AKS)
- Azure Container Instances
- Azure DevOps
- Azure Media Services
- Azure Content Delivery Network (CDN)
- Azure Firewall
- Azure Virtual Network (VNet)
- Azure Backup
- Azure Site Recovery
- Azure Front Door
Objective Evidence:
- Administrative: documented policies, standards & procedures
- Administrative: documented data classification scheme
- Technical: screenshot of privacy / security notice(s)
Possible Technology Considerations:
- Data Classification Scheme
What needs to be answered:
Are users notified, either on computers or in an employee policy, how to handle CUI?
Checks for AWS
- Ensure Consistent Display of Privacy and Security Notices
Description: This check verifies that privacy and security notices are displayed before individuals log in to organizational systems, in compliance with CUI rules.
- Validate System Use Notifications for Different Access Levels
Description: This check ensures that, based on a risk assessment, secondary system use notifications are displayed when necessary to access applications or other system resources after the initial network logon.
- Confirm Use of Printed Materials for System Use Notification
Description: Where necessary, this check confirms that posters or other printed materials are used in lieu of an automated system banner to provide privacy and security notices.
- Ensure Legal Approval of Warning Banner Content
Description: This check verifies that the content of warning banners and other system use notifications has been reviewed and approved by the organization's Office of General Counsel.
Checks for Azure
- Ensure Display of Privacy and Security Notices
Description: This policy check verifies that privacy and security notices are consistently displayed to users before they log in to Azure systems. These notices inform users about their responsibilities, handling of sensitive information such as CUI, and the organization's policies regarding system use and security.
- Validate System Use Notifications for Different Access Levels
Description: This policy check ensures that, based on a risk assessment, appropriate system use notifications are provided to users at different access levels within Azure. These notifications may be required when accessing specific applications or system resources beyond the initial network logon, providing additional information or warnings relevant to the specific access context.
- Confirm Use of Printed Materials for System Use Notification
Description: This policy check verifies that, if necessary, organizations use printed materials such as posters or other physical displays as a means of conveying system use notifications and privacy/security notices to users in Azure. These materials serve as alternative options when automated system banners are not feasible or appropriate.
- Ensure Legal Approval of Warning Banner Content
Description: This policy check ensures that the content of warning banners, system use notifications, and privacy/security notices in Azure has undergone legal review and approval by the organization's Office of General Counsel. This ensures that the content aligns with legal requirements and protects the organization's interests.
More Details: Company developers undergo training regarding handling CUI-containing systems.