3.1.9 has a weight of -1 points

(Access Control Family) 9/22

Provide privacy and security notices consistent with applicable CUI rules.

Example of System Security Plan (SSP):

1. The organization displayed messages or warning banners before users logged into the organization’s systems, providing important information or reminders.
2. The use of notifications was limited to when users interacted directly with the systems, ensuring they were not displayed when there were no human interfaces.
3. The need for additional notifications for accessing specific applications or resources after logging in was assessed, taking into account the associated risks.
4. Based on the evaluation, the organization decided whether extra notifications were necessary and implemented them accordingly.
5. Alternative options, such as using posters or printed materials, were explored and considered as viable alternatives to automated system banners when they effectively served the purpose.
6. If appropriate, the organization implemented the use of posters or printed materials to convey system use notifications in addition to or instead of automated banners.

Example of Plan of Action and Milestones (POA&M):

Milestone 1: Displaying Messages or Warning Banners
Task 1: Display messages or warning banners before users log into the organization’s systems, providing important information or reminders.
Task 2: Ensure that these messages are displayed only when users interact directly with the systems and not when there are no human interfaces.
Task 3: Implement mechanisms to control the timing and content of the messages or banners.
Completion date: November 30, 2023.

Milestone 2: Assessing the Need for Additional Notifications
Task 1: Evaluate the need for additional notifications when accessing specific applications or resources after logging in, considering the associated risks.
Task 2: Analyze the importance of conveying specific information or reminders to users during application/resource access.
Task 3: Determine whether additional notifications are necessary based on the evaluation.
Completion date: December 15, 2023.

Milestone 3: Implementation of Extra Notifications
Task 1: Implement extra notifications if deemed necessary based on the evaluation from Milestone 2.
Task 2: Configure systems to display specific notifications or reminders during application/resource access, considering the associated risks.
Task 3: Ensure that the content and timing of these notifications align with organizational requirements and best practices.
Completion date: January 31, 2024.

Milestone 4: Exploration of Alternative Options
Task 1: Explore alternative options, such as using posters or printed materials, as viable alternatives to automated system banners.
Task 2: Consider the effectiveness of posters or printed materials in conveying system use notifications and reminders.
Task 3: Assess the feasibility and practicality of using alternative options based on the organization’s specific context.
Completion date: February 28, 2024.

Milestone 5: Implementation of Alternative Options
Task 1: If appropriate, implement the use of posters or printed materials to convey system use notifications in addition to or instead of automated banners.
Task 2: Design and distribute posters or printed materials that effectively communicate important information or reminders.
Task 3: Ensure that the use of alternative options aligns with organizational requirements and complements the automated system banners.

RELEVANT INFORMATION:

System use notifications can be implemented using messages or warning banners displayed before individuals log in to organizational systems. System use notifications are used only for access via logon interfaces with human users and are not required when such human interfaces do not exist. Based on a risk assessment, organizations consider whether a secondary system use notification is needed to access applications or other system resources after the initial network logon. Where necessary, posters or other printed materials may be used in lieu of an automated system banner. Organizations consult with the Office of General Counsel for legal review and approval of warning banner content.

Explanation

When it comes to system use notifications, you want to provide messages or warning banners that are shown to individuals before they log in to your organization’s systems. These notifications serve as reminders or warnings about the acceptable use of the systems and the privacy and security policies that users must adhere to. It’s important to note that these notifications only need to be implemented where individuals interact with the systems directly, such as when they log in or access specific applications. If there are systems or interfaces that do not involve human users, you don’t need to display these notifications there. In simpler terms, this step is about showing messages or banners to people before they log in to your systems, reminding them of the rules and policies they need to follow. However, if there are systems without human interfaces, you don’t need to show these notifications there.
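The following script is an added example, not part of this page or of any assessment tool, showing how an assessor might verify the two points above on a Linux host: the pre-logon banner must be present on each human logon interface (console and SSH), while a post-logon notice is a separate, risk-based decision. It assumes the console banner lives in /etc/issue, the SSH banner is set with the OpenSSH sshd_config `Banner` directive, and the post-logon notice is /etc/motd; the file paths are passed as arguments so the checks run here against constructed sample files rather than the live host.

```shell
#!/bin/sh
# Added example (not from this page): audit a Linux host's system use
# notifications. Assumptions: console logon banner in /etc/issue, SSH
# banner via the OpenSSH sshd_config "Banner" directive, optional
# post-logon notice in /etc/motd. Paths are parameters so the functions
# can be exercised against constructed sample files.

# A banner file counts as present only if it exists and is non-empty.
banner_file_ok() {
    [ -s "$1" ]
}

# Pass if sshd_config has an uncommented Banner directive that points at a
# non-empty file. "Banner none" is OpenSSH's way of disabling the banner.
sshd_banner_ok() {
    cfg="$1"
    # First uncommented Banner line wins; Match blocks are not parsed here.
    banner=$(sed -n 's/^[[:space:]]*Banner[[:space:]]\{1,\}//p' "$cfg" | head -n 1)
    [ -n "$banner" ] || return 1
    [ "$banner" != "none" ] || return 1
    banner_file_ok "$banner"
}

# Report on the pre-logon (required) and post-logon (risk-based) notices.
# Prints one line per interface; returns 1 if a pre-logon banner is missing.
audit_banners() {
    issue="$1"; sshd_cfg="$2"; motd="$3"
    status=0
    if banner_file_ok "$issue"; then
        echo "console pre-logon banner: OK ($issue)"
    else
        echo "console pre-logon banner: MISSING ($issue)"; status=1
    fi
    if sshd_banner_ok "$sshd_cfg"; then
        echo "ssh pre-logon banner: OK"
    else
        echo "ssh pre-logon banner: MISSING (no usable Banner in $sshd_cfg)"; status=1
    fi
    # /etc/motd is shown only after authentication, so it is a secondary
    # notification and never a substitute for the pre-logon banner.
    if banner_file_ok "$motd"; then
        echo "post-logon notice: present ($motd)"
    else
        echo "post-logon notice: none ($motd)"
    fi
    return $status
}

# Constructed sample files so the script runs offline. On a real host you
# would pass /etc/issue, /etc/ssh/sshd_config and /etc/motd instead.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
printf 'Authorized use only. Activity may be monitored and recorded.\n' > "$tmp/issue"
printf 'Port 22\nBanner %s\nPermitRootLogin no\n' "$tmp/issue" > "$tmp/sshd_config.good"
printf 'Port 22\n#Banner /etc/issue.net\nBanner none\n' > "$tmp/sshd_config.bad"
: > "$tmp/motd"   # empty: no post-logon notice configured

audit_banners "$tmp/issue" "$tmp/sshd_config.good" "$tmp/motd"
```

The "good" configuration passes even though the post-logon notice is absent, matching the text: the secondary notification is decided by risk assessment, while the pre-logon banner on each human interface is what the requirement actually demands. The "bad" configuration fails because a commented-out directive followed by `Banner none` leaves SSH users with no notice before authentication.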

Resources to consider:

Security Policy Document:

This comprehensive document outlines the organization’s security policies and procedures, including information system access controls and the specific measures implemented, such as password protection, multi-factor authentication, and device access controls. It should also cover consequences of unauthorized access and the importance of user training and awareness.

Asset Inventory and Access Control Sheet:

Create a spreadsheet that lists all information system resources in your organization, such as laptops, desktops, servers, network devices, printers, scanners, mobile devices, and paper documents. Alongside each resource, include information about authorized users, access rights, and any access restrictions.

User Account Management Log:

Maintain a log to track user account creation, modification, and removal. Include details like the date of account creation, purpose, and the individual responsible for approving the account.

Password and Multi-Factor Authentication Policy:

Combine the password policy and multi-factor authentication policy into a single document. Outline the organization’s password requirements, including complexity, length, expiration, and regular password change, as well as the implementation of multi-factor authentication for an extra layer of security.

Process and Script Accountability Log:

Maintain a log that associates automated scripts and processes with the specific authorized user who initiated them. This ensures accountability and prevents the use of generic accounts for critical processes.

Device Access Control and VPN Policy:

Merge the device access control and VPN configuration documents into a single policy. Detail the measures for controlling device access, authentication mechanisms, and VPN configuration, including which devices are allowed to connect and the authentication methods used.

Access Control Review and Monitoring Schedule:

Create a schedule for periodic reviews of access controls, including the process for adding, modifying, or revoking access rights based on personnel changes or business needs. Also, document the monitoring mechanisms implemented to track access to the information system, including logs and reports of access attempts and unusual activities.

User Training and Awareness Materials:

Prepare training materials and conduct regular sessions for authorized users. Document the topics covered, the date of the training, and the attendees.