Logon Banners Clause Samples

Logon Banners. Wherever possible, a “Logon Banner” shall be provided to summarise the requirements for access to a system which may be needed to institute legal action in case of any breach occurring. A suggested format for the text depending on national legal requirements could be: “Unauthorised access to this computer system may constitute a criminal offence”. Unattended Terminals. Users are to be automatically logged off the system if their terminals have been inactive for some predetermined period of time, or systems must activate a password protected screen saver after 15 minutes of inactivity, to prevent an attacker making use of an unattended terminal. Internet Connections. Computer systems shall not be connected direct to the Internet or “untrusted‟ systems unless protected by a firewall (a software based personal firewall is the minimum) which is acceptable to the SSRO‟s Senior Information Risk Officer.

Logon Banners. Wherever possible, a “Logon Banner” shall be provided to summarise the requirements for access to a system which may be needed to institute legal action in case of any breach occurring. A suggested format for the text depending on national legal requirements could be: “Unauthorised access to this computer system may constitute a criminal offence”. Unattended Terminals. Users are to be automatically logged off the system if their terminals have been inactive for some predetermined period of time, or systems must activate a password protected screen saver after 15 minutes of inactivity, to prevent an attacker making use of an unattended terminal. Internet Connections. Computer systems shall not be connected direct to the Internet or “untrusted‟ systems unless protected by a firewall (a software based personal firewall is the minimum) which is acceptable to the SSRO’s Senior Information Risk Officer. Disposal Before IT storage media (e.g. disks) are disposed of, an erasure product shall be used to overwrite the data. This is a more thorough process than deletion of files, which does not remove the data. Laptops Laptops holding any supplied or contractor generated Sensitive Information are to be encrypted using a Foundation Grade product or equivalent. Unencrypted laptops not on a secure site are to be recalled and only used or stored in an appropriately secure location until further notice or until approved full encryption is installed. Where the encryption policy cannot be met, a Risk Balance Case that fully explains why the policy cannot be complied with and the mitigation plan, which should explain any limitations on the use of the system, is to be submitted to the SSRO for consideration. Unencrypted laptops and drives containing personal data or Sensitive Information are not to be taken outside of secure sites. For the avoidance of doubt the term “drives” includes all removable, recordable media (e.g. memory sticks, compact flash, recordable optical media (e.g. CDs and DVDs), floppy discs and external hard drives. Any token, touch memory device or password(s) associated with the encryption package is to be kept separate from the machine whenever the machine is not in use, left unattended or in transit. Portable Communication and Information Systems (CIS) devices are not to be left unattended in any public location. They are not to be left unattended in any motor vehicles either in view or in the boot or luggage compartment at any time. When the vehicle is...