Logging On and Logging Off Computer Resources

Number: ENT-SEC-072

Established for: State of Montana Information Technology Enterprise

Steve Bender, Acting Director
Department of Administration
Jeff Brandt, Acting Chief Information Officer
Information Technology Services Division
Department of Administration
October 2004

Policy - Requirements

SCOPE

This policy applies to all state employees and state contractors using a state computer. This policy does not apply to public access computers.

REQUIREMENTS

State entities must provide for the security of their data and information resources. Access to these resources must be controlled by: users properly logging on and off the network, users not using another employee's UserID, and users having only one simultaneous connection on the network. Agency Security Contacts should document exceptions to simultaneous connections if they are needed.

All users must be positively identified prior to being able to use any state computer resource. Positive identification involves both a UserID and a password which are unique to the individual.

All state computers used by a state employee or state contractor must have a warning banner displayed at all access points. This banner must warn authorized and unauthorized users of the following:

  • what is considered the proper use of the system,
  • that the system is being monitored to detect improper use and other illicit activity, and
  • that there is no expectation of privacy while using the system.

SAMPLE WARNING BANNER

This computer is the property of the State of Montana and subject to the appropriate use policies located at: http://itsd.mt.gov/policy/itpolicy.asp. Unauthorized use is a violation of 45-6-311, MCA. This computer system, including all related equipment, networks, and network devices, is provided only for authorized state government use. Any or all uses of this system and all files on this system may be intercepted, monitored, recorded, copied, audited, inspected, and disclosed to authorized personnel. By using this system, the user consents to such interception, monitoring, recording, copying, auditing, inspection, and disclosure at the discretion of authorized personnel. Unauthorized or improper use of this system may result in administrative disciplinary action and civil and criminal penalties. By continuing to use this system, you indicate your awareness of and consent to these terms and conditions of use. Log off immediately if you do not agree to the conditions stated in this warning.

Users leaving their computers unattended for 15 minutes or longer must either log off the network or have the screen protected with a password.

Background - History on the creation of or changes to this policy

This policy was created by the NetWare Managers Group Policy Committee. It was updated in September, 2000 by the State Information Security Manager. This policy was then updated in March, 2004 by the State Security Committee.

Guidelines - Recommendations, not requirements

When users leave work at the end of each day they must log off the network and power off their workstation(s). Exceptions to this guideline include workstations that must be left on to run nighttime jobs. In these cases, the monitor must have a password-protected screen saver to prevent unauthorized access.

All agency resources should be released (logged off) when not in use.

All entities that use the state's network that are not included within the scope of this policy are encouraged to adopt a similar policy.

References - Laws, rules, standard operating procedures and applicable policies

2-17-503, MCA; 2-15-114, MCA; 45-6-311, MCA; 1-0250.00, MOM, 01/96