| |
|
| Issued Under Authority of |
UM Information Security Policy |
| Responsible Office |
UM Information Security Office |
| Category |
Technology and Platform Security |
IN PLAIN LANGUAGE
Before you log into a University system, you'll often see a notice reminding you that the system is for authorized use only, that your activity may be monitored, and that use of the system means you agree to follow University policy. This standard requires those notices — called logon banners — to be displayed on University-owned and managed systems wherever technically feasible. They serve an important legal and security function by establishing clear notice of monitoring and authorized use expectations before access is granted.
1. Purpose
The purpose of this Standard is to establish requirements for logon notification banners on University of Montana information systems. Logon banners provide notice of authorized use, monitoring, and acceptable behavior, and support the University's ability to protect information systems, investigate security incidents, and enforce information security policies.
This Standard supports the University's Information Security Program and aligns with the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) 2.0.
2. Scope
This Standard applies to:
- University-owned or University-managed information systems
- Systems that require user authentication, including servers, endpoints, applications, and network devices
- On-premises, cloud-hosted, and third-party-managed systems used for University business
This Standard applies to digital systems and does not govern physical signage or non-digital access controls.
3. Logon Banner Requirements
3.1 General Requirement
Information systems that support logon banners must display an approved University logon notification banner prior to granting access.
The banner must:
- Notify users that the system is for authorized use only
- State that activity may be monitored, recorded, and reviewed
- Indicate that use of the system constitutes consent to monitoring and compliance with University policy
3.2 Approved Banner Content
The standard logon notification banner text is:
This computer system is the property of the University of Montana System. It is intended for authorized use only. By accessing this system, users acknowledge and agree to comply with University of Montana policies, including the Acceptable Use of Technology Resources Policy. Use of this system may be monitored, recorded, and reviewed. Unauthorized use is prohibited and may result in disciplinary action or legal consequences.
Minor formatting differences may be permitted where technical limitations exist, provided the intent and content of the notice are preserved.
4. Responsibilities
4.1 Information Technology Organizations
UM IT, UM System IT, and Distributed IT are responsible for:
- Implementing logon banners on systems under their management where technically feasible
- Ensuring banners remain present and unaltered during system configuration changes
4.2 Information Security Office
The Information Security Office is responsible for:
- Maintaining approved logon banner language
- Advising on banner implementation and exceptions
- Reviewing compliance as part of security assessments
5. Exceptions
Exceptions to this Standard may be granted when:
- Technical limitations prevent implementation of a logon banner
- Compensating controls provide equivalent notice and protection
All exceptions must be documented and approved by the CISO or designee.
6. Enforcement
Failure to implement or maintain required logon banners may increase institutional risk and may result in corrective action consistent with University policy.
7. Review and Maintenance
This Standard must be reviewed at least annually and updated as necessary to reflect changes in law, policy, or institutional needs.
8. References
- UM Information Security Policy
- UM Account Security Standard
- UM Audit Log Management Standard
- UM Incident Response Standard
- UM Acceptable Use of Technology Resources Policy
- NIST Cybersecurity Framework (CSF) 2.0