3.1.9—Access Control - Derived
>Control Description
>Discussion
System use notifications can be implemented using messages or warning banners displayed before individuals log in to organizational systems. System use notifications are used only for access via logon interfaces with human users and are not required when such human interfaces do not exist. Based on a risk assessment, organizations consider whether a secondary system use notification is needed to access applications or other system resources after the initial network logon.
Where necessary, posters or other printed materials may be used in lieu of an automated system banner. Organizations consult with the Office of General Counsel for legal review and approval of warning banner content.
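A defender assessing this control on a Unix-like host usually wants a repeatable check that the pre-login notification is actually wired up rather than a screenshot. The script below is an added example, not code from the original page: it verifies that an OpenSSH server configuration has a `Banner` directive pointing at a readable, non-empty file (sshd presents that file before authentication), and that a console banner file such as `/etc/issue` is non-empty. It assumes OpenSSH's `Banner` keyword and standard `/etc/issue` semantics; the file paths are parameters, and the sample configurations it builds in a temporary directory are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: audit pre-login system use notifications on a Unix-like host.
# Assumes OpenSSH (Banner directive, first uncommented occurrence wins) and a
# getty-style console banner file such as /etc/issue or /etc/issue.net.

# check_ssh_banner <sshd_config>
# Returns 0 when a Banner directive names a readable, non-empty file; 1 otherwise.
check_ssh_banner() {
    cfg="$1"
    [ -r "$cfg" ] || { echo "FAIL: cannot read $cfg"; return 1; }
    # sshd uses the first value it reads for a keyword; comments start with '#',
    # so "#Banner ..." has $1 == "#Banner" and is ignored by the match below.
    banner=$(awk 'tolower($1)=="banner" {print $2; exit}' "$cfg")
    if [ -z "$banner" ] || [ "$banner" = "none" ]; then
        echo "FAIL: no Banner directive in $cfg (no notice shown before SSH login)"
        return 1
    fi
    if [ ! -s "$banner" ]; then
        echo "FAIL: Banner file $banner is missing or empty"
        return 1
    fi
    echo "PASS: $cfg presents $banner before authentication"
    return 0
}

# check_console_banner <issue_file>
# Returns 0 when the console banner file exists and has content; 1 otherwise.
check_console_banner() {
    issue="$1"
    if [ -s "$issue" ]; then
        echo "PASS: console banner $issue is present"
        return 0
    fi
    echo "FAIL: console banner $issue is missing or empty"
    return 1
}

# demo: build constructed sample files in a temp directory and run both checks.
demo() {
    tmp=$(mktemp -d)
    printf 'Use of this system is monitored. Unauthorized use is prohibited.\n' \
        > "$tmp/issue.net"
    printf 'Port 22\nBanner %s\n' "$tmp/issue.net" > "$tmp/sshd_config.good"
    printf 'Port 22\n#Banner /etc/issue.net\n' > "$tmp/sshd_config.bad"
    check_ssh_banner "$tmp/sshd_config.good" || true
    check_ssh_banner "$tmp/sshd_config.bad" || true
    check_console_banner "$tmp/issue.net" || true
    rm -rf "$tmp"
    return 0
}

demo
```

To run against a real host, call `check_ssh_banner /etc/ssh/sshd_config` and `check_console_banner /etc/issue.net`; the functions only read files, so they are safe to include in a scheduled compliance check, and a non-zero exit status is what a monitoring job should alert on.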
>Cross-Framework Mappings
>Assessment Interview Topics
Questions assessors commonly ask
Process & Governance:
- What policy governs user privacy during authentication?
- How do you balance authentication logging with privacy requirements?
- What procedures obscure authentication information during entry?
- Who reviews authentication mechanisms for privacy compliance?
- What training do users receive on protecting authentication credentials?
Technical Implementation:
- How do you obscure passwords and PINs during entry (masking)?
- What controls prevent shoulder-surfing or visual password capture?
- How are authentication credentials encrypted in transit and at rest?
- What mechanisms prevent authentication information from appearing in logs?
- How do you implement privacy screens or secure authentication stations?
Evidence & Documentation:
- Can you demonstrate password masking on login screens?
- What evidence shows authentication data is not logged in clear text?
- Can you provide screenshots showing privacy during authentication?
- What security configurations obscure authentication feedback?
- What audit logs prove authentication privacy is maintained?