M5.2.5 - PREVENTION OF MISUSE OF INFORMATION SYSTEM Implementation Guidance
The entity shall deter users from using information systems for unauthorized purposes.
Management should approve the use of information systems. Any use of these facilities for non-business purposes without management approval, or for any unauthorized purposes, should be regarded as improper use of the information systems. If any unauthorized activity is identified by monitoring or other means, this activity should be brought to the attention of the individual manager concerned for consideration of appropriate disciplinary and/or legal action.
Legal advice should be taken before implementing monitoring procedures. All users should be aware of the precise scope of their permitted access and of the monitoring in place to detect unauthorized use. This can be achieved by giving users written authorization, a copy of which should be signed by the user and securely retained by the entity. Employees of an entity, contractors, and third-party users should be advised that no access will be permitted except that which is authorized.
At log-on, a warning message should be presented to indicate that the information systems being entered are owned by the entity and that unauthorized access is not permitted. The user has to acknowledge and react appropriately to the message on the screen to continue with the log-on process.