2012-07-17

A little bit about warning banners

I had a good talk today about warning banners and what should go into them, so I thought I would share a bit about what was discussed.

Why have a warning banner? The big reason for having a warning banner is to limit the presumption of privacy. After all, you could argue that you never knew gaining access to an unintended system was wrong because nothing told you it was off limits. Even worse, you could go after IT and security staff for monitoring or recording your actions without your consent. However, with proper use of a warning banner, you can protect yourself by expressly stating that such actions are in violation and that proper steps have been taken to monitor and report criminal activity.

Now that we know why warning banners are needed, the question is: just what should go into one? First, and most importantly, you absolutely need to state that any use of the resource being accessed may be monitored and recorded. This is the holy grail of warning banner content and trumps any other single item you can stuff into one. Next, you should be careful to state that any access is limited strictly to authorized personnel and activity, and that any unauthorized attempt to access, use, or modify the resource is strictly prohibited. There should also be a clause stating that any unauthorized use could result in either criminal or civil charges, and that if the monitoring reveals evidence of criminal activity, the company may provide that information to law enforcement.

Now, I am not a lawyer, nor do I pretend to be one. If you make a warning banner, have some legal counsel approve it (in writing) to make sure the verbiage is solid and accurate. This is extra important if you are setting this up in countries outside your own, because some may have very explicit laws regarding privacy and what you are and aren't allowed to do.