Absence or inadequacy of user access banner
The lack or inadequacy of an user access banner can impair an eventual lawsuit against the user in case of fraud. The penal legislation usually requires that all evidence collected from monitoring the user, to be valid, must assure that the user knew he was being monitored.
Also the banner should warn to the user that all information processed by the system are property of the company. Even when the system is not controlling the information, i.e., in a printed report, for instance, the responsability of keeping the information confidencial remains to the user.
It is recommended a banner, before the user login, with a message: "This system and all information contained therein are owned by the organization. The user is responsible for maintaining the confidentiality of this information. All user access and actions are recorded in the audit trail for security reasons. If you identify anomalous operation or system error, please notify immediately the call center."
Common Criteria: FTA_TAB.1