Accountability

From The Secure Arc Wiki


Assertion

All actions exceeding a specified risk threshold should be undeniably traceable to an initiating user, process or system.

Rationale

Also known as Non-Repudiation, this principle addresses the scenario where a user performs a transaction and later denies having initiated it. For example, a system that employs only a username and password to authenticate its users may be subject to phishing attacks. In this case a transaction may be performed and logged on behalf of a known user, but it cannot be sufficiently proven who was in possession of the username and password at the time of the transaction.

A simple example solution would be to require the use of a username, a password and a fingerprint captured by a biometric reader. This may then be sufficient evidence to tie a transaction to a specific physical human being, rather than to any human being in possession of a piece of knowledge.[1]

Further detailed information is available on Wikipedia.
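The following is an added example, not code from the Secure Arc Wiki: it shows one way to implement the assertion above in a service. Actions whose risk score reaches a threshold are refused unless the caller's authentication evidence goes beyond a password, and every accepted action is written to a hash-chained audit log that records the initiating actor, the principal the action was performed on behalf of, and the factors that were presented. The class names, factor names, risk threshold and sample transactions are all assumptions constructed for illustration.

```python
"""Risk-threshold gate plus a tamper-evident audit log (added example,
not part of the Secure Arc Wiki). All names and values are assumptions."""
import hashlib
import hmac
import json
from dataclasses import dataclass
from typing import Optional, Tuple

# Relative strength of authentication evidence (constructed scale).
# A password only proves possession of a secret, which is exactly what a
# phishing victim loses; a possession or biometric factor binds the action
# more tightly to a specific person.
FACTOR_STRENGTH = {"password": 1, "otp_token": 2, "fingerprint": 3}

# Actions at or above this risk score must be attributable beyond a password.
RISK_THRESHOLD = 50


@dataclass
class Request:
    actor: str                      # principal that authenticated
    on_behalf_of: Optional[str]     # principal the action is performed for, if any
    factors: Tuple[str, ...]        # authentication factors presented
    action: str
    risk: int


class AccountabilityError(Exception):
    """Raised when a high-risk action cannot be traced to a person."""


class AuditLog:
    """Append-only log; each record's MAC covers the previous MAC, so a
    deleted or altered record breaks the chain on verification."""

    GENESIS = "0" * 64

    def __init__(self, key: bytes):
        self._key = key            # in practice keep this key in an HSM/KMS
        self.records = []

    def _mac(self, prev: str, body: dict) -> str:
        data = (prev + json.dumps(body, sort_keys=True)).encode()
        return hmac.new(self._key, data, hashlib.sha256).hexdigest()

    def append(self, body: dict) -> dict:
        prev = self.records[-1]["mac"] if self.records else self.GENESIS
        entry = {"body": body, "prev": prev, "mac": self._mac(prev, body)}
        self.records.append(entry)
        return entry

    def verify(self) -> bool:
        prev = self.GENESIS
        for entry in self.records:
            expected = self._mac(prev, entry["body"])
            if entry["prev"] != prev or not hmac.compare_digest(entry["mac"], expected):
                return False
            prev = entry["mac"]
        return True


def evidence_strength(factors) -> int:
    """Strongest factor presented; unknown factors count for nothing."""
    return max((FACTOR_STRENGTH.get(f, 0) for f in factors), default=0)


def authorize_and_record(req: Request, log: AuditLog) -> dict:
    """Refuse high-risk actions backed only by a password; record every
    accepted action with enough detail to trace it back to its initiator
    (a trusted timestamp would normally be added to the body as well)."""
    if req.risk >= RISK_THRESHOLD and evidence_strength(req.factors) < 2:
        raise AccountabilityError(
            f"{req.action!r} (risk {req.risk}) requires a factor beyond a password")
    return log.append({
        "actor": req.actor,
        "on_behalf_of": req.on_behalf_of,
        "factors": list(req.factors),
        "action": req.action,
        "risk": req.risk,
    })


def demo() -> dict:
    """Run constructed sample transactions and report what the log shows."""
    log = AuditLog(key=b"constructed-demo-key")
    authorize_and_record(Request("alice", None, ("password", "fingerprint"), "transfer_funds", 80), log)
    authorize_and_record(Request("bob", None, ("password",), "view_balance", 10), log)
    try:
        authorize_and_record(Request("bob", None, ("password",), "transfer_funds", 80), log)
        rejected = False
    except AccountabilityError:
        rejected = True
    intact_before = log.verify()
    log.records[0]["body"]["actor"] = "mallory"   # simulate tampering with attribution
    return {"accepted": len(log.records), "rejected": rejected,
            "intact_before": intact_before, "intact_after": log.verify()}


if __name__ == "__main__":
    print(demo())
```

The gate and the log work together: the gate ensures that a record for a high-risk action can only exist if a person-binding factor was presented, and the chained MACs ensure that the attribution in that record cannot later be altered or removed without detection. Recording `on_behalf_of` separately from `actor` covers the TCSEC requirement that audit data distinguish who took an action from whose behalf it was taken on.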

Related References

Policies & Standards

ISO 17799:2002

  • Section 5.1
    • Accountability for the ownership of information assets should be established. Accountability is also required for controls assigned to protect the assets. This may be a delegated responsibility.

OECD Guidelines

  • Accountability - The responsibilities and accountability of owners, providers and users of information systems and other parties should be explicit. The term accountability generally refers to the ability to hold people responsible for their actions.

NIST - sp800-14 - Generally Accepted Principles and Practices for Securing Information Technology Systems

  • Section 2.5
    • Computer Security Responsibilities and Accountability Should Be Made Explicit. The responsibility and accountability of owners, providers, and users of IT systems and other parties concerned with the security of IT systems should be explicit. The assignment of responsibilities may be internal to an organization or may extend across organizational boundaries.

NIST - sp800-95 - Guide to Secure Web Services

  • Section 3.5 - Accountability End-to-End throughout a Service Chain
    • Enforcing accountability in a SOA (or other) environment requires the use of diligent auditing mechanisms, such that forensic data can be captured, compiled, and accurately attributed to users.

ACSI-33

  • Section 3.5.34
    • Agencies should ensure that databases provide accountability of users' actions.

Common Criteria

  • Section C.2 - Security Audit Data Generation
    • This component addresses the requirement of accountability of auditable events at the level of individual user identity.

TCSEC (Trusted Computer System Evaluation Criteria)

  • Orange Book
    • "A trusted computer system must provide authorized personnel with the ability to audit any action that can potentially cause access to, generation of, or effect the release of classified or sensitive information. The audit data will be selectively acquired based on the auditing needs of a particular installation and/or application. However, there must be sufficient granularity in the audit data to support tracing the auditable events to a specific individual (or process) who has taken the actions or on whose behalf the actions were taken."

Design Patterns
