====== 4.3.4.5 Accountability ====== [[dido:public:ra:1.4_req:2_nonfunc:25_security | Return to Securability ]] ===== About ===== [[dido:public:ra:1.4_req:2_nonfunc:25_security:accountability| Return to Top]] [[dido:public:ra:xapend:xapend.a_glossary:a:accountability]] is the [[dido:public:ra:xapend:xapend.a_glossary:p:principle|principle]] holding an individual entrusted to safeguard and control [[dido:public:ra:xapend:xapend.a_glossary:k:key|key]] components of a system or program (i.e., equipment, keying material, and information) answerable to proper authority for the loss or misuse of that component.(( Accountability, __Computer Security Resource Center (CSRC)__ Accessed 14 August 2020, [[https://csrc.nist.gov/glossary/term/accountability]] )) Accountability is a security [[dido:public:ra:xapend:xapend.a_glossary:g:goal|goal]] outlined in [[dido:public:ra:xapend:xapend.a_glossary:i:iso|ISO]]/IEC 24010(( Accessed 15 August 2020, [[https://iso25000.com/index.php/en/iso-25000-standards/iso-25010?limit=3&start=6]] )) requiring the actions of an [[dido:public:ra:xapend:xapend.a_glossary:e:entity|entity]] to be traced uniquely to that entity. Accountability directly supports [[dido:public:ra:1.4_req:2_nonfunc:25_security:nonrepudiability | Non-Repudiation]]. It also provides a deterrence, helps with fault isolation, and is useful in intrusion detection and prevention. In many cases, it is a key source of [[dido:public:ra:xapend:xapend.a_glossary:e:evidence|evidence]] use in and [[dido:public:ra:xapend:xapend.a_glossary:a:aar]] and can ultimately, if needed, support legal actions. Accountability is part of an information security plan. The plan should enumerate every individual working with an information system and define specific responsibilities (i.e., tasks) regarding [[dido:public:ra:xapend:xapend.a_glossary:i:information_assurance|information assurance]]. Each task needs to me measurable and be subject to oversight by individuals higher up in the command chain. One example, might be an [[dido:public:ra:xapend:xapend.a_glossary:i:is|information security]] requirement that holds all employees responsible for not installing software from any source other than a company-owned repository (i.e., a task). The individual responsible for upholding the [[dido:public:ra:xapend:xapend.a_glossary:r:requirement|requirement]] might perform a periodic check of corporate assets to determine that the [[dido:public:ra:xapend:xapend.a_glossary:p:policy|policy]] is being followed. Any violations in the requirement would hold the individual responsible for performing the task. The plan makes the individuals aware of the tasks expected of them, and guide continual improvement in compliance with the requirement.(( Computer-Security-Glossary.org, Accessed 15 August 2020, [[https://www.computer-security-glossary.org/accountability.html]] )) ===== DIDO Specifics ===== [[dido:public:ra:1.4_req:2_nonfunc:25_security:accountability| Return to Top]] : To be added/expanded in future revisions of the DIDO RA /**=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- /* To add a discussion page to this page, comment out the line that says ~~DISCUSSION:off~~ */ ~~DISCUSSION:on|Outstanding Issues~~ ~~DISCUSSION:off~~