Return to Securability

Return to Top

Accountability is the principle holding an individual entrusted to safeguard and control key components of a system or program (i.e., equipment, keying material, and information) answerable to proper authority for the loss or misuse of that component.¹⁾

Accountability is a security goal outlined in ISO/IEC 24010²⁾ requiring the actions of an entity to be traced uniquely to that entity. Accountability directly supports Non-Repudiation. It also provides a deterrence, helps with fault isolation, and is useful in intrusion detection and prevention. In many cases, it is a key source of evidence use in and After Action Review (AAR) and can ultimately, if needed, support legal actions.

Accountability is part of an information security plan. The plan should enumerate every individual working with an information system and define specific responsibilities (i.e., tasks) regarding information assurance. Each task needs to me measurable and be subject to oversight by individuals higher up in the command chain.

One example, might be an information security requirement that holds all employees responsible for not installing software from any source other than a company-owned repository (i.e., a task). The individual responsible for upholding the requirement might perform a periodic check of corporate assets to determine that the policy is being followed. Any violations in the requirement would hold the individual responsible for performing the task. The plan makes the individuals aware of the tasks expected of them, and guide continual improvement in compliance with the requirement.³⁾

Return to Top

To be added/expanded in future revisions of the DIDO RA