Accountability

Introduction

This term is one of the most important in the information security discipline. Without accountability there is no privacy and no limit on information access; laws and systems are needed that hold people accountable for the misuse of personal information, whether public or private.

Definition

Accountability is an essential information security concept. The phrase means that every individual who works with an information system should have specific responsibilities for information assurance. The tasks for which an individual is responsible are part of the overall information security plan and are readily measurable by a person who has managerial responsibility for information assurance. One example is the policy statement that all employees must avoid installing outside software on company-owned information infrastructure. The person in charge of information security should perform periodic checks to be certain that the policy is being followed.

Every information asset should be “owned” by an individual in the organization who is primarily responsible for it. (computer-security-glossary.org)

Its Relevance

The duties and responsibilities of all employees, as they relate to information assurance, need to be specified in detail. Otherwise, any attempt to establish and maintain information security is haphazard and virtually absent. (computer-security-glossary.org)

One of the fundamental requirements of information security, accountability is the property that enables activities on a system to be traced to specific entities, which may then be held responsible for their actions. It requires an authentication system (to identify users) and an audit trail (to log activities against those users).

Accountability supports non-repudiation, deterrence, fault isolation, intrusion detection and prevention, and after-action recovery and legal action.

Information accountability means that information usage should be transparent so it is possible to determine whether a use is appropriate under a given set of rules.

Procedures and policies should be set for information accountability. All employees should be informed about the access permissions for data, which depend on each user's privileges (example: a department manager has permission to access all data about the department, while a department employee has permission to access only specific parts of the department's data).
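The two mechanisms named above, authentication to identify the user and an audit trail to log activities against that user, combined with the department manager/employee permission example, can be shown in a small program. This is an added example, not code from the original article; the `DepartmentStore` class, the session tokens and the HR records are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class User:
    name: str
    department: str
    role: str  # "manager" or "employee"

@dataclass(frozen=True)
class AuditEvent:
    user: str  # authenticated identity the action is attributed to
    action: str
    resource: str
    allowed: bool

class DepartmentStore:
    def __init__(self, records: dict[str, tuple[str, str]], sessions: dict[str, User]):
        self.records = records    # resource -> (department, "general" | "restricted")
        self.sessions = sessions  # session token -> authenticated User
        self.audit_log: list[AuditEvent] = []

    def is_authorized(self, user: User, resource: str) -> bool:
        # Managers read everything in their department; employees only "general" records.
        if resource not in self.records:
            return False
        dept, sensitivity = self.records[resource]
        return user.department == dept and (user.role == "manager" or sensitivity == "general")

    def read(self, token: str, resource: str) -> bool:
        # Authenticate first, then log the attempt against that identity, allowed or denied.
        user = self.sessions.get(token)
        name = user.name if user else "<unauthenticated>"
        allowed = user is not None and self.is_authorized(user, resource)
        self.audit_log.append(AuditEvent(name, "read", resource, allowed))
        return allowed

    def trace(self, user_name: str) -> list[AuditEvent]:
        # Accountability: recover every action attributed to one person.
        return [e for e in self.audit_log if e.user == user_name]

def demo() -> DepartmentStore:
    # Constructed sample data: one HR manager, one HR employee, one stale token.
    records = {"hr/headcount": ("HR", "general"), "hr/salaries": ("HR", "restricted")}
    sessions = {"tok-alice": User("alice", "HR", "manager"),
                "tok-bob": User("bob", "HR", "employee")}
    store = DepartmentStore(records, sessions)
    store.read("tok-alice", "hr/salaries")   # manager, restricted record: allowed
    store.read("tok-bob", "hr/salaries")     # employee, restricted record: denied
    store.read("tok-bob", "hr/headcount")    # employee, general record: allowed
    store.read("tok-stale", "hr/headcount")  # unknown token: denied, still logged
    return store
```

Denied attempts are logged as well as allowed ones, because a denied access traced to a named user is exactly what deterrence and intrusion detection rely on.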