Trust but Verify (Accountability) ◾ 171
business. According to a Ponemon Institute study in 2007, data breach incidents cost companies
$197 per compromised customer record, but this figure only accounts for notification and restoration
costs; it does not include lost business opportunity, regulatory fines, or customer lawsuits that
drive the costs even higher. For large organizations and service providers these are billion-dollar
figures. Accountability makes it possible to prove compliance and is designed to provide sufficient
admissible evidence to ward off criminal or civil claims of negligence or malfeasance. Similarly,
accountability aids in the resolution of contract and/or service delivery disputes by providing a
chronological record of what was done, by whom, and when.
Third, accountability facilitates rapid response through the detection of illicit activities such as
logging on with a generic (e.g., guest) account or using a service account for an interactive log-on,
and the generation of alerts to security operations personnel. This is not limited to log-on events
because accountability can track virtually any type of user action; it can be configured to detect
all types of questionable behaviors, for example, database queries that return inordinately large
amounts of data. In this instance, the accountability control could also be configured to take
preventative action by limiting the number of records returned or by "filling" the returned data with
randomly generated records. The accountability information collected also helps to focus response
efforts by providing system- and account-specific records, as well as chronological records of all
actions leading up to the alert and all subsequent actions.
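The three detections named above (a generic-account log-on, a service account used for an interactive log-on, and a query returning an inordinate number of records), together with the preventative record limit and the per-account chronological record used in response, as an added example that is not part of the book. The event schema, the "svc_" service-account naming convention, the generic-account list and the row threshold are all assumptions, and the audit records are constructed for illustration.

```python
"""Detection and preventative controls for the accountability examples above.

Assumptions (not from the source): the event field names, the convention that
service accounts start with "svc_", the set of generic accounts, and the
row-count threshold are all invented for this example.
"""

GENERIC_ACCOUNTS = {"guest", "anonymous"}   # assumed list of shared/generic accounts
SERVICE_PREFIX = "svc_"                     # assumed service-account naming convention
MAX_ROWS_PER_QUERY = 1000                   # assumed "inordinately large" threshold

# Constructed audit records (not from any real system); one log-on audit
# stream and one database query audit stream merged in time order.
SAMPLE_EVENTS = [
    {"ts": "2010-08-18T09:00:01", "type": "logon", "user": "jdoe",       "logon_type": "interactive", "host": "ws17"},
    {"ts": "2010-08-18T09:00:05", "type": "logon", "user": "guest",      "logon_type": "interactive", "host": "ws22"},
    {"ts": "2010-08-18T09:01:10", "type": "logon", "user": "svc_backup", "logon_type": "service",     "host": "db01"},
    {"ts": "2010-08-18T09:02:30", "type": "logon", "user": "svc_backup", "logon_type": "interactive", "host": "db01"},
    {"ts": "2010-08-18T09:03:00", "type": "query", "user": "jdoe",       "rows_returned": 42,         "host": "db01"},
    {"ts": "2010-08-18T09:04:00", "type": "query", "user": "jdoe",       "rows_returned": 250000,     "host": "db01"},
]


def detect(events):
    """Return one alert per suspicious event, in input order.

    Each alert carries the originating record so responders get the
    system, account and time context the text describes.
    """
    alerts = []
    for ev in events:
        if ev["type"] == "logon":
            if ev["user"].lower() in GENERIC_ACCOUNTS:
                alerts.append({"rule": "generic_account_logon", "event": ev})
            if ev["user"].startswith(SERVICE_PREFIX) and ev["logon_type"] == "interactive":
                alerts.append({"rule": "service_account_interactive_logon", "event": ev})
        elif ev["type"] == "query" and ev["rows_returned"] > MAX_ROWS_PER_QUERY:
            alerts.append({"rule": "excessive_query_result", "event": ev})
    return alerts


def enforce_row_limit(rows, limit=MAX_ROWS_PER_QUERY):
    """Preventative control: cap an oversized result set.

    Returns the rows actually released and whether truncation occurred,
    so the truncation itself can be logged and alerted on.
    """
    truncated = len(rows) > limit
    return rows[:limit], truncated


def timeline(events, user):
    """Chronological record of everything one account did, for response work."""
    return sorted((ev for ev in events if ev["user"] == user), key=lambda ev: ev["ts"])


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        ev = alert["event"]
        print(f'{ev["ts"]} {alert["rule"]:<36} user={ev["user"]} host={ev["host"]}')
    for ev in timeline(SAMPLE_EVENTS, "svc_backup"):
        print("svc_backup:", ev["ts"], ev["type"], ev.get("logon_type", ""))
```

Run as a script it prints the three alerts the text anticipates and the full sequence of svc_backup's actions. The service log-on at 09:01:10 is deliberately not alerted: only the interactive use of the service account a minute later is questionable.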
A fourth benefit of accountability is intellectual property control. Accountability protects
against intellectual property loss by tracking what individuals were in possession of any particular
piece of information at the time it was compromised. This makes it possible to hold those
individuals responsible for the breach and to take corrective action to reduce the likelihood of future
disclosure.
The final benefit of accountability, especially for organizations that deal with financial and
other sensitive data and for service providers, is marketing. Accountability is a huge market
differentiator. Few organizations have the ability to provide high levels of accountability, yet in today's
compliance-heavy climate there is a need to account for handling sensitive customer data. The
ability to show potential customers an audit trail of every access and action taken to a particular
piece of stored information is an incredible marketing advantage.
Accountability is a security function that ensures actions taken on a system can be traced
back to the individuals who performed those actions. Assuming the records of these actions
cannot be tampered with, accountability makes it nearly impossible for someone to deny having
performed a specific action. Conversely, it makes it equally impossible to accuse people of doing
something they did not do. Accountability improves the detection of illicit activity and facilitates
rapid response through alerting and record retention. Accountability is also the vehicle for proving
compliance with statutory, regulatory, and contractual requirements and avoiding sanctions for
alleged violations. Finally, accountability is a huge deterrent to malicious behaviors and provides
a way to track the actions of highly trusted individuals (i.e., administrators and other privileged
users) to ensure they are not violating that trust.
SIDEBAR: OF AUDIT AND EVIDENCE
Before delving into the challenges and control objectives for accountability, it is necessary to discuss one other topic.
Compliance has caused one of the biggest shifts in system auditing since the invention of the computer. Originally,
system audit functions were designed for troubleshooting purposes; sufficient information was collected to track
system behaviors and faults but little else. Often, standard audit records were augmented by debugging functions that
produced incredibly detailed logs of system activity. From a compliance standpoint, these two functions were part of
a “too little or too much” scenario. In order to prove compliance, audit mechanisms must create records containing
compliance evidence—proof of adherence to legal, regulatory, and industry requirements.