Ad. Board

Tuesday 9 December 2014

Accountability


This term is one of the most important terms in the Information Security discipline. Without accountability there is no privacy and no limit on information access; laws and systems are needed that hold people accountable for the misuse of personal information, whether public or private.

Definition: Accountability is an essential information security concept. The phrase means that every individual who works with an information system should have specific responsibilities for information assurance. The tasks for which an individual is responsible are part of the overall information security plan and are readily measurable by a person who has managerial responsibility for information assurance. One example is the policy statement that all employees must avoid installing outside software on a company-owned information infrastructure. The person in charge of information security should perform periodic checks to be certain that the policy is being followed.
Every information asset should be "owned" by an individual in the organization who is primarily responsible for each one. (computer-security-glossary.org)

Its Relevance: The duties and responsibilities of all employees, as they relate to information assurance, need to be specified in detail. Otherwise, the attempt to establish and maintain information security is haphazard and virtually absent. (computer-security-glossary.org)

One of the fundamental requirements of information security, accountability is the property that enables activities on a system to be traced to specific entities, who or which may then be held responsible for their actions. It requires an authentication system (to identify users) and an audit trail (to log activities against users).

Accountability supports non-repudiation, deterrence, fault isolation, intrusion detection and prevention, and after-action recovery and legal action.

Information accountability means that information usage should be transparent so it is possible to determine whether a use is appropriate under a given set of rules.

Procedures and policies should be set for information accountability. All employees should be informed about the access permissions for data, which depend on the privileges granted to each user (example: a department manager has permission to access all data about the department, but a department employee has permission to access only specific parts of the department data).
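As an added illustration (not part of the original post): a small Python model of the manager/employee permission example above, with an audit trail that records every access decision against the authenticated user so that activity can later be traced back to a specific entity. The users, departments and record names are constructed placeholders.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed sample users and records (placeholders, not from the original post).
USERS = {
    "alice": {"role": "manager", "dept": "finance"},
    "bob":   {"role": "employee", "dept": "finance", "records": {"budget-2014"}},
}
RECORDS = {
    "budget-2014": "finance",
    "payroll-2014": "finance",
    "roadmap": "engineering",
}

@dataclass
class AuditTrail:
    """Append-only log: one entry per access attempt, allowed or denied."""
    entries: list = field(default_factory=list)

    def log(self, user, record, decision, reason):
        self.entries.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "user": user, "record": record,
            "decision": decision, "reason": reason,
        })

def authorize(user, record, trail):
    """Decide access for an authenticated user and log the decision against that user.
    Every attempt is recorded, so a later review can trace who did what."""
    account = USERS.get(user)
    if account is None:
        trail.log(user, record, "deny", "unknown user")  # no identity, no accountability
        return False
    dept = RECORDS.get(record)
    if dept is None:
        trail.log(user, record, "deny", "no such record")
        return False
    if account["role"] == "manager" and account["dept"] == dept:
        trail.log(user, record, "allow", "manager of the record's department")
        return True
    if account["role"] == "employee" and record in account.get("records", set()):
        trail.log(user, record, "allow", "explicitly granted record")
        return True
    trail.log(user, record, "deny", "outside granted privileges")
    return False

def who_touched(record, trail):
    """Trace all activity on a record back to named users (the accountability question)."""
    return [(e["user"], e["decision"]) for e in trail.entries if e["record"] == record]
```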



Saturday 6 December 2014

IT Need a Controller


Let's start with some assumptions. First, the IT department employs an administrator to manage one of the critical systems at the organization, and this employee has permission to install any software. Second, you want to set up a new workstation for a new business employee, the IT department does not have a proper document to manage this setup, and the administrator sets up the workstation without any procedures to follow. Can you guess the risk behind these two assumptions?

Like any operations, IT operations need to be controlled and managed. What about the risk in the first assumption if the organization has a control unit that monitors and controls all administrators' operations? The risk will decrease and the organization will be safer. The second assumption lets the IT employee install whatever he/she wants, and maybe give the business employee administrator permission to manage his/her workstation. What if you have a document that lists all the software and permissions that should be installed for all business employees? Again the risk will decrease, the environment will be standardized and will follow the organization's procedures and policies, and you can audit, control and manage the IT operations easily.

IT should have an "IT Governance" function. IT Governance will be responsible for setting up the procedures, policies, processes, etc. to monitor and control the IT organization and keep the IT environment safer, more auditable and more controllable.

IT Governance is the responsibility of executives and the board of directors and consists of the leadership, organizational structures and processes that ensure that the enterprise's IT sustains and extends the organization's strategies and objectives. (IT Governance Institute)

COBIT is one IT Governance framework, and I found it very helpful as a starting point for building IT Governance in your IT organization. For more information about COBIT you can visit the ISACA website: https://www.isaca.org/Pages/default.aspx
You can also contact me directly; I will be happy to help you anytime.