The accountability portion of security control refers to holding system users responsible for their actions by constantly monitoring all activities within the system.

Consistent logging and auditing are how we monitor the system and make sure computer misuse is properly tracked. For example, as part of the auditing process, the following should be logged for effective control and accountability:

  • User identification information
  • System access time
  • Information on system objects being accessed
  • Failed login attempts
  • System warnings and error messages
  • Repeated user mistakes

Because accountability depends on strong authentication, a good access control system should be implemented. If the system has no access control system, logging the above activities could become meaningless.

Keep in mind that system logging must take into account numerous daily network activities. These valid activities need to be distinguished from activities that appear suspicious. For this reason, an effective clipping mechanism should be in place. This mechanism sets clipping levels that define acceptable system activity, and those levels act as the baseline for determining system violations.

The goal of monitoring, auditing, and clipping levels is to discover problems before major damage occurs, and to be alerted when a possible attack is underway. In theory, when the clipping mechanism detects that the baseline has been exceeded, an alarm is generated and the system records further information regarding the detected changes in activity. In other words, as soon as the system detects activity that falls outside the predefined acceptable threshold, it notifies the security administrator via e-mail or pager, and generates a log of further activity. This log can then be used to investigate the suspicious activity.
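The clipping-level behaviour described above, as an added example that is not part of the original article: failed logins per user are counted in a sliding window, an alert is raised when the count exceeds the level, and every later record for that user is kept for investigation. The log format, the level of 3 failures in 5 minutes, and all names are assumptions made for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample audit records: timestamp, user, event (not real data).
SAMPLE_LOG = """\
2024-05-01T09:00:05 alice LOGIN_FAIL
2024-05-01T09:00:40 alice LOGIN_OK
2024-05-01T09:01:00 bob LOGIN_FAIL
2024-05-01T09:01:10 bob LOGIN_FAIL
2024-05-01T09:01:20 bob LOGIN_FAIL
2024-05-01T09:01:30 bob LOGIN_FAIL
2024-05-01T09:01:45 bob LOGIN_OK
2024-05-01T09:02:00 bob FILE_READ
2024-05-01T09:30:00 alice LOGIN_FAIL
"""

CLIPPING_LEVEL = 3               # assumed: failures tolerated per user in WINDOW
WINDOW = timedelta(minutes=5)    # assumed: sliding window for the baseline

def apply_clipping_level(log_text, level=CLIPPING_LEVEL, window=WINDOW):
    """Return (alerts, detail): one alert per user whose failures exceed the
    level, plus every later record for that user, kept for investigation."""
    failures = defaultdict(deque)   # user -> timestamps of recent failures
    flagged = set()
    alerts, detail = [], []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue                # skip malformed records, keep auditing
        ts, user, event = datetime.fromisoformat(parts[0]), parts[1], parts[2]
        if user in flagged:
            detail.append((ts, user, event))   # record all further activity
            continue
        if event != "LOGIN_FAIL":
            continue                # normal activity stays below the baseline
        recent = failures[user]
        recent.append(ts)
        while ts - recent[0] > window:
            recent.popleft()        # drop failures older than the window
        if len(recent) > level:
            flagged.add(user)
            alerts.append((ts, user, len(recent)))   # hand off to e-mail/pager
    return alerts, detail
```

Alice's two isolated failures stay under the level, so only bob's burst raises an alert; his successful login and file read that follow are captured in the detail log.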

Perhaps a more effective solution would be the use of software that automates the detection of a violation. The most common tool deployed for detecting system violations is the Intrusion Detection System (IDS). An IDS is software customized to collect and analyze system activities. It alerts system administrators to suspicious system activities by using a pre-installed database specifically built to record clipping levels and patterns of system misuse.

Any good system monitoring and auditing process should allow the user to work unimpeded. For security purposes, the user should not know what is being monitored and audited, or how. However, privacy should also be considered. The monitoring system should comply with local personnel and data privacy laws when carrying out monitoring activities. It is strongly advised that users be notified in advance of possible logging and analysis of their system activities.
