Generally Accepted System Security Principles

P-1 Accountability Principle

Copyright(c), 1995 - Management Analytics and Others - All Rights Reserved

Information system security accountability and responsibility should be explicit.

Accountability characterizes the ability to ensure that the roles and actions of all parties who interact with information are clearly defined, identified, and authenticated at a level commensurate with the sensitivity and criticality of information systems and data. Accountability enables many safeguards. Without accountability, individual permissions and privileges cannot be effectively enforced or audited. In cases where the specific application requires user anonymity (as in decision support systems, voting, or library card catalog use), accurate data can be provided to the user while the user's anonymity is ensured, without sacrificing the accountability and integrity of the data.

It is important that the responsibilities and accountability of owners, providers, users of information systems, and other parties concerned with the security of information systems (such as custodians and auditors) be explicit. For example, the relationship between users, processes, and data should be clearly defined. For each system, the concepts and responsibilities of the information owner, manager, custodian, steward, user, developer, security official, auditor, and maintainer should be documented and taught as a part of system and organization training.
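The two paragraphs above claim that anonymity and accountability can coexist, and that a custodian role should be explicit. The following is an added illustration, not part of the original GASSP text: actions are recorded under keyed pseudonyms that only a custodian-held key can resolve, and the records are hash-chained so that altering any entry (including who acted) is detectable. The key value, user names and resource names are constructed for the example.

```python
import hashlib
import hmac
import json

# Constructed secret; in practice held by the custodian role so that the
# party operating the system cannot resolve pseudonyms on its own.
CUSTODIAN_KEY = b"constructed-custodian-key"

def pseudonym(user_id: str, key: bytes = CUSTODIAN_KEY) -> str:
    """Stable pseudonym: the log never carries the real identity, but the
    key holder can re-derive it to attribute an action when required."""
    return hmac.new(key, user_id.encode(), hashlib.sha256).hexdigest()[:16]

def append_entry(log: list, actor: str, action: str, resource: str) -> dict:
    """Append a hash-chained record so later tampering with any record
    (or its actor field) breaks verification."""
    prev = log[-1]["digest"] if log else "0" * 64
    body = {"seq": len(log), "actor": pseudonym(actor),
            "action": action, "resource": resource, "prev": prev}
    payload = json.dumps(body, sort_keys=True).encode()
    body["digest"] = hashlib.sha256(payload).hexdigest()
    log.append(body)
    return body

def verify_chain(log: list) -> bool:
    """Recompute every digest and link; False if any record was altered.
    (Truncating the tail is not caught here; that needs a signed head.)"""
    prev = "0" * 64
    for i, entry in enumerate(log):
        if entry["seq"] != i or entry["prev"] != prev:
            return False
        body = {k: v for k, v in entry.items() if k != "digest"}
        payload = json.dumps(body, sort_keys=True).encode()
        if hashlib.sha256(payload).hexdigest() != entry["digest"]:
            return False
        prev = entry["digest"]
    return True

def resolve(log: list, candidates: list, key: bytes = CUSTODIAN_KEY) -> dict:
    """Custodian-side attribution: map each record's pseudonym back to a
    known user id, or "<unknown>" if the key or candidate list is wrong."""
    table = {pseudonym(u, key): u for u in candidates}
    return {e["seq"]: table.get(e["actor"], "<unknown>") for e in log}

if __name__ == "__main__":
    log = []
    append_entry(log, "alice", "checkout", "catalog:item-42")
    append_entry(log, "bob", "query", "dss:report-7")
    print(verify_chain(log))              # True
    log[0]["actor"] = pseudonym("bob")    # attempt to re-attribute an action
    print(verify_chain(log))              # False
```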