Chapter 15 Accountability

ability to positively identify the individual who is responsible for a specific action to provide non-repudiation (can prove that individual was the one who performed the action even if he denies it)

needs monitoring & auditing of events that affect integrity, confidentiality, availability

Users must be notified of rights & responsiblities thru acceptable use document
users must be identified
events/processes must be monitored & recorded in logs that form an audit trail that can be analyzed and used as legal evidence
alarms: real-time evaluation of logging info. thresholds. alert admin.
consistent enforcement of security policy

Events to record:
info access
admin activity
failed events

Audit data must be secured to prevent attacker from covering tracks.