Systems Security Certified Practitioner – SSCP – Question0006

Which of the following is needed for System Accountability?

A. Audit mechanisms.
B. Documented design as laid out in the Common Criteria.
C. Authorization.
D. Formal verification of system design.

Correct Answer: A

Explanation:

Audit mechanisms are a means of tracking user actions. Through the use of audit logs and other tools, user actions are recorded and can be used at a later date to verify what actions were performed. Accountability is the ability to identify users and to track their actions.
The following answers are incorrect:
Documented design as laid out in the Common Criteria is incorrect because the Common Criteria is an international standard to evaluate trust and would not be a factor in System Accountability.
Authorization is incorrect because authorization is the granting of access to subjects; having authorization does not, by itself, hold the subject accountable for their actions.
Formal verification of system design is incorrect because it only verifies the system design and takes no steps toward system accountability.
References: OIG CBK Glossary (page 778)