2 cissp ® Official Study Guide Eighth Edition

Download 19,3 Mb.

Pdf ko'rish

bet	34/881
Sana	08.04.2023
Hajmi	19,3 Mb.
	#925879

1 ... 30 31 32 33 34 35 36 37 ... 881

Bog'liq
(CISSP) Mike Chapple, James Michael Stewart, Darril Gibson - CISSP Official Study Guide-Sybex (2018)

Accountability
An organization’s security policy can be properly enforced only if accountability is main-
tained. In other words, you can maintain security only if subjects are held accountable for
their actions. Effective accountability relies on the capability to prove a subject’s identity
and track their activities. Accountability is established by linking a human to the activities
of an online identity through the security services and mechanisms of auditing, authoriza-
tion, authentication, and identifi cation. Thus, human accountability is ultimately dependent
on the strength of the authentication process. Without a strong authentication process,
there is doubt that the human associated with a specifi c user account was the actual entity
controlling that user account when the undesired action took place.
To have viable accountability, you may need to be able to support your security decisions
and their implementation in a court of law. If you are unable to legally support your secu-
rity efforts, then you will be unlikely to be able to hold a human accountable for actions
linked to a user account. With only a password as authentication, there is signifi cant room
for doubt. Passwords are the least secure form of authentication, with dozens of different
methods available to compromise them. However, with the use of multifactor authentica-
tion, such as a password, smartcard, and fi ngerprint scan in combination, there is very little
possibility that any other human could have compromised the authentication process in
order to impersonate the human responsible for the user account.

12
Chapter 1
■
Security Governance Through Principles and Policies
legally defensible Security
The point of security is to keep bad things from happening while supporting the occur-
rence of good things. When bad things do happen, organizations often desire assistance
from law enforcement and the legal system for compensation. To obtain legal restitu-
tion, you must demonstrate that a crime was committed, that the suspect committed that
crime, and that you took reasonable efforts to prevent the crime. This means your orga-
nization’s security needs to be legally defensible. If you are unable to convince a court
that your log files are accurate and that no other person other than the subject could have
committed the crime, you will not obtain restitution. Ultimately, this requires a complete
security solution that has strong multifactor authentication techniques, solid authoriza-
tion mechanisms, and impeccable auditing systems. Additionally, you must show that
the organization complied with all applicable laws and regulations, that proper warnings
and notifications were posted, that both logical and physical security were not otherwise
compromised, and that there are no other possible reasonable interpretations of the
electronic evidence. This is a fairly challenging standard to meet. Thus, an organization
should evaluate its security infrastructure and redouble its effort to design and imple-
ment legally defensible security.

Download 19,3 Mb.

Do'stlaringiz bilan baham:

1 ... 30 31 32 33 34 35 36 37 ... 881