Controls for Ensuring Accountability in Accessing Sensitive Information

Controls for Ensuring Accountability


Question

Controls provide accountability for individuals who are accessing sensitive information.

This accountability is accomplished:

Answers

Explanations


A. B. C. D.

A.

Controls provide accountability for individuals who are accessing sensitive information.

This accountability is accomplished through access control mechanisms that require identification and authentication and through the audit function.

These controls must be in accordance with and accurately represent the organization's security policy.

Assurance procedures ensure that the control mechanisms correctly implement the security policy for the entire life cycle of an information system.

Source: KRUTZ, Ronald L. & VINES, Russell D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 33.

The accountability for individuals who are accessing sensitive information can be achieved through a combination of access control mechanisms and the audit function.

Access control mechanisms require identification and authentication to verify that the person requesting access is indeed authorized to access the sensitive information. Identification involves the user providing a unique identifier, such as a username, while authentication involves the user providing a password or other credentials to verify their identity. By requiring both identification and authentication, access control mechanisms provide a high level of assurance that only authorized individuals are accessing sensitive information.

In addition to access control mechanisms, the audit function plays a critical role in providing accountability for individuals accessing sensitive information. The audit function involves the monitoring and recording of all activities related to accessing sensitive information, including successful and unsuccessful attempts, as well as any changes made to the information. The audit function provides a detailed record of who accessed the information, when it was accessed, and what actions were taken, which can be used to investigate and track any suspicious or unauthorized activity.

Option A is the correct answer because it accurately describes how accountability for individuals accessing sensitive information is accomplished. Option B is partially correct, as logical or technical controls involving the restriction of access to systems can be part of access control mechanisms, but it does not mention the importance of the audit function. Option C is incorrect because it suggests that accountability can be achieved without restricting access to systems and protecting information, which is not a sound security practice. Option D is also incorrect because it suggests that access control mechanisms can operate without identification and authentication or the audit function, which is not the case.