7.4 CRITERIA CONTROL OBJECTIVE FOR ACCOUNTABILITY
Copyright(c) Management Analytics, 1995 - All Rights Reserved
The control objective for accountability is: "Systems that are used
to process or handle classified or other sensitive information must
assure individual accountability whenever either a mandatory or
discretionary security policy is invoked. Furthermore, to assure
accountability the capability must exist for an authorized and competent
agent to access and evaluate accountability information by a secure
means, within a reasonable amount of time, and without undue
difficulty."
This control objective is supported by the following citations:
- DoD Directive 5200.28 (VI.A.1) states: "Each user's identity shall be
positively established, and his access to the system, and his activity in
the system (including material accessed and actions taken) controlled and
open to scrutiny." [DoD-5200.28]
- DoD Manual 5200.28-M (Section V 5-100) states: "An audit log or file
(manual, machine, or a combination of both) shall be maintained as a
history of the use of the ADP System to permit a regular security review
of system activity. (e.g., The log should record security related
transactions, including each access to a classified file and the nature
of the access, e.g., logins, production of accountable classified
outputs, and creation of new classified files. Each classified file
successfully accessed (regardless of the number of individual references)
during each 'job' or 'interactive session' should also be recorded in the
audit log. Much of the material in this log may also be required to
assure that the system preserves information entrusted to it.)" [DoD-5200.28-M]
- DoD Manual 5200.28-M (Section IV 4-305f) states: "Where needed to assure
control of access and individual accountability, each user or specific
group of users shall be identified to the ADP System by appropriate
administrative or hardware/software measures. Such identification
measures must be in sufficient detail to enable the ADP System to provide
the user only that material which he is authorized." [DoD-5200.28-M]
- DoD Manual 5200.28-M (Section I 1-102b) states:
"Component's Designated Approving Authorities, or their designees
for this purpose . . . will assure:
. . . . . . . . . . . . . . . . .
- (4) Maintenance of documentation on operating systems (O/S)
and all modifications thereto, and its retention for a
sufficient period of time to enable tracing of security-
related defects to their point of origin or inclusion in the
system.
. . . . . . . . . . . . . . . . .
- (6) Establishment of procedures to discover, recover,
handle, and dispose of classified material improperly
disclosed through system malfunction or personnel action.
- (7) Proper disposition and correction of security
deficiencies in all approved ADP Systems, and the effective
use and disposition of system housekeeping or audit records,
records of security violations or security-related system
malfunctions, and records of tests of the security features
of an ADP System." [DoD-5200.28-M]
- DoD Manual 5220.22-M (Section XIII 111) states: "Audit Trails
- a. The general security requirement for any ADP system audit
trail is that it provide a documented history of the use of
the system. An approved audit trail will permit review of
classified system activity and will provide a detailed
activity record to facilitate reconstruction of events to
determine the magnitude of compromise (if any) should a
security malfunction occur. To fulfill this basic
requirement, audit trail systems, manual, automated or a
combination of both must document significant events
occurring in the following areas of concern: (i) preparation
of input data and dissemination of output data (i.e.,
reportable interactivity between users and system support
personnel), (ii) activity involved within an ADP environment
(e.g., ADP support personnel modification of security and
related controls), and (iii) internal machine activity.
- b. The audit trail for an ADP system approved to process
classified information must be based on the above three
areas and may be stylized to the particular system. All
systems approved for classified processing should contain
most if not all of the audit trail records listed below. The
contractor's SPP documentation must identify and describe
those applicable:
- 1. Personnel access;
- 2. Unauthorized and surreptitious entry into the
central computer facility or remote terminal areas;
- 3. Start/stop time of classified processing indicating
pertinent systems security initiation and termination events
(e.g., upgrading/downgrading actions pursuant to paragraph
107);
- 4. All functions initiated by ADP system console
operators;
- 5. Disconnects of remote terminals and peripheral
devices (paragraph 107c);
- 6. Log-on and log-off user activity;
- 7. Unauthorized attempts to access files or programs,
as well as all open, close, create, and file destroy
actions;
- 8. Program aborts and anomalies including
identification information (i.e., user/program name, time
and location of incident, etc.);
- 9. System hardware additions, deletions and maintenance
actions;
- 10. Generations and modifications affecting the
security features of the system software.
- c. The ADP system security supervisor or designee shall
review the audit trail logs at least weekly to assure that
all pertinent activity is properly recorded and that
appropriate action has been taken to correct any anomaly.
The majority of ADP systems in use today can develop audit
trail systems in accord with the above; however, special
systems such as weapons, communications, communications
security, and tactical data exchange and display systems,
may not be able to comply with all aspects of the above and
may require individualized consideration by the cognizant
security office.
- d. Audit trail records shall be retained for a period of one
inspection cycle." [DoD-5220.22-M]