System Accountability

A.

Is a means of being able to track user actions.

Through the use of audit logs and other tools the user actions are recorded and can be used at a later date to verify what actions were performed.

Accountability is the ability to identify users and to be able to track user actions.

The following answers are incorrect: Documented design as laid out in the Common Criteria.

Is incorrect because the Common Criteria is an international standard to evaluate trust and would not be a factor in System Accountability.

Authorization.

Is incorrect because Authorization is granting access to subjects, just because you have authorization does not hold the subject accountable for their actions.

Formal verification of system design.

Is incorrect because all you have done is to verify the system design and have not taken any steps toward system accountability.

References: OIG CBK Glossary (page 778)

System accountability is the capability to trace and account for the activities of system users and processes. It involves establishing and maintaining the ability to link a particular user's actions to specific transactions or events in a system. To achieve system accountability, several mechanisms must be put in place, and one of the essential mechanisms is audit mechanisms. Therefore, the correct answer is A. Audit mechanisms.

Audit mechanisms are tools used to monitor and record system activity to establish a trail of evidence of what occurred on the system. Audit mechanisms enable the collection, analysis, and reporting of system events and user activities. They provide a means to track and investigate system misuse, policy violations, and other security-related events.

Documented design as laid out in the Common Criteria is a process used to develop and evaluate security features and capabilities of IT products and systems. It is not directly related to system accountability, and thus, it is not the correct answer to this question.

Authorization is the process of granting or denying access to resources based on the user's identity, roles, and responsibilities. Authorization is a crucial aspect of security, but it is not enough to achieve system accountability. Therefore, authorization is not the correct answer to this question.

Formal verification of system design is a process used to ensure that a system or product meets its design specifications and requirements. Formal verification is an important aspect of system security, but it is not directly related to system accountability. Therefore, it is not the correct answer to this question.

In conclusion, audit mechanisms are needed for system accountability. They enable the collection, analysis, and reporting of system events and user activities to establish a trail of evidence of what occurred on the system.