Accounting, Auditing, and Accountability


The diagram and the following concepts are addressed in the official study guide, the (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide:

  • Auditing: recording a log of the events and activities related to the system and subjects.
  • Accounting (aka accountability): reviewing log files to check for compliance and violations in order to hold subjects accountable for their actions.

But I don’t agree with it; I would address Accounting, Auditing, and Accountability as follows:

Accountability is established through auditing, an independent and systematic security assessment. Accounting is the process of recording logs of the activities of subjects on objects. An audit trail is the collection of those logs from which accountability is established. Log review is one of the most common security assessment techniques used in an information systems audit.

In summary,

  • Accountability is established by auditing.
  • Auditing is an independent and systematic security assessment; log review is one of the most common security assessment techniques.
  • Accounting produces logs, which form the audit trail that supports auditing.
  • Logs reflect the activities of authenticated subjects, which is what makes an action attributable to a specific person.

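The script below is an added illustration of these definitions, not code from the study guide or from this post's author. It treats a handful of constructed log lines as the product of accounting, groups them into a per-subject audit trail, and then performs the log review that lets an auditor hold subjects accountable: an action by a subject with no successful authentication on record cannot be attributed, an allowed action that the policy does not permit is a violation, and a login following repeated failures is worth a note. The log format, the subjects, the objects and the access policy are all assumptions made for the example.

```python
"""Log review over a constructed audit trail (example code, not from the original post)."""
import re
from collections import defaultdict

# Constructed sample audit log; the line format is an assumption for this example.
SAMPLE_LOG = """\
2024-03-01T09:00:01Z auth subject=alice result=SUCCESS src=10.0.0.5
2024-03-01T09:00:07Z access subject=alice object=/finance/q1.xlsx action=read result=ALLOW
2024-03-01T09:02:30Z auth subject=bob result=FAILURE src=10.0.0.9
2024-03-01T09:02:41Z auth subject=bob result=FAILURE src=10.0.0.9
2024-03-01T09:02:52Z auth subject=bob result=SUCCESS src=10.0.0.9
2024-03-01T09:03:10Z access subject=bob object=/finance/q1.xlsx action=write result=ALLOW
2024-03-01T09:04:15Z auth subject=carol result=SUCCESS src=10.0.0.12
2024-03-01T09:05:00Z access subject=carol object=/hr/salaries.csv action=read result=DENY
2024-03-01T09:06:12Z access subject=mallory object=/hr/salaries.csv action=read result=ALLOW
"""

# Assumed access policy: subject -> {object prefix: permitted actions}.
POLICY = {
    "alice": {"/finance/": {"read", "write"}},
    "bob": {"/finance/": {"read"}},
    "carol": {"/hr/": set()},
}

FAILED_LOGIN_THRESHOLD = 2

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<kind>auth|access) (?P<kv>.*)$")


def parse_log(text):
    """Parse log lines into event dicts. Malformed lines are returned separately,
    because a line the reviewer cannot read is itself a finding, not something to drop."""
    events, malformed = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if not m:
            malformed.append((lineno, line))
            continue
        ev = {"ts": m["ts"], "kind": m["kind"], "line": lineno}
        for pair in m["kv"].split():
            key, _, value = pair.partition("=")
            ev[key] = value
        events.append(ev)
    return events, malformed


def audit_trail(events):
    """Group events by subject: the per-subject audit trail that accounting produced."""
    trail = defaultdict(list)
    for ev in events:
        trail[ev.get("subject", "<none>")].append(ev)
    return dict(trail)


def permitted(policy, subject, obj, action):
    """True only if the policy explicitly grants this action on an object under a known prefix."""
    for prefix, actions in policy.get(subject, {}).items():
        if obj.startswith(prefix):
            return action in actions
    return False


def review(events, policy):
    """Log review: walk the trail in time order and derive accountability findings."""
    findings = []
    authenticated = set()          # subjects with a successful authentication on record
    failures = defaultdict(int)    # consecutive failed logins per subject
    for ev in events:
        subj = ev.get("subject", "<none>")
        if ev["kind"] == "auth":
            if ev["result"] == "SUCCESS":
                if failures[subj] >= FAILED_LOGIN_THRESHOLD:
                    findings.append(f"line {ev['line']}: {subj} authenticated after "
                                    f"{failures[subj]} failed attempts")
                authenticated.add(subj)
                failures[subj] = 0
            else:
                failures[subj] += 1
            continue
        # An access event is only attributable to a person if that subject authenticated first.
        if subj not in authenticated:
            findings.append(f"line {ev['line']}: access by {subj} with no successful "
                            f"authentication on record (cannot be attributed)")
        # An allowed access that the policy does not grant is a violation to hold the subject to.
        if ev["result"] == "ALLOW" and not permitted(policy, subj, ev["object"], ev["action"]):
            findings.append(f"line {ev['line']}: {subj} was allowed to {ev['action']} "
                            f"{ev['object']} contrary to policy")
    return findings


if __name__ == "__main__":
    evs, bad = parse_log(SAMPLE_LOG)
    for f in review(evs, POLICY):
        print(f)
```

Note that carol's denied read produces no finding: the attempt is recorded in the trail, but the control held, so there is nothing to hold her accountable for beyond the record itself. Mallory, by contrast, appears in the trail with no authentication event at all, which is exactly the gap that makes an audit trail useless for accountability.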
