Your organization established a sound mechanism for authentication, authorization, and accounting by implementing systems for single sign-on, policy enforcement and decision, security information and event management, intrusion detection and prevention, etc. After an administrative investigation, a malicious employee was held accountable for the attempts to steal research and development secrets and got fired. Which of the following is the best perspective that justifies the punitive action?
Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.
My suggested answer is C. Authorization.
The question asks what justifies the punitive action, not how accountability is concluded or traced. So whether the behavior or activity was authorized is the key to taking punitive action.
Accountability is concluded or determined by tracing “who did what” through auditing (reviewing logs). Accounting records “what has been done,” and authentication identifies and validates “who did that.” Whether or not an activity is authorized, it shall be recorded or logged, as the following diagram/OSG question shows.
However, the punitive action is based on authorization after accountability has been confirmed. Authorized behavior will not be punished, while unauthorized conduct will.
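To make the distinction concrete, here is an added example in Python (not part of the original post): the session tokens, the policy and the resulting log entries are constructed for illustration. Every access attempt is recorded regardless of the authorization decision, and the audit step reads those records to trace unauthorized attempts back to a subject; only the unauthorized ones are grounds for punishment.

```python
"""AAA walk-through: authentication, authorization, accounting, then auditing.

Added example, not from the original post. Identities, policy and log
entries below are constructed for illustration.
"""

# Constructed session tokens mapping to pre-registered identities.
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob"}

# Constructed policy: subject -> resources the subject may read.
POLICY = {
    "alice": {"rd/roadmap.docx"},
    "bob": {"hr/handbook.pdf"},
}


def authenticate(token):
    """Authentication: validate the claimed identity ("who")."""
    return SESSIONS.get(token)


def authorize(subject, resource):
    """Authorization: decide whether this right can be granted to the subject."""
    return resource in POLICY.get(subject, set())


def access(token, resource, log):
    """Enforcement point: accounting records every attempt, permitted or not."""
    subject = authenticate(token)
    if subject is None:
        log.append({"subject": None, "resource": resource, "decision": "REJECT-AUTHN"})
        return False
    allowed = authorize(subject, resource)
    log.append({"subject": subject, "resource": resource,
                "decision": "PERMIT" if allowed else "DENY"})
    return allowed


def audit(log):
    """Auditing: review the records and trace violations to subjects (accountability)."""
    violations = {}
    for entry in log:
        if entry["decision"] == "DENY":
            violations.setdefault(entry["subject"], []).append(entry["resource"])
    return violations


def demo():
    log = []
    access("tok-alice", "rd/roadmap.docx", log)    # authorized: logged all the same
    access("tok-bob", "rd/roadmap.docx", log)      # unauthorized: logged and denied
    access("tok-bob", "rd/formula.xlsx", log)      # unauthorized: logged and denied
    access("tok-unknown", "rd/roadmap.docx", log)  # authentication fails: logged
    return log, audit(log)
```

Running `demo()` yields four log entries but an audit result naming only bob, whose two denied attempts on R&D files are the unauthorized conduct that justifies punitive action.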
This question is designed to urge a consistent definition of AAA, Authentication, Authorization, and Accounting. It’s not uncommon that the last “A” for “Accounting” is replaced by “Auditing” or “Accountability.” I highly recommend using “Accounting” because auditing cannot be done, and accountability cannot be concluded without accounting. My post, Yet Another AAA, talks about this issue as well.
The following description of auditing and accounting in the official study guide (OSG) is not logically sound, whether we interpret it literally or compare it with authoritative sources such as the NIST glossary or the RFCs.
Auditing: recording a log of the events and activities related to the system and subjects.
Accounting (aka accountability): reviewing log files to check for compliance and violations in order to hold subjects accountable for their actions.
Stewart, James M.; Chapple, Mike; Gibson, Darril. CISSP (ISC)2 Certified Information Systems Security Professional Official Study Guide (Kindle Locations 1737-1739). Wiley. Kindle Edition.
In financial accounting, “accounting is the process of recording financial transactions pertaining to a business. The accounting process includes summarizing, analyzing and reporting these transactions to oversight agencies, regulators and tax collection entities.” (Investopedia)
In IT, accounting is “the act of collecting information on resource usage for the purpose of trend analysis, auditing, billing, or cost allocation.” (RFC 3539)
Simply put, accounting tracks activities and records logs. An audit trail is a collection of correlated logs for auditing, or “a chronological record that reconstructs and examines the sequence of activities surrounding or leading to a specific operation, procedure, or event in a security-relevant transaction from inception to final result.” (CNSSI 4009)
Auditing is the “independent review and examination of records and activities to assess the adequacy of system controls, to ensure compliance with established policies and operational procedures.” (CNSSI 4009)
Accountability is “the security goal that generates the requirement for actions of an entity to be traced uniquely to that entity.” (CNSSI 4009)
Authentication is “the act of verifying a claimed identity, in the form of a pre-existing label from a mutually known name space, as the originator of a message (message authentication) or as the end-point of a channel (entity authentication).” (RFC 3539)
Authorization is “the act of determining if a particular right, such as access to some resource, can be granted to the presenter of a particular credential.” (RFC 3539)
- Risk-based auditing
- What Is Accounting?
- RFC 3539: Authentication, Authorization and Accounting (AAA) Transport Profile
- RFC 2866: RADIUS Accounting
A BLUEPRINT FOR YOUR SUCCESS IN CISSP
My new book, The Effective CISSP: Security and Risk Management, helps CISSP aspirants build a solid conceptual security model. It is not only a tutorial for information security but also a study guide for the CISSP exam and an informative reference for security professionals.
- It is available on Amazon.
- Readers from countries or regions not supported by Amazon can get your copy from the author’s web site.
Your organization established a reliable mechanism for authentication, authorization, and accounting by implementing systems such as single sign-on (SSO), policy enforcement and decision, security information and event management (SIEM), and intrusion detection and prevention. After an administrative investigation, a malicious employee was held accountable for attempting to steal research and development secrets and was dismissed as a result. Which of the following perspectives best justifies the punitive action?
A. Auditing
B. Authentication
C. Authorization
D. Accounting