Principle 6 - Enable Accountability

Detail

Where services support the accountability of individuals and external systems for their actions, they must provide reliable, strong and comprehensive audit trails which can be monitored and reported on.

Services should be designed so that access permissions are checked every time a subject requests access to an object (complete mediation), ensuring that authorisation controls cannot be circumvented by reusing an earlier decision.

Audit, logging and alerting systems must be chosen to suit the classification of the information they will store. They must be appropriate to the risk exposure and provide controls against misuse and loss of audit data and against loss of availability of the service.

Decision Evaluation Criteria:

  • Are the appropriate levels of audit being captured across all OSI layers of the service?
  • Does the service use an appropriate logging, audit and alerting mechanism to record and manage not only valid access, but also attempted violations and permissible access control overrides?
  • Have you identified the audit monitoring and reporting mechanisms to be used, including conformance with any external management and reporting systems which might be employed?
  • Are all auditable events captured with non-repudiation and identifiable to a person or process?
  • Is there non-repudiation to the legal integrity of the audit?
  • Does the design incorporate user session management controls which securely maintain the authenticated user's authorisation information within a session context?
  • Do software solutions employ server-side validation of all user requests in order to minimise the possibility of client-side access control subversion attacks?
  • Do use cases (or user stories) for all user interactions exist that demonstrate system validation of access permissions at every object request, both in the context of the authenticated user session and the state of the workflow transaction?
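
The following is an added example, not part of the original principle text, showing how the criteria above fit together in code: every object request is re-authorised server-side against the current policy and the server-held session (no cached decisions, no client-supplied rights), and every outcome, whether granted, denied or an explicit override, is written to a hash-chained audit log that names the subject and session so the record is attributable and tamper-evident. The subjects, the policy table, the override role and the "patient-42" object are all constructed for this illustration.

```python
"""Added example (not from the original page): complete mediation with an
accountable, tamper-evident audit trail.

Every object request is re-authorised on the server side against the current
policy (no cached decisions), and every decision (allow, deny or override) is
written to a hash-chained audit log naming the subject and session.
All names, the policy table and the sample session data are constructed.
"""
import hashlib
import json
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional

# Constructed policy: subject -> {object: set(actions)}
POLICY = {
    "alice": {"patient-42": {"read"}},
    "bob":   {"patient-42": {"read", "write"}},
}

# Constructed: subjects permitted to invoke an explicit, audited override
# (a "break-glass" path that is allowed by design but must leave a record).
OVERRIDE_ROLES = {"carol"}


@dataclass
class Session:
    """Server-side session context; the client never supplies its own rights."""
    session_id: str
    subject: str
    valid: bool = True          # a revoked session fails every later request


@dataclass
class AuditLog:
    """Append-only, hash-chained audit trail: each entry commits to the previous."""
    entries: list = field(default_factory=list)
    last_hash: str = "0" * 64

    def record(self, **event) -> dict:
        event["ts"] = datetime.now(timezone.utc).isoformat()
        event["prev"] = self.last_hash
        payload = json.dumps(event, sort_keys=True).encode()
        event["hash"] = hashlib.sha256(payload).hexdigest()
        self.last_hash = event["hash"]
        self.entries.append(event)
        return event

    def verify(self) -> bool:
        """Recompute the chain; any edited, removed or reordered entry breaks it."""
        prev = "0" * 64
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "hash"}
            if body["prev"] != prev:
                return False
            digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
            if digest != e["hash"]:
                return False
            prev = e["hash"]
        return True


def access(session: Session, obj: str, action: str, log: AuditLog,
           override_reason: Optional[str] = None) -> bool:
    """Mediate one object request; returns True if access is granted.

    The permission check runs on every call and nothing is remembered between
    requests, so a revoked session or a changed policy takes effect at once.
    """
    if not session.valid:
        log.record(subject=session.subject, session=session.session_id,
                   object=obj, action=action, decision="deny", reason="invalid-session")
        return False
    allowed = action in POLICY.get(session.subject, {}).get(obj, set())
    if allowed:
        decision, reason = "allow", "policy"
    elif override_reason and session.subject in OVERRIDE_ROLES:
        decision, reason = "allow", "override:" + override_reason
    else:
        decision, reason = "deny", "policy"
    log.record(subject=session.subject, session=session.session_id,
               object=obj, action=action, decision=decision, reason=reason)
    return decision == "allow"


if __name__ == "__main__":
    log = AuditLog()
    alice = Session("s1", "alice")
    access(alice, "patient-42", "read", log)                 # allow (policy)
    access(alice, "patient-42", "write", log)                # deny  (policy)
    carol = Session("s2", "carol")
    access(carol, "patient-42", "read", log, "emergency")    # allow (override, logged)
    alice.valid = False
    access(alice, "patient-42", "read", log)                 # deny  (revoked session)
    for e in log.entries:
        print(e["subject"], e["object"], e["action"], e["decision"], e["reason"])
    print("chain intact:", log.verify())
```

The override path is deliberately an allow, not a bypass: it is only reachable for a designated role, requires a stated reason, and produces the same kind of attributable record as every other decision, which is what the "permissible access control overrides" criterion asks for. The hash chain gives a reviewer a cheap integrity check on the trail itself; in a deployed system the chain head would be anchored outside the service (for example, shipped to a separate log store) so that an attacker with write access to the log cannot simply regenerate it.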

Basis

  • NIST 22 - Design and implement audit mechanisms to detect unauthorised use and support incident investigation
  • CSSLP - Complete mediation