Читать книгу The Official (ISC)2 SSCP CBK Reference - Mike Wills - Страница 40
Accountability
ОглавлениеInformation and information systems represent significant investments by organizations, and as a result, there's a strong bottom-line financial need to know that such investments are paying off—and that their value is not being diluted due to loss of control of that information (via a data breach or exfiltration) or loss or damage to the data's integrity or utility. Organizations have three functional or operational needs for information regarding accountability. First, they gather information about the use of corporate information and IT systems. Then they consolidate, analyze, and audit that usage information. Finally, they use the results of those reviews to inform decision-making. Due diligence needs, for example, are addressed by resource chargeback, which attributes the per-usage costs of information to each internal user organization. Individuals must also be held accountable for their own actions, including their use or misuse of corporate information systems. Surrounding all of this is the need to know whether the organization's information security systems are actually working correctly and that alarms are being properly attended to.