(1) Principle that an individual is entrusted to safeguard and control equipment, keying material, and information and is answerable to proper authority for the loss or misuse of that equipment or information.
(2) The security goal that generates the requirement for actions of an entity to be traced uniquely to that entity. This supports non-repudiation, deterrence, fault isolation, intrusion detection and prevention, and after-action recovery and legal action. This accountability needs to be made explicit in terms of sanctions for not being accountable.
(3) In terms of HIPAA and FISCAM, accountability is accomplished through maintaining a record of the movements of hardware and electronic media and any person responsible for that movement. All requests for and access granted to stored information must be logged for review and possible investigation. Logging should include such items as a date/time stamp, the identification of the user, the type of access (e.g., create, read, modify, delete), the success or failure of the request, and identification of the data acted upon.
(4) The ability to hold responsible the owners, providers, and users of information systems and other parties. The repercussions of actions taken by individuals. It is the principle that individuals, organizations, and the community are responsible for their actions and may be required to explain them to others.
(5) The ability to answer for, explain, or justify actions or decisions for which an individual, organization, or system is responsible.
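The logging items listed in definition (3) can be checked mechanically before a log is relied on for review or investigation. The following is an added example, not part of the source glossary or of any standard it draws on; the JSON Lines layout, the field names, the closed vocabularies, and the requirement for a UTC offset are assumptions made for illustration.

```python
import json
from datetime import datetime

# Field names and the closed vocabularies are assumptions of this example;
# definition (3) lists the items to log but prescribes no schema.
REQUIRED = ("timestamp", "user_id", "access_type", "outcome", "object_id")
ACCESS_TYPES = {"create", "read", "modify", "delete"}
OUTCOMES = {"success", "failure"}

def audit_gaps(record):
    """List the reasons one record cannot be tied to a user, action and object."""
    gaps = [f"missing {f}" for f in REQUIRED if not str(record.get(f) or "").strip()]
    ts = record.get("timestamp")
    if ts:
        try:
            # Assumption: an offset is required so events from several hosts can be ordered.
            if datetime.fromisoformat(ts).tzinfo is None:
                gaps.append("timestamp has no UTC offset")
        except (TypeError, ValueError):
            gaps.append("timestamp is not ISO 8601")
    if record.get("access_type") and record["access_type"] not in ACCESS_TYPES:
        gaps.append(f"unknown access_type {record['access_type']!r}")
    if record.get("outcome") and record["outcome"] not in OUTCOMES:
        gaps.append(f"unknown outcome {record['outcome']!r}")
    return gaps

def review(lines):
    """Map 1-based line number -> gaps, for every line that fails the check."""
    findings = {}
    for n, line in enumerate(lines, 1):
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            findings[n] = ["not valid JSON"]  # truncated or corrupted entry
            continue
        gaps = audit_gaps(record) if isinstance(record, dict) else ["not a JSON object"]
        if gaps:
            findings[n] = gaps
    return findings

# Constructed sample log (JSON Lines); none of these values come from a real system.
SAMPLE = [
    '{"timestamp": "2024-03-01T09:15:02+00:00", "user_id": "jdoe", "access_type": "read", "outcome": "success", "object_id": "record/1182"}',
    '{"timestamp": "2024-03-01T09:16:40+00:00", "user_id": "", "access_type": "modify", "outcome": "success", "object_id": "record/1182"}',
    '{"timestamp": "2024-03-01 09:17:05", "user_id": "asmith", "access_type": "export", "outcome": "failure", "object_id": "media/tape-07"}',
    '{"timestamp": "2024-03-01T09:18:11+00:00", "user_id": "jdoe", "access_ty',
]
```

`review(SAMPLE)` flags the second line because the modification cannot be traced to a user, which is the property definition (2) depends on.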