The readiness to have one’s actions, judgments, and failures to act questioned by responsible others; to explain why deviations from the reasonable expectations of responsible others may have occurred; and to respond responsibly when errors in behavior or judgment have been detected. Accountability, a critical component of professionalism, is closely related to the principles of morality, ethics, and legal obligations. In a computing sense, the term refers to associating computer users with their actions while online, so that each action can be traced back to the user who performed it.
In recent times, corporate accounting scandals at Enron, WorldCom, and Nortel have resulted in corporate leaders being held accountable for their misdeeds, with some serving time in prison. Alberta-born, one-time telecom tycoon Bernard Ebbers, for example, was found guilty on March 15, 2005, of conducting the largest accounting fraud in U.S. history. His convictions on all nine counts and on the $11 billion fraud carry a cumulative maximum jail time of 85 years. Ebbers’ case is a continuation of the white-collar crime exposure that made media headlines at the end of the 1990s when the high-tech bubble burst. The role of executive and board accountability has since become a major business issue in this millennium, with new laws being passed in the United States and elsewhere for dealing with corporate accountability infractions. More recently, on May 25, 2006, the U.S. government’s Enron task force was praised publicly when guilty verdicts were announced against former chair Kenneth Lay and former CEO Jeffrey Skilling, the two top executives most accountable for the Enron corporation’s collapse. Lay, convicted of 6 charges of conspiracy and securities and wire fraud, faces a maximum of 165 years behind bars, while Skilling, convicted of 19 counts of conspiracy, securities fraud, lying to auditors, and insider trading, faces a maximum sentence of 185 years behind bars.
Moreover, with the passage of the Sarbanes-Oxley Act of 2002 (SOX) in the United States, any breach in information technology (IT) security represents a risk to the information stored on company computers and could be viewed as a violation of Section 404 of the Act—a major issue pertaining to accountability. In short, Section 404 requires corporate leaders and third-party auditors to certify the effectiveness of the internal controls put in place to protect the integrity of financial reports—processes as well as technologies. In other words, a corporate leader’s lack of control over IT security might reasonably imply a lack of control over the organization’s financial reports, itself a violation of Section 404 of the Act. The Chief Executive Officer (CEO) or the Chief Information Officer (CIO) could, indeed, be held accountable for a breach of the Act.
As a result of the importance of corporate accountability with regard to SOX compliance, security information management (SIM) solutions are an emerging product group that will enable CEOs and CIOs to comply with the conditions defined in the Sarbanes-Oxley Act by providing rapid detection of threats to the system, management of the threat, and containment. Real-time security monitoring and correlation solutions are a key means by which companies can demonstrate compliance. Moreover, if challenged in court with violating provisions of the Act, CEOs and CIOs using SIM solutions will be able to produce complete incident reports and logs showing that security policies not only were in place but also were being followed correctly and in a consistent, compliant, accountable manner.
A typical SIM system collects log files and incident data from a number of network and server sources; correlates these incidents in real time to identify potential threats before they materialize into real ones; prioritizes threats based on risk weightings, target vulnerabilities, and other key variables; maintains a data set of known threats and vulnerabilities; and allows for automated as well as operator-guided system actions, so that the company can provide a reliable and consistent set of incident responses.
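The following Python sketch is an added illustration of that pipeline and is not code from the original entry or from any SIM vendor. It parses a handful of constructed log lines from two sources, applies two correlation rules inside a time window (a port probe against one host and a burst of failed logins followed by a success), scores each threat by the target asset’s risk weighting and by whether it touched a known vulnerability, and then records every response, automated or operator-guided, in an audit trail of the kind a CEO or CIO would need for compliance reporting. The log format, rule thresholds, asset risk table, and vulnerability set are all assumptions made for the example.

```python
"""Toy SIM-style correlator (added example; log format, thresholds, asset
risk weightings and vulnerability data are constructed, not real)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines from a firewall and an authentication server.
# Format: "<ISO timestamp> <source> <event> src=<ip> dst=<host> key=value ..."
SAMPLE_LOGS = """\
2005-03-15T09:00:01 firewall connect src=10.0.0.5 dst=erp-db port=22
2005-03-15T09:00:02 firewall connect src=10.0.0.5 dst=erp-db port=23
2005-03-15T09:00:03 firewall connect src=10.0.0.5 dst=erp-db port=80
2005-03-15T09:00:04 firewall connect src=10.0.0.5 dst=erp-db port=443
2005-03-15T09:00:05 firewall connect src=10.0.0.5 dst=erp-db port=1433
2005-03-15T09:01:10 authsrv login_failed src=10.0.0.7 dst=erp-app user=cfo
2005-03-15T09:01:12 authsrv login_failed src=10.0.0.7 dst=erp-app user=cfo
2005-03-15T09:01:15 authsrv login_failed src=10.0.0.7 dst=erp-app user=cfo
2005-03-15T09:01:20 authsrv login_ok src=10.0.0.7 dst=erp-app user=cfo
2005-03-15T09:05:00 authsrv login_failed src=10.0.0.9 dst=intranet-wiki user=guest
2005-03-15T09:30:00 authsrv login_failed src=10.0.0.9 dst=intranet-wiki user=guest
"""

# Risk weightings: systems feeding financial reports weigh most under SOX 404.
ASSET_RISK = {"erp-db": 5, "erp-app": 4, "intranet-wiki": 1}
# Known-vulnerability data set: (host, port) pairs with an open finding.
KNOWN_VULNS = {("erp-db", 1433)}
WINDOW = timedelta(minutes=5)  # correlation window for both rules


def parse(line):
    """Turn one log line into an event dict with a datetime timestamp."""
    ts, source, event, *kv = line.split()
    fields = dict(pair.split("=", 1) for pair in kv)
    return {"ts": datetime.fromisoformat(ts), "source": source,
            "event": event, **fields}


def correlate(events):
    """Apply the two correlation rules per source IP; return raw threats."""
    threats = []
    by_src = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_src[ev["src"]].append(ev)
    for src, evs in by_src.items():
        # Rule 1: >= 5 distinct ports probed on one host within WINDOW.
        probes = [e for e in evs if e["event"] == "connect"]
        for i, first in enumerate(probes):
            group = [e for e in probes[i:] if e["dst"] == first["dst"]
                     and e["ts"] - first["ts"] <= WINDOW]
            ports = {int(e["port"]) for e in group}
            if len(ports) >= 5:
                threats.append({"rule": "port_scan", "src": src,
                                "dst": first["dst"], "ports": ports, "severity": 3})
                break
        # Rule 2: >= 3 failed logins then a success for one user within WINDOW.
        logins = [e for e in evs if e["event"].startswith("login")]
        for i, ev in enumerate(logins):
            if ev["event"] != "login_ok":
                continue
            prior = [e for e in logins[:i] if e["event"] == "login_failed"
                     and e["user"] == ev["user"] and ev["ts"] - e["ts"] <= WINDOW]
            if len(prior) >= 3:
                threats.append({"rule": "bruteforce_success", "src": src,
                                "dst": ev["dst"], "user": ev["user"], "severity": 4})
    return threats


def prioritize(threats):
    """Score = severity x asset risk, doubled if a known vulnerability was hit."""
    for t in threats:
        score = t["severity"] * ASSET_RISK.get(t["dst"], 1)
        hits = {p for p in t.get("ports", ()) if (t["dst"], p) in KNOWN_VULNS}
        if hits:
            score *= 2
            t["known_vulns"] = hits
        t["score"] = score
    return sorted(threats, key=lambda t: t["score"], reverse=True)


def respond(threats, operator="analyst1"):
    """Automated action above a score threshold, operator-guided action below;
    every decision is appended to an audit trail for later reporting."""
    audit = []
    for t in threats:
        if t["score"] >= 20:
            action, actor = "block_source_automatically", "sim-engine"
        else:
            action, actor = "ticket_for_operator_review", operator
        audit.append({"rule": t["rule"], "src": t["src"], "dst": t["dst"],
                      "score": t["score"], "action": action, "actor": actor})
    return audit


def run(log_text=SAMPLE_LOGS):
    """Full pipeline: parse -> correlate -> prioritize -> respond (audit trail)."""
    events = [parse(ln) for ln in log_text.splitlines() if ln.strip()]
    return respond(prioritize(correlate(events)))


if __name__ == "__main__":
    for entry in run():
        print(entry)
```

On the constructed input the port probe against the database host scores highest (severity 3 x risk 5, doubled because port 1433 is in the vulnerability set) and is blocked automatically, while the credential-guessing success against the application server is ticketed for an operator; the two isolated failures against the wiki never cross a threshold. The audit trail is the piece that matters for accountability: it shows not only that the policy existed but who or what acted on each incident and why.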