Accountability, Monitoring, and Session Management: Knowing Who Did What and When

Authentication and authorization are not enough without logging and monitoring. Learn how to design accountability and session controls that support detection, forensics, and compliance.

Holographic audit theater with glowing traces of user actions representing accountability and monitoring

CISSP lens

Pick answers that align business risk, governance intent, and practical control execution.

Why this matters

Authentication and authorization tell you who can do what. Accountability tells you what they actually did. Without good logging, monitoring, and session management, you cannot detect abuse, investigate incidents, or prove compliance.

Core concept

Accountability links actions in a system to specific identities in a way that can be verified later.

Identification, authentication, authorization, accountability

The full chain works like this:

  1. Identification: A subject claims an identity, such as entering a username
  2. Authentication: The subject proves that identity
  3. Authorization: The system checks what that identity is allowed to do
  4. Accountability: The system records what the subject actually does

If any link is weak, accountability suffers.

Audit logging

Audit logs record security-relevant events such as:

  • Successful and failed logins
  • Privileged actions, such as configuration changes
  • Access to sensitive data
  • Changes to accounts, roles, and permissions

Good logging requires decisions about:

  • What to log
  • Where to store logs
  • How long to keep them
  • Who can access them

Logs themselves are sensitive and must be protected from tampering.
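One way to make tampering detectable is to chain the records cryptographically, which also illustrates the "write-once storage or cryptographic signing" item in the checklist later in this article. The following is an added example, not code from the article: an append-only log in which every record carries the SHA-256 hash of the record before it, so editing or deleting any record breaks the chain from that point on. The field names, the sample events, and the idea of keeping the "head" hash on a system the log writer cannot modify are assumptions made for this example.

```python
import copy
import hashlib
import json
from datetime import datetime, timezone

# Added example (not from the article): an append-only audit log whose
# records are hash-chained. Each record stores the SHA-256 of the previous
# record, so editing or deleting any record invalidates every hash after it.
# The field names (ts, actor, action, target, source_ip, outcome) are
# assumptions chosen for this example, not a standard schema.

GENESIS = "0" * 64  # "previous hash" for the very first record


def _canonical(record: dict) -> bytes:
    # Deterministic serialization: sorted keys, no incidental whitespace,
    # so the same content always produces the same hash.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def _record_hash(record: dict) -> str:
    return hashlib.sha256(_canonical(record)).hexdigest()


def append_event(log: list, actor: str, action: str, target: str,
                 source_ip: str, outcome: str, ts: str = "") -> dict:
    """Append one security-relevant event, linking it to the previous record."""
    record = {
        "ts": ts or datetime.now(timezone.utc).isoformat(),
        "actor": actor,
        "action": action,
        "target": target,
        "source_ip": source_ip,
        "outcome": outcome,
        "prev": log[-1]["hash"] if log else GENESIS,
    }
    record["hash"] = _record_hash(record)   # hash covers every field above
    log.append(record)
    return record


def verify_chain(log: list, expected_head: str = "") -> tuple:
    """Return (True, -1) if intact, else (False, index of the first bad record).

    expected_head is the hash of the last record as stored somewhere the
    log writer cannot modify (write-once storage, or shipped to the SIEM).
    Without it, silently dropping records from the end is undetectable.
    """
    prev = GENESIS
    for i, rec in enumerate(log):
        body = {k: v for k, v in rec.items() if k != "hash"}
        if body.get("prev") != prev or _record_hash(body) != rec.get("hash"):
            return False, i
        prev = rec["hash"]
    if expected_head and prev != expected_head:
        return False, len(log)  # tail truncated or never written
    return True, -1


def build_sample_log() -> tuple:
    """Constructed sample events; returns (log, head hash to keep off-box)."""
    log = []
    append_event(log, "alice", "login", "vpn", "10.0.0.5", "success",
                 ts="2025-01-06T09:00:00+00:00")
    append_event(log, "alice", "role_change", "user:bob", "10.0.0.5", "success",
                 ts="2025-01-06T09:02:10+00:00")
    append_event(log, "bob", "export", "customers.csv", "10.0.0.9", "success",
                 ts="2025-01-06T09:15:42+00:00")
    return log, log[-1]["hash"]


def tamper_scenarios() -> dict:
    """Show what each kind of after-the-fact change looks like to verify_chain."""
    log, head = build_sample_log()
    edited = copy.deepcopy(log)
    edited[1]["actor"] = "svc-batch"        # rewrite who granted the role
    deleted = copy.deepcopy(log)
    del deleted[1]                          # remove the role change entirely
    truncated = log[:-1]                    # drop the export from the tail
    return {
        "intact": verify_chain(log, head),
        "edited": verify_chain(edited, head),
        "deleted": verify_chain(deleted, head),
        "truncated_no_anchor": verify_chain(truncated),
        "truncated_with_anchor": verify_chain(truncated, head),
    }


if __name__ == "__main__":
    for name, result in tamper_scenarios().items():
        print(f"{name:22s} -> {result}")
```

The chain alone only proves that nothing in the middle was altered; dropping records from the end is invisible unless the latest hash is periodically copied somewhere the writer cannot reach, which is why the example verifies against an externally stored head. Signing that head with a private key held outside the server would turn the same structure into evidence usable for non-repudiation.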

Session management

A session represents a period of authenticated interaction between a user and a system.

Key controls include:

  • Session timeouts, which limit how long a session can last
  • Idle timeouts, which end sessions after inactivity
  • Concurrent session limits, which restrict how many sessions a user can have
  • Re-authentication, which may be required for sensitive actions

Poor session management makes token theft or shoulder surfing more damaging.
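The four controls above fit together naturally in one session store. The code below is an added example, not code from the article: an in-memory store that enforces an absolute lifetime, an idle timeout, a per-user concurrent session limit, and step-up re-authentication for a set of sensitive actions. The policy values (8 hours, 15 minutes, 2 sessions, 5 minutes) and the action names are assumptions chosen for the example; the caller is assumed to have already authenticated the user before calling login.

```python
import secrets
from dataclasses import dataclass


# Added example (not from the article): an in-memory session store that
# enforces absolute timeout, idle timeout, a concurrent session limit and
# step-up re-authentication. Policy values are assumptions for the example.
# Time is passed in explicitly (seconds) so the behaviour is easy to test.

@dataclass
class Session:
    user: str
    token: str
    created: float     # when the session started
    last_seen: float   # last accepted request
    last_auth: float   # last time the user proved their identity


class SessionStore:
    def __init__(self, absolute_timeout=8 * 3600, idle_timeout=15 * 60,
                 max_concurrent=2, reauth_window=5 * 60,
                 sensitive_actions=frozenset({"change_password", "wire_transfer",
                                              "export_customers"})):
        self.absolute_timeout = absolute_timeout
        self.idle_timeout = idle_timeout
        self.max_concurrent = max_concurrent
        self.reauth_window = reauth_window
        self.sensitive_actions = sensitive_actions
        self._sessions = {}  # token -> Session

    def login(self, user: str, now: float) -> str:
        """Create a session; the caller has already authenticated the user."""
        # Concurrent session limit: evict the user's oldest session(s) first.
        own = sorted((s for s in self._sessions.values() if s.user == user),
                     key=lambda s: s.created)
        while len(own) >= self.max_concurrent:
            del self._sessions[own.pop(0).token]
        token = secrets.token_urlsafe(32)   # unguessable, not derived from user data
        self._sessions[token] = Session(user, token, now, now, now)
        return token

    def check(self, token: str, now: float, action: str = "read") -> str:
        """Validate a request. Returns 'ok' or the reason it was refused."""
        s = self._sessions.get(token)
        if s is None:
            return "no_session"
        if now - s.created > self.absolute_timeout:
            del self._sessions[token]      # hard lifetime reached, even if active
            return "expired_absolute"
        if now - s.last_seen > self.idle_timeout:
            del self._sessions[token]      # left unattended
            return "expired_idle"
        if action in self.sensitive_actions and now - s.last_auth > self.reauth_window:
            return "reauth_required"       # step-up: a stolen token alone is not enough
        s.last_seen = now
        return "ok"

    def reauthenticate(self, token: str, now: float) -> bool:
        """Record a fresh proof of identity (e.g. a password or MFA re-prompt)."""
        s = self._sessions.get(token)
        if s is None:
            return False
        s.last_auth = s.last_seen = now
        return True

    def logout(self, token: str) -> None:
        self._sessions.pop(token, None)

    def active_sessions(self, user: str) -> int:
        return sum(1 for s in self._sessions.values() if s.user == user)
```

The absolute timeout is checked before the idle timeout on purpose: a session that is kept alive by steady requests (whether from the user or from someone who stole the token) still ends at the hard limit. The re-authentication check refuses the sensitive action without touching last_seen, so a refused request does not extend the session.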

Monitoring and alerting

Logging by itself is not enough. Monitoring analyzes logs and other signals to detect anomalies and trigger alerts.

  • Real-time monitoring detects suspicious behavior as it happens
  • Periodic review supports audits and forensic investigations
  • User and entity behavior analytics (UEBA) identifies deviations from normal patterns

Monitoring systems often feed into a Security Information and Event Management (SIEM) platform.
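To show what "analyzes logs and other signals" looks like in practice, here is an added example, not code from the article, of three small detection rules of the kind a SIEM or UEBA layer would run over collected events: a failed-login burst from one source address, a user whose daily export volume is far above their own historical baseline, and a host whose clock disagrees with the collector's clock (the time-synchronization problem raised later in the real-world scenario). The JSON event lines, field names, thresholds, and the idea of recording both the host timestamp and the collector's receipt time are all constructed assumptions for this example.

```python
import json
from collections import defaultdict, deque
from datetime import datetime

# Added example (not from the article). Constructed sample events, one JSON
# object per line, as a collector might receive them. "ts" is the source
# host's own clock; "received" is the collector's clock on arrival.
SAMPLE_LOG = """
{"ts":"2025-02-26T14:00:00Z","received":"2025-02-26T14:00:01Z","host":"db1","user":"bob","src_ip":"10.0.0.9","event":"export","outcome":"success","bytes":50000000}
{"ts":"2025-02-27T14:05:00Z","received":"2025-02-27T14:05:01Z","host":"db1","user":"bob","src_ip":"10.0.0.9","event":"export","outcome":"success","bytes":60000000}
{"ts":"2025-02-28T13:50:00Z","received":"2025-02-28T13:50:01Z","host":"db1","user":"bob","src_ip":"10.0.0.9","event":"export","outcome":"success","bytes":40000000}
{"ts":"2025-03-01T08:00:00Z","received":"2025-03-01T08:00:01Z","host":"vpn1","user":"alice","src_ip":"203.0.113.7","event":"login","outcome":"fail"}
{"ts":"2025-03-01T08:00:05Z","received":"2025-03-01T08:00:06Z","host":"vpn1","user":"alice","src_ip":"203.0.113.7","event":"login","outcome":"fail"}
{"ts":"2025-03-01T08:00:10Z","received":"2025-03-01T08:00:11Z","host":"vpn1","user":"alice","src_ip":"203.0.113.7","event":"login","outcome":"fail"}
{"ts":"2025-03-01T08:00:15Z","received":"2025-03-01T08:00:16Z","host":"vpn1","user":"alice","src_ip":"203.0.113.7","event":"login","outcome":"fail"}
{"ts":"2025-03-01T08:00:20Z","received":"2025-03-01T08:00:21Z","host":"vpn1","user":"alice","src_ip":"203.0.113.7","event":"login","outcome":"fail"}
{"ts":"2025-03-01T08:00:25Z","received":"2025-03-01T08:00:26Z","host":"vpn1","user":"alice","src_ip":"203.0.113.7","event":"login","outcome":"fail"}
{"ts":"2025-03-01T08:00:30Z","received":"2025-03-01T08:00:31Z","host":"vpn1","user":"alice","src_ip":"203.0.113.7","event":"login","outcome":"success"}
{"ts":"2025-03-01T08:30:00Z","received":"2025-03-01T08:30:01Z","host":"vpn1","user":"carol","src_ip":"10.0.0.5","event":"login","outcome":"fail"}
{"ts":"2025-03-01T08:30:08Z","received":"2025-03-01T08:30:09Z","host":"vpn1","user":"carol","src_ip":"10.0.0.5","event":"login","outcome":"success"}
{"ts":"2025-03-01T10:00:00Z","received":"2025-03-01T10:11:30Z","host":"db2","user":"bob","src_ip":"10.0.0.9","event":"export","outcome":"success","bytes":900000000}
"""


def _parse_ts(value: str) -> datetime:
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def parse(text: str) -> list:
    """Parse JSON lines into events ordered by the host timestamp."""
    events = []
    for line in text.strip().splitlines():
        if not line.strip():
            continue
        e = json.loads(line)
        e["ts"] = _parse_ts(e["ts"])
        e["received"] = _parse_ts(e["received"])
        events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def failed_login_bursts(events: list, threshold: int = 5, window_s: int = 60) -> list:
    """Alert once per source IP when `threshold` failures land inside `window_s`."""
    alerts = []
    recent = defaultdict(deque)   # src_ip -> timestamps of recent failures
    for e in events:
        if e["event"] != "login" or e["outcome"] != "fail":
            continue
        q = recent[e["src_ip"]]
        q.append(e["ts"])
        while q and (e["ts"] - q[0]).total_seconds() > window_s:
            q.popleft()                        # slide the window forward
        if len(q) == threshold:                # fire exactly when the line is crossed
            alerts.append((e["src_ip"], e["ts"]))
    return alerts


def mass_export_anomalies(events: list, factor: float = 5.0, min_history_days: int = 2) -> list:
    """UEBA-style rule: a user's daily export bytes far above their own past average."""
    per_day = defaultdict(lambda: defaultdict(int))   # user -> day -> bytes
    for e in events:
        if e["event"] == "export":
            per_day[e["user"]][e["ts"].date()] += e.get("bytes", 0)
    alerts = []
    for user, days in per_day.items():
        ordered = sorted(days.items())
        for i, (day, total) in enumerate(ordered):
            history = [t for _, t in ordered[:i]]
            if len(history) < min_history_days:
                continue                        # not enough baseline yet
            baseline = sum(history) / len(history)
            if total > factor * baseline:
                alerts.append((user, day.isoformat(), total, baseline))
    return alerts


def clock_drift(events: list, max_skew_s: float = 120.0) -> dict:
    """Per host, the median (received - ts) offset; flag hosts beyond max_skew_s."""
    offsets = defaultdict(list)
    for e in events:
        offsets[e["host"]].append((e["received"] - e["ts"]).total_seconds())
    flagged = {}
    for host, values in offsets.items():
        values.sort()
        median = values[len(values) // 2]
        if abs(median) > max_skew_s:
            flagged[host] = median              # seconds the host clock lags
    return flagged


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    print("login bursts:", failed_login_bursts(evs))
    print("export anomalies:", mass_export_anomalies(evs))
    print("clock drift:", clock_drift(evs))
```

The burst rule orders events by the host timestamp, which is exactly why the drift rule matters: a host whose clock is eleven minutes behind would make its events sort into the wrong place and could split a real burst across two windows. The export rule compares each user only with their own history, which is the essence of the behavioural baseline that the article attributes to UEBA.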

Non-repudiation

Non-repudiation means that a user cannot credibly deny performing an action.

It relies on:

  • Strong authentication that ties actions to a specific identity
  • Logging that records actions with timestamps and context
  • Digital signatures or other cryptographic evidence for high-value transactions

CISSP lens

Domain cross-reference

For CISSP, accountability and monitoring connect technical controls with legal and compliance requirements.

Important exam angles:

  • Logs must be protected against tampering and unauthorized access to support forensics.
  • Effective time synchronization, such as NTP, is vital for correlating events across systems.
  • Non-repudiation often involves digital signatures, not just basic logging.
  • Session management controls limit exposure when sessions are hijacked or left unattended.

Scenarios may ask which logs are most important to retain, how long to keep them, or which control best improves accountability.

Real world scenario

An insider used legitimate access to slowly exfiltrate customer data over several months. The organization had logs, but they were stored locally on each server, with no central collection and no regular review.

When unusual activity was finally suspected, investigators found:

  • Incomplete logs due to disk space issues
  • Unsynchronized clocks, making event correlation difficult
  • No alerts tied to large data exports or unusual access patterns

In response, the organization:

  • Deployed a SIEM for centralized log collection and retention
  • Configured critical systems to log key events with appropriate detail
  • Implemented UEBA to flag unusual data access patterns
  • Synchronized all systems to trusted NTP sources

Subsequent incidents were detected more quickly, and investigations had a clearer trail of evidence.

Common mistakes

Generating logs that no one ever reviews. Logs without monitoring provide little security value.

Failing to protect log integrity, allowing attackers or administrators to alter records.

Omitting critical events, such as failed logins, privilege changes, or data exports.

Using inconsistent time sources, which makes timeline reconstruction unreliable.

Setting very long session timeouts for convenience, increasing the window of abuse for hijacked sessions.

Actionable checklist

  • Define a logging standard that specifies which events to log, retention periods, and required fields such as timestamps and source IPs.
  • Centralize log collection in a SIEM or log management platform with appropriate access controls.
  • Implement integrity protections for logs, such as write-once storage or cryptographic signing.
  • Configure session and idle timeouts based on data sensitivity and user workflows, and require re-authentication for high-risk actions.
  • Synchronize clocks across all systems using authenticated NTP, and monitor for time drift.
  • Develop alerting rules and UEBA models that focus on high-risk activities, such as privilege escalation, mass data access, or unusual login patterns.

Key takeaways

  • Accountability depends on linking identification, authentication, authorization, and logging into a coherent chain.
  • Logging without review is insufficient. Monitoring, alerting, and periodic analysis are required to realize value.
  • Session management limits the damage of hijacked or abandoned sessions.
  • Log integrity and time synchronization are critical for credible forensic evidence.
  • Non-repudiation often requires stronger measures, such as digital signatures, in addition to logging.

Exam-style reflection

Question: An employee denies submitting a high-value financial transaction. The system uses strong authentication, logs all actions with timestamps, and applies a digital signature to each transaction. Can the employee credibly repudiate the action?

Answer: No. The combination of strong authentication, detailed logging, and a digital signature provides non-repudiation. It creates an evidence chain showing that the transaction was initiated from the employee's account and signed with their private key.

This article is part of the CISSP Domain 5: Identity and Access Management study guide. Use the pillar to navigate every article in this domain.

© 2025 Threat On The Wire. All rights reserved.