CISSP Domain 5 IAM

Accountability, Monitoring, and Session Management: Knowing Who Did What and When

CISSP lens: Pick answers that align business risk, governance intent, and practical control execution.

Why this matters

Authentication and authorization tell you who can do what. Accountability tells you what they actually did. Without good logging, monitoring, and session management, you cannot detect abuse, investigate incidents, or prove compliance.

Core concept

Accountability links actions in a system to specific identities in a way that can be verified later.

Identification, authentication, authorization, accountability

The full chain works like this:

  1. Identification: A subject claims an identity, such as entering a username
  2. Authentication: The subject proves that identity
  3. Authorization: The system checks what that identity is allowed to do
  4. Accountability: The system records what the subject actually does

If any link is weak, accountability suffers.

Audit logging

Audit logs record security-relevant events such as:

  • Successful and failed logins
  • Privileged actions, such as configuration changes
  • Access to sensitive data
  • Changes to accounts, roles, and permissions

Good logging requires decisions about:

  • What to log
  • Where to store logs
  • How long to keep them
  • Who can access them

Logs themselves are sensitive and must be protected from tampering.
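One common way to make a log tamper-evident is a hash chain, where every entry's hash covers the previous entry's hash, so an edit, deletion or reordering anywhere breaks verification from that point on. The following is an added illustration, not code from the original page or from any product; the entry fields and sample records are constructed.

```python
"""Tamper-evident audit log via a SHA-256 hash chain. Added example; the
record layout and sample events are constructed for illustration."""
import hashlib
import json

GENESIS = "0" * 64   # chain anchor for the first entry


def _entry_hash(prev_hash, record):
    # Canonical JSON so the same record always hashes identically
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + canonical).encode("utf-8")).hexdigest()


class ChainedAuditLog:
    def __init__(self):
        self.entries = []   # each: {"seq", "record", "prev", "hash"}

    def append(self, record):
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        entry = {"seq": len(self.entries), "record": dict(record),
                 "prev": prev, "hash": _entry_hash(prev, record)}
        self.entries.append(entry)
        return entry["hash"]

    def head(self):
        """Hash of the newest entry. Copy it periodically somewhere the log
        writer cannot modify (write-once storage, a separate host, a signed
        timestamp): the chain by itself cannot reveal that its tail was cut off."""
        return self.entries[-1]["hash"] if self.entries else GENESIS


def verify_chain(entries):
    """Return (ok, first_bad_seq). Checks sequence numbers, back-links and hashes,
    so edits, deletions and reordering are all caught at the first bad entry."""
    prev = GENESIS
    for i, e in enumerate(entries):
        if (e["seq"] != i or e["prev"] != prev
                or _entry_hash(prev, e["record"]) != e["hash"]):
            return False, i
        prev = e["hash"]
    return True, None
```

The chain protects everything before the point of tampering but says nothing about entries removed from the end, which is why `head()` exists: anchoring the latest hash outside the log writer's control is what turns a chain into evidence.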

Session management

A session represents a period of authenticated interaction between a user and a system.

Key controls include:

  • Session timeouts, which limit how long a session can last
  • Idle timeouts, which end sessions after inactivity
  • Concurrent session limits, which restrict how many sessions a user can have
  • Re-authentication, which may be required for sensitive actions

Poor session management makes token theft or shoulder surfing more damaging.
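The four controls above can be seen working together in a small in-memory session store. This is an added example, not code from the original page; timestamps are passed in as Unix seconds so the behaviour is deterministic, and the caller is assumed to have already verified credentials (and any second factor) before `login` or a step-up re-authentication.

```python
"""Session controls: absolute timeout, idle timeout, concurrent-session limit
and step-up re-authentication. Added illustration; credential checking is
assumed to happen elsewhere."""
import secrets
from dataclasses import dataclass, field


@dataclass
class Session:
    user: str
    created_at: float      # absolute-timeout clock starts here
    last_seen: float       # idle-timeout clock restarts on every valid request
    auth_at: float         # last time the user proved identity (for step-up)
    token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


class SessionManager:
    def __init__(self, absolute_ttl=8 * 3600, idle_ttl=15 * 60,
                 max_concurrent=2, reauth_window=5 * 60):
        self.absolute_ttl = absolute_ttl
        self.idle_ttl = idle_ttl
        self.max_concurrent = max_concurrent
        self.reauth_window = reauth_window
        self._sessions = {}  # token -> Session

    def _expired(self, s, now):
        return (now - s.created_at > self.absolute_ttl
                or now - s.last_seen > self.idle_ttl)

    def _evict_expired(self, now):
        for tok in [t for t, s in self._sessions.items() if self._expired(s, now)]:
            del self._sessions[tok]

    def login(self, user, now):
        """Create a session after successful authentication (done by the caller).
        Enforces the concurrent-session limit by evicting the user's oldest session."""
        self._evict_expired(now)
        active = [s for s in self._sessions.values() if s.user == user]
        if len(active) >= self.max_concurrent:
            oldest = min(active, key=lambda s: s.created_at)
            del self._sessions[oldest.token]
        s = Session(user=user, created_at=now, last_seen=now, auth_at=now)
        self._sessions[s.token] = s
        return s.token

    def touch(self, token, now):
        """Validate a session for an ordinary request; returns the Session or None.
        A stolen token stops working at the earlier of the two timeouts."""
        s = self._sessions.get(token)
        if s is None:
            return None
        if self._expired(s, now):
            del self._sessions[token]
            return None
        s.last_seen = now
        return s

    def sensitive_action(self, token, now, reauthenticated=False):
        """Step-up check: sensitive actions need a recent proof of identity."""
        s = self.touch(token, now)
        if s is None:
            return "denied: no valid session"
        if reauthenticated:            # caller re-verified credentials/MFA just now
            s.auth_at = now
        if now - s.auth_at > self.reauth_window:
            return "step-up required"
        return "ok"

    def logout(self, token):
        self._sessions.pop(token, None)

    def active_count(self, user):
        return sum(1 for s in self._sessions.values() if s.user == user)
```

Note that the absolute timeout fires even for a session that is used continuously; that is the control that bounds how long a hijacked but actively used session stays valid.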

Monitoring and alerting

Logging by itself is not enough. Monitoring analyzes logs and other signals to detect anomalies and trigger alerts.

  • Real-time monitoring detects suspicious behavior as it happens
  • Periodic review supports audits and forensic investigations
  • User and entity behavior analytics (UEBA) identifies deviations from normal patterns

Monitoring systems often feed into a Security Information and Event Management (SIEM) platform.

Non-repudiation

Non-repudiation means that a user cannot credibly deny performing an action.

It relies on:

  • Strong authentication that ties actions to a specific identity
  • Logging that records actions with timestamps and context
  • Digital signatures or other cryptographic evidence for high value transactions

CISSP lens

Domain cross-reference

For CISSP, accountability and monitoring connect technical controls with legal and compliance requirements.

Important exam angles:

  • Logs must be protected against tampering and unauthorized access to support forensics.
  • Effective time synchronization, such as NTP, is vital for correlating events across systems.
  • Non-repudiation often involves digital signatures, not just basic logging.
  • Session management controls limit exposure when sessions are hijacked or left unattended.

Scenarios may ask which logs are most important to retain, how long to keep them, or which control best improves accountability.

Real world scenario

An insider used legitimate access to slowly exfiltrate customer data over several months. The organization had logs, but they were stored locally on each server, with no central collection and no regular review.

When unusual activity was finally suspected, investigators found:

  • Incomplete logs due to disk space issues
  • Unsynchronized clocks, making event correlation difficult
  • No alerts tied to large data exports or unusual access patterns

In response, the organization:

  • Deployed a SIEM for centralized log collection and retention
  • Configured critical systems to log key events with appropriate detail
  • Implemented UEBA to flag unusual data access patterns
  • Synchronized all systems to trusted NTP sources

Subsequent incidents were detected more quickly, and investigations had a clearer trail of evidence.

A minimum viable logging matrix

"Log everything" fails in practice: storage costs explode and signal drowns in noise. A defensible starting point is a small matrix of high-value events, each tied to the question it answers:

Event category    | Examples                               | Question it answers                 | Alert-worthy pattern
Authentication    | Success, failure, lockout, MFA outcome | Who got in, who tried               | Spray patterns, impossible travel, MFA fatigue bursts
Privilege use     | Admin logins, sudo, role elevation     | Who wielded power                   | Elevation outside change windows
Account lifecycle | Creation, deletion, group changes      | Who changed who can do what         | New account plus immediate privileged group add
Data access       | Sensitive reads, exports, bulk queries | Who touched the crown jewels        | Volume spikes, off-hours bulk access
Policy change     | Audit config, log clearing, GPO edits  | Who touched the controls themselves | Any log-clearing event, ever

The last row is the one juniors miss and attackers rely on: changes to the logging and audit configuration are themselves the highest-value events. An attacker's first stop after privilege escalation is often the audit policy.
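The alert-worthy patterns in the matrix, and the monitoring-versus-logging point made earlier, become concrete once written as rules over real event records. The following is an added example, not code from the original page: it runs four of the matrix's patterns over constructed JSON-lines audit events. The field names, thresholds, group names and business hours (in UTC) are assumptions to be adapted to a real log schema.

```python
"""Detection rules for the logging matrix's alert-worthy patterns, run over
constructed JSON-lines audit events. Added example; schema and thresholds
are assumptions."""
import json
from collections import defaultdict
from datetime import datetime

PRIVILEGED_GROUPS = {"Domain Admins", "sudo", "wheel"}   # assumed naming

# Constructed sample: one source failing against several accounts, then a
# fresh account made privileged, exporting in bulk at night and clearing a
# log; plus an ordinary daytime user for contrast.
SAMPLE_LOG = """
{"ts":"2025-03-02T02:10:00Z","event":"auth","result":"failure","user":"alice","src_ip":"203.0.113.9"}
{"ts":"2025-03-02T02:10:20Z","event":"auth","result":"failure","user":"bob","src_ip":"203.0.113.9"}
{"ts":"2025-03-02T02:10:45Z","event":"auth","result":"failure","user":"carol","src_ip":"203.0.113.9"}
{"ts":"2025-03-02T02:11:05Z","event":"auth","result":"success","user":"carol","src_ip":"203.0.113.9"}
{"ts":"2025-03-02T02:15:00Z","event":"account_create","user":"carol","target":"svc-backup2"}
{"ts":"2025-03-02T02:16:30Z","event":"group_add","user":"carol","target":"svc-backup2","group":"Domain Admins"}
{"ts":"2025-03-02T02:20:00Z","event":"export","user":"svc-backup2","rows":48000,"table":"customers"}
{"ts":"2025-03-02T02:25:00Z","event":"log_clear","user":"svc-backup2","host":"db01"}
{"ts":"2025-03-02T09:30:00Z","event":"auth","result":"failure","user":"dave","src_ip":"198.51.100.4"}
{"ts":"2025-03-02T09:30:10Z","event":"auth","result":"success","user":"dave","src_ip":"198.51.100.4"}
{"ts":"2025-03-02T10:00:00Z","event":"export","user":"dave","rows":200,"table":"invoices"}
"""


def parse(text):
    """Parse JSON lines into events with timezone-aware timestamps, oldest first.
    Correlation only works because every record carries a comparable timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        e = json.loads(line)
        e["ts"] = datetime.fromisoformat(e["ts"].replace("Z", "+00:00"))
        events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def detect(events, spray_users=3, spray_window_s=300, bulk_rows=10000,
           business_hours=(8, 18), priv_add_window_s=600):
    alerts = []

    # Authentication row: one source failing against many distinct accounts
    fails_by_ip = defaultdict(list)
    for e in events:
        if e["event"] == "auth" and e["result"] == "failure":
            fails_by_ip[e["src_ip"]].append(e)
    for ip, evs in fails_by_ip.items():
        for i, first in enumerate(evs):
            window = [x for x in evs[i:]
                      if (x["ts"] - first["ts"]).total_seconds() <= spray_window_s]
            users = {x["user"] for x in window}
            if len(users) >= spray_users:
                alerts.append(("password_spray", ip, sorted(users)))
                break

    # Policy-change row: any change to the audit trail itself, no threshold
    for e in events:
        if e["event"] in ("log_clear", "audit_policy_change"):
            alerts.append(("audit_tampering", e["user"], e["event"]))

    # Data-access row: bulk export outside business hours
    start, end = business_hours
    for e in events:
        if (e["event"] == "export" and e["rows"] >= bulk_rows
                and not (start <= e["ts"].hour < end)):
            alerts.append(("offhours_bulk_export", e["user"], e["rows"]))

    # Account-lifecycle row: new account quickly added to a privileged group
    created = {e["target"]: e["ts"] for e in events if e["event"] == "account_create"}
    for e in events:
        if (e["event"] == "group_add" and e["group"] in PRIVILEGED_GROUPS
                and e["target"] in created):
            age = (e["ts"] - created[e["target"]]).total_seconds()
            if 0 <= age <= priv_add_window_s:
                alerts.append(("new_account_privileged", e["target"], e["group"]))
    return alerts


if __name__ == "__main__":
    for alert in detect(parse(SAMPLE_LOG)):
        print(alert)
```

The audit-tampering rule deliberately has no threshold or time window: as the matrix says, one log-clearing event is enough. The other three rules only work because the events share synchronized, comparable timestamps, which is the practical reason time synchronization keeps appearing in this domain.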

Retention and the compliance clock

How long to keep logs is rarely a technical decision. Regulatory regimes set floors: PCI DSS requires one year of audit trail history with three months immediately available; HIPAA's six-year documentation requirement sweeps in security records; some sector regulators and contracts go further. Internal investigations set a second floor - breach dwell times measured in months mean that 30 days of retention can leave you reconstructing an intrusion with no evidence.

A practical tiering: hot storage with full search for 90 days, compressed warm storage to one year, and archival cold storage beyond that where regulation or litigation-hold obligations require it. Whatever you choose, write it down as a standard and apply it consistently: an examiner, an auditor, and opposing counsel will all ask the same question, and "it varies by server" is the wrong answer.

Common mistakes

Generating logs that no one ever reviews. Logs without monitoring provide little security value.

Failing to protect log integrity, allowing attackers or administrators to alter records.

Omitting critical events, such as failed logins, privilege changes, or data exports.

Using inconsistent time sources, which makes timeline reconstruction unreliable.

Setting very long session timeouts for convenience, increasing the window of abuse for hijacked sessions.

Actionable checklist

  • Define a logging standard that specifies which events to log, retention periods, and required fields such as timestamps and source IPs.
  • Centralize log collection in a SIEM or log management platform with appropriate access controls.
  • Implement integrity protections for logs, such as write-once storage or cryptographic signing.
  • Configure session and idle timeouts based on data sensitivity and user workflows, and require re-authentication for high-risk actions.
  • Synchronize clocks across all systems using authenticated NTP, and monitor for time drift.
  • Develop alerting rules and UEBA models that focus on high-risk activities, such as privilege escalation, mass data access, or unusual login patterns.

Key takeaways

  • Accountability depends on linking identification, authentication, authorization, and logging into a coherent chain.
  • Logging without review is insufficient. Monitoring, alerting, and periodic analysis are required to realize value.
  • Session management limits the damage of hijacked or abandoned sessions.
  • Log integrity and time synchronization are critical for credible forensic evidence.
  • Non-repudiation often requires stronger measures, such as digital signatures, in addition to logging.

Exam-style reflection

Question: An employee denies submitting a high-value financial transaction. The system uses strong authentication, logs all actions with timestamps, and applies a digital signature to each transaction. Can the employee credibly repudiate the action?

Answer: No. The combination of strong authentication, detailed logging, and a digital signature provides non-repudiation. It creates an evidence chain showing that the transaction was initiated from the employee's account and signed with their private key.

Keep learning: Access Control Administration, Authentication Methods and Technologies.

This article is part of the CISSP Domain 5: Identity and Access Management study guide. Use the pillar to navigate every article in this domain.



© 2025 Threat On The Wire. All rights reserved.