The document provides an overview of access control techniques including discretionary access controls, mandatory access controls, role-based access controls, and authentication methods like passwords, tokens, biometrics, and multifactor authentication. It discusses important access control concepts like identification, authorization, accountability, and session management. Key factors in choosing an authentication method include the value of protected assets, the threat level, potential countermeasures and costs, and usability. Maintaining accountability requires strong identification, authentication, monitoring, auditing, policies, and an organizational culture that enforces responsibility.
2. ● Access Control Techniques
○ Methods
● Identification and Authentication
○ Types and Strategies
● Identity Management
○ Considerations
● Authentication Methods
○ How to establish
● Sessions
○ Strategies on how to control
What the pages cover
3. Access Control
● Only Authorised Users, Programs, and/or
systems are allowed to access resources.
Access Control Techniques
● How we determine which users, programs,
or systems get which access to which
resources.
● Methods of organising and protecting
data.
Access Controls - Continued
4. "Yo, Check out that sweet role-based access
control..." - Lord Nikon
Access Control Techniques
5. The balance between access controls enforced
by the Organization and those set by the
information owners can be described by three
general frameworks:
● Discretionary (DAC)
● Non-Discretionary
● Mandatory (MAC)
Discretionary and Mandatory
Access Controls
6. Discretionary:
● Controls placed on data by the owner of the data.
The owner decides who, and what privilege.
● User-centric (User is responsible).
Mandatory:
● Controls are determined by the system and based on
Organisational Policy.
● System-centric (User vs. Resource Classification).
● The Information Owner states who needs to know;
the system makes the decision against that criteria.
● man chmod (file mode bits set by the owner are the
classic DAC example)
Discretionary and Mandatory
Access Controls - continued.
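The two frameworks side by side, as an added example (not from the original slides): a discretionary check in which the owner's permission bits (the same bits chmod sets) are the policy and only the owner may change them, next to a mandatory check in which the system compares a subject's clearance against the object's label and nobody can override it by setting bits. The subjects, objects, labels and modes are constructed for illustration; the MAC rules shown are the Bell-LaPadula "no read up / no write down" pair.

```python
from dataclasses import dataclass, field

# Sensitivity levels the system enforces, in increasing order (constructed).
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "secret": 3}


@dataclass
class Subject:
    name: str
    clearance: str                            # used by the MAC check
    groups: set = field(default_factory=set)  # used by the DAC check


@dataclass
class DacObject:
    """Owner-controlled object: mode holds rwxrwxrwx bits as chmod uses them."""
    owner: str
    group: str
    mode: int

    def allows(self, subject: Subject, perm: str) -> bool:
        """The owner decides: the bits the owner set are the whole policy."""
        bit = {"r": 4, "w": 2, "x": 1}[perm]
        if subject.name == self.owner:
            return bool((self.mode >> 6) & bit)   # owner triplet
        if self.group in subject.groups:
            return bool((self.mode >> 3) & bit)   # group triplet
        return bool(self.mode & bit)              # other triplet

    def chmod(self, by: Subject, mode: int) -> bool:
        """Only the owner may change the bits; that is what makes it discretionary."""
        if by.name != self.owner:
            return False
        self.mode = mode
        return True


@dataclass
class MacObject:
    label: str


def mac_allows(subject: Subject, obj: MacObject, perm: str) -> bool:
    """The system decides, from labels the owner cannot edit:
    read  -> subject clearance must dominate the object label ("no read up")
    write -> object label must dominate the subject clearance ("no write down")
    """
    s, o = LEVELS[subject.clearance], LEVELS[obj.label]
    if perm == "r":
        return s >= o
    if perm == "w":
        return o >= s
    raise ValueError(f"unknown permission {perm!r}")
```

Note the asymmetry the test shows: under DAC a non-owner cannot widen access, but the owner can open the file to everyone with one chmod; under MAC a low-clearance subject may write up into a higher label but can never read it back, and the owner gets no say.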
7. ACLs (Access Control Lists)
● Keyword Pattern & Action
○ Examples: MAC Address filtering
● If nothing matches, or a matching entry has
no action, the default applies: deny by
default or allow by default (based on the
org's stance).
● Structure of access is often based on
Organization Structure (Users into
Groups. Groups into file and directory
permissions).
Data Access Controls
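An ordered ACL evaluated first-match, in the style of a MAC-address filter, as an added example that is not from the original slides. It shows the two points the slide makes: the default policy decides whenever no entry matches (or an entry carries no action), and because evaluation stops at the first match, the order of entries is itself part of the policy. Addresses and patterns are constructed for illustration.

```python
import fnmatch

DEFAULT_DENY = "deny"
DEFAULT_ALLOW = "allow"


def normalize_mac(mac: str) -> str:
    """Canonical lower-case, colon-separated form so that AA-BB-CC-... and
    aa:bb:cc:... compare equal. Malformed input raises instead of silently
    failing to match (which would otherwise turn into an allow under a
    default-allow policy)."""
    hexdigits = mac.replace(":", "").replace("-", "").lower()
    if len(hexdigits) != 12 or any(c not in "0123456789abcdef" for c in hexdigits):
        raise ValueError(f"bad MAC address: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def evaluate_acl(acl, mac: str, default: str) -> str:
    """acl: list of (pattern, action) pairs in evaluation order.
    Patterns are shell-style globs over the canonical form ('00:1a:2b:*').
    The first matching entry decides. An entry whose action is not
    'allow'/'deny' (unspecified) falls through to the default, as does
    the case where nothing matches at all."""
    target = normalize_mac(mac)
    for pattern, action in acl:
        if fnmatch.fnmatchcase(target, pattern.lower()):
            return action if action in ("allow", "deny") else default
    return default


# Constructed filter: block one known-bad NIC, allow the rest of its vendor
# prefix, and an entry the admin never finished (no action).
EXAMPLE_ACL = [
    ("00:1a:2b:3c:4d:5e", "deny"),
    ("00:1a:2b:*", "allow"),
    ("aa:bb:cc:*", None),
]
```

Swapping the first two entries silently unblocks the bad NIC, which is why ACL reviews check ordering and not only the presence of a deny.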
8. ● An ACL in the form of a table.
● Unwieldy for large environments, but
useful when designing a system, or
looking at smaller portions.
Access Control Matrix
9. ● Access is based on a predefined set of
rules.
● These rules specify the privileges granted
to users when specific conditions are met.
○ Example:
■ The Standard ACL says that Jr. Admin Bob
can access the Dubstep MP3 Folder, but the
rule based system would specify that while he
can access it, he can only access the folder
between 5PM and 8AM (outside of Sr. Admin
Barry's Office Hours).
Rule-based Access Control
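The Bob-and-the-Dubstep-folder rule from the slide, implemented as an added example (not from the original). The standard ACL entry says Bob may read the folder; the rule layered on top only honours that entry between 17:00 and 08:00. That window crosses midnight, which is the case a naive `start <= now <= end` check gets wrong, so the window test handles the wrap explicitly. Subjects, paths and times are constructed for illustration.

```python
from datetime import datetime, time

# Standard ACL: object -> {subject: set of permissions} (constructed).
ACL = {"/music/dubstep": {"bob": {"read"}, "barry": {"read", "write"}}}

# Rule-based overlay: (subject, object) -> list of (start, end) windows.
# A window whose end is earlier than its start wraps past midnight.
TIME_RULES = {("bob", "/music/dubstep"): [(time(17, 0), time(8, 0))]}


def in_window(now: time, start: time, end: time) -> bool:
    """True if 'now' lies in [start, end), including windows that wrap past
    midnight such as 17:00-08:00 (outside Sr. Admin Barry's office hours)."""
    if start <= end:                        # same-day window, e.g. 09:00-17:00
        return start <= now < end
    return now >= start or now < end        # wraps: 17:00-24:00 or 00:00-08:00


def is_allowed(subject: str, obj: str, perm: str, when: datetime) -> bool:
    """ACL first: no entry, no access. Then the rule must also be satisfied
    if one exists for this (subject, object); with no rule the ACL alone decides."""
    if perm not in ACL.get(obj, {}).get(subject, set()):
        return False
    windows = TIME_RULES.get((subject, obj))
    if windows is None:
        return True
    return any(in_window(when.time(), s, e) for s, e in windows)


def allowed_at(subject: str, obj: str, perm: str, iso_timestamp: str) -> bool:
    """Convenience wrapper taking an ISO-8601 local timestamp string."""
    return is_allowed(subject, obj, perm, datetime.fromisoformat(iso_timestamp))
```

The rule can only narrow what the ACL already grants: Bob never gets write access at any hour, because the rule is checked after the ACL, not instead of it.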
10. ● RBAC bases the access control
authorizations on the roles or functions
that the user is assigned within an
organization.
● Which roles get which access can be set by
the Data Owner or applied from Org Policy.
Role-Based Access Controls
11. The four basic RBAC architectures:
● Non-RBAC
○ Traditional user-granted access (like ACLs). No
formal roles or mapping.
● Limited RBAC
○ Users are mapped to a single application only.
● Hybrid RBAC
○ Users are mapped to multiple applications, that
subscribe to the Org's role-based model.
● Full RBAC
○ Enterprise wide. Top down, from role policy.
See Fig. 1.11
RBAC - Continued
12. ● RBAC is easily modelled on the
organisation's own reporting or functional
structure.
○ Personnel moves are simplified (job role is tied to
access).
See also "The Triangle of Power" by Matt
Byrd, MSFT:
http://blogs.technet.com/b/exchange/archive/2009/11/16/3408825.aspx
RBAC - Continued
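A minimal RBAC model for slides 10 and 12, added here as an example that is not from the original deck: users are assigned to roles, roles are granted permissions, and there is deliberately no way to grant a permission to a user directly. The personnel move on slide 12 becomes a swap of role assignments, with the old roles dropped wholesale so that privileges do not accumulate as people change jobs. Role, user and permission names are constructed.

```python
from collections import defaultdict


class Rbac:
    def __init__(self):
        self.role_perms = defaultdict(set)   # role -> {(object, operation)}
        self.user_roles = defaultdict(set)   # user -> {role}

    def grant(self, role: str, obj: str, op: str) -> None:
        """Data owner or org policy decides what a role may do."""
        self.role_perms[role].add((obj, op))

    def assign(self, user: str, role: str) -> None:
        """Users only ever get roles; an unknown role is a configuration error,
        not an opportunity for an ad-hoc per-user grant."""
        if role not in self.role_perms:
            raise KeyError(f"unknown role {role!r}")
        self.user_roles[user].add(role)

    def revoke(self, user: str, role: str) -> None:
        self.user_roles[user].discard(role)

    def move(self, user: str, new_roles) -> None:
        """Personnel move: replace the user's roles rather than adding to them."""
        self.user_roles[user] = set()
        for role in new_roles:
            self.assign(user, role)

    def permissions(self, user: str) -> set:
        """Effective permissions are the union over the user's roles."""
        return set().union(*(self.role_perms[r] for r in self.user_roles[user]))

    def check(self, user: str, obj: str, op: str) -> bool:
        return (obj, op) in self.permissions(user)

    def users_with(self, obj: str, op: str) -> set:
        """Audit question: who can do this? Answered from roles, not per-user lists."""
        return {u for u in self.user_roles if self.check(u, obj, op)}
```

The audit helper is the payoff of the model: "who can update payroll?" is answered by walking roles, which is what an independent reviewer actually asks for.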
13. ● Content-dependent access controls are
based on the data. The control
mechanism examines the data, and
makes decisions based on what it finds.
● Constrained User Interface is a method
of restricting users to functions in the UI,
based on role in the system.
○ Example: AS/400 Payroll Menus, POS unit, or
Views in a database.
Miscellaneous Controls
14. ● Capability tables are used to match
subjects (like users or processes) and their
capabilities (read, write, etc.).
● Temporal (Time-based) Isolation limits
access based on time.
○ Examples: Dubstep MP3 Folder, or Limiting
access to change Payroll to the first 4 hours of
the day.
Miscellaneous Controls - cont'd
15. ● Identification
○ Provides uniqueness and accountability (when
done properly)
● Authentication
○ Provides validity. You are expected, and trusted.
● Authorization
○ Provides Control.
Identification and Authentication
16. Identification provides a point of assignment
and association to a user entity within a
system. Can be user, service account, etc...
Examples:
● User Name
● User ID
● Account Number
● PIN
● Certificates
Identification Methods
17. ● The Identification Badge is the most
common form of Physical identification.
○ Name, Logo, Face, Colour, etc..
● Policy usually dictates they must be worn at
all times.
● "Badge Check"
● Usually tied together with an access
badge & reader.
● RFID
Badges
18. ● User ID
○ Only use it as a system ID, not an authenticator.
● MAC (Media Access Control)
○ No longer a good way to authenticate a user
(spoofable).
● IP Address
○ Logical Location on network. Set by software, not
a good indicator.
○ Subnets
● Email Address
○ Concept is email is globally unique, however it's
spoofable and only unique by convention.
Other Types
19. ● Three Essential Security characteristics
regarding identities:
○ Uniqueness
■ Must be unambiguous & distinct
■ Can be duplicated across systems, but bad
practice
○ Non-descriptiveness
■ An ID should not reveal who the holder is or
what they do. Examples of descriptive IDs:
■ billg@microsoft.com
■ Samir_Nagheenanajar@Initech.com
■ CIO@Wellsfargo.com
○ Secure Issuance
■ Documentable and traceable.
User Identification Guidelines
20. ● Every system must track valid users and
control their permissions, across different
types of administrative software and
processes.
● Account creation process & propagation.
● Goal of the system is to consolidate
access rights into a managed system.
● See Fig 1.13
● Quicker provisioning & deprovisioning
Poll: How long does it take to deprovision/lock all
passwords/etc on a user account in your org?
Identity Management
21. ● 2 Minutes Hate - topic: User Provisioning
● Backlog
○ Not Enough People to process
● Cumbersome
○ Too Complex, or time consuming = Errors
● Incomplete Forms
○ "I just check all the boxes."
● No Audit Trails
○ "Fuck it, we'll do it live!"
● Stale users
○ Ghost NDRs
Identity Management Challenges
22. ● Consistency
○ User profile data should be consistent and
uniform.
● Usability
● Reliability
○ "My admin account never worked right, so I've
just been using the domain admin."
● Scalability
○ If you have 10,000 users and your domain
controller is an old laptop, you're gonna have a bad
time.
Identity Management Challenges -
continued
23. ● Can help with legal obligations, and
industry-specific compliance.
● When properly done, you can have finer
control (and flexibility) over what access levels
the public, guests, vendors, contractors,
support, etc. groups have.
Other Considerations
24. ● In general, an Org will either opt to be
Centralized, or Decentralized.
● Centralized:
○ All access decisions, provisioning, and
management is concentrated in a central location.
○ One entity (user/department/system) manages
the service for the entire org. Example: RADIUS
● Decentralized:
○ ID Management, authentication, and authorisation
decisions are moved closer to the local resource.
○ Could be per department.
Centralised Identity Management
25. ● Authentication by knowledge
○ Something you know
■ Example: Password
● Authentication by possession
○ Something you have
■ Example: ID Badge
● Authentication by characteristic
○ Something you are
■ Example: Fingerprint
Authentication Methods
26. ● Logical controls related to those types are
called "Factors"
● Single-Factor
○ Use of 1 factor (makes sense, right?)
● Two-Factor
○ Using two of the three factors (a password plus a
PIN is still one factor). Who edited this book?
● Three-Factor
○ You get the picture.
● The book mentions a possible 4th (geolocation,
somewhere you are) by GPS or IP.
Factors
27. ● Passwords
○ Standard Words
■ God
● Easily Guessable
○ Combination
■ G0d
● Got an app for that
○ Complex
■ 1||$1D3j0|<3
● Harder to remember - people usually write these down or
have them somewhere.
● Passphrase
○ List of names, Phrase, or Mnemonic
■ Example: AD5wu5ydD!
● "Always do sober what you said you'd do drunk." - Hemingway
Authentication by Knowledge
28. ● Issues:
○ Cleartext
○ Offline and Off Site Cracking
● Passwords are usually stored hashed (salted, with
a slow hash) rather than in cleartext, which limits
the damage when the password database is stolen.
● Graphical Passwords
○ Protect somewhat against keyloggers
Passwords continued
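Why "hashed" on its own is not the protection, as an added example that is not from the original slides. A stolen table of unsalted, single-round hashes falls to an offline dictionary run that hashes each candidate once and matches it against every user at the same time; the same passwords stored with a per-user random salt and an iterated key derivation function force the attacker to rerun the full KDF for every (user, candidate) pair. Standard-library hashlib only; the user table, passwords and word list are constructed for illustration, and the iteration count is kept modest so the block runs quickly.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed word list an attacker would try first (cf. the password slide).
WORDLIST = ["123456", "password", "letmein", "God", "G0d", "dubstep4life"]


# --- The weak store: unsalted SHA-256, one round -----------------------------
def weak_store(password: str) -> str:
    """Same password always yields the same hash, for every user."""
    return hashlib.sha256(password.encode()).hexdigest()


def weak_crack(stored: dict):
    """Offline attack: one hash per candidate word serves as a lookup table for
    all users at once. Returns (cracked users, number of hashes computed)."""
    lookup = {weak_store(w): w for w in WORDLIST}
    found = {user: lookup[h] for user, h in stored.items() if h in lookup}
    return found, len(lookup)


# --- The stronger store: per-user salt + PBKDF2-HMAC-SHA256 ------------------
ITERATIONS = 100_000   # assumed; raise in production to whatever your hardware allows


def strong_store(password: str, salt: Optional[bytes] = None):
    """Returns (salt, derived_key). A fresh 16-byte salt per user."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, dk


def strong_verify(password: str, salt: bytes, dk: bytes) -> bool:
    _, candidate = strong_store(password, salt)
    return hmac.compare_digest(candidate, dk)   # constant-time comparison


def strong_crack(stored: dict):
    """Same dictionary attack against the salted store. No shared lookup table
    is possible, so the KDF (ITERATIONS rounds each) runs once per
    (user, word). Returns (cracked users, number of KDF runs)."""
    found, kdf_runs = {}, 0
    for user, (salt, dk) in stored.items():
        for word in WORDLIST:
            kdf_runs += 1
            if strong_verify(word, salt, dk):
                found[user] = word
                break
    return found, kdf_runs
```

Both stores lose the users whose passwords are in the word list; the salted, iterated store does not stop guessing, it makes each guess cost ITERATIONS hash rounds and makes every user a separate job. Password length and policy still decide whether "G0d" is in the attacker's list.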
29. ● Token, Fob, Badge, Key, Ring, etc..
● Concept is to add an additional layer of
confidence.
● Two Methods:
○ Asynchronous
■ Challenge-Response
● Slide Card, Enter Pin
○ Synchronous
■ Time, Event, or Location
● Seed. Like the WoW account thingie.
Authentication By Possession
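The two token methods from the slide, as an added example that is not from the original. Synchronous: token and server share a seed and derive a one-time code from an event counter (HOTP, RFC 4226) or from the current 30-second time step (TOTP, RFC 6238, the scheme behind the WoW-style authenticator). Asynchronous: the server sends a random challenge and the token, once unlocked with its PIN, answers with an HMAC over it. Standard library only. The seed is the RFC 4226/6238 test-vector secret, so the codes can be checked against the RFC tables; the challenge flow and the clock-skew tolerance are constructed assumptions.

```python
import hashlib
import hmac
import os
import struct
import time
from typing import Optional

SEED = b"12345678901234567890"     # RFC 4226 / RFC 6238 test-vector secret


# --- Synchronous tokens -------------------------------------------------------
def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """Event-based code: HMAC-SHA1(secret, counter) with dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: Optional[int] = None, step: int = 30, digits: int = 6) -> str:
    """Time-based code: HOTP with counter = floor(unix_time / step)."""
    at = int(time.time()) if at is None else at
    return hotp(secret, at // step, digits)


def verify_totp(secret: bytes, code: str, at: int, step: int = 30, skew: int = 1) -> bool:
    """Server side: accept the current step and +/- skew neighbours so a token
    whose clock has drifted a little still works; compare in constant time."""
    return any(hmac.compare_digest(totp(secret, at + d * step, step), code)
               for d in range(-skew, skew + 1))


# --- Asynchronous (challenge-response) token ---------------------------------
def issue_challenge() -> bytes:
    """Server: a fresh random nonce per attempt, so a captured response is
    useless for replay."""
    return os.urandom(16)


def token_respond(secret: bytes, challenge: bytes) -> str:
    """Token (after the PIN unlocks it): HMAC-SHA256 over the challenge."""
    return hmac.new(secret, challenge, hashlib.sha256).hexdigest()


def server_verify(secret: bytes, challenge: bytes, response: str) -> bool:
    return hmac.compare_digest(token_respond(secret, challenge), response)
```

The synchronous scheme needs nothing sent to the token but depends on counter or clock agreement (hence the skew window); the asynchronous scheme needs no clock but requires the user to key a challenge into the token, which is the usability trade-off the next slides touch on.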
30. ● Physical device that contains credentials.
● Two Types:
○ Memory Cards
■ Swipe cards. Mag stripe.
■ Often used together with a PIN.
■ Often the stripe is unencrypted, so its contents
can be read and cloned (theft).
○ Smart Cards
■ Embedded Chip, that can accept, store, and
send information.
■ Some have apps.
● Used for Secure log-on, S/MIME, Secure Web Access,
VPNs, Hard Disk Encryption.
■ Helps integrate outside devices into Enterprise
PKI.
Static Authentication Devices
31. ● Types of access to information on a smart card:
● Read only.
● Add only.
● Update only.
● No access.
● Trusted Path
○ Login process is done by the reader, instead of
the host.
○ Minimises surface area, and "hops", with each
addition adding opportunity for security failures.
Smart-Card Segue
32. ● ROM
○ Predetermined by the manufacturer.
● Programmable Read-Only (PROM)
○ Can be modified, but looks like a pain in the ass.
● Erasable Programmable Read-Only
(EPROM)
○ Widely used early on, but the process is difficult.
Ultraviolet light? Really?
● Electrically Erasable PROM (EEPROM)
○ Current IC of choice.
● RAM
○ Not bad, actually, if used as a dead man's switch
(contents vanish when power is cut).
Smart Card Memory Types
33. ● Data controls are intrinsic to how the IC
works.
● Example:
○ When power is applied to the smart card, the
process can apply logic to perform services and
take action or control of the EEPROM.
○ No power = no access = less exposure
● Mag stripe, contact, and contactless (RFID)
○ See Page 126-128 for pinouts...
More Smart Card Stuff
34. The book mentions a few other possession-
based authentication devices, One of which
was USB devices.
iLok:
Footnote
35. ● Biometrics
○ Two Types:
■ Physiological
● Example: Fingerprint, Hand, Face, Eyes
● Vascular Scans (They scan yer veins! And if you mash
your hand, you're SOL).
■ Behavioral
● Examples: Voice Pattern & Recognition. Keystroke
pattern (typing style), Signature dynamics.
○ Accuracy
■ Typical Passwords, tokens, and devices
provide a high degree of accuracy and
confidence.
■ Humans are different, and Environments are
different.
Authentication by Characteristic
36. ● False Reject Rate (Type I Error):
○ When authorised users are falsely rejected as
unidentified or unverified.
● False Accept Rate (Type II Error):
○ When unauthorised persons or imposters are
falsely accepted as authentic.
● Crossover Error Rate (CER):
○ The point at which the false rejection rates and
the false acceptance rates are equal. The smaller
the value of CER, the more accurate the system.
Biometric Accuracy
37. ● Not sensitive enough, everyone will be
authorised.
● Too sensitive, and no one gets through.
● The "tune" of the system is largely based
on risk vs. importance of the controls,
resulting in an Org-accepted level of risk.
Biometric Accuracy - Cont'd
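The accuracy figures from slides 36 and 37 computed on sample data, as an added example that is not from the original deck. A matcher returns a similarity score; the system accepts when the score reaches a threshold. Sweeping the threshold gives the False Reject Rate (Type I, genuine users turned away) and False Accept Rate (Type II, impostors let in) at each setting, the crossover where they meet, and the threshold an organisation would pick for a given acceptable FAR. The genuine and impostor scores are constructed for illustration.

```python
# Constructed similarity scores in [0, 100]; higher means a closer match.
GENUINE = [92, 88, 85, 81, 79, 77, 74, 70, 66, 61]    # enrolled user vs own template
IMPOSTOR = [64, 60, 57, 52, 49, 45, 40, 36, 31, 25]   # someone else vs that template


def rates(threshold: int, genuine=GENUINE, impostor=IMPOSTOR):
    """Accept iff score >= threshold. Returns (FRR, FAR) as fractions.
    FRR (Type I): genuine attempts scoring below the threshold.
    FAR (Type II): impostor attempts scoring at or above it."""
    frr = sum(1 for s in genuine if s < threshold) / len(genuine)
    far = sum(1 for s in impostor if s >= threshold) / len(impostor)
    return frr, far


def crossover(genuine=GENUINE, impostor=IMPOSTOR):
    """Sweep every threshold; the CER is the error rate where FRR and FAR are
    closest. Ties resolve to the lowest such threshold.
    Returns (threshold, frr, far)."""
    best = None
    for t in range(0, 101):
        frr, far = rates(t, genuine, impostor)
        gap = abs(frr - far)
        if best is None or gap < best[0]:
            best = (gap, t, frr, far)
    _, t, frr, far = best
    return t, frr, far


def tune(max_far: float, genuine=GENUINE, impostor=IMPOSTOR):
    """Org-accepted risk: the lowest threshold (least friction for real users)
    whose FAR does not exceed max_far. Returns (threshold, frr, far)."""
    for t in range(0, 101):
        frr, far = rates(t, genuine, impostor)
        if far <= max_far:
            return t, frr, far
    raise ValueError("no threshold meets the FAR target")
```

Tightening the FAR target from 20% to 0% on this data moves the threshold from 58 to 65 and pushes the FRR from 0 to 10%: every tenth legitimate attempt is rejected. That trade is the "tune" the slide describes, and it is set by the value of the asset, not by the sensor.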
38. ● Resistance to counterfeiting
○ A determined attacker can take advantage by
counterfeiting what is measured.
● Data storage requirements
○ Security of the data it's matching against.
● User acceptance
○ "Ain't nobody got time for that."
○ Enrollment speed.
● Reliability and accuracy
○ "The system...is down..."
● Target user and approach
○ Who and how?
Biometric Considerations
39. ● The capabilities and level of confidence
increases as more factors and techniques
are included in the identification and
authentication process.
○ See Fig. 1.23
● "Strongest" leans towards Biometrics.
○ Strong:
■ Assurance that the authentication produced by
the method is valid.
○ Harder to implement, manage, impersonate.
○ As with anything, trade-offs.
Authentication Method Summary
40. Most prevalent considerations when looking
at an enterprise authentication method(s):
● The Value of the Protected Asset
○ High Value = More Complex method
● The Level of Threat to the Asset
○ Assess Risk. Real vs. Perceived.
● Potential Countermeasures
○ How can we reduce threat?
● The Cost of Countermeasures
○ "Consider the following..."
● Feasibility and inconvenience to users.
○ Participation vs. Annoyance.
Authentication Method Summary -
cont'd
42. ● Term to describe how a single instance of
identification and authentication is
applied to resources.
○ Desktop Sessions can be controlled & protected:
■ Screensavers
● GPO
■ Timeouts
● Power Saver
■ Automatic Logouts
■ Login Limitations
■ Schedule Limitations
● Time/Day
Session Management
44. ● Being able to determine who or what is
responsible for an action, and can be held
responsible.
● Repudiation (as defined by the book)
○ The ability to deny an action, event, impact, or
result.
● Non-repudiation (Cue Tim)
○ The process of ensuring that a user may not deny
an action. Accountability relies on non-repudiation
heavily.
Accountability
45. ● Strong Identification
○ NO SHARED ACCOUNTS!
● Strong Authentication
○ Biometrics
● User training and awareness
○ Are users aware of the consequence?
● Comprehensive and Timely Monitoring
○ IDS
● Accurate and Consistent Audit Logs
○ Collect and consolidate. Security Information and
Event Management (SIEM) Systems.
○ Splunk (shudder)
Factors contributing to
accountability of actions
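Accurate audit logs only support accountability if nobody can quietly rewrite them. The following is an added example, not from the original slides: an append-only log in which each entry hashes the previous entry's hash together with its own event, so altering or deleting an earlier entry breaks every link after it. This gives tamper evidence, not non-repudiation in the slide 44 sense; for that the entry would need a signature under the actor's own private key. The events are constructed.

```python
import hashlib
import json

GENESIS = "0" * 64   # hash "before" the first entry


def entry_hash(prev_hash: str, event: dict) -> str:
    # Canonical JSON (sorted keys, no whitespace) so the same event always
    # serialises, and therefore hashes, the same way.
    payload = prev_hash + json.dumps(event, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(payload.encode()).hexdigest()


class AuditLog:
    def __init__(self):
        self.entries = []   # list of {"event": {...}, "hash": str}

    def append(self, actor: str, action: str, target: str, ts: str) -> str:
        """Record who did what to what, when; returns the entry's chain hash.
        The actor is the *identified* account, which is why shared accounts
        make this useless: 'admin' is not a who."""
        event = {"actor": actor, "action": action, "target": target, "ts": ts}
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        h = entry_hash(prev, event)
        self.entries.append({"event": event, "hash": h})
        return h

    def head(self) -> str:
        """The latest chain hash; ship this to the SIEM or a WORM store so the
        local log cannot be re-chained end to end without detection."""
        return self.entries[-1]["hash"] if self.entries else GENESIS

    def verify(self):
        """Walk the chain. Returns (ok, index of first bad entry or None)."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if entry_hash(prev, e["event"]) != e["hash"]:
                return False, i
            prev = e["hash"]
        return True, None
```

An attacker with write access can of course recompute every hash after the one they changed; the chain is only as good as the copy of `head()` held somewhere they cannot write, which is the consolidation point the SIEM bullet is about.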
46. ● Independent Audits
○ Unbiased review. Helps root out accountability in
the event of collusion.
○ Helps shape culture.
● Policies enforcing Accountability
○ HR's teeth.
● Org Culture supporting Accountability
○ "Do as I say, not as I do."
Factors contributing to
accountability of actions - cont'd