AU-10 Non-Repudiation

Control: The information system provides the capability to determine whether a given individual took a particular action.

Supplemental Guidance: Examples of particular actions taken by individuals include creating information, sending a message, approving information (e.g., indicating concurrence or signing a contract), and receiving a message. Non-repudiation protects against later false claims by an individual of not having taken a specific action: an author denying having authored a particular document, a sender denying having transmitted a message, a receiver denying having received a message, or a signatory denying having signed a document. Non-repudiation services can be used to determine whether information originated from an individual, whether an individual took a specific action (e.g., sending an email, signing a contract, approving a procurement request), or whether an individual received specific information. Such services are obtained by employing techniques or mechanisms such as digital signatures, digital message receipts, and time stamps. Mechanisms based on a secret shared between the parties (e.g., a keyed hash) authenticate a message and protect its integrity but do not provide non-repudiation, because either holder of the secret could have produced the evidence.
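
As an added illustration (not part of NIST SP 800-53 or this catalog page), the Go program below shows the three mechanisms named above in working code: an action record signed with the actor's Ed25519 private key (proof of origin), a signed receipt from the receiver (digital message receipt), and a time stamp carried inside the signed record. It also shows why a shared-secret HMAC over the same record does not give non-repudiation. The record layout, field names, the "procurement-request-0042" identifier, the in-process key generation, and the self-asserted timestamp are all assumptions of this example; a deployment binds public keys to individuals through a PKI or identity provider and obtains trusted time from a time-stamping authority.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
	"time"
)

// ActionRecord is the statement of "who did what to what, when" that gets signed.
// The field set and JSON layout are an assumption of this example, not a NIST format.
type ActionRecord struct {
	Actor     string `json:"actor"`
	Action    string `json:"action"`    // e.g. "approve", "send", "receive"
	Object    string `json:"object"`    // identifier of the document, message or request
	Timestamp string `json:"timestamp"` // RFC 3339 UTC; self-asserted by the signer here
}

// SignedRecord is the evidence the audit system retains: the record plus the
// signature that binds it to the actor's private key.
type SignedRecord struct {
	Record    ActionRecord
	Signature []byte
}

// canonical serializes the record deterministically so signer and verifier sign
// and check the same bytes. encoding/json emits struct fields in declaration order.
func canonical(r ActionRecord) []byte {
	b, err := json.Marshal(r)
	if err != nil {
		panic(err) // only string fields; marshalling cannot fail
	}
	return b
}

// SignAction produces proof of origin: only the holder of priv can create a
// signature that verifies under the matching public key.
func SignAction(priv ed25519.PrivateKey, r ActionRecord) SignedRecord {
	return SignedRecord{Record: r, Signature: ed25519.Sign(priv, canonical(r))}
}

// VerifyAction is what an auditor runs later with the actor's public key. Failure
// means the record was altered after signing or was signed by a different key.
func VerifyAction(pub ed25519.PublicKey, s SignedRecord) bool {
	return ed25519.Verify(pub, canonical(s.Record), s.Signature)
}

// SignReceipt is the digital message receipt: the receiver signs a record of
// having received the object, so it cannot later deny receipt.
func SignReceipt(receiverPriv ed25519.PrivateKey, receiver, object, ts string) SignedRecord {
	return SignAction(receiverPriv, ActionRecord{Actor: receiver, Action: "receive", Object: object, Timestamp: ts})
}

// HMACTag is the contrast case. A MAC under a key shared by sender and receiver
// proves integrity and that someone holding the key produced the tag, but either
// party could have, so it cannot settle a dispute between them.
func HMACTag(key []byte, r ActionRecord) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(canonical(r))
	return m.Sum(nil)
}

// HMACValid checks a tag in constant time.
func HMACValid(key []byte, r ActionRecord, tag []byte) bool {
	return hmac.Equal(HMACTag(key, r), tag)
}

func main() {
	// Keys are generated in-process for the demo (assumption); without a binding
	// of public key to person, a valid signature proves nothing about who acted.
	alicePub, alicePriv, _ := ed25519.GenerateKey(rand.Reader)
	bobPub, bobPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, malloryPriv, _ := ed25519.GenerateKey(rand.Reader)

	// Constructed sample: alice approves a procurement request.
	ts := time.Now().UTC().Format(time.RFC3339)
	approval := SignAction(alicePriv, ActionRecord{Actor: "alice", Action: "approve", Object: "procurement-request-0042", Timestamp: ts})
	fmt.Println("genuine approval verifies:", VerifyAction(alicePub, approval))

	// Alice cannot later claim she approved a different request: changing any
	// field, including the timestamp, breaks the signature.
	altered := approval
	altered.Record.Object = "procurement-request-0043"
	fmt.Println("altered record verifies:", VerifyAction(alicePub, altered))

	// Nor can a third party manufacture an approval in her name.
	forged := SignAction(malloryPriv, approval.Record)
	fmt.Println("record signed by mallory verifies as alice:", VerifyAction(alicePub, forged))

	// Bob's signed receipt lets alice prove he received the request.
	receipt := SignReceipt(bobPriv, "bob", "procurement-request-0042", ts)
	fmt.Println("bob's receipt verifies:", VerifyAction(bobPub, receipt))

	// Contrast: with a shared key, bob can produce a valid tag for an approval
	// alice never made, so the tag cannot be used against her.
	shared := []byte("example-shared-secret")
	bogus := ActionRecord{Actor: "alice", Action: "approve", Object: "procurement-request-0099", Timestamp: ts}
	fmt.Println("bob's HMAC over a fake alice approval validates:", HMACValid(shared, bogus, HMACTag(shared, bogus)))
}
```

The timestamp inside the signed record only binds the time the signer claims; to prove when the signature existed, the evidence should also be countersigned by a trusted time-stamping authority (RFC 3161), which is outside this example.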

Control Enhancements: (0) None.

Baseline: LOW: Not Selected; MOD: Not Selected; HIGH: Not Selected

Family: Audit And Accountability

Class: Technical

ISO 17799 mapping: 10.8.2, 10.9.1, 12.3.1

COBIT 4.1 mapping: DS5.11

PCI-DSS v2 mapping: 10.5, 10.5.5