IBM Cloud Docs
AU-10 - Non-repudiation


Control requirements

AU-10 - 0
The information system protects against an individual (or process acting on behalf of an individual) falsely denying having performed [IBM Assignment: minimum actions including the addition, modification, deletion, approval, sending, or receiving of data].

Implementation guidance

See the resources that follow to learn more about how to implement this control.

NIST supplemental guidance

Types of individual actions covered by non-repudiation include, for example, creating information, sending and receiving messages, approving information (e.g., indicating concurrence or signing a contract). Non-repudiation protects individuals against later claims by: (i) authors of not having authored particular documents; (ii) senders of not having transmitted messages; (iii) receivers of not having received messages; or (iv) signatories of not having signed documents. Non-repudiation services can be used to determine if information originated from a particular individual, or if an individual took specific actions (e.g., sending an email, signing a contract, approving a procurement request) or received specific information. Organizations obtain non-repudiation services by employing various techniques or mechanisms (e.g., digital signatures, digital message receipts).