cess controls prevent unauthorized users from retrieving, using,
or altering information. They are determined by an organization’s risks, threats, and vulnerabilities.
Appropriate access controls are categorized in three ways:
preventive, detective, or corrective. Preventive controls try to
stop harmful events from occurring, while detective controls
identify if a harmful event has occurred. Corrective controls are
used after a harmful event to restore the system.
“Access Control Process,” on page 50, illustrates the primary
steps in the access control process.
Telecommunication and Network Security
Telecommunication and network security is one of the most
technical of the domains, because it addresses the various
structures for a network, methods of communication, formats
for transporting data, and measures taken to secure the network
and transmission. The key issues of this domain as they relate to
each area of the CIA triad are:
x Net work security protocols
x Net work authentication services
x Data encryption services
x Firewall services
x Communications security management
x Intrusion detection services
Application and System Development Security
x Fault tolerance for data availability (back-ups, redundant
x Acceptable log-ins and operating process performance
x Reliable and interoperable security processes and net-
work security mechanisms3
A 2009 report found that more than half of the current cyber attacks are focused on application software vulnerabilities rather
than network systems.
4 Special care needs to be taken when developing Web applications that are externally accessed through
the Internet. The software code should be written following a
secure coding guideline such as the Open Web Application Security Project (OWASP).
Security and privacy professionals must be involved in the
software development cycle to ensure that concerns are addressed throughout the process. Information security components should be addressed concurrently in the development
cycle (conception, development, implementation, testing, and
The following list identifies key security issues at each stage in
the development life cycle:
x System feasibility: Identify security requirements, including regulatory requirements, internal policies, and
standards that will need to be addressed.
Confidentiality, Integrity, and
Availability (CIA) Triad
THE CIA TRIAD
Confidentiality: A requirement that private or confidential
information not be disclosed to unauthorized individuals.
Integrity: Data integrity is a requirement that information and
programs are changed only in a specified and authorized
manner. System integrity is a requirement that a system
performs its intended function in an unimpaired manner,
free from deliberate or inadvertent unauthorized manipulation of the system.
Availability: A requirement intended to ensure that systems
work promptly and service is not denied to authorized
Source: National Institute of Standards and Technology. “An Introduction to
Computer Security: The NIST Handbook.” Special Publication 800-12. October 1995. http://csrc.nist.gov/publications/nistpubs/800-12/handbook.
x Software plans and requirements: Identify the vulner-
abilities, threats, and risks. Plan the appropriate level of
protection. Complete a cost-benefit analysis.
x Product design: Plan for the security specifications in
product design (access controls, encryption, etc.).
x Detailed design: Balance business needs and legal liabili-
ties within the design of security controls in an applica-
tion or system.
x Coding: Develop the security-related software code and
x Integration product: Test security measures and make
x Implementation: Implement any additional security
measures prior to “go-live.”
x Operations and maintenance: Monitor the software and
system for changes in security controls. Assess existing
controls against newly discovered threats and vulnerabil-
ities. Implement appropriate updates and patches when