Journal of AHIMA - May 2012

cess controls prevent unauthorized users from retrieving, using, or altering information. They are determined by an organization’s risks, threats, and vulnerabilities.

Appropriate access controls are categorized in three ways: preventive, detective, or corrective. Preventive controls try to stop harmful events from occurring, while detective controls identify if a harmful event has occurred. Corrective controls are used after a harmful event to restore the system.

“Access Control Process,” on page 50, illustrates the primary steps in the access control process.

Telecommunication and Network Security

Telecommunication and network security is one of the most technical of the domains, because it addresses the various structures for a network, methods of communication, formats for transporting data, and measures taken to secure the network and transmission. The key issues of this domain as they relate to each area of the CIA triad are:

Confidentiality x Net work security protocols x Net work authentication services x Data encryption services

Integrity x Firewall services x Communications security management x Intrusion detection services

Availability
x Fault tolerance for data availability (back-ups, redundant
disk systems)
x Acceptable log-ins and operating process performance
x Reliable and interoperable security processes and net-
work security mechanisms3

Application and System Development Security

A 2009 report found that more than half of the current cyber attacks are focused on application software vulnerabilities rather than network systems. 4 Special care needs to be taken when developing Web applications that are externally accessed through the Internet. The software code should be written following a secure coding guideline such as the Open Web Application Security Project (OWASP).

Security and privacy professionals must be involved in the software development cycle to ensure that concerns are addressed throughout the process. Information security components should be addressed concurrently in the development cycle (conception, development, implementation, testing, and maintenance). 5

The following list identifies key security issues at each stage in the development life cycle:

x System feasibility: Identify security requirements, including regulatory requirements, internal policies, and standards that will need to be addressed.

Confidentiality, Integrity, and
Availability (CIA) Triad

THE CIA TRIAD
Confidentiality
Integrity
Availability

Confidentiality: A requirement that private or confidential information not be disclosed to unauthorized individuals.

Integrity: Data integrity is a requirement that information and programs are changed only in a specified and authorized manner. System integrity is a requirement that a system performs its intended function in an unimpaired manner, free from deliberate or inadvertent unauthorized manipulation of the system.

Availability: A requirement intended to ensure that systems work promptly and service is not denied to authorized users.

Source: National Institute of Standards and Technology. “An Introduction to Computer Security: The NIST Handbook.” Special Publication 800-12. October 1995. http://csrc.nist.gov/publications/nistpubs/800-12/handbook. pdf

x Software plans and requirements: Identify the vulner-
abilities, threats, and risks. Plan the appropriate level of
protection. Complete a cost-benefit analysis.
x Product design: Plan for the security specifications in
product design (access controls, encryption, etc.).
x Detailed design: Balance business needs and legal liabili-
ties within the design of security controls in an applica-
tion or system.
x Coding: Develop the security-related software code and
documentation.
x Integration product: Test security measures and make
refinements.
x Implementation: Implement any additional security
measures prior to “go-live.”
x Operations and maintenance: Monitor the software and
system for changes in security controls. Assess existing
controls against newly discovered threats and vulnerabil-
ities. Implement appropriate updates and patches when
necessary.