Access Control Process
(who are you?)
(what are you doing?)
Identification is the assignment of unique user IDs. Most organizations base a user’s identification off of a person’s name;
for example, a user ID could be the first letter of a person’s
first name combined with their last name.
Authentication is the process of proving a user’s identity
before entering a system. The three primary ways to authenticate users are based upon:
1. Something a user knows (e.g., PIN, password, phrase,
2. Something a user has (e.g., smart card, ATM card,
3. Something a user is (e.g., retina scan, fingerprint, voice
A user’s access privileges are based upon some predetermined level of authorization, usually established to ensure
the user’s access is the minimum necessary in order to perform the job. Role-based access is an example of how authorization can be predetermined by management based upon a
user’s role within the organization.
Physicians generally have the ability to place orders and
access more patient information than a nurse who works on
a single nursing unit. A volunteer working at the information
desk in the main entrance to a hospital is only authorized to
access patient census or directory information.
Accounting is the final step in the process. Limiting user
access to the minimum necessary can be challenging. Therefore audit controls should be implemented for holding users
accountable for their actions.
Source: Harris, Shon. All-in-One CISSP Exam Guide, Fifth Edition. Berkeley, CA: McGraw-Hill, 2010.
The cryptography domain addresses the security measures
used to ensure that information transmitted is readable only by
the appropriate individual. In layman’s terms, this is commonly
referred to as encryption. Encryption is the transformation of
plain text into an unreadable cipher text and is the basic technology used to protect the confidentiality and integrity of data.
There are two types of cryptography: symmetrical and asymmetrical. Symmetrical cryptography uses the same private or
secret key to encipher and decipher a message. Asymmetrical
cryptography uses two different keys: a private key and a public key. For example, the public key can be used to encrypt and
send a message and the private key is used to decrypt a message.
7 Confidentiality is maintained because the recipient of the
message must use their private key to decrypt the message. “
Encryption Process,” on page 51, depicts the coding and decoding
While encryption is an addressable implementation specification under HIPAA’s security rule, the rules governing breach
notification under the 2009 Health Information Technology for
Economic and Clinical Health (HITECH) Act require encryption methods that render protected health information (PHI)
unreadable and meet guidelines established by NIST and the
requirements of Federal Information Processing Standards 140-
2 to prevent potential breaches. Additionally, vendors of electronic health record systems must be able to meet two meaningful use requirements for encryption: §170.302(u) General
encryption and §170.302(v) Encryption when exchanging electronic health information.
Security Architecture and Models
Security professionals must understand the entire information
system (configuration, hardware, software) to develop appropriate security architecture. For example, an information system based on a client-server model will have unique security
concerns. Desktop PCs could contain sensitive business information and have unique risks, threats, and vulnerabilities. A
security professional must understand the issues of this architecture and apply appropriate safeguards.
Information security models are used to organize and formalize security policies by providing a concept and framework.
There are three main types of security models:
Operations Security Domain
x Access control: This model, common in healthcare, al-
lows organizations to identify classes of users and the in-
formation they are permitted to access.
x Integrity: This type of model not only protects confiden-
tiality, but also works to protect the integrity of informa-
tion. An integrity model prevents information from being
modified by unauthorized users and prevents authorized
users from making unauthorized changes.
x Information flow: In this model, information is classified
and flows in a specified manner based on security policies
The operations security domain is concerned with implementing appropriate controls and protections on hardware, software,
and resources; maintaining appropriate auditing and monitoring; and evaluating system threats and vulnerabilities.
There are a number of controls that organizations must con-