Editor's note: This update supplants the February 2004 practice brief "The 10 Security Domains."
TODAY'S ENVIRONMENT REQUIRES that HIM professionals understand basic computer security principles to fully protect the privacy of information. The connection between privacy and security is critical for securing electronic health records.
This practice brief outlines the International Information Systems Security Certification Consortium's 10 security domains and highlights the key concepts. The domains provide the foundation of security principles and practices. It is important to note that the 10 security domains are different from the HIPAA security rule.
The Security Domains
Information security must support the mission of the organization. Organizations need to protect their information assets and must decide the level of risk they are willing to accept when determining the cost of security controls.
According to the National Institute of Standards and Technology (NIST), "The cost [of security] should be proportionate to the value and degree of reliance on the computer system and the severity, probability and extent of potential harm; the requirements for security will vary depending on the particular organization and computer system."1
To provide a common body of knowledge and define terms for information security professionals, the International Information Systems Security Certification Consortium ((ISC)²) created 10 security domains. These domains provide the foundation for security practices and principles in all industries, not just healthcare:
* Security management practices
* Access control systems and methodology
* Telecommunications and networking security
* Cryptography
* Security architecture and models
* Operations security
* Application and systems development security
* Physical security
* Business continuity and disaster recovery planning
* Laws, investigation, and ethics
Security Management Practices
The security management practices domain is the foundation for security professionals' work and identifies key security concepts, controls, and definitions. NIST defines computer security as the "protection afforded to an automated information system in order to attain the applicable objectives of preserving the integrity, availability, and confidentiality of information system resources (this includes hardware, software, firmware, information/data, and telecommunications)."2
NIST outlines three tenets against which security practices should be measured: confidentiality, integrity, and availability. The figure "Confidentiality, Integrity, and Availability (CIA) Triad," displayed on the following page, outlines these three tenets.
A key step in security management is risk analysis; that is, identifying threats and vulnerabilities...