Introduction to Security and Controls
This section introduces the security and internal control features in your system.
Overview
The fundamental components involve measures to assure the preservation of confidentiality, integrity, and availability.
Security
The security model used by the system integrates the different components of the system architecture, controls who can access the system, and defines the actions that system users can perform.
Internal Controls
Internal controls are mechanisms that help an organization comply with legal or regulatory requirements and so reduce its exposure to the liability imposed for violations.
Implementation Summary
Every user must be identified in the system, given access to a domain and to at least one entity in that domain, and associated with at least one role in that domain before the user can gain system access. A user who fails any one of these conditions is denied access.
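The access rule above (identified user, domain access, at least one entity in the domain, at least one role in the domain) is easy to get subtly wrong, for example by accepting an entity or role that belongs to a different domain. The following is an added illustration, not code from the product or this guide; the data model, the `DIRECTORY` sample records and the `can_access` function are hypothetical and constructed for the example. It evaluates every condition in order and fails closed, returning the first unmet condition so an administrator can see why a login was refused.

```python
from dataclasses import dataclass, field

# Hypothetical data model for the example (not the product's own schema).
@dataclass(frozen=True)
class Entity:
    name: str
    domain: str          # an entity belongs to exactly one domain

@dataclass(frozen=True)
class Role:
    name: str
    domain: str          # a role is granted within one domain

@dataclass
class User:
    user_id: str
    domains: set = field(default_factory=set)   # domains the user may enter
    entities: set = field(default_factory=set)  # entities the user is assigned to
    roles: set = field(default_factory=set)     # roles the user holds

# Constructed sample directory covering each way the rule can fail.
DIRECTORY = {
    # fully provisioned: domain, entity in domain, role in domain
    "alice": User("alice", {"corp"},
                  {Entity("HQ", "corp")}, {Role("buyer", "corp")}),
    # has the domain and a role, but the only entity is in another domain
    "bob": User("bob", {"corp"},
                {Entity("Plant1", "mfg")}, {Role("buyer", "corp")}),
    # has the domain and an entity, but no role in that domain
    "carol": User("carol", {"corp"},
                  {Entity("HQ", "corp")}, {Role("operator", "mfg")}),
    # identified, but never granted the domain at all
    "dave": User("dave", set(), {Entity("HQ", "corp")}, {Role("buyer", "corp")}),
}

def can_access(user_id, domain, directory=DIRECTORY):
    """Return (allowed, reason). Checks are ordered from cheapest to most
    specific and the first failure is reported; nothing is assumed by default."""
    user = directory.get(user_id)
    if user is None:
        return False, "user is not identified in the system"
    if domain not in user.domains:
        return False, f"user has no access to domain '{domain}'"
    # Entities and roles only count if they belong to the requested domain.
    if not any(e.domain == domain for e in user.entities):
        return False, f"user has no entity in domain '{domain}'"
    if not any(r.domain == domain for r in user.roles):
        return False, f"user has no role in domain '{domain}'"
    return True, "access granted"

if __name__ == "__main__":
    for uid in ("alice", "bob", "carol", "dave", "mallory"):
        print(uid, can_access(uid, "corp"))
```

Note that `bob` and `carol` are refused even though they hold a role or an entity somewhere: the entity and the role must both be in the same domain the user is entering, which is the check a naive "has any role" implementation would miss.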
Security and Internal Controls Programs
Lists the menu programs you use to define and maintain security and internal controls in your system.
Overview
The security and related internal controls operating in your system must be viewed within the context of your organization’s overall security framework. While it is beyond the scope of this user guide to discuss the details of information security, the fundamental components involve measures to assure the preservation of:
Confidentiality—ensuring that information is accessible only to those authorized to have access
Integrity—safeguarding the accuracy and completeness of information and processing methods
Availability—ensuring that authorized users have access to information and associated assets when required
Security properly starts with a comprehensive policy statement that:
Demonstrates clearly management’s support and commitment to security
Defines the principal security components important to the organization
Describes the general approach for meeting security objectives
After the policy statement is prepared, procedures, guidelines, and other supporting administrative controls are typically defined to support the policy. Finally, technical controls are designed and implemented to support the administrative controls.
The system provides multiple types and levels of security and internal controls, which are described in this chapter. This chapter also includes several checklists to use as starting points in planning and implementing a comprehensive security plan to meet the specific security requirements of your environment. See Security Planning Checklists for details.
The specific level of security control an organization should implement is a function of the underlying information security requirements. Those requirements originate:
Externally, including regulatory, legal, and legislative requirements
Internally, based on the value of information assets, associated risks to those assets, and available controls that can eliminate or mitigate exposures to an acceptable level
Much of the security control in the system is designed to support external requirements. Numerous controls support customers who must meet the security requirements of legislation and regulations such as the Sarbanes-Oxley Act and Food and Drug Administration 21 CFR Part 11.