ABSTRACT

This chapter discusses controls in the context of the Common Body of Knowledge of the Certified Information Systems Security Professional, but it also introduces the language and definitions used by the audit profession. This approach will ease some of the conceptual misunderstandings and terminology differences between the security and audit professions. The security professional establishes controls to limit access to a facility or system, or to limit the privileges granted to a user; auditors evaluate the effectiveness of those controls. The security profession uses the terms integrity or data integrity in this context, as the primary focus is to ensure the information is accurate and has not been inappropriately modified. Security professionals use risk assessments to define the threats and exposures and to establish appropriate controls that reduce the likelihood of their occurrence and their impact. The security professional assists in the review of the role to ensure no unauthorized activity can occur and to establish proper segregation of duties.