Designing Security Controls
Security controls are technical or administrative safeguards or countermeasures to avoid, counteract, or minimize loss or unavailability due to threats acting on their matching vulnerability, i.e., security risk (SANS Technology Institute, 2009). According to Satzinger, Jackson, and Burd (2012), security controls have two primary objectives:
- To maintain a stable operating environment. This objective focuses on eliminating and controlling any undesirable access that comes from external attacks, such as hackers, viruses, etc.
- To protect transactions during transmission. This objective focuses on the use of techniques to protect data while they are transmitted from the source to a certain destination.
Network and operating systems are the first point discussed in security control because they directly control an organization’s assets, such as files, application programs, and disk drives. For this reason, network and operating systems are the foundation of security for most information systems.
According to Hitachi ID Systems, Inc., access control is any mechanism by which a system grants or revokes the right to access some data, or perform some action. Common principles and processes in access control systems include:
- Authentication—a process that ensures and confirms a user’s identity, usually through usernames and passwords, to access any resources or information in a system.
- Access control list—a list of user permissions for a specific resource, typically read, update, or execute.
- Authorization—the process of determining an authenticated user’s access level to a specific resource based on the access control list.
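As an added example (not code from the page or its cited sources), the following Python sketch shows the three processes above working together: authentication by salted password hash, an access control list mapping each resource to per-user read/update/execute permissions, and an authorization check that denies anything the list does not explicitly grant. The user names, passwords and resource names are constructed sample data.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Set, Tuple

# Constructed sample user store: name -> (salt, PBKDF2 hash). Hypothetical data.
USERS: Dict[str, Tuple[bytes, bytes]] = {}


def _hash(password: str, salt: bytes) -> bytes:
    # Slow, salted hash so stored credentials are not directly reusable.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


def add_user(name: str, password: str) -> None:
    salt = os.urandom(16)
    USERS[name] = (salt, _hash(password, salt))


# Access control list: resource -> user -> permissions (read/update/execute).
ACL: Dict[str, Dict[str, Set[str]]] = {
    "payroll.xlsx": {"alice": {"read", "update"}, "bob": {"read"}},
    "backup.sh": {"alice": {"read", "execute"}},
}


def authenticate(name: str, password: str) -> Optional[str]:
    """Return the confirmed identity, or None if the credentials fail."""
    record = USERS.get(name)
    if record is None:
        _hash(password, b"\x00" * 16)  # keep timing similar for unknown users
        return None
    salt, stored = record
    # Constant-time comparison avoids leaking how many bytes matched.
    return name if hmac.compare_digest(_hash(password, salt), stored) else None


def authorize(user: Optional[str], resource: str, action: str) -> bool:
    """Default deny: only an authenticated user with an explicit ACL entry passes."""
    if user is None:
        return False
    return action in ACL.get(resource, {}).get(user, set())


add_user("alice", "correct horse battery")  # constructed sample credentials
add_user("bob", "hunter2")
```

Note that an unknown resource, an unknown user, or a failed login all fall through to a denial rather than to a default permission set.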
Because access control systems are imperfect, designers must also provide other measures to protect data confidentiality and anticipate access control breaches. The primary method of maintaining the security of data transmitted outside the organization’s network, and of data on internal systems, is to encrypt it. Encryption is the process of translating data into a secret code so that unauthorized users cannot view it. Decryption is the process of transforming encrypted data back to its original state.
Digital Signatures and Certificates
Digital signatures and certificates are the next level of encryption technique, used to verify the identity of the other party in a communication and to ensure that a key purported to be the public key of some institution is in fact that institution’s key. According to Satzinger, Jackson, and Burd (2012), a digital signature is a technique in which a document is encrypted using a private key to verify who wrote the document, while a digital certificate is an institution’s name and public key encrypted and certified by a third party.
Secure Electronic Transactions
According to TechTarget.com, Secure Electronic Transaction (SET) is a system for ensuring the security of financial transactions on the internet. The most common standards developed to support SET are Secure Sockets Layer (SSL), Transport Layer Security (TLS), IP Security (IPSec), and Secure Hypertext Transport Protocol (HTTPS).
References
Definition of Access Control. (n.d.). Retrieved February 20, 2017, from Hitachi ID Systems, Inc. Web site: http://hitachi-id.com/concepts/access_control.html
Northcutt, S. (n.d.). Security Laboratory. Retrieved February 20, 2017, from SANS Technology Institute Web site: http://www.sans.edu/cyber-research/security-laboratory/article/security-controls
Rouse, M. (n.d.). Search Financial Security. Retrieved February 20, 2017, from TechTarget: http://searchfinancialsecurity.techtarget.com/definition/Secure-Electronic-Transaction
Satzinger, J. W., Jackson, R. B., & Burd, S. D. (2012). Systems Analysis and Design: In A Changing World. Boston: Cengage Learning.