Lesson 1: Comparing Security Roles and Security Controls

Assessment

Quiz

Computers

8th Grade

Hard

Created by Toni Barnes


10 questions


1.

MULTIPLE CHOICE QUESTION

30 sec • 1 pt

Which security-related phrase relates to the integrity of data?

Availability

Modification

Confidentiality

Risk

Answer explanation

Integrity means that data is stored and transferred as intended and that any modification is authorized. Integrity is part of the CIA triad.

Availability means that any information is accessible to those authorized to view or modify it. Availability is part of the CIA triad.

Confidentiality means that certain information should only be known to certain people. Confidentiality is part of the CIA triad.

Risk is the likelihood and impact (or consequence) of a threat actor exploiting a vulnerability.

2.

MULTIPLE CHOICE QUESTION

30 sec • 1 pt

An engineer looks to implement security measures by following the five functions in the National Institute of Standards and Technology (NIST) Cybersecurity Framework. When documenting the “detect” function, what does the engineer focus on?

Evaluate risks and threats

Install, operate, and decommission assets

Ongoing proactive monitoring

Restoration of systems and data

Answer explanation

Detect refers to performing ongoing proactive monitoring to ensure that controls are effective and capable of protecting against new types of threats.

Identify covers developing security policies and capabilities, evaluating risks, threats, and vulnerabilities, and recommending security controls to mitigate them.

Protect and procure covers the processes to install, operate, and decommission IT hardware and software assets, with security as an embedded requirement of every stage of the operations life cycle.

Recover deals with the implementation of cybersecurity resilience to restore systems and data if other controls are unable to prevent attacks.

3.

MULTIPLE CHOICE QUESTION

30 sec • 1 pt

How might the goals of basic network management not align with the goals of security?

Management focuses on confidentiality and availability.

Management focuses on confidentiality over availability.

Management focuses on integrity and confidentiality.

Management focuses on availability over confidentiality.

Answer explanation

Security is increasingly thought of as a dedicated function. The goals of a network manager are not always well-aligned with the goals of security; network management focuses on availability over confidentiality.

System security may be a dedicated business unit with its own management structure. As a result, network management might only concern itself with availability.

The goals of basic network management are not always well-aligned with the goals of security; network management would not focus on confidentiality, but rather on availability.

Network management would encompass the responsibility for system uptime and availability. Security administrators would focus on integrity and confidentiality.

4.

MULTIPLE CHOICE QUESTION

30 sec • 1 pt

Any external responsibility for an organization’s security lies mainly with which individuals?

The senior executives

Tech staff

Managers

Public relations

Answer explanation

External responsibility for security (due care or liability) lies mainly with owners or senior executives. It is important to note that all employees share some measure of responsibility.

Technical and specialist staff have the direct responsibility for implementing, maintaining, and monitoring the policy. Security might be made a core competency of systems and network administrators, or there may be dedicated security administrators.

Managers at an organization may have responsibility for a specific domain or unit, such as building control, ICT, or accounting.

Non-technical staff have the responsibility of complying with policy and with any relevant legislation. Public relations is responsible for media communications.

5.

MULTIPLE CHOICE QUESTION

30 sec • 1 pt

The National Institute of Standards and Technology (NIST) provides a framework that classifies security-related functions. Which description aligns with the "respond" function?

Evaluate risks, threats, and vulnerabilities.

Perform ongoing, proactive monitoring.

Implement resilience to restore systems

Identify, analyze, and eradicate threats.

Answer explanation

The identify function is to develop security policies and capabilities. This function is used to evaluate risks, threats, and vulnerabilities and recommend security controls to mitigate them.

The detect function is to perform ongoing, proactive monitoring to ensure that controls are effective and capable of protecting against new types of threats.

The recover function is to implement cybersecurity resilience to restore systems and data if other controls are unable to prevent attacks.

The respond function is to identify, analyze, contain, and eradicate threats to systems and data security.

6.

MULTIPLE CHOICE QUESTION

30 sec • 1 pt

A company has an annual contract with an outside firm to perform a security audit on its network. The purpose of the annual audit is to determine whether the company is in compliance with its internal directives and policies for security control. Select the broad class of security control that accurately describes the purpose of the audit.

Managerial

Technical

Physical

Compensating

Answer explanation

A managerial control gives oversight of the information system, including selection of other security controls. Regular scans and audits are examples of this type of control.

Technical control is implemented as a system (hardware, software, or firmware). For example, firewalls, antivirus software, and OS access control models are technical controls. Technical controls may also be described as logical controls.

Physical controls deter access to premises and hardware. Examples include alarms, gateways, and locks.

A compensating control serves as a substitute for a principal control, as recommended by a security standard, and affords the same (or better) level of protection but uses a different methodology or technology.

7.

MULTIPLE CHOICE QUESTION

30 sec • 1 pt

The _____ requires federal agencies to develop security policies for computer systems that process confidential information.

Sarbanes-Oxley Act (SOX)

Computer Security Act

Federal Information Security Management Act (FISMA)

Gramm-Leach-Bliley Act (GLBA)

Answer explanation

The Computer Security Act (1987) specifically requires federal agencies to develop security policies for computer systems that process confidential information.

The Sarbanes-Oxley Act (2002) mandates the implementation of risk assessments, internal controls, and audit procedures. This act is not limited to any specific type of entity.

The Federal Information Security Management Act (2002) governs the security of data processed by federal government agencies. This act requires agencies to implement an information security program.

The Gramm-Leach-Bliley Act (1999) is a United States federal law that requires financial institutions to explain how they share and protect their customers' private information.
