U.S. Department of Health and Human Services
Identification and Authorization - Organizations must identify information systems users, process acting on behalf of users, or devices and authenticate (or verify) the identities of those users, processes or devices, as a prerequisite to allowing access to organizational information systems.
Access Control - Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems) and to the types of transactions and functions that authorized users are permitted to exercise.
Page 4 of 5
Using Security Controls