Selecting a Matching Common Control
When searching for the best Common Control match, keep in mind the following concepts:
- Context Clues
- Impact zones
- Common Control Parents, Grandparents, and Children
- Accuracy Rating (Match %)
Context Clues
The best strategy for finding a suitable match is to use context clues. Based on wording alone, many controls can appear to match a citation on the surface. Looking deeper, however, you may find that the citation and control do not match contextually. Citations often do not spell out every aspect of the action that needs to be taken. For instance, you may come across a citation that reads 'Conduct performance monitoring, as necessary'. OK, what kind of performance monitoring? This can refer to system performance, employee performance, or performance against Service Level Agreement requirements. This is where context matters most.
Context can be elicited from the document itself, from the section under which a citation falls, and from the way a citation contributes to the overall narrative when taken together with the surrounding citations. As noted above, Informational citations can be a good source of context, as can stubs. If stubs and Informational citations don't yield satisfactory context, you can also look at the Table of Contents and section headers (where applicable) for context clues. The document's target audience is another good source of context. Using the 'Conduct performance monitoring, as necessary' example again, if you are working with a document about Supply Chain Management, the citation is more likely related to Service Level Agreements and contract performance than to system performance.
Once you understand the context of a citation it will be easier to locate the best possible match.
Impact Zones
One effective strategy for narrowing potential matches based on context is to look at the Impact Zone under which a control is placed. Common Controls are broken down into sections, referred to as Impact Zones, based on the scope of an audit. Each Impact Zone contains a suite of controls that are directly related to the Impact Zone's overarching concept. The Impact Zones are:
- Leadership and High Level Objectives - Common Controls that cover the establishment of high-level objectives, the coordination of strategy with an organization's top leadership, and the tactics of the organization's IS staff.
- Audits and Risk Management - Common Controls that cover the identification, analysis, assessment, control, and avoidance, minimization, or elimination of unacceptable risks.
- Monitoring and measurement - Common Controls that cover the processes of surveillance in order to observe, record, or detect and then giving an account or statement describing in detail an event, situation, or the like, usually as the result of the monitoring activities.
- Technical Security - Common Controls that cover the practice of defending information from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction. Access management, identity verification, data protection within and across networks, within databases and records archives, and down to individual computers and their software are all covered within this impact zone.
- Physical and environmental protection - Common Controls that cover the protection of personnel, hardware, programs, networks, and data from physical circumstances and events that could cause serious losses or damage to an enterprise, agency, or institution. This includes protection from fire, natural disasters, burglary, theft, vandalism, and terrorism.
- Operational and Systems Continuity - Common Controls that cover the practice of protecting an Information Technology system against three classifications of threats: natural threats such as hurricane, tornado, flood, and fire; human threats such as operator error, sabotage, implanting of malicious code, and terrorist attacks; and environmental threats such as equipment failure, software error, telecommunications network outage, and electric power failure.
- Human Resources Management - Common Controls that focus on the areas of identity management, background checks, separation of duties, considerations for outsourcing and consulting services, supervision strategies, team development and communication, budgeting, recruiting, job definitions, performance discipline, and more.
- Operational Management - Common Controls that cover the management of the design, execution, and control of operations that convert resources into desired goods and services and implement an organization's business strategy.
- System hardening through configuration management - Common Controls that cover the activities focused on establishing and maintaining the integrity of information technology products and information systems, through control of processes for initializing, changing, and monitoring the configurations of those products and systems throughout the system development life cycle.
- Records Management - Common Controls that cover the set of activities required for systematically controlling the creation, distribution, use, maintenance, and disposition of recorded information maintained as evidence of business activities and transactions.
- Systems design, build, and implementation - Common Controls that cover the development of the organization's products, including records created to initiate new product design and specification information, producibility studies, design and specification of spares, research and development records that may or may not result in actual product development, and contract research records regarding new products.
- Acquisition or sale of facilities, technology, and services - Common Controls that cover the purchasing of products and services or acquiring organizations (or their assets), or the giving or handing over to a buyer assets or services for money.
- Privacy protection for information and data - Common Controls that cover the right of individuals to control or influence information that is related to them in terms of who may collect or store it and to whom that information may be disclosed, as well as how personal information is collected, used, retained and disclosed.
- Harmonization Methods and Manual of Style - Common Controls that cover the organization and language structure of an organization's compliance documents.
- Third Party and supply chain oversight - Common Controls that cover the intersection of managing the supply chain and third parties.
For example, for the citation 'Limit unsuccessful logon attempts', you would be more likely to find a match under System hardening through configuration management or Technical Security than under Records Management.
Parents, Grandparents, and Children
Another strategy for finding a good match is to consider a Common Control's placement in relation to those around it. Although all controls are categorized by Impact Zone, the control relationships are broken down even further within the Impact Zones to apply to more specific scenarios.
Matching Citations: Control Lineage
The control lineage figure above illustrates how Common Controls are categorized from general to specific. Control 805 – Operational Management is the general Impact Zone. Control 11751 – Establish, implement, and maintain a capacity management plan is a parent control for the controls that fall directly below it in the control hierarchy. As the controls descend, they become more specific. Controls 13492, 1617, and 1618 are children of 11751 and, since they sit at the same level of the hierarchy, are siblings of each other. Going deeper, control 6754 – Provide excess capacity or redundancy to limit any effects of a Denial of Service attack is a child of control 1618 and a grandchild of control 11751. One level further down, control 13048 – Implement network redundancy, as necessary is a great-grandchild of control 11751; it is the most granular control in this chain and applies to very specific situations compared with its higher-level relatives.
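The lineage described above, modeled as a small tree so the relationships can be computed rather than read off a figure. This is an added example, not code from the original page or from the Common Controls framework. The parent links 805 → 11751, 11751 → {13492, 1617, 1618} and 1618 → 6754 follow the text; the parent of 13048 is an assumption (the page only says it is a great-grandchild of 11751, and 6754 is the only grandchild it names in that chain), and the titles of 13492, 1617 and 1618 are not given on the page, so they are placeholders.

```python
# Added example: a control hierarchy built from the control IDs cited in the text.
# Parent of 13048 is ASSUMED (the page says only that it is a great-grandchild of 11751).
from collections import defaultdict

# (control_id, parent_id, title); parent None marks an Impact Zone root
CONTROLS = [
    (805, None, "Operational Management"),
    (11751, 805, "Establish, implement, and maintain a capacity management plan"),
    (13492, 11751, "(title not given on the page)"),
    (1617, 11751, "(title not given on the page)"),
    (1618, 11751, "(title not given on the page)"),
    (6754, 1618, "Provide excess capacity or redundancy to limit any effects "
                 "of a Denial of Service attack"),
    (13048, 6754, "Implement network redundancy, as necessary"),  # parent ASSUMED
]

PARENT = {cid: pid for cid, pid, _ in CONTROLS}
TITLE = {cid: title for cid, _, title in CONTROLS}
CHILDREN = defaultdict(list)
for _cid, _pid, _ in CONTROLS:
    if _pid is not None:
        CHILDREN[_pid].append(_cid)


def lineage(cid):
    """Path from the Impact Zone root down to cid, e.g. [805, 11751, 1618, 6754]."""
    path = []
    while cid is not None:
        path.append(cid)
        cid = PARENT[cid]
    return path[::-1]


def impact_zone(cid):
    """The Impact Zone (root of the tree) a control belongs to."""
    return lineage(cid)[0]


def depth(cid):
    """Number of hops below the Impact Zone root; the root itself is 0."""
    return len(lineage(cid)) - 1


def siblings(cid):
    """Controls sharing the same parent (same level of the hierarchy)."""
    pid = PARENT[cid]
    return [] if pid is None else [c for c in CHILDREN[pid] if c != cid]


def relation(descendant, ancestor):
    """Name the relationship ('child', 'grandchild', 'great-grandchild', ...),
    or None when `ancestor` is not above `descendant` in the tree."""
    path = lineage(descendant)
    if ancestor not in path:
        return None
    hops = len(path) - 1 - path.index(ancestor)
    if hops == 0:
        return "self"
    if hops == 1:
        return "child"
    return "great-" * (hops - 2) + "grandchild"


def descendants(cid):
    """Every control below cid, i.e. the candidate set once the parent is known."""
    found, stack = [], list(CHILDREN[cid])
    while stack:
        c = stack.pop()
        found.append(c)
        stack.extend(CHILDREN[c])
    return found


def most_specific(candidates):
    """Among several matching controls, the deepest one (the most granular)."""
    return max(candidates, key=depth)


if __name__ == "__main__":
    for c in (6754, 13048):
        print(c, "->", " / ".join(str(x) for x in lineage(c)),
              "|", relation(c, 11751), "of 11751")
    print("siblings of 1617:", siblings(1617))
    print("most specific of {11751, 6754, 13048}:", most_specific({11751, 6754, 13048}))
```

`descendants(11751)` is the practical use: once context has fixed the parent (here, capacity management), the search for the best match is confined to that subtree, and `most_specific` picks the most granular of several plausible hits.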
Accuracy Ratings (Match Percentages)
Citations are matched to Common Controls based on how closely the tagged action (primary verb) and tagged object (primary noun) in the Citation relate to the tagged action and object in the Common Control. In short, verb hops + noun hops = Accuracy Rating, or Match Percentage. Verb hops are given greater weight than noun hops, because the action of each concept is a stronger differentiator than the object of the concept. Typically, Accuracy Ratings of 85% or higher are considered strong matches.
A high match percentage alone is not necessarily indicative of a good match. Likewise, several controls may share the same match percentage even though some of them do not apply to the citation in question. For this reason, context is more important than a high percentage. Use your best judgment to determine which control is the best contextual match for each mandate.