Common Elements Definition Standardization

Document Lineage

Term Elements & Descriptions

The following table contains the UCF element type, generic descriptions for each, and examples of terms we frequently encounter during mapping.

These descriptions are intended to be used as a starting point for writing definitions. Please tailor definitions to fit each term in context and do not copy and paste the descriptions directly.

| Term | UCF Element | Description | Example |
| --- | --- | --- | --- |
| Exception | Noun | An action or entity that does not conform to normal operations or rules. | compliance exception: An instance that does not conform to the general rule of being in accordance with laws, regulations, industry codes, organizational standards, or contractual arrangements. |
| Framework | cDoc or Record Example | The overall documented structure and template that the organization can use to create and maintain XXX. (It defines the scope, objectives, activities, and structure.) | compliance framework: A compliance framework is a structured set of guidelines to aggregate and harmonize, then integrate, all compliance requirements applicable to an organization. |
| Guideline | Record Example | A documented recommendation of how an organization should XXX. (Inspiration for programs, policies, etc.) | coding guideline: A documented recommendation of how an organization should implement best practices for computer coding. |
| Measure | Noun | A course of action taken to enforce guidelines and standards. | organizational measure: A plan or course of action taken to achieve a particular purpose by an organization. |
| Methodology | Noun | Business strategy of how to approach XXX. (How to approach creating a framework, policy, etc.) | reporting methodology: A system of processes and procedures used in the querying of data sources with different models to produce readable compilations of information. |
| Metric | Record Example | | |
| Metrics Standard | Record Example | A methodology for measuring XXX designed to facilitate decision-making and improve the performance thereof. The standard includes an explanation of the metric formula, the calculation used to define the metric, how the metric should be displayed, and where to find the data or information that feeds the metric calculation. | audit metrics standard: A methodology for measuring both internal and external audit processes and performance designed to facilitate decision-making and improve the performance thereof. The standard includes an explanation of the metric formula, the calculation used to define the metric, how the metric should be displayed, and where to find the data or information that feeds the metric calculation. |
| Plan | Record Example | A step-by-step outline of the processes and procedures to be performed to complete or implement XXX. | Business Continuity Plan: A proposal detailing the processes and procedures to put into place to ensure that essential organizational functions can continue during and after a disaster. |
| Policy | Record Example | The business rules and guidelines of the organization that ensure consistency and compliance with XXX. | Information Technology asset removal policy: The business rules and guidelines for removing Information Technology assets from the facility. |
| Procedure | Record Example | A detailed description of the steps necessary to implement or perform XXX in conformance with applicable standards. A procedure is written to ensure XXX is implemented or performed in the same manner in order to obtain the same results. | physical security procedure: A set of guidelines that lists actions needing to be taken in order to provide physical security. |
| Process | Noun | The non-descriptive term itself. | process: A particular series of actions or steps to bring about a certain outcome; a series of procedures. |
| Process | Organizational Task | Activities performed while following the documented procedures. | capacity management process: A series of actions or operations to plan and monitor an entity's technology resources to support current and future strategic objectives. |
| Program | Record Example | A documented listing of procedures, schedules, roles and responsibilities, and plans/instructions to be performed to complete/implement XXX. | security awareness program: The documented plan and documented activities to create well-informed interest in being free from danger or threat. |
| Requirement | Record Example | A condition or capability that must be met. | third party reporting requirement: A formal statement of the necessity, completeness, and timeliness the third party must follow when providing information or reports to an organization. |
| Specification | Record Example | A defined set of requirements. | system requirements specification: A detailed description of what a system must be able to do and perform under certain conditions. |
| Standard | Record Example | A documented goal or ideal an organization uses to determine their compliance with XXX. | supply chain management standard: A documented goal or ideal that an organization uses to ensure that the business activities and performance of its suppliers align with internal and external requirements. |
| Strategy | Record Example | A documented plan or method an organization uses to achieve a major or overall goal. | awareness and training strategy: A plan of action for teaching relevant skills necessary to perform specific functions and focusing attention on issues. |
| System | Noun | A collection of techniques, processes, and technologies implemented while following the documented programs. | risk reporting system: A collection of techniques, processes, and technologies that are implemented to facilitate the conveyance of risk and mitigation-related information to relevant personnel. |
| System | Asset | A set of resources under the same control that share common functionality. | Computer System: A collection of related hardware, software, or both that work together for a common purpose or are regarded as a whole. |
| Technique | Noun | The use of a specific technology or procedure to achieve XXX in alignment with the organization's methodologies. (Usually used when there are multiple paths for an organization to take.) | de-identification technique: An established or planned way to remove a person's identity associated with information in compliance with pertinent standards. |