01-06-2020 02:20 PM
Are policies written from citations?
Are authority documents a framework?
Can an organization have more than one framework/authority document?
How is a control objective related or connected with a control?
Please, I need a layman's explanation.
Once UCF is activated, are all these automatically populated (authority documents, citations, control objectives)?
Thank you
Labels: Policy and Compliance Management

01-07-2020 03:23 PM
Hi Damon,
You got it somewhat right, but let me use the same format you used to explain it further, plus a real life example.
Authority Document = Framework = PCI DSS
Citations = Section or Area of PCI DSS = Requirement 1: Install and maintain a firewall
Citations = Section or Area of PCI DSS = 1.1 Establish and implement a firewall
Control Objective = Procedure or guideline = Implement a firewall
In the example above, the Control Objective will have many more details around how the control should be implemented and even assessed.
------------
Policy = Internal mandate = Security Policy
Control Objective = Implement a firewall
A policy is almost the same as an Authority Document with the exception that it stems from internal guidance rather than external regulations.
-----------
Once the governance has been set in place then it's time to go ahead and implement it. You do that via controls. A control is an instance of a Control Objective after it has been applied to an entity.
Let's say that we have 2 data centers, one in New York and the other in Boston. You need to establish firewalls per PCI and your own internal policy so you create two controls.
Control Objective = Implement a firewall
Entity = NY Data Center
Control = Implement a firewall in NY Data Center
Control Objective = Implement a firewall
Entity = Boston Data Center
Control = Implement a firewall in Boston Data Center
Finally, once the controls start being assessed and monitored via indicators, the results are aggregated and rolled up the chain. In this example, if both of these controls are passing, then that would reflect at both the Security Policy level and the PCI DSS level.
Hope this helps!
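To make the chain in the reply above concrete, here is an added example that is not ServiceNow, UCF or PCI code: a small Python model of Authority Document, Citation, Control Objective, Policy and Control (a Control Objective applied to one Entity), with control results rolled up to both the internal Security Policy and the PCI DSS authority document. The class names, the three state values and the roll-up rule (one failing control fails every parent) are assumptions made for illustration; a real GRC product has more states and configurable roll-up.

```python
"""Added example (not ServiceNow, UCF or PCI code): a toy model of the
Authority Document -> Citation -> Control Objective -> Control(Entity) chain,
with control results rolled up to both the internal policy and the authority
document. Class names, state values and the roll-up rule are assumptions."""
from dataclasses import dataclass

# Assumed control states; a real GRC product has more (draft, review, retired ...).
COMPLIANT, NON_COMPLIANT, NOT_ASSESSED = "compliant", "non_compliant", "not_assessed"


@dataclass(frozen=True)
class ControlObjective:
    name: str


@dataclass
class Control:
    """A control is a control objective applied to one entity."""
    objective: ControlObjective
    entity: str
    state: str = NOT_ASSESSED  # set by an attestation or by indicator results


@dataclass
class Citation:
    ref: str
    objectives: list  # ControlObjective instances this citation maps to


@dataclass
class AuthorityDocument:
    name: str
    citations: list


@dataclass
class Policy:
    name: str
    objectives: list


def rollup(states):
    """Assumed roll-up rule: one failing child fails the parent; the parent is
    compliant only when every child has been assessed and passed."""
    states = list(states)
    if NON_COMPLIANT in states:
        return NON_COMPLIANT
    if not states or NOT_ASSESSED in states:
        return NOT_ASSESSED
    return COMPLIANT


def objective_state(objective, controls):
    return rollup(c.state for c in controls if c.objective == objective)


def policy_state(policy, controls):
    return rollup(objective_state(o, controls) for o in policy.objectives)


def authority_document_state(doc, controls):
    return rollup(objective_state(o, controls)
                  for cit in doc.citations for o in cit.objectives)


def build_example():
    """The PCI DSS / Security Policy / two data centres scenario from the reply."""
    firewall = ControlObjective("Implement a firewall")
    pci = AuthorityDocument("PCI DSS", [
        Citation("Requirement 1: Install and maintain a firewall", [firewall]),
        Citation("1.1 Establish and implement a firewall", [firewall]),
    ])
    # The internal policy references the same control objective as PCI does.
    policy = Policy("Security Policy", [firewall])
    # One control per entity: the same objective applied to each data centre.
    controls = [Control(firewall, "NY Data Center"),
                Control(firewall, "Boston Data Center")]
    return pci, policy, controls


def record_results(controls, results):
    """results: constructed {entity: passed?}, as an attestation or indicator
    run would produce. Entities not present keep their previous state."""
    for c in controls:
        if c.entity in results:
            c.state = COMPLIANT if results[c.entity] else NON_COMPLIANT


def summary(pci, policy, controls):
    return {"PCI DSS": authority_document_state(pci, controls),
            "Security Policy": policy_state(policy, controls)}


if __name__ == "__main__":
    pci, policy, controls = build_example()
    print(summary(pci, policy, controls))  # both not_assessed
    record_results(controls, {"NY Data Center": True, "Boston Data Center": True})
    print(summary(pci, policy, controls))  # both compliant
    record_results(controls, {"Boston Data Center": False})
    print(summary(pci, policy, controls))  # one failing control fails both parents
```

The point to notice is that a single Control Objective sits under two parents at once (a PCI citation and the internal policy), so one failing control in Boston flips both the Security Policy and PCI DSS to non-compliant; the model does not track who attested or when, which is the part a real product adds.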
01-08-2020 09:33 AM
Thank you so much for this clarification. This is really helpful.
Now, regarding Control, Attestation, Indicator and Control Test.
For example:
Authority Document: NIST
Citation: Validity of employee email password should not exceed 120-180 days
control objective: change the maximum age of employee email password
policy: change password every 60 days with 8 alphanumeric characters including 1 upper and lower case
control1: change the maximum age of employee email password for James
control2: change the maximum age of employee email password for John
Once an entity is specified and a control is generated, the next thing will be for the owner to attest. When exactly, or at what point, is the owner of the control meant to attest a control? I ask because, looking at my example of controls for James and John: will the control be attested to any time from the 61st day or within the 60 days, or how will the owner know that the password has been changed within the 60-day grace period or changed after the 60-day grace period?
I know my question is around indicators also, but I just want you to help me align my example and questions around:
Control
Attestation
Indicator
Please can I also get your email?
01-07-2020 01:18 PM
Thank you Sean,
This is my analysis; please tell me if I am wrong, or correct me.
Authority Document = Framework
Citations = Best Practices/Regulations of the framework
Control Objective = Procedure or guideline of each citation of the authority document
policy = internal mandate or rule created based on a control objective
control = action or step taken to ensure compliance with the policy
I have problems understanding control. Please help with a real example in layman's terms. I picked a control objective and chose an entity type, which automatically generates a control. I clicked on the control and attested to it. Then the policy and attestation became compliant after answering the questions correctly.
What happens if the result of the attestation is no, which means the control & policy will be non-compliant? Will the indicator automatically generate, or how and when will the indicator show up?
Also regarding attestation, why is this a necessity, and why does the response to the assessment determine whether the policy is compliant or not? I am just a little confused because if I am attesting to a control as "yes, the control is in place", which makes the control compliant, and the policy compliant also, before it gets to the monitor state, what is then the use of the control itself being in the monitor state if it has already been attested and is already compliant?

01-08-2020 12:29 PM
Hi Damon, you will find a lot of "layman's language" explanations here.
In particular, I recommend that you spend a few minutes reviewing:
If nothing else, these will help you master the terminology. It is not straightforward 😉