Common ControlCc |
Short Description: The specific steps or actions within a compliance mandate that must be met to fulfill a compliance requirement. Common Controls harmonize wording across Authority Documents so you can compare Authority Documents or track your compliance status.
Long Description: Common Controls are the heart and soul of the Unified Compliance Framework. They are how we link the various Citations together.
Common Controls within the UCF are written following strict regulatory drafting standards.
This element connects to the following elements:
Informational Links:
JSON Calls documentation:
This element is comprised of the following fields:
Field | Type | Description |
---|---|---|
type | string |
If this is describing users, then the type is either a = admin , u =regular user, i = invited user. If this is describing Authority Documents, the choices of elements within UCF_AD_Type are listed in their legal hierarchical status, as defined within the UCF_AD_Type_Type, documented below. • Bill or Act• Regulation or Statute • Contractual Obligation • Self-Regulatory Body Requirement • Audit Guideline • Safe Harbor • International or National Standard • Best Practice Guideline • Organizational Directive • Vendor Documentation • Not Set |
date_added | string |
Date_Added is a date stamp for when the record was created. This element is created when the record is entered into the UCF’s Master Content database and not the working database. We chose this method because the UCF team’s editorial process is a fluid one which allows, during the editing process, for records to be added, moved, deleted, or even “un-deleted” fluidly until the lock-date that ends the editorial process. Once the lock-date has been reached, all of the records are then finalized from the “working” list and uploaded as a batch to the Master Content database, which also triggers the change log process. Therefore, it is common to see all new records for any given quarter being added on the same date. Because the Date Added element is controlled post-editorial process, the UCF database system manages everything automatically. |
date_modified | string |
Date_Modified is a date stamp for when the record was modified. We use this as a key field for tracking all roll forward and roll backward field calculations. The initial date reflects the date the authority document was added to the database. This element is created and updated when the record is entered into the UCF’s Master Content database and not the working database. We chose this method because the UCF team’s editorial process is a fluid one which allows, during the editing process, for records to be added, moved, deleted, or even “un-deleted” fluidly until the lock-date that ends the editorial process. Once the lock-date has been reached, all of the records are then finalized from the “working” list and uploaded as a batch to the Master Content database, which also triggers the change log process, which relies on this field to trigger that a change has taken place in the record. Therefore, it is common to see all new records for any given quarter being “modified” on the same date, and all modifications for the quarter to happen on the same date as well. We have heard from multiple XML licensees that they would rather have the exact date and time that the record was modified instead of the batch upload date. That isn’t possible, given that all of the XML licensees also want us to produce a compact and digestible change log. A change log based upon the exact date of modification would have already produced several instances with over ten changes for certain records. Changes that were of no consequence to either the XML licensee or an end user, because those changes were simply a part of our internal editorial process. Therefore, to save processing time on the change log and to shorten the length (of the already very heavy) change log, we made the strategic decision to limit both date modified and date created to be the batch upload dates. Because the Date Added element is controlled post-editorial process, the UCF database system manages everything automatically. |
deprecated_by | string |
If a record in the UCF needs to be deprecated, the record will not be deleted from the system. Instead, the record will be marked as deprecated (its "Live Status" field will be set to 0), and the Deprecated By field will be filled out with the ID(s) of the record(s) that took its place (if any). Initially this element is blank and only a UCF editorial process can indicate a Deprecated By content change. That change is then reviewed by the editorial reviewer and editorial approver. If there are contents in this field, the Live Status field must be set to deprecated (0). |
deprecation_notes | string |
Deprecation notes are new to version 2.1 of the UCF, and we’ve done as good a job as possible back-filling them to ensure that we have covered our bases. In a nutshell, when our mappers, reviewers, or approvers have made the decision to deprecate one of the records in the various XML tables, they will add their deprecation notes, their reasoning, to this field. There is no set format for what they are writing, so there aren’t any hard and fast editorial rules, other than something has to be added to the field during deprecation. |
genealogy | string |
Within the UCF, a record’s genealogy is a set of UCF IDs strung together as distinct words (e.g., 0000000 0000001 0000002) that represent (from right to left) the current record’s parent, grand-parent, great-grand-parent, on back to the very root element that spawned the list. At minimum, every record will have a genealogy of 0000000 which represents the root record within the list. The genealogy element is initially created by the UCF database system when the record in question is created. If the record in question is moved lower or higher in the taxonomy, the genealogy is automatically re-calculated and the value will change to reflect the new taxonomic structure. Because the UCF editorial team does not have edit privileges for this element, the genealogy will always reflect the taxonomic position the record was last stored in. If there is a dispute about the record’s genealogy, the dispute is an editorial one, and not a programming one. |
language | string | If the record is in a specific language, that’s what needs to be entered here. However, we are not using the name of the language, but rather the ISO 639-2 Codes for the Representation of Names of Languages reference. A complete and up-to-date reference can be found online at http://www.loc.gov/standards/iso639-2/php/code_changes.php. By default, all records are in English (code eng). |
license_info | string |
Because some of the records within the UCF are being provided by external sources, we now indicate this with a URI stored here. By default, the URI will point to Unified Compliance usage license information. If the record is subject to external (outside of the UCF) usage terms, the URI will point you to those usage terms. |
live | Boolean |
This is either a 1 or a 0. It indicates whether the record is live within the database, or should be redacted. Because the UCF™ treats every ID as both unique and persistent, we never delete an ID once used, nor do we re-use the ID. Therefore, if we have to redact a record, we merely mark the Live Status as moving from 1 (live) to 0 (redacted). All records are initially created and marked by the system as Live (1). There are certain scripts that the UCF’s database team will run to ensure that two instances of automated deprecation takes place: 1. If an Authority Document has been deprecated, all of its citations will be deprecated. 2. If a control has no citations pointing to it, the control in question will be deprecated. Other than the instances noted above, records must be deprecated as an editorial process and approved by both the editorial reviewer and the editorial approver. When the Live Status is set to deprecated (0), there might also be a corresponding setting for the Deprecated By element, but this is not mandatory. |
parent._href | URL | URL to get this record's parent information. |
sort_id | string |
We sort our displayed information according to a taxonomic display hierarchy (which means that the genealogy plays a vital role). For the most port, each element in any of our lists is given a three digit sort identifier. We then append the record’s sort identifier to its parent’s sort identifier to create its Sort ID. We treat this numeric Sort ID as a text field so that we can run our sort routine from left to right in the character string. The Sort ID is created and managed in the same manner as the genealogy (it is a dynamic calculation). It directly reflects the record’s place within the taxonomic hierarchy and is therefore uneditable by the UCF’s editorial team (although the team does set the sort order, the system handles the ID to manage the sort order). Any disputes with the validity of the sort ID are in effect a dispute with where the UCF’s editorial team placed the record in question within the taxonomic structure. |
sort_value | integer | The Sort Value is relative to its siblings, sort ID is relative to the entire hierarchy. Developers should be using the Sort ID instead of the Sort Value. |
impact_zone | string | The top level Impact Zone this Common Control belongs to. |
classification | string | A classification that sorts controls into types of actions taken. |
metric_name | string | The name of the Metric associated with the Common Control. |
metric_calculation | string | This is the calculation used to define the metric. A sample calculation that fits the above formula might be “# of key IT assets for which an assurance strategy has been implemented / # IT assets.” |
metric_information_source | string | This is where the person(s) creating the metric would need to go to find the data to support the calculation. A sample that fits the above metric might be “The assets in your CMDB as the base / # of assets that have assigned configuration standards and controlling procedures.” |
metric_target_result | string | This is usually indicated by “low is good” or “low is bad.” |
metric_presentation_format | string | This element defines the chart type that should be used when presenting the metric in question. It uses the list format for the chart type defined by the UCF_Metric_Chart_Type. |
metric_image_reference | string | No longer used |
sentence.id | Integer | ID of the associated sentence for this record. |