Control Type classifies controls by the intent of the control.
- IT Impact Zone - These are the fifteen top level items in the UCF, and as such, really aren't auditable.
- Establish/Maintain Documentation - Common Controls that specifically state that a document has to be produced as a final result. The emphasis on this vs. an activity is the focus is on the document, not the ongoing activity.
- Technical Security - Common Controls that cover the practice of defending information from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction. This also includes Common Controls that cover access management, identity verification, data protection within and across networks, within databases and records archives, and down to individual computers and their software.
- Data and Information Management - Common Controls that call out for the collection, disclosure, use, or retention of information and data.
- Behavior - Behavioral controls are put forward as auditable policies within the organization.
- Establish Roles - Common Controls that call out for the organization to specifically establish and formalize certain roles.
- Testing - Common Controls that specifically call for the testing of some configurable item, policy, plan, or process.
- Records Management - Common Controls that focus on creating and caring for organizational records. Everything from their creation, their management, their cataloging, storage, and even their disposition.
- Physical and Environmental Protection - Common Controls that call out for the protection of personnel, hardware, programs, networks, and data from physical circumstances and events that could cause serious losses or damage to an enterprise, agency, or institution. This includes protection from fire, natural disasters, burglary, theft, vandalism, and terrorism.
- Configuration - Common Controls that state something needs to be set a certain way.
- Log Management - Common Controls focus on creating and caring for audit and security logs.
- Monitor and Evaluate Occurrences - Many controls are very specific about the activity and call out for a combination of monitoring and evaluation. Our mappers believed this should be in its own category because of that.
- Systems Continuity - Common Controls that focus on protecting an Information Technology system against three classifications of threats; Natural threats such as hurricane, tornado, flood, and fire; Human threats such as operator error, sabotage, implant of malicious code, and terrorist attacks; and Environmental threats such as equipment failure, software error, telecommunications network outage, and electric power failure.
- Business Processes - Generic Common Controls that focus on any type of business process not covered by the other Control Types listed here.
- Actionable Reports or Measurements - Common Controls that call out for metrics and reports, as opposed to documenting a process or activity (which would fall under Create/Maintain documentation below).
- Audits and Risk Management - Common Controls that call out for the identification, analysis, assessment, control, and avoidance, minimization, or elimination of unacceptable risks.
- Systems Design, Build, and Implementation - Common Controls that call out for the development of the organization products, including records created to initiate new product design and specification information, produce ability studies, design and specification of spares, research and development records that may or may not result in actual product development, and contract research records regarding new products.
- Process or Activity - General Common Controls that call out for an activity.
- Acquisition/Sale of Assets or Services - Common Controls that call out for the purchasing of products and services or acquiring organizations (or their assets), or the giving or handing over to a buyer assets or services for money. The complex equation of scoping, assessing, sourcing, and implementing acquired technologies.
- Human Resources Management - Common Controls that that cover the hiring, firing, training, and other personnel activities and issues.
- Investigate - Common Controls that call for the organization to inspect or probe assets, processes, records, or people.
- Training - Common Controls that focus specifically on the delivery of Training as opposed to training documentation.
- Communicate - Common Controls that call out the need to communicate documents, processes, training plans, etc.
- Maintenance - Common Controls that focus on upkeep activities for all assets.
To find out more about Common Control Categories and Classifications check out our FAQ Control Impact Zones and Control Classifications.