Document Lineage
Term Elements & Descriptions
The following table contains the UCF element type, generic descriptions for each, and an example for terms we frequently encounter during mapping.
These descriptions are intended to be used as a starting point for writing definitions. Please tailor definitions to fit each term in context and do not copy and paste the descriptions directly.
|
Term |
UCF Element |
Description |
Example |
|
Exception |
Noun |
An action or entity that does not conform to normal operations or rules. |
compliance exception: An instance that does not conform to the general rule of being in accordance with laws, regulations, industry codes, organizational standards, or contractual arrangements. |
|
Framework |
cDoc or Record Example |
The overall documented structure and template that the organization can use to create and maintain XXX (It defines the scope, objectives, activities, and structure) |
compliance framework: A compliance framework is a structured set of guidelines to aggregate and harmonize, then integrate, all compliance requirements applicable to an organization. |
| Guideline | Record Example | A documented recommendation of how an organization should XXX. (Inspiration for Programs, policies, etc.) |
coding guideline: A documented recommendation of how an organization should implement best practices for computer coding. |
| Measure | Noun | A course of action taken to enforce guidelines and standards. |
organizational measure: A plan or course of action taken to achieve a particular purpose by an organization. |
| Methodology | Noun | Business strategy of how to approach XXX. (how to approach creating a framework, policy, etc.) |
reporting methodology: A system of processes and procedures used in the querying of data sources with different models to produce readable compilations of information. |
| Metrics Standard | Record Example | A methodology for measuring XXX designed to facilitate decision-making and improve the performance thereof. The standard includes an explanation of the metric formula, the calculation used to define the metric, how the metric should be displayed, and where to find the data or information that feeds the metric calculation. |
audit metrics standard: A methodology for measuring both internal and external audit processes and performance designed to facilitate decision-making and improve the performance thereof. The standard includes an explanation of the metric formula, the calculation used to define the metric, how the metric should be displayed, and where to find the data or information that feeds the metric calculation. |
|
Plan |
Record Example |
A step-by-step outline of the processes and procedures to be performed to complete or implement XXX. |
Business Continuity Plan: A proposal detailing the processes and procedures to put into place to ensure that essential organizational functions can continue during and after a disaster. |
|
Policy |
Record Example |
The business rules and guidelines of the organization that ensure consistency and compliance with XXX. |
Information Technology asset removal policy: The business rules and guidelines for removing Information Technology assets from the facility. |
|
Procedure |
Record Example |
A detailed description of the steps necessary to implement or perform XXX in conformance with applicable standards. A procedure is written to ensure XXX is implemented or performed in the same manner in order to obtain the same results. |
physical security procedure: A set of guidelines that lists actions needing to be taken in order to provide physical security. |
|
Process |
Noun |
The non-descriptive term itself. |
process: A particular series of actions or steps to bring about a certain outcome; series of procedures. |
|
Organizational Task |
Activities performed while following the documented procedures. |
capacity management process: A series of actions or operations to plan and monitor an entity’s technology resources to support current and future strategic objectives. |
|
| Program | Record Example | A documented listing of procedures, schedules, roles and responsibilities, and plans/instructions to be performed to complete/implement XXX. |
security awareness program: The documented plan and documented activities to create well-informed interest in being free from danger or threat. |
| Requirement | Record Example | A condition or capability that must be met. |
third party reporting requirement: A formal statement of the necessity, completeness, and timeliness the third party must follow when providing information or reports to an organization. |
| Specification | Record Example | A defined set of requirements. | system requirements specification: A detailed description of what a system must be able to do and perform under certain conditions. |
|
Standard |
Record Example |
A documented goal or ideal an organization uses to determine their compliance with XXX. |
supply chain management standard: A documented goal or ideal that an organization uses to ensure that the business activities and performance of its suppliers align with internal and external requirements. |
| Strategy | Record Example | A documented plan or method an organization uses to achieve a major or overall goal. |
awareness and training strategy: A plan of action for teaching relevant skills necessary to perform specific functions and focusing attention on issues. |
| System |
Noun |
A collection of techniques, processes, and technologies implemented while following the documented programs.
|
risk reporting system: A collection of techniques, processes, and technologies that are implemented to facilitate the conveyance of risk and mitigation-related information to relevant personnel. |
| Asset |
A set of resources under the same control that share common functionality. |
Computer System: A collection of related hardware, software, or both that work together for a common purpose or are regarded as a whole. |
|
| Technique | Noun | The use of a specific technology or procedure to achieve XXX in alignment with the organization's methodologies. (usually when there are multiple paths for an Organization to take) |
de-identification technique: An established or planned way to remove a person's identity associated with information in compliance with pertinent standards |