When controls are generated for an information system, they need to be approved by the appropriate organization personnel. Until they are approved, they are not formally included in the compliance program. Each control needs to be approved. There are three ways to approve controls: two are discrete, structured reviews, while the third is a process for rapidly approving controls in bulk. Two of the processes are defined below, along with the considerations for each. Approving the controls that CyMetric generates requires reviewing each control individually to ensure it is appropriate for the respective Information System and for the company's risk tolerance. Controls that have not been approved are located in the Pending Approval section within the Navigation portion of the screen. Click on Pending Approval to get started.
Approve Controls by Triggering Event or By Control Family
Controls generated by the Information System Add or Edit process can be grouped in two ways: by Triggering Event or by Control Family. Both follow very similar processes. The steps below approve controls by Triggering Event; approving by Control Family is the same process with a different consolidation of the controls presented for approval.
Navigate to the Pending Approval module: Click on Pending Approval from the left navigation area. Users will see a list of control groups pending approval. By default, CyMetric has the pending controls grouped by Triggering Event, which in this case is the adding or editing of an Information System.
Pending Control Group: Select the Pending Control Group you would like to approve by clicking on the Start Review button.
The list of controls that have been assigned to the information system is displayed in a grid for viewing. This process enables users to review each control one at a time.
Review Controls – Review All Controls Option: To begin the review process, click on the Review All button. All of the controls in the list will then be displayed for approval or rejection. Click on Start Review to begin the control review process.
The list of pending controls is displayed. Controls can be sorted by any of the column headers: click on a column header to sort by that parameter.
Review Controls - Filtered or Selected Controls: To review specific controls, click on the check box at the beginning of each row for the controls you want to review and then click on the Review Selected Controls button. The list of selected pending controls is displayed. Users can also limit the controls that appear in the review area by filtering. To filter the controls for review, enter a parameter in the filter area at the top of the grid; this limits the list to the controls that meet the search criteria. Click on the Review Selected button to review the filtered pending controls.
Approve or Reject Controls: The master list of all the controls in the Pending Control Group appears on the left portion of the screen along with a tally of the progress of the review. Users can accept or reject controls and can also edit the control owner for each individual control. RECALL: When we added or edited the information system, we defined a default control owner for all of the controls assigned to the system. In this module, you can modify the control owner one control at a time. To change the control implementation owner, click on the drop-down dialog box and select the name of the person or entity that will be responsible for implementing this control on this specific system. Accepting a control incorporates the control into the compliance program and applies the control to the specific information system. To accept the control, click on the Approve button.
Rejecting a control removes the control from being applied to that specific information system. When a control is rejected, a dialog box appears with a text area in which to record why the control was rejected. This provides an audit trail for understanding why controls were not included in the program for specific systems. To reject a control, click on the Reject button. If the rejected control was approved for a different system, the control remains in the program; it is simply not applied to the system that rejected it. Users can view the details of a specific control by clicking on the control name. Use the back arrow in the browser bar to return to the approval area.
Configuration: CyMetric uses the name "Default" for the initial configuration. Many NIST controls have variables or options that need to be defined to reflect the protocols of the organization, and the NIST 800-53 controls contain many types of variables that need to be configured. Each control is displayed with a default configuration in which the variables are undefined. Caetra.io recommends that the configuration be managed after the control is approved. To approve the control in its "undefined" default configuration, click on the Approve button. Each control with variables can have multiple configurations that reflect different variables/parameters for the same control. Until the controls are configured, they will appear in any documents or screens as VARIABLE NOT SET. When controls are created, they are presented with the Default configuration. If an information system requires a different configuration than the default for the control, a separate configuration can be created and given a different name (other than Default). See Managing and Editing Controls for details on how to properly configure and define your control variables.
To reject the control, click on the Reject button. When a control is rejected, a supplemental dialog box will appear to confirm the rejection and to document the reason for the rejection.
Approve or reject controls until the process is completed. Along the left side of the screen, each control's status will be marked with a green check or a red X based upon its disposition. Continue until all controls are evaluated and their appropriate designation is defined.
PRO TIP: If you would like to review ALL controls for ALL systems with the controls grouped by control family, select the grouping by Control Family option from the Pending Controls landing page; all controls for all systems will then be grouped by control family.
Bulk Approve Controls: Controls can also be approved in a bulk or mass approval process. To see instructions on how to do that, please see the Approving Many Controls at Once article in the Help File.