Reviewing Approved Controls

CyMetric enables users to review approved controls to better understand what the controls are and why they are being put in place.

Written by Michael Compisi
Updated over 4 years ago

Approved controls make up your compliance program and reflect the organization's commitment to secure, properly store, and manage information assets in line with its policies. CyMetric enables users to review the approved controls and, in so doing, better understand what the controls are and why they are being put in place. Additionally, controls can be customized to reflect the specific requirements of an information system: CyMetric enables the creation of multiple configurations for a control to reflect those needs.

Review Approved Controls

Navigate to the Approved Controls module by clicking Approved in the Controls module navigation area. Controls that have been approved into the compliance program are listed in a grid with several columns, defined below.

Definitions

Identifier: The acronym-based identifier for a specific control within its NIST family (for example, a family prefix followed by a control number).

Title: The name of the control in long form.

Family: The grouping or "family" the specific control belongs to. There are currently 26 NIST control families, each representing a different function or procedural area that its controls focus on.

Configurations: Many NIST controls have variables or elements (parameters) that must be defined before the control can be implemented. In some cases, the same control may require multiple versions with different parameter values to reflect the relative importance or other criteria of different information systems. The Configurations column shows how many unique configurations have been built for the specific control. Configuring controls is covered in a later section of this document.

Instances: The number of information systems applying the specific control, counted across all configurations of that control.

Configurations Tab: Review a control by clicking the chevron (>) at the end of that control's row. On the Configurations tab, users see details of the control, including which configurations are available, the control description, and the implementations of the control (which information systems are applying it). To add further configurations for a control, see the article Creating Multiple Configurations for a Control.

Control Details Tab: The Control Details tab provides specific details on why the organization is implementing the control. The reference to the specific line of the regulation or mandate that drives the control is defined here. CIOs, technology leaders, and compliance personnel can use this to explain to management and leadership teams why investments are being made in technology, staff, or procedures to better protect the environment and meet the obligations of the laws the organization must comply with. The tab also presents the NIST Supplemental Guidance for the control: NIST-drafted text that clarifies what the control is designed to do and how it is applied in practice. It is a useful resource for technology leaders who need to communicate the intent of a control in practical terms.
