2.5: Variables

Last updated
Save as PDF

Page ID: 84942

Thomas P. Dover
Butler County Community College

\( \newcommand{\vecs}[1]{\overset { \scriptstyle \rightharpoonup} {\mathbf{#1}} } \) \( \newcommand{\vecd}[1]{\overset{-\!-\!\rightharpoonup}{\vphantom{a}\smash {#1}}} \)\(\newcommand{\id}{\mathrm{id}}\) \( \newcommand{\Span}{\mathrm{span}}\) \( \newcommand{\kernel}{\mathrm{null}\,}\) \( \newcommand{\range}{\mathrm{range}\,}\) \( \newcommand{\RealPart}{\mathrm{Re}}\) \( \newcommand{\ImaginaryPart}{\mathrm{Im}}\) \( \newcommand{\Argument}{\mathrm{Arg}}\) \( \newcommand{\norm}[1]{\| #1 \|}\) \( \newcommand{\inner}[2]{\langle #1, #2 \rangle}\) \( \newcommand{\Span}{\mathrm{span}}\) \(\newcommand{\id}{\mathrm{id}}\) \( \newcommand{\Span}{\mathrm{span}}\) \( \newcommand{\kernel}{\mathrm{null}\,}\) \( \newcommand{\range}{\mathrm{range}\,}\) \( \newcommand{\RealPart}{\mathrm{Re}}\) \( \newcommand{\ImaginaryPart}{\mathrm{Im}}\) \( \newcommand{\Argument}{\mathrm{Arg}}\) \( \newcommand{\norm}[1]{\| #1 \|}\) \( \newcommand{\inner}[2]{\langle #1, #2 \rangle}\) \( \newcommand{\Span}{\mathrm{span}}\)\(\newcommand{\AA}{\unicode[.8,0]{x212B}}\)

Variable: COMPLIANCE & VALUE (Figure 1)
Type: String or Text
Definition: Value expressing organizational compliance with and satisfaction of the security requirement. Numeric value is assigned to text value (e.g., Yes = 1) which is then used to calculate individual, group and statistical compliance.

The organization:
(Y) performs this task¹
(P) partially performs this task
(A) uses an alternate approach to perform this task (that satisfies the requirement)
(N) does not perform this task
(D) this control requirement does not apply

Variable: VALUE
Depending on compliance, the following numerical values are automatically assigned:
Y or A = 1
P(L)(M)(H) = Low (.25), Medium (.50), High (.75) respectively
D or N = 0

Compliance variable Figure 1. Compliance (note: Value (0-1) is automatically entered depending on level-of-compliance)

---
Variable: SATISFYING STATEMENT (Figure 2)
Type: String or Text
Definition: a short but concise statement conveying how the (control) requirement is satisfied.

Normally, security assessments require detailed explanations² of policies and/or procedures in order to satisfy a particular security requirement. Such detail may require additional allocation of resources (i.e., time, staff & effort) to complete. The approach taken here is to provide a “trimmed” answer which nevertheless satisfies the requirement. For example, under ACCESS CONTROL, the question: (do you) “Limit system access to authorized users, processes acting on behalf of authorized users, and devices (including other systems)”? A short, satisfying statement would be (yes) via “Role-based Access Control (RBAC)”. The trimmed statement, Role-based Access Control (RBAC), is placed in the cell directly below the control-requirement.

Figure 2. Satisfying Statement variable Figure 2. Satisfying Statement

---

Variable: NAME (Figure 3)
Type: String or Text
Definition: The person responsible for providing the Satisfying Statement. This value is normally placed in the cell directly below the Satisfaction of Requirement (Y, N) variable.

Figure 3. Name variable Figure 3. Name

---

Variable: VALIDATION POINT/TOOL (Figure 4)
Type: String or Text
Definition: a short, concise statement describing the tool, process or procedure used to satisfy the control requirement.

This information describes what application, utility, or process is used to satisfy the control requirement. Often, the same tool is used to satisfy multiple requirements or multiple requirements are satisfied by a single tool (example: an IDS³ for network security).

Figure 4. Validation Point/Tool variable Figure 4. Validation Point/Tool

---

Variable: SECURITY CONTROL/TYPE* (Figure 5)
This value directly references HIPAA’s Security Rule which requires security controls to be categorized as Administrative, Technical or Physical. Most often, a security control has but a single categorization but there are instances where a control may encompass more than one. For example, establishing an operational incident-handling capability may be categorized as both an Administrative and Technical control.

Figure 5. Security Control Type variable (applies to healthcare (HIPAA) sector only) Figure 5. Security Control Type (note: applies to healthcare (HIPAA) sector only)

* this variable is only required for healthcare assessments.

[1] The term ‘task’ implies steps taken to satisfy the control requirement.

[2] The level of detail need only be sufficient to satisfy the security requirement. Nevertheless, more often than not extensive and detailed explanations are given.

[3] Intrusion Detection System (IDS)