Skip to main content
Library homepage
Engineering LibreTexts

2.5: Variables

  • Page ID
  • \( \newcommand{\vecs}[1]{\overset { \scriptstyle \rightharpoonup} {\mathbf{#1}} } \) \( \newcommand{\vecd}[1]{\overset{-\!-\!\rightharpoonup}{\vphantom{a}\smash {#1}}} \)\(\newcommand{\id}{\mathrm{id}}\) \( \newcommand{\Span}{\mathrm{span}}\) \( \newcommand{\kernel}{\mathrm{null}\,}\) \( \newcommand{\range}{\mathrm{range}\,}\) \( \newcommand{\RealPart}{\mathrm{Re}}\) \( \newcommand{\ImaginaryPart}{\mathrm{Im}}\) \( \newcommand{\Argument}{\mathrm{Arg}}\) \( \newcommand{\norm}[1]{\| #1 \|}\) \( \newcommand{\inner}[2]{\langle #1, #2 \rangle}\) \( \newcommand{\Span}{\mathrm{span}}\) \(\newcommand{\id}{\mathrm{id}}\) \( \newcommand{\Span}{\mathrm{span}}\) \( \newcommand{\kernel}{\mathrm{null}\,}\) \( \newcommand{\range}{\mathrm{range}\,}\) \( \newcommand{\RealPart}{\mathrm{Re}}\) \( \newcommand{\ImaginaryPart}{\mathrm{Im}}\) \( \newcommand{\Argument}{\mathrm{Arg}}\) \( \newcommand{\norm}[1]{\| #1 \|}\) \( \newcommand{\inner}[2]{\langle #1, #2 \rangle}\) \( \newcommand{\Span}{\mathrm{span}}\)\(\newcommand{\AA}{\unicode[.8,0]{x212B}}\)

    Variable: COMPLIANCE & VALUE (Figure 1)
    String or Text
    Definition: Value expressing organizational compliance with and satisfaction of the security requirement. Numeric value is assigned to text value (e.g., Yes = 1) which is then used to calculate individual, group and statistical compliance.

    The organization:
    (Y) performs this task1
    (P) partially performs this task
    (A) uses an alternate approach to perform this task (that satisfies the requirement)
    (N) does not perform this task
    (D) this control requirement does not apply

    Variable: VALUE
    Depending on compliance, the following numerical values are automatically assigned:
    Y or A = 1
    P(L)(M)(H) = Low (.25), Medium (.50), High (.75) respectively
    D or N = 0

    Compliance variable Figure 1. Compliance (note: Value (0-1) is automatically entered depending on level-of-compliance)

    Variable: SATISFYING STATEMENT (Figure 2)
    Type: String or Text
    Definition: a short but concise statement conveying how the (control) requirement is satisfied.

    Normally, security assessments require detailed explanations2 of policies and/or procedures in order to satisfy a particular security requirement. Such detail may require additional allocation of resources (i.e., time, staff & effort) to complete. The approach taken here is to provide a “trimmed” answer which nevertheless satisfies the requirement. For example, under ACCESS CONTROL, the question: (do you) “Limit system access to authorized users, processes acting on behalf of authorized users, and devices (including other systems)”? A short, satisfying statement would be (yes) via “Role-based Access Control (RBAC)”. The trimmed statement, Role-based Access Control (RBAC), is placed in the cell directly below the control-requirement.

    Figure 2. Satisfying Statement variable Figure 2. Satisfying Statement


    Variable: NAME (Figure 3)
    String or Text
    Definition: The person responsible for providing the Satisfying Statement. This value is normally placed in the cell directly below the Satisfaction of Requirement (Y, N) variable.

    Figure 3. Name variable Figure 3. Name


    Variable: VALIDATION POINT/TOOL (Figure 4)
    String or Text
    Definition: a short, concise statement describing the tool, process or procedure used to satisfy the control requirement.

    This information describes what application, utility, or process is used to satisfy the control requirement. Often, the same tool is used to satisfy multiple requirements or multiple requirements are satisfied by a single tool (example: an IDS3 for network security).

    Figure 4. Validation Point/Tool variable Figure 4. Validation Point/Tool


    Variable: SECURITY CONTROL/TYPE* (Figure 5)
    This value directly references HIPAA’s Security Rule which requires security controls to be categorized as Administrative, Technical or Physical. Most often, a security control has but a single categorization but there are instances where a control may encompass more than one. For example, establishing an operational incident-handling capability may be categorized as both an Administrative and Technical control.

    Figure 5. Security Control Type variable (applies to healthcare (HIPAA) sector only) Figure 5. Security Control Type (note: applies to healthcare (HIPAA) sector only)

    * this variable is only required for healthcare assessments.

    [1] The term ‘task’ implies steps taken to satisfy the control requirement.

    [2] The level of detail need only be sufficient to satisfy the security requirement. Nevertheless, more often than not extensive and detailed explanations are given.

    [3] Intrusion Detection System (IDS)

    This page titled 2.5: Variables is shared under a CC BY-NC 4.0 license and was authored, remixed, and/or curated by Thomas P. Dover.

    • Was this article helpful?