Tuesday, March 11, 2008

Another Attempt at Defining Control

I looked for "control" in an online dictionary. Here are a couple of definitions that I like:

A restraining device, measure, or limit;

To verify or regulate

I like a combination of those applied to information systems, so here's my first attempt: Rules that measure, limit, or regulate activity or behavior within an information system environment.

The definition is not that important, because I can fall back on examples to help someone understand controls.

Feel free to shoot holes in my definition.

Definition of Security Control

I'm writing a piece to describe validating the DoDI 8500.2 security controls. The audience is project managers, lead developers, and clients -- anyone who isn't familiar with the effort, but needs to know so they can make a judgment about how much work is ahead of them.

While writing this piece, I decided to define the term security control. I'm finding it's more difficult than I thought.

I first tried to create my own definition. When I discovered that my definition stunk, I searched for others.

Here's one from 8500.2 itself -- the horse's mouth:

E2.1.26. IA Control. An objective IA condition of integrity, availability, or confidentiality achieved through the application of specific safeguards or through the regulation of specific activities that is expressed in a specified format (i.e., a control number, a control name, control text, and a control class). Specific management, personnel, operational, and technical controls are applied to each DoD information system to achieve an appropriate level of integrity, availability, and confidentiality in accordance with OMB Circular A-130 (reference (v)).

I mean no offense to the people who wrote that, but it's difficult to understand. It is a definition that's all-encompassing and yet leaves me with a confused feeling and is not much help pinning down the term. I'm looking for a short, pithy definition.

I'll keep trying and post what I find.