All Authority Documents are read and reviewed for the sections that contain mandates. Whole sections are not mapped into the UCF when they are informational and contain nothing that tells your organization to do something (think the About section, the authority section, a sanctions section, sections talking about the government’s responsibilities and not yours, etc.).
For sections that contain Mandates (do this to that), we map all of their Citations.
Of those Citations that the UCF maps, each Citation is examined and falls into one of three categories:
- It contains mandates. If so, we add the Citation, tag the primary and secondary verbs and nouns, and either match them to an existing Common Control or suggest a new Common Control if no match exists. In this case they are mapped accordingly.
- It contains information-gathering content that your GRC/SCM/SIEM/Audit tool needs to know. A question like “how many vendors do you have?” is not a mandate, but it could very well be used by one of your tool vendors in creating a risk profile for you. If it is an information-gathering Citation, we don’t tag the terms; we map it to the one Common Control reserved for such purposes, and that alerts your vendor that they have to programmatically do something with the contents.
In this case they are mapped to Control ID 6726, “Document the organization’s local environments.”
- It contains no mandates and is not asking you to give information. That means it’s either a stub (PCI is famous for writing “1.2.1 The organization must audit the following:”) that we include so that any exported hierarchy reads correctly, or it is an informational Citation (“For the purposes of this document, an organization and a person acting as a data manager both fall under the same jurisdiction.”).
In this case they are mapped to Control ID 0, the root Control, which has no content.