
The support site for the Unified Compliance Framework


The Main Thing about Controls

To control is to bring something into check (to manage or verify it) or to constrain it (to restrict or confine it). To abstract a control, it can be broken down into two parts:

    • the action and demonstrable outcome being called for (the basis of the control), and

    • the parameters associated with that action.

That means that before we can figure out which controls we should be mapping in a document, we need to figure out where the controls start in that document. For instance, in the Authority Document entitled TG-3 Retail Financial Services Compliance Guideline - Part 1: PIN Security and Key Management, there are no controls at all until chapter 4. And once we do reach the controls, they are written as multiple controls within a single reference. Let's look at the first written control as presented by this Authority Document:

The secure environment is physically, logically, and procedurally protected with access controls or other mechanisms designed to prevent any penetration, which would result in the disclosure of all or part of any cryptographic key and / or PINs stored within the environment. Documented procedures exist and are followed that ensure the secured environment remains secure until all keying material has been removed or destroyed.

In UCF parlance there are three distinct actions here, and therefore three distinct controls: the first is that the secure environment is protected with access controls, the second is that documented procedures exist, and the third is that those documented procedures are followed. The rest of the reference (that the protection is physical, logical, and procedural; that its purpose is to prevent disclosure of cryptographic keys or PINs; and that the procedures apply until all keying material has been removed or destroyed) supplies the parameters associated with those actions.

So what you need to know about controls is that

1. they need to be searched for in the Authority Document,

2. they need to be separated out of a single Authority Document reference, or combined from several references, as necessary, and

3. they need to be rewritten to make sense in plain language once separated or combined.

