Establish and maintain an organizational data dictionary, including data syntax rules.


CONTROL ID
00600
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Analyze organizational objectives, functions, and activities., CC ID: 00598

This Control has the following implementation support Control(s):
  • Refrain from including metadata in the data dictionary., CC ID: 13529
  • Refrain from allowing incompatible data elements in the data dictionary., CC ID: 13624
  • Include information needed to understand each data element and population in the data dictionary., CC ID: 13528
  • Ensure the data dictionary is complete and accurate., CC ID: 13527
  • Include the factors to determine what is included or excluded from the data element in the data dictionary., CC ID: 13525
  • Include the date or time period the data was observed in the data dictionary., CC ID: 13524
  • Include the uncertainty in the population of each data element in the data dictionary., CC ID: 13522
  • Include the uncertainty of each data element in the data dictionary., CC ID: 13521
  • Include the measurement units for each data element in the data dictionary., CC ID: 13534
  • Include the data source in the data dictionary., CC ID: 13519
  • Include the nature of each element in the data dictionary., CC ID: 13518
  • Include the population of events or instances in the data dictionary., CC ID: 13517
  • Disseminate and communicate the data dictionary to interested personnel and affected parties., CC ID: 13516
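The implementation support Controls above enumerate what a data dictionary entry must carry (nature, source, units, observation period, uncertainty, population, inclusion criteria) and what the dictionary must prevent (incompatible data elements), while the parent Control requires data syntax rules. The following is an added example written for this page, not code from CobiT, NIST, CMS or any other listed authority document: a machine-readable data dictionary whose entries hold those fields plus a syntax rule, with three checks that correspond to CC IDs 13527 (completeness), 13624 (incompatible elements across two systems' dictionaries) and the syntax rules themselves applied to a record. All element names, rules, dictionaries and records are constructed for illustration.

```python
"""Added example: a data dictionary with syntax rules and the completeness,
compatibility and record-validation checks the supporting Controls describe.
Illustrative code written for this page; element names, field values and
records are constructed, not taken from any authority document."""
import re

# Metadata each data element must carry (paraphrasing CC IDs 13517-13534).
REQUIRED_FIELDS = {
    "nature", "source", "units", "observed", "uncertainty",
    "population", "population_uncertainty", "inclusion_criteria", "syntax",
}

# Constructed organizational data dictionary. "syntax" is the syntax rule:
# a Python type plus a regex, an allowed-value set, or a numeric range.
DATA_DICTIONARY = {
    "patient_id": {
        "nature": "identifier", "source": "registration system",
        "units": None, "observed": "2024-01-01/2024-12-31",
        "uncertainty": "none", "population": "all registered patients",
        "population_uncertainty": "none",
        "inclusion_criteria": "active records only",
        "syntax": {"type": str, "pattern": r"^P\d{8}$"},
    },
    "body_mass_kg": {
        "nature": "measurement", "source": "clinic scales",
        "units": "kg", "observed": "2024-01-01/2024-12-31",
        "uncertainty": "+/-0.1 kg",
        "population": "patients weighed at intake",
        "population_uncertainty": "about 2% of intakes unrecorded",
        "inclusion_criteria": "first weighing per visit",
        "syntax": {"type": float, "min": 0.5, "max": 500.0},
    },
    "blood_type": {  # deliberately incomplete entry, caught by missing_metadata()
        "nature": "category", "source": "lab results",
        "syntax": {"type": str, "allowed": {"A", "B", "AB", "O"}},
    },
}

# A second system's dictionary (constructed) whose definitions partly clash
# with the organizational one: different type for patient_id, different
# units for body_mass_kg. These must not be merged as the same element.
OTHER_SYSTEM_DICTIONARY = {
    "patient_id": {"units": None, "syntax": {"type": int}},
    "body_mass_kg": {"units": "lb", "syntax": {"type": float}},
    "blood_type": {"units": None,
                   "syntax": {"type": str, "allowed": {"A", "B", "AB", "O"}}},
}


def missing_metadata(dictionary):
    """CC 13527: map each element lacking required fields to the missing names."""
    return {
        name: sorted(REQUIRED_FIELDS - set(defn))
        for name, defn in dictionary.items()
        if REQUIRED_FIELDS - set(defn)
    }


def incompatible_elements(dict_a, dict_b):
    """CC 13624: elements defined in both dictionaries whose type or units
    disagree. Sharing such an element between systems would silently mix
    incompatible data, so the names are returned for review."""
    clashes = []
    for name in dict_a.keys() & dict_b.keys():
        a, b = dict_a[name], dict_b[name]
        if (a["syntax"]["type"] is not b["syntax"]["type"]
                or a.get("units") != b.get("units")):
            clashes.append(name)
    return sorted(clashes)


def validate_record(record, dictionary=DATA_DICTIONARY):
    """Apply each element's syntax rule to one record and return violations.
    A field absent from the dictionary is itself a violation: records may
    only carry defined data elements."""
    errors = []
    for field, value in record.items():
        defn = dictionary.get(field)
        if defn is None:
            errors.append(f"{field}: not in data dictionary")
            continue
        rule = defn["syntax"]
        if not isinstance(value, rule["type"]):
            errors.append(f"{field}: expected {rule['type'].__name__}")
            continue
        if "pattern" in rule and not re.fullmatch(rule["pattern"], value):
            errors.append(f"{field}: does not match {rule['pattern']}")
        if "allowed" in rule and value not in rule["allowed"]:
            errors.append(f"{field}: not an allowed value")
        if "min" in rule and not (rule["min"] <= value <= rule["max"]):
            errors.append(f"{field}: outside [{rule['min']}, {rule['max']}]")
    return errors


if __name__ == "__main__":
    print("incomplete entries:", missing_metadata(DATA_DICTIONARY))
    print("clashes with other system:",
          incompatible_elements(DATA_DICTIONARY, OTHER_SYSTEM_DICTIONARY))
    print(validate_record({"patient_id": "P00001234",
                           "body_mass_kg": 72.4, "blood_type": "O"}))
    print(validate_record({"patient_id": "00001234", "body_mass_kg": 72,
                           "blood_type": "C", "height_cm": 180}))
```

Running the module prints the incomplete `blood_type` entry, the two clashing elements, an empty violation list for the well-formed record, and four violations for the malformed one (bad identifier syntax, integer where the rule requires a float, a value outside the allowed set, and an undefined field). Whether a bare integer should satisfy a float rule is a design choice the dictionary's syntax rules must state explicitly; here the rule is strict so that the mismatch surfaces rather than being coerced away.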


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • a documented data architecture, data model and/or dictionary, that is validated with relevant business and IT stakeholders to support the needed data consistency across the ICT systems and to make sure that the data architecture, data model and/or dictionary remain aligned with business and risk man… (Title 3 3.3.4(d) 57.b, Final Report Guidelines on ICT Risk Assessment under the Supervisory Review and Evaluation process (SREP))
  • You have a good understanding of data important to the operation of the essential function, where it is stored, where it travels and how unavailability or unauthorised access, modification or deletion would adversely impact the essential function. This also applies to third parties storing or access… (B3.a ¶ 1, NCSC CAF guidance, 3.1)
  • Maintain an enterprise data dictionary that incorporates the organisation's data syntax rules. This dictionary should enable the sharing of data elements amongst applications and systems, promote a common understanding of data amongst IT and business users, and prevent incompatible data elements fro… (PO2.2 Enterprise Data Dictionary and Data Syntax Rules, CobiT, Version 4.1)
  • CSR 2.11.1: The organization must control access and changes to database management system (DBMS) software. The organization must limit access to the DBMS security profiles in the data dictionary and security tables. CSR 2.11.2: The organization must limit the use of database management system (DBMS… (CSR 2.11.1, CSR 2.11.2, Pub 100-17 Medicare Business Partners Systems Security, Transmittal 7, Appendix A: CMS Core Security Requirements CSR, March 17, 2006)
  • Analyze and define data requirements and specifications. (T0007, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Data elements can be accessed for deletion. (CT.DM-P4, NIST Privacy Framework: A Tool For Improving Privacy Through Enterprise Risk Management, Version 1.0)
  • Analyze and define data requirements and specifications. (T0007, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)