Before you can examine an Authority Document and map its contents, you need to start with an overview of basic concepts.
A citation is a passage or expression in a document that is quoted or cited. The example below shows a total of eight Citations (1, then 1(a) through 1(f), and 2):
Figure 1: Excerpt from “Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016”.
A citation reference is the symbolic annotation that ascribes a citation as being a part of a particular passage or expression in a specific document. This means that you have to define the document as one part of the citation reference and then define the portion within the document wherein the citation exists as the other part. For example, in Figure 1 the citations all come from the document “Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016”. So the first citation reference would be written as follows:
§ 1., Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016
And the second citation reference would be written as follows:
§ 1.(a), Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016
There are four classes of Citations that you will encounter in each and every Authority Document, though not all Authority Documents will have all four classes (because Configuration Citations are only found in certain types of Authority Documents). The four classes of Citations are Configuration Citations, Citations with Mandates, Stub Citations, and Information Gathering Citations.
Configuration Citations are found in Security Technical Implementation Guides, or STIGs as they are called. Configuration Citations contain the instructions for how a user should arrange or set up a computer system, application, or component based upon the system environment and organizational requirements.
Configuration Citations can be found at STIGViewer.com. A typical configuration citation reads like this: “If the system is using LDAP for authentication or account information, the /etc/ldap.conf (or equivalent) file must be group-owned by security, bin, sys, or system.” That whole thing about /etc/ldap.conf is a configuration item found within the AIX product line (and many others).
Citations with Mandates
A mandate is an official order or commission to do something. Think of a mandate as “turn off the faucet”, or “feed the dog”. A mandate is broken down into a combination of a primary verb “turn off” or “feed” and a primary noun “faucet” or “dog”.
Every citation can contain one or more mandates, but as in the case of stub citations, they don’t have to.
Going back to Figure 1, § 1.(b) reads “Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes…”. Notice that the sentence has two clauses separated by an “and”. The first clause “collected for specified, explicit and legitimate purposes” is one mandate. The second clause “not further processed in a manner that is incompatible with those purposes…” is a second mandate. They are two separate ideas with two very distinct primary verbs and primary nouns.
As a mapper, you have to be able to discern and separate multiple mandates within each citation. It is impossible to map citations with multiple mandates to Common Controls without separating the mandates before mapping.
In Figure 1, the first Citation “Personal data shall be” is a stub citation: normally a partial sentence that is used as a precursor to a fuller citation, such as “Personal data shall be:”, wherein the following citations fill out the rest of the sentence. In Figure 1, combining section 1 and (a) you get a single mandate, namely that personal data shall be processed lawfully… etc.
Stub Citations don’t convey any particular ideas of what the reader should do, they simply serve as a mechanism to present the information that follows.
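The three ideas above (the citation reference built from a location plus a document, a stub citation combined with its sub-citations to recover the full sentence, and the separation of multiple mandates within one citation) are modelled in the following added example. It is not code from the original page or from any mapping tool: the excerpt is a constructed, abbreviated imitation of the Figure 1 layout, the line parser is a simple regular expression, and the split of mandates at an “and” relies on an assumed short list of primary verbs rather than real linguistic analysis.

```python
"""Added example: model the citation concepts above (citation references,
stub citations merged with sub-citations, mandate splitting) in code.
The parser, the verb heuristic and the excerpt are constructed for this
example and are not part of any mapping tool."""
import re
from dataclasses import dataclass
from typing import Optional

DOCUMENT = ("Regulation (EU) 2016/679 of the European Parliament "
            "and of the Council of 27 April 2016")

# Constructed, abbreviated excerpt laid out like Figure 1 (two sub-citations, not six).
SAMPLE = """\
1. Personal data shall be:
(a) processed lawfully, fairly and in a transparent manner in relation to the data subject;
(b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;
2. The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1."""

# Matches "1. text" (top-level section) or "(a) text" (sub-citation).
LINE_RE = re.compile(r"^(?:(?P<num>\d+)\.|\((?P<sub>[a-z])\))\s+(?P<body>.+)$")

# Assumption: a small list of primary verbs that can start a new mandate, and
# adverbs that may sit between "and" and that verb ("and not further processed").
PRIMARY_VERBS = {"processed", "collected", "kept", "stored", "erased", "rectified"}
SKIP_WORDS = {"not", "further", "only", "also"}


@dataclass
class Citation:
    section: str                         # "1." or "1.(b)"
    text: str                            # the passage, trailing ';' or '.' removed
    parent: Optional["Citation"] = None  # top-level citation a sub-citation hangs off

    @property
    def reference(self) -> str:
        """Citation reference: location within the document, then the document."""
        return f"§ {self.section}, {DOCUMENT}"

    @property
    def is_stub(self) -> bool:
        """A stub is a partial sentence ending in ':' that only introduces what follows."""
        return self.text.endswith(":")

    def full_text(self) -> str:
        """Combine a stub parent with this citation to recover the complete sentence."""
        if self.parent is not None and self.parent.is_stub:
            return f"{self.parent.text.rstrip(':').strip()} {self.text}"
        return self.text


def parse_citations(text: str) -> list:
    """Turn Figure 1-style lines into Citation objects, linking (a), (b), ... to their section."""
    citations, current_top = [], None
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        body = m["body"].strip().rstrip(";.")
        if m["num"]:
            current_top = Citation(f"{m['num']}.", body)
            citations.append(current_top)
        elif current_top is not None:
            citations.append(Citation(f"{current_top.section}({m['sub']})", body, parent=current_top))
    return citations


def split_mandates(sentence: str) -> list:
    """Split a citation at an 'and' that introduces a second primary verb.
    'specified, explicit and legitimate' stays together because 'legitimate'
    is not a verb; 'and not further processed' starts a second mandate."""
    parts = sentence.split(" and ")
    mandates = [parts[0]]
    for part in parts[1:]:
        words = [w.strip(",.;").lower() for w in part.split()]
        i = 0
        while i < len(words) and words[i] in SKIP_WORDS:
            i += 1
        if i < len(words) and words[i] in PRIMARY_VERBS:
            mandates.append(part)
        else:
            mandates[-1] += " and " + part  # same clause, keep it intact
    return [m.strip() for m in mandates]


def mapping_worklist(citations: list) -> list:
    """What a mapper works from: (reference, full sentence, separated mandates),
    skipping stubs because they carry no mandate of their own."""
    return [(c.reference, c.full_text(), split_mandates(c.full_text()))
            for c in citations if not c.is_stub]


if __name__ == "__main__":
    for ref, sentence, mandates in mapping_worklist(parse_citations(SAMPLE)):
        print(ref)
        for n, m in enumerate(mandates, 1):
            print(f"  mandate {n}: {m}")
```

Running the block prints one entry per non-stub citation, with § 1.(b) separated into its two mandates while § 1.(a) stays whole. The verb list is the weak point of the heuristic: a real mapper still reads each clause and decides whether a second primary verb and primary noun are present.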
An information gathering citation is one that asks a question to gather information about the organization, its facilities, its services, etc., that provides information, or that relies on references to other sections in the Authority Document or to other Authority Documents. Information gathering citations do not have mandates.
Objective formatted Information Gathering Citations
Sometimes the information gathering Citation is stated as an objective, such as this example shows.
Figure 2: An Information Gathering Citation
Sometimes the Authority Document authors will add whole paragraphs used to describe something that is done simply because it is expected and is a precursor to the actual mandates being given to the reader. Normally these paragraphs will state that “this or that should be taken into account” as a part of whatever they are mandating. Such is the case with the example below.
Figure 3: An Information Gathering Citation as a perfunctory statement