A control in the context of governance, risk management, and compliance is any action taken to reduce risk or comply with mandated regulations or voluntary policies. In the Compliance and Risk Process Management Pack, the following key objects are used to manage controls:
- Control Objective. This is a goal statement to reduce or eliminate a risk or meet a compliance requirement. A Control Objective typically maps to one or many control activities. A Control Objective can be linked to various Authority Documents, such as SOX, HIPAA, GLBA, and so on. This process is designed to improve the ability of customers to use one Control Objective to address similar compliance requirements in multiple authority documents.
- Control Activity. This is a single policy, procedure, or practice that you can use to validate how well your organization is meeting its control objectives. Control activities consist of procedures performed by IT professionals that validate the process of meeting objectives defined in one or more Control Objectives. Control activities can be manual or automated via System Center products, such as Microsoft System Center Configuration Manager and System Center Operations Manager.
- Control Activity Result. This is the result of the validation process for a control activity.