Scope of Control
A Scope of Control (of a Party) is the extent of the area or subject matter (as in OED) that the party controls. One might say that the party is 'sovereign' or 'autonomous' within its scope of control.
Knowing the Scope of Control (of a Party) helps other parties as well as the party itself to determine what (not) to expect of that party.
Suggestions for criteria are welcomed.
- The scope of control of a nation's government is typically limited by the physical area of the nation and the behaviors that actors and parties may exhibit there.
- The scope of control of an individual is limited by what they can do by themselves, and by the rights and duties that they have been assigned in or by some jurisdiction.
- Larger organizations are typically a (hierarchical) construction of organizational entities called departments, divisions, and the like. Each of these entities is a party, and has its own scope of control. It is a common mistake for e.g. the board of such an organization to confuse the scope of control of the board with that of the organization itself. In fact, this confusion may be the cause of actual incidents. [1]
[1] The Dutch Cyber Security Council is an advisory body for the Dutch government, providing it with advice regarding all sorts of cyber security related matters. Back in 2013, it was chaired by the CEO of KPN, the leading Dutch telecom operator. Being highly aware of cyber security and associated risks, KPN had a framework in place, and was certified against ISO 27001. In spite of all this, a 17-year-old script-kiddie broke into IT systems of KPN in the beginning of February, which enabled him to intercept internet traffic and manipulate the telephone network to the extent that the emergency call number 112 could have been rendered out of service. (One of the news items, in Dutch, is at Tweakers.) This case demonstrates that there is a difference between an organization having information security organized at the board level, and having it organized in its 'operational cellars'. See the pattern on decentralized risk management for a way to resolve this.