Control Zone

A “control zone” is a categorical designation applied to infrastructure (e.g., hardware, software, and network components) to restrict access according to the classification of the data contained in that infrastructure.

For example, a server (part of the infrastructure) containing Protected Health Information (PHI) is categorized in the “High Control Zone” and is protected by the specific set of security measures routinely applied to that zone. Conversely, a server hosting only Public Information is categorized in the “Low Control Zone” and is subject to a less stringent set of security controls.

Data classification, and the security requirements associated with each control zone, originate from laws and regulations such as the Health Insurance Portability and Accountability Act (HIPAA), industry standards such as the Payment Card Industry Data Security Standard (PCI DSS), and requirements imposed by organizations such as the Department of Homeland Security (DHS), the Food and Drug Administration (FDA), and the Nuclear Regulatory Commission (NRC).

Refer to Standard 200: Information Security Classification, Labeling, and Handling and Standard 202: Information Security Access Control for additional details.