By creating a single, industry-vetted compliance database, developers of the Unified Compliance Framework say the tool can help organizations manage and create best practices to meet global compliance requirements.
Developed by Lafayette, Calif.-based Network Frontiers, the Unified Compliance Framework (UCF) is designed to simplify IT controls identification across multiple authority documents by identifying overlapping compliance regulations and requirements.
"It definitely reduces redundant processes," said Dorian Cougias, Network Frontiers co-founder. "The intent of the UCF is for someone to select the authority document they have to follow, and then find the controls that give them complete coverage across those authority documents."
The Unified Compliance Framework was created with input from IT professionals, auditors and lawyers. It's designed leverage commonalities between regulations to create a list of controls that meet all compliance requirements.
The rules covered include the Payment Card Industry Data Security Standard (PCI DSS), The Sarbanes-Oxley Act, those promoted by the National Institute of Standards and Technology and many more national, state and even global regulations. It also updated quarterly to ensure newer regulations are covered. By identifying processes that satisfy and demonstrate compliance with many different intersecting requirements, it makes it much easier for organizations to reduce duplicated compliance efforts, Cougias said.
"We are seeing somewhere around 80% overlap, on average," Cougias said. "A lot of these organizations say, 'My god, we're doing three times more than is really required of us.'"
The Unified Compliance Framework tracks authority documents for the regulations, as well as their changes, their individual originators and issuers, and their terms and acronyms. This information is then threaded into its database to create a list of controls.
From the list of controls, the framework can help develop a transparent and directly linked structure to maintain corporate governance tools necessary to the compliance process. These tools include:
- Metric standards.
- Role definitions.
- Information classification guidelines.
- Configuration management guides.
- Compliance documents such as policies, standards, procedures and audit guidelines.
The tools help organizations create "a harmonized, legal and technical framework" for virtually every law that deals with IT, physical security and records management, said Craig Isaacs, CEO at Network Frontiers.
What we created is a 'superset' of everything people need to do to stay compliant.
"Really top-notch, high-end CIOs are saying this is a problem: 'We're getting audited to death, and we need to find a way to essentially cover Sarbanes-Oxley and HIPAA [the Health Information Portability and Accountability Act] and these other requirements without going over budget,'" Isaacs said. "What we created is a 'superset' of everything people need to do to stay compliant -- that lets people actually focus on just what they need to do."
In 2007, Morristown, N.J.-based Honeywell International Inc. became the first company to implement the Unified Compliance Framework.
"Honeywell's policy was comprehensive in covering the functional areas of security per ISO 17799. All policy statements were contained in a single, hard-to-manage document," said John McClurg, Honeywell's vice president of global security, in a statement.
"The UCF helped Honeywell move from that 'big book' approach to a more sensible, modular system with individual policies and standards for each business department."
The Unified Compliance Framework is available in several packages, ranging from a free option to a "corporate database package" that costs $20,000 for a yearly subscription. For more information on the Unified Compliance Framework, visit www.unifiedcompliance.com.
Do you know of new compliance products we should feature? Email us at firstname.lastname@example.org.