Compliance regulations and standards, like other bodies of laws, are straightforward in theory -- but they're maddeningly opaque and complex in practice.
If you have any doubt, just Google a term like Payment Card Industry Data Security Standard and look at the great variety of links that come back promising to help you sort it all out. Now multiply PCI by three or four or 50 to account for the multiple and overlapping sets of regulations and statutes that government entities and public companies in the U.S., Europe and elsewhere are being asked to comply with, and you get a sense of the challenges facing chief information security officers and IT staffs in ensuring compliance.
One constant need is harmonizing the requirements of different sets of regulations and compliance standards. Presumably, if companies can identify which regulations they're bound by and then areas that overlap, they can reduce their compliance costs by taking a "fix once, comply many" approach that will streamline internal audits and reduce capital expenditures.
Such an approach also allows organizations to focus more time and energy on their areas of greatest risk and exposure, and on the requirements with the sharpest teeth. But making sense of hugely complex regulatory frameworks is no small task, which is why many have found it easier to rush into the arms of (expensive) consultants and managed services firms that can do the heavy lifting for them.
Connecting the compliance dots
What's needed, of course, is an easy way to make sense of the various regulations that bear upon your business -- to connect the dots between similar sets of requirements and identify areas that are unique to each.
This isn't exactly a new problem in the history of human thought. In fact, Jewish scholars living in the Middle Ages had a very similar problem. They had a defined body of Jewish law rooted in three texts: the Bible (or Torah); the Mishnah, a codification of Biblical law dating to the third century; and the Talmud, a kind of extended Rabbinic commentary on those laws. The problem was the source documents were unwieldy: loosely coupled collections of stories, laws and then reflections on those laws from which it was difficult to extract clear guidance. There might be dozens of direct or indirect discussions of dietary laws, for example, but those discussions were sprinkled through numerous texts in different places. Some prescriptions might contradict others. Lots of gray area. Starting to sound familiar?
A solution came in the 12th century in the form of the Mishneh Torah, a work of the famous medieval scholar Maimonides. Working for more than a decade, he consolidated the sum of those three source texts and other important works of Jewish thought at the time into 14 volumes, organized by topic (knowledge, law, observance, etc.) and subdivided those into sections, chapters and paragraphs that could be easily referenced.
With the Mishneh Torah (which translates, literally, as "repetition of the Torah"), a scholar who wanted a question answered about dietary laws or a civil dispute could go to the appropriate section and find a clearly worded compendium of laws and rulings culled from all the relevant source documents that spoke -- directly or indirectly -- to the issue at hand.
My mind turned to Maimonides and his massive project the other day when I was speaking with a company, Network Frontiers LLC. It has undertaken a very similar project with the Web of laws, industry and government regulations that, increasingly, resemble a kind of secular religion for the enterprise.
Untying the compliance knot
Working over the past couple of years with a team of linguists, lawyers, compliance experts and practitioners, Network Frontiers created the Unified Compliance Framework (UCF), a database that distills 450 regulatory and legal authority documents (U.S. and international) into a set of 30,000 unique citations and 2,500 distinct controls, each with a unique and persistent ID.
Controls are grouped into 13 high-level "impact zones" -- records management, technology acquisition, human resources management, systems continuity, physical security and so on. The controls are published in a series of spreadsheets with pivot tables and links back to the original source material, allowing practitioners to ground controls in chapter and verse.
For example, you know that changing vendor default settings is a requirement of PCI, but did you know that it's also called for by NERC, the Federal Financial Institutions Examination Council and in guidance from the National Institute of Standards and Technology and the IRS? Probably not, but UCF connects the dots. Moreover, because each control is assigned a unique ID (UCF ID 00877, in the case of "always changing vendor defaults"), suddenly practitioners have a common language to talk about a requirement that may be framed differently in different compliance frameworks.
Finally, Network Frontiers offloads the task of keeping current with changes to existing regulations as well as pulling in and correlating new regulations and laws. (Consider the job of parsing multiple state data privacy laws and the federal data privacy laws working their way through Congress.)
In short, UCF is an incredibly useful tool that security vendors, especially those targeting governance, risk and compliance, have started to seize on. Vendors such as CA Inc., Archer Technologies LLC, McAfee Inc., Lumension Security Inc. and OpenPages Inc. have all licensed UCF content for use in their risk management products in recent months, and we expect more to sign on in 2010, as customers look for help cutting through the Gordian knot of compliance mandates. Network Frontiers makes money by licensing its spreadsheet on an annual subscription model, and also provides various compliance toolkits for a fee. But its UCF spreadsheets are available for viewing free through its website. Check them out.
Paul Roberts is a senior analyst at The 451 Group.