Welcome to the SecAware blog

I spy with my beady eye ...

27 Jul 2012

Trailblazing the compliance jungle

I first came across the Unified Compliance Project (UCP) about 5 years ago when it was run by Dorian Cougias for the IT Compliance Institute (ITCi).  While information security-related compliance obligations were mushrooming, UCP aimed to simplify, harmonize and perhaps even unify the laws, standards and regulations in this area. 

ITCi evidently turned up its toes in 2008, passing the UCP baton to Network Frontiers LLC where it became the UCF (Unified Compliance Framework).

Fast forward to 2012.  Dorian remains in the driving seat for UCF along with lawyer Marcelo Halpern and Network Frontiers CEO Craig Isaacs.  

Having apparently invested around $9m pulling together the content from a wide variety of laws, regulations, standards etc., plus $1m for the database to amalgamate, analyze and regurgitate requirements, UCF is now in a position to sell the information and expertise to bewildered organizations that are keen to identify and fulfill their compliance obligations.  UCF's business model seems straightforward enough: they specialize in obtaining and maintaining the compliance information on behalf of their customers who are busy doing whatever they do.  It's an added-value subscription service.

UCF's 'prime directive' is expressed as "We don't invent stuff"; in other words, UCF simply consolidates the requirements documented in the multitude of laws, regulations and standards they track, warts and all.  On the whole, they act as an honest broker, merely passing on requirements and obligations imposed by others.  However, the added-value aspects of their service include:

  • Painstakingly analyzing the legalese small print in a multitude of formal documents to determine, precisely, what the requirements are;
  • Classifying and cataloging the requirements in a structured manner;
  • Clarifying compliance terms and acronyms, identifying different terms for the same thing and vice versa;
  • Consolidating equivalent compliance requirements from multiple sources, such that satisfying one should satisfy them all;
  • Pulling various kinds of requirement out in forms useful for those aiming to comply - metrics for example, implied by many compliance reporting requirements;
  • Maintaining this vast edifice as things constantly change.

To get a feel for the breadth and depth of the service, browse through the UCF controls spreadsheets or search the UCF database to find out what "authority documents" they are tracking (that's their term for the original laws, regulations, standards etc.).  If you have the time, read the Science of Compliance eBook for clues on structuring your own compliance program.  If not, try their Science of Compliance webinar.

Finally, I heartily recommend contacting UCF if you are sufficiently serious about compliance to consider subscribing.  The UCF people I spoke to recently were extraordinarily helpful and passionate about this stuff.  It's what they do.  

Gary Hinson (Gary@isect.com)

PS  I gather legislators are also starting to approach UCF for advice, raising the intriguing prospect that future infosec/privacy laws and regs introduced in various jurisdictions might actually converge on common terms and language, if not common requirements.  Now there's a bright idea.  
