When it Comes to Controls and Compliance, Fix Once and Comply with Many

By Brian Musthaler | November 14, 2012

Posted in: Network Security Trends

Fix once and comply with many! This is the holy grail of both controls and compliance for organizations that need to comply with multiple regulations and standards. For example, a large enterprise might have to assure that it’s fully in compliance with SOX, HIPAA, COBIT, PCI and ISO 27001. Determining and implementing the proper controls and validating compliance for all those regulations puts a strain on both the CISO and the corporate compliance officer and their respective teams.

In the early days of compliance exercises, those responsible for compliance sifted through all of these regulations to identify the “thou must…” and “thou shall…” requirements in each one. They then translated these requirements into controls that had to be implemented, and finally the controls were implemented and tested. How long did this take and how much did it cost? For the typical business, a long time and a lot of capital.

While companies and compliance professionals have gained valuable experience in understanding their current compliance landscapes, the reality is the world of regulations isn’t static. There will always be new regulations and changes to existing ones.

Even with knowledge and experience as a guide, there are organizations that still rely on compliance programs whose teams operate in silos. These efforts are not only manually intensive and very capital intensive, but they often result in duplicative work. Working in this isolated manner conflicts with a common management mantra: find a way to reduce expenses and get more for less.

In a forward-looking effort to address these realities and unify IT compliance, the compliance marketplace responded with the development of the Unified Compliance Framework (UCF). The UCF was spearheaded by IT compliance mapping vendor Network Frontiers and it has been collaboratively improved since its inception by numerous compliance and controls vendors. The UCF is an ongoing initiative to support IT compliance management by focusing on commonalities across regulations, standards-based development, and simplified architectures.

The UCF approach helps organizations simplify and reduce the cost of compliance, and ultimately limit their compliance risk exposures. From the perspective of both the vendors and users of compliance solutions, the UCF increases the intrinsic value of compliance and control technologies with its industry-vetted compliance database that translates regulations, standards and control frameworks into a simplified, unified set of recommended controls.

The UCF organizes real-world IT processes into what it calls “IT Impact Zones.” Each zone deals with one area of policies, standards and procedures:

  • Audits and risk management

  • Configuration management

  • Design and implementation

  • Human resources management

  • Leadership, high level objectives

  • Monitoring and measurement

  • Operational management

  • Physical, environmental protection

  • Privacy protection (information, data)

  • Records management

  • Systems continuity

  • Technical security

  • Technology and services acquisition

Organizations that embrace UCF practices – either by implementing them directly or by engaging vendors that have built UCF into their tools’ DNA – comply with a given rule one time and attest to the control requirements for more than 900 global regulations, standards and control frameworks. UCF-enabled tools help organizations see where global, state and industry regulations overlap. The result for the organization is a dramatic reduction in the time, effort and cost associated with regulatory compliance requirements.

The controls recommended by the UCF can be an organization’s foundational blueprint for creating and maintaining a successful compliance framework. Such a framework can integrate compliance silos and governance efforts, and reduce the total number of controls. From a senior management perspective, the end result can be simplified compliance management resulting from a comprehensive centralized compliance program that uses a common language across the entire organization. This should help the organization reduce its total cost of compliance.

UCF has become a recognized industry standard regulatory framework for vendors that offer compliance tools. For example, it’s common to find GRC (Governance, Risk and Compliance) tools that use the UCF as their foundation.

Even though IT compliance isn't something an organization can simply buy, UCF helps organizations through solutions from compliance vendors that offer ways to automate the implementation and verification of required practices. For those looking for a way to ease their compliance burden, UCF enables solutions that run the gamut from managed software-as-a-service (SaaS) deployments to in-house software. Using UCF as a universal framework may be the best way to implement a control that will satisfy many regulations at the same time.
