Nobody thinks about compliance frameworks in terms of modularity – except the Unified Compliance team.
This is an “artist view” of the Unified Compliance Framework. It is built out as a suite of compliance elements, each of which perform a specific function to aid you in organizing your compliance content, interpreting your compliance content, or auditing your compliance content. Because the UCF is element-based, it can be rearranged or extended as needed.Hover and click the elements to learn more:
Statutes, regulations, directives, principles, standards, guidelines, best practices, policies, and procedures.
The specific steps or actions within a compliance mandate that must be met to fulfill a compliance requirement. Common Controls harmonize wording across Authority Documents so you can compare Authority Documents or track your compliance status.
A service or thing owned by an organization or person that falls under the purview of an Authority Document's controls either because of its value or its configuration properties.
A part of an asset specifically called out during the audit process.
An object that can be used to modify software functionality.
A modifiable element within a Configurable Item that can affect performance and system function.
A compliance document comprised of controls within an organization, such as a checklist, framework, plan, policy, standard, procedure, template.
The organization that creates an Asset.
Compliance Dictionary gives the people writing compliance guidelines and those tasked with understanding and implementing them, a way to efficiently check their language choices and standardize terminology.
A word or phrase that represents the function an individual, process, organization, etc. is supposed to achieve.
The activities and actions an organization must track to comply with various controls.
A unique activity within a given process or state that causes an event or situation to happen.
A systematic, independent and documented process for obtaining audit evidence and evaluating it objectively to determine the extent to which the audit criteria are fulfilled.
A named organized body of people with a particular purpose, especially a business, society, association, etc. For generic, unnamed, organizations see Group designator.
A division within an organization or a formation of individuals outside an organization. A generic, unnamed organization.
The high level administrative departments of an organization.
An individual process or task and organization performs.
A class, grouping, or set of records.
An individual record within a Record Category.
A field within a record.
A framework is an extensible structure for describing a set of concepts, methods, and technologies as an integrated set of policies and procedures designed to assist organizations to achieve their goals and objectives. Frameworks have become a necessary means to distill and harmonize the various controls forced upon us because of the increasing number of regulatory guidelines burdening today’s organizations. It is not uncommon for a single mid-sized organization to fall under Gramm-Leach-Bliley, HIPAA, PCI-DSS, and multiple state and international privacy regulations. We covered the three steps you need to comply above. What a framework allows you to do to is to add one more step; de-duplication of effort. Any organization that falls under multiple regulatory guidelines will fall prey to overlapping Mandates (how many ways can you say “protect the information”?). Your compliance framework should not only cover how to organize your Authority Documents and interpret their Mandates, it should also provide a methodology for de-duplication of those Mandates as well as provide a methodology to add or clarify audit questions when they are unclear or missing. Therefore, a compliance framework is the structure you build around your compliance program so that you