Unified Compliance Framework
The Unified Compliance Framework (UCF) is a complex database with multiple elements. These elements reflect over 400 authority documents and are beneficial as stand-alone references, or as intertwining templates that address requirements through the linking of sources to harmonized controls. For example, the information is beneficial as a framework in a Governance, Risk, & Compliance (GRC) program.
The UCF corporate package is distributed with files stored in eleven folders that represent core elements. Below is a description of each element in the directory:
- Research Sites Report
The Research Sites report contains the list of all online compliance sites used to investigate UCF content. The report summarizes information by category, and is sorted by each individual site and document type. This information is a great reference guide for researching compliance issues.
- Authority Documents
The Authority Document List includes every statute, regulation, safe harbor, audit guideline, best practice, and any other documents mapped in the Unified Compliance Framework (UCF), whether redacted or current. This list includes the Authority Document name, the number of citations mapped to UCF controls, and the release date.
In addition, the Authority Documents In-Depth Reports offer comprehensive information tracked by the UCF. Each report provides an overview of the Authority Document, as well as various charts and lists depicting practices.
- Language of Compliance
The Language of Compliance harmonizes compliance terms for hundreds of international standards and regulations, including HIPAA, SOX, CobiT, and documents from other regulatory bodies and agencies. The Language of Compliance resource provides the opportunity to standardize written and spoken compliance language, including acronyms, throughout the university.
Another quick resource for compliance definitions is compliancedictionary.com, a dictionary that is also managed by the UCF.
- Controls Spreadsheets
The Controls Spreadsheets identify each control listed in the Authority Documents. The “UCF Controls.xls” spreadsheet includes every control in hierarchical order. The other spreadsheets are subsections of controls, divided into the top thirteen levels of the UCF hierarchy.
- Metrics Management Standards
Metrics Management Standards define each of the metrics specified by the Authority Documents mapped to the Unified Compliance Framework. The metrics reports include the applicable controls as well as an explanation of the metric formula, the calculation used to define the metric, how the metric should be displayed, and where to find the data or information that feeds the metric calculation.
- Roles Descriptions
Roles Descriptions identify each functional role described within the Authority Documents mapped into the Unified Compliance Framework. The UCF favors the functional roles employees play over job titles because functions can be standardized, and roles make responsibilities more clearly understood.
- Monitored Events
The Monitored Events documents link each Monitored Event to the Controls that call for the event to take place, react to the event taking place, or both.
- Compliance Documents
Compliance Documents are all-encompassing files such as policies, standards, procedures, and checklists required across industries, regulations, and regions.
- Information Classification
Information Classification includes three documents that aid in the development and assessment of an Information Classification regime. The Record Category worksheets describe each record example, its associated Controls, the data elements that are subject to breach notification laws, labeling instructions, the retention schedule, and more. Task and Record Classifications describe the confidentiality, integrity, and availability ratings for each task and record example within the record category. The Business Function Standard includes all business functions and their descriptions.
- Configuration Management
Configuration Management provides individual checklists for targeted assets; each checklist includes three parts: the Key Asset information, the Configurable Items for the Asset, and the Controls associated with the asset.
- Audit Guidelines
Audit Guidelines cover each of the published Compliance Documents, as well as a master Audit Guideline that covers all known controls. Each audit question is linked directly to an individual Control, which promotes flexibility while maintaining direct links to the individual auditable items referenced.