<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
		>
<channel>
	<title>Comments on: Who put the G in GRC?</title>
	<atom:link href="http://itknowledgeexchange.techtarget.com/regulatory-compliance/who-put-the-g-in-grc/feed/" rel="self" type="application/rss+xml" />
	<link>http://itknowledgeexchange.techtarget.com/regulatory-compliance/who-put-the-g-in-grc/</link>
	<description>A SearchFinancialSecurity.com blog</description>
	<lastBuildDate>Sun, 05 May 2013 04:04:29 +0000</lastBuildDate>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	
	<item>
		<title>By: David Schneier</title>
		<link>http://itknowledgeexchange.techtarget.com/regulatory-compliance/who-put-the-g-in-grc/#comment-10</link>
		<dc:creator>David Schneier</dc:creator>
		<pubDate>Thu, 23 Jul 2009 16:27:05 +0000</pubDate>
		<guid isPermaLink="false">http://itknowledgeexchange.techtarget.com/regulatory-compliance/?p=105#comment-10</guid>
		<description><![CDATA[Regarding expectation for a mapping project, it depends on the goals of the organization.

I&#039;m working on just such a project right now and have created a matrix demonstrating the many commonalities between the  regulatory/industry compliance frameworks that the company operates under.  What I committed to and am in the midst of delivering is a series of recommendations, control by control, where the client is able to consolidate multiple initiatives to reduce effort and cost.  I&#039;ve worked with clients in the past who wanted to build out change management programs, software development methodologies and network infrastructures that factored in all required activities.

The mapping by itself has little value and can almost be developed with minimal effort (Unified Compliance Framework and Symantec have products that already provide this information).  Where the real effort comes into play is how to apply that information to pursue productivity gains and cost reductions while keeping the regulators, examiners and auditors happy.

Best regards,
David Schneier]]></description>
		<content:encoded><![CDATA[<p>Regarding expectation for a mapping project, it depends on the goals of the organization.</p>
<p>I&#8217;m working on just such a project right now and have created a matrix demonstrating the many commonalities between the  regulatory/industry compliance frameworks that the company operates under.  What I committed to and am in the midst of delivering is a series of recommendations, control by control, where the client is able to consolidate multiple initiatives to reduce effort and cost.  I&#8217;ve worked with clients in the past who wanted to build out change management programs, software development methodologies and network infrastructures that factored in all required activities.</p>
<p>The mapping by itself has little value and can almost be developed with minimal effort (Unified Compliance Framework and Symantec have products that already provide this information).  Where the real effort comes into play is how to apply that information to pursue productivity gains and cost reductions while keeping the regulators, examiners and auditors happy.</p>
<p>Best regards,<br />
David Schneier</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Cpowers99</title>
		<link>http://itknowledgeexchange.techtarget.com/regulatory-compliance/who-put-the-g-in-grc/#comment-9</link>
		<dc:creator>Cpowers99</dc:creator>
		<pubDate>Thu, 23 Jul 2009 15:47:56 +0000</pubDate>
		<guid isPermaLink="false">http://itknowledgeexchange.techtarget.com/regulatory-compliance/?p=105#comment-9</guid>
		<description><![CDATA[What is the by-product you&#039;d expect from a firm that promises to come in to your organization to conduct a compliance mapping of all your regulatory controls?]]></description>
		<content:encoded><![CDATA[<p>What is the by-product you&#8217;d expect from a firm that promises to come in to your organization to conduct a compliance mapping of all your regulatory controls?</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Pstapleton</title>
		<link>http://itknowledgeexchange.techtarget.com/regulatory-compliance/who-put-the-g-in-grc/#comment-5</link>
		<dc:creator>Pstapleton</dc:creator>
		<pubDate>Fri, 15 May 2009 17:50:24 +0000</pubDate>
		<guid isPermaLink="false">http://itknowledgeexchange.techtarget.com/regulatory-compliance/?p=105#comment-5</guid>
		<description><![CDATA[Hi David,

Great post, and I just wanted to echo your opinion of the UCF. When we found it about a year ago, it did feel like we had located the Holy Grail, and we have worked closely with Network Frontiers over the last year to support the UCF within our product, CA GRC Manager. In my opinion the best part of the experience has been how the UCF has continued to expand, both in terms of the number and type of regulations tracked as well as the depth of the information provided.

Not to recklessly combine ancient artifacts, but while it may be the governance Holy Grail it is also the compliance Rosetta Stone – in that it allows you to translate HIPAA to PCI to SOX. That by itself is pretty special, but even better is the ability to rationalize and reduce your efforts once that translation is made.

For example, we have one customer that provides infrastructure and services to several agencies and other organizations.  The customer is not subject to any specific mandate themselves as a company, but they have adopted an ISO 27002 framework as a best practice for IT security.  Each of their customers that they provide services to has their own compliance mandates that they are subject to, e.g. FISMA for federal organizations, privacy regulations for other groups, etc.  

What our customer wants to do, when they have a new customer with a compliance mandate, e.g. FISMA, is see what controls they already have in place to satisfy that regulation. Since they know what controls they have in place for ISO 27002, and 27002 is mapped to the UCF, they can easily see which of their existing controls map to any new regulation that they onboard, whether it’s FISMA, SOX or any other reg in the UCF. This has been a huge benefit to them as a service provider, just as it would be to the internal compliance group at an organization who suddenly had a new regulation come into scope.

I enjoy the blog – thanks!

Peter Stapleton
CA, Inc.
[A href=&quot;http://blog.ca-grc.com&quot;]http://blog.ca-grc.com[/A]]]></description>
		<content:encoded><![CDATA[<p>Hi David,</p>
<p>Great post, and I just wanted to echo your opinion of the UCF. When we found it about a year ago, it did feel like we had located the Holy Grail, and we have worked closely with Network Frontiers over the last year to support the UCF within our product, CA GRC Manager. In my opinion the best part of the experience has been how the UCF has continued to expand, both in terms of the number and type of regulations tracked as well as the depth of the information provided.</p>
<p>Not to recklessly combine ancient artifacts, but while it may be the governance Holy Grail it is also the compliance Rosetta Stone – in that it allows you to translate HIPAA to PCI to SOX. That by itself is pretty special, but even better is the ability to rationalize and reduce your efforts once that translation is made.</p>
<p>For example, we have one customer that provides infrastructure and services to several agencies and other organizations.  The customer is not subject to any specific mandate themselves as a company, but they have adopted an ISO 27002 framework as a best practice for IT security.  Each of their customers that they provide services to has their own compliance mandates that they are subject to, e.g. FISMA for federal organizations, privacy regulations for other groups, etc.  </p>
<p>What our customer wants to do, when they have a new customer with a compliance mandate, e.g. FISMA, is see what controls they already have in place to satisfy that regulation. Since they know what controls they have in place for ISO 27002, and 27002 is mapped to the UCF, they can easily see which of their existing controls map to any new regulation that they onboard, whether it’s FISMA, SOX or any other reg in the UCF. This has been a huge benefit to them as a service provider, just as it would be to the internal compliance group at an organization who suddenly had a new regulation come into scope.</p>
<p>I enjoy the blog – thanks!</p>
<p>Peter Stapleton<br />
CA, Inc.<br />
[A href="http://blog.ca-grc.com"]http://blog.ca-grc.com[/A]</p>
]]></content:encoded>
	</item>
</channel>
</rss>
