Regulatory Reality

May 14 2009   6:38PM GMT

Who put the G in GRC?

David Schneier

I’m something of an advocate for Governance, Risk and Compliance (GRC) and have been for several years.  I’ve been known to rant a bit about how it’s not properly organized as an acronym, because everyone who knows knows that risk comes first and so it should’ve been RGC.  But as a discipline and as an approach to designing and implementing controls I’m all for governance being used as the driver to assess, measure and manage risk.  And of course if you’re properly managing risk you’re also naturally falling into alignment with all things compliance.

For the most part whenever I see references to GRC in the marketplace it almost always is associated with a software product and not a discipline or a methodology.  And in those rare instances where it is in reference to something being practiced it’s often depicted as an advanced formulaic concept that requires a PhD to understand, let alone practice.  But I’m certain that’s going to change.  With all of the layers of regulatory requirements already placed upon Corporate America and with the very real threat of even more looming large on the horizon I know that eventually companies and institutions are going to be forced to abandon their all-too-common one-off, silo-centric approaches to compliance and commit to a single, well thought out governance program.  My best guess is that once the economy begins the slow, steady climb out of its current abyss we’ll start seeing signs of progress on this front.

And so I’m always monitoring the GRC landscape looking for subtle shifts and changes that may indicate a new advance or important discovery.

Two weeks ago one of those subtle shifts landed dead center on my GRC tracking radar, only it wasn’t so subtle.

While working for a client who is suddenly confronted with the demands of a brand new set of regulations I committed to building out a cross-reference matrix by which they can identify commonalities between their different frameworks and look for economies of scale in the work required to comply.  But I’m sometimes lazy and decided that somebody somewhere must have already done something like this; I’m smart but I’m not often the first one to think of something.  And so a-Googlin’ I went.  Imagine my surprise when I not only found what I was looking for but also found that there was a company that created a product that incorporates pretty much every regulation currently known to civilized man and developed a master cross-reference to illustrate all of their interdependencies.

The product is called the “Unified Compliance Framework” and for those people who understand governance and are committed to advancing it from theory to practice this is something akin to the Holy Grail.  Simply put, UCF monitors the regulatory and industry landscape, identifies emerging requirements/frameworks as well as modifications to those that already exist, and conducts an analysis to identify how each relates to the other frameworks.  This allows any organization to take their existing control framework and use UCF to map those controls across the entire compliance spectrum, identifying where one control satisfies multiple frameworks.

Think about that for just a minute.  If for example you’ve designed a control for password rules as part of your SOX framework you can use UCF to quickly identify which of the other frameworks that control addresses (several, by the way).  If your company conducts business in states that have or are about to have their own data privacy laws with which you have to comply (Massachusetts is the most recent) it’s very likely that not only don’t you have to re-invent the wheel but already have one to use.  UCF makes it easy to identify points of intersection thus making the impossible possible.  Or rather, it allows you to kill two (or more) birds with one stone (so-to-speak).

I’ve been railing for years against the common approach most companies use in which they design one-off solutions to align with the myriad frameworks they operate under.  But it’s been a difficult argument to establish and until finding UCF I’ve had to struggle to make my case.  But not any longer.

To validate my take on UCF I showed it to a colleague who is in senior management at a Fortune 500 company and who is himself responsible for IT Governance.  He immediately saw its potential and wanted to know who else was using it and how so.  I fear I’ve opened up a can of worms though, because when I mentioned that I was researching early adopters of UCF he asked if he could join in on the interviews so that he can pick their brains and leverage off of their success.  I was looking for validation and instead inherited a partner.  But I feel as though I’m helping create a mini-wave of excitement in the governance space and I’m OK with that.

I’ll have more to share with you over the next few months as I continue to dig into how UCF is being used in support of GRC initiatives.  But in the meantime I encourage you to check them out for yourself.  If you’re someone who has a governance role, hopes to have a governance role or simply wants a glimpse into the future of GRC it’s well worth your time.

3  Comments on this Post

  • Pstapleton
    Hi David, Great post, and I just wanted to echo your opinion of the UCF. When we found it about a year ago, it did feel like we had located the Holy Grail, and we have worked closely with Network Frontiers over the last year to support the UCF within our product, CA GRC Manager. In my opinion the best part of the experience has been how the UCF has continued to expand, both in terms of the number and type of regulations tracked as well as the depth of the information provided. Not to recklessly combine ancient artifacts, but while it may be the governance Holy Grail it is also the compliance Rosetta Stone – in that it allows you to translate HIPAA to PCI to SOX. That by itself is pretty special, but even better is the ability to rationalize and reduce your efforts once that translation is made. For example, we have one customer that provides infrastructure and services to several agencies and other organizations. The customer is not subject to any specific mandate themselves as a company, but they have adopted an ISO 27002 framework as a best practice for IT security. Each of their customers that they provide services to has their own compliance mandates that they are subject to, e.g. FISMA for federal organizations, privacy regulations for other groups, etc. What our customer wants to do is, when they have a new customer with a compliance mandate, e.g. FISMA, see what controls they already have in place to satisfy that regulation. Since they know what controls they have in place for ISO 27002, and 27002 is mapped to the UCF, they can easily see which of their existing controls map to any new regulation that they onboard, whether it’s FISMA, SOX or any other reg in the UCF. This has been a huge benefit to them as a service provider, just as it would be to the internal compliance group at an organization who suddenly had a new regulation come into scope. I enjoy the blog – thanks! Peter Stapleton CA, Inc.
  • Cpowers99
    What is the by product you'd expect from a firm that promises to come in to your organization to conduct a compliance mapping of all your regulatory controls?
  • Makking
    Regarding expectation for a mapping project, it depends on the goals of the organization. I'm working on just such a project right now and have created a matrix demonstrating the many commonalities between the regulatory/industry compliance frameworks that the company operates under. What I committed to and am in the midst of delivering is a series of recommendations, control by control, where the client is able to consolidate multiple initiatives to reduce effort and cost. I've worked with clients in the past who wanted to build out change management programs, software development methodologies and network infrastructures that factored in all required activities. The mapping by itself has little value and can almost be developed with minimal effort (Unified Compliance Framework and Symantec have products that already provide this information). Where the real effort comes into play is how to apply that information to pursue productivity gains and cost reductions while keeping the regulators, examiners and auditors happy. Best regards, David Schneier