The first step in your analysis is to determine whether you have defined your framework correctly. We'll walk through each of the phases, beginning with scoping and ending with the selection of controls (and the documentation of those decisions).
Gathering the documents
Has the organization collected a full list of all regulations, standards, guidelines, MOUs, SLAs, letters of agreement, and contracts that could influence the compliance framework control list?
If you are not sure whether you have all of the relevant documents, you'll need to gather them together in one place. That also means you'll need to find them first, which means talking to the people in your organization who know where they are. Be sure to gather documents from every country where you do business, have customers, or outsource your data processing and customer service activities; each jurisdiction may impose obligations the others do not.
Contact your legal representative, HR representative, disaster recovery representative, your CIO, compliance staff (if you have them), and, most importantly, the business group owners who will know where those elusive MOUs, SLAs, contracts, and letters of agreement are.
Creating your control list matrix
Has the organization listed all of these controls in a hierarchical manner and cross-referenced them for clarity of understanding? A good example of this is the spreadsheet that follows, which is taken from the IT impact zone tables available from the Unified Compliance Framework [1].

Sample list of controls
Each of the regulatory groups can be expanded to show each guideline document with the relevant paragraph or section citation.

Individual citation expanded from overall list
If you want to know more about any of the controls, each of the Control IDs is an active link to the Unified Compliance Framework's website, where that control is spelled out in detail along with any pertinent commentary from our field editors.

Sample control commentary found at the UCF website
You can use any of the starter sets of controls available through the Unified Compliance Framework's website as a way to document the publicly available authority documents that we track. However, we can't list the MOUs, SLAs, contracts, and other agreements that are specific to your organization. You'll therefore want to add all of your internal authority documents to the spreadsheet as well, mapping each of them onto the starter matrix that we've provided so that every control can be traced back to the document that requires it.
Once you've listed all of your internal documents alongside the publicly available ones, you are ready to begin scoping which controls are right for your organization.
Have you gone through the list of controls to determine if processes, policies, standards, and procedures are in place that match the controls being called for?
The next step is to gather all of your IT documentation and determine what you have already accomplished, and documented, so that you can say "yes, this assurance activity we are currently performing meets the criteria of the control listed in the control matrix." If the first step ensured that your internal authority documents align with the control matrix, this second step ensures that your internal control documents (the policies, standards, and procedures themselves) align with what the controls are asking for. Be careful to count only activities you can evidence; an undocumented practice will not satisfy an auditor.
Are there whole impact zones that you can ignore? The Unified Compliance Framework is broken down into twelve impact zones, listed below. If your authority documents don't call for controls in a given impact zone, you can ignore that impact zone. In addition, even if the authority documents call for controls in a specific impact zone, such as Design and implementation, and you aren't creating your own software or hardware, then you can ignore that impact zone as it doesn't apply to you. Otherwise, you'll want to ensure that you are covering each of the impact zones that you are called upon to support.
Leadership and high level objectives
Audit and risk management
Monitoring, measurement, and reporting
Technical security
Physical security
Systems continuity
Human resources management
Operational management
Records management
Design and implementation
Acquisition of technology and services
Privacy protection for information and data
You can obtain matrices for each of the impact zones (or an über matrix of all of them) from both websites we've already mentioned.
Has the organizational leadership formalized its scoping authority document, so that you can defend your position on why you accept certain controls and exclude others? If not, go back and reference "A guideline for scoping controls." If you don't have an internal scoping document, you can use the one that we've provided as a sample in the book, called "Authority Guidance criteria."
Has the organization stepped through the process of accepting (or not) each control in the master control list? There are five choices for each control:
1. Accept the risk and ignore the control
2. Decide the control is not applicable
3. Decide the listed control is a duplicate of a pre-existing control
4. Decide to implement an alternate control
5. Implement the control as stated
Each decision should be documented alongside your complete control list, including who made it and on what basis, so that a risk you chose to accept or a control you deemed not applicable can be defended later. The documentation can be as simple as filling out the CMMI checklist in the control matrices, as shown below.

Documenting the control framework
[1] http://www.unifiedcompliance.com
