search:
               

• Acquisition of technology and services
• Audits and Risk Management
• Design and implementation
• Human Resources Management
• Leadership and High Level Objectives
• Monitoring and Measurement
• Operational Management
• Physical and environmental protection
• Privacy protection for information and data
• Records Management
• Systems Continuity
• Technical security
• FAQs
• FAQ - What happens after the first year?
• FAQ: Will we get updates for the matrices?
• FAQ: Can we upgrade from the "Single User" to the "Corporate" Edition?
• FAQ: What is the difference between "Single User" and "Corporate" Editions?
• Single User Edition License Agreement
• Corporate Edition License Agreement

The Unified Compliance Framework helps you divide and conquer your compliance challenges by organizing real-world IT processes into 12 IT Impact Zones. Each impact zone deals with one area of policies, standards, and procedures: technology acquisition, physical security, continuity, records management, etc. Each IT Impact Zone can be used online in HTML format, or purchased and downloaded in Excel format.

Simplify and centralize your compliance efforts by using these 12 IT Impact Zones to:

• Create a single point of control over hundreds of complex regulations, requirements, and guidelines
  
  
• Assert compliance across multiple authority documents simultaneously
  
  
• Clarify conflicts created by multiple overlapping documents
  
  
• Drill down for explanations and sources for each control

Get Started

• Watch an introduction to compliance and the UCF
  
  
• Review the Using the UCF Spreadsheets within Your Compliance Framework quick start guide.
  
  
• View a sample matrix to see how the UCF data is organized.
  
  
• See the complete list of currently tracked regulations, guidelines, and requirements.
  
  
• Review the 12 Impact Zones below.

12 Impact Zones

Acquisition of technology and services

This impact zone contains the controls necessary for the planning and documentation necessary when acquiring new hardware and software, including the assurance controls, cost controls, licensing controls, and testing controls necessary for compliance.

Audits and risk management

These are the necessary requirements for establishing your internal audit and risk teams, conducting internal audits, and audit reporting.

Design and implementation

Whereas the acquisition impact zone covered what you need to know before you purchase hardware and software, the design and implementation impact zone covers all aspects of the design and implementation processes from the full project management standpoint to ensure that compliance is built in to the software or systems being designed.

Human Resources Management

Many requirements now call for a full blown description of the IT organizational structure, and additional hiring practices such as security requirements. This impact zone begins with the hiring process and then moves through training, job descriptions, job performance, and the eventual end of cycle for staff members and third parties.

Leadership and high level objectives

Beginning with the alignment of IT with the organization's strategies and tactics, this impact zone moves through the definitions of information classification, systems, organizing the compliance framework, and establishing a high level strategic plan for IT.

Monitoring and measurement

One of the keys to a successful compliance campaign is tracking your compliance. This means gathering the necessary evidence that you are doing your job. Therefore, this impact zone is concerned with monitoring and logging operations; risk, performance, and compliance monitoring and reporting.

Operational management

Operational management, as you might have guessed, is huge. It covers everything from roles and responsibilities though help desk operations, managing the IT configurations (systems hardening), capacity management, allocating costs, accountability, and all other day-to-day processes that keep an IT organization on track.

Physical and environmental protection

This impact zone covers the IT facilities, the physical security of distributed IT assets, and the environmental controls necessary (such as power and air) for maintaining IT availability.

Privacy protection for information and data

Privacy is one of our most cherished and valued assets. And yet, privacy breaches abound. This impact zone has the most controls (about a quarter of the total controls we have mapped so far!), and the most international controls by far. It covers the establishment of personal information collection boundaries, what you can and can't do with the information, and how you have to provide for the integrity and security of the information.

Records management

This impact zone covers computerized records as an integral part of each and every system. It also covers the definition and maintenance of your organization's records discovery program.

Systems continuity

Availability is one of the most critical aspects of information -- if it isn't available, the organization can't depend upon it. Therefore, this impact zone focuses on maintaining the continuity framework, establishing a continuity strategy, documenting continuity plans, alternate site preparations, and maintaining the continuity plan itself.

Technical Security

This impact zone begins with the need for establishing an access classification scheme, and moves through policies and procedures, network access point management, operating system access management, information flow enforcement, remote access management, encryption management, and managing intrusion detection/response.