Technical security

This impact zone begins with the need for establishing an access classification scheme and moves through policies and procedures, network access point management, operating system access management, information flow enforcement, remote access management, encryption management, and managing intrusion detection/response.

How would using this matrix save me time and money?

Simplify and centralize your compliance efforts by using this Impact Zone to:

  • Create a single point of control over hundreds of complex regulations, requirements, and guidelines
  • Assert compliance across multiple authority documents simultaneously
  • Clarify conflicts created by multiple overlapping documents
  • Drill down for explanations and sources for each control

What Authority Documents does it cover?

The U.S. Tab covers all of the authority documents within the following categories:

  • Sarbanes Oxley (PCAOB, SAS 94, AICPA, Sec 17, COSO ERM, A123)
  • Banking and Finance (Basel II, Gramm Leach Bliley, GLBA, FFIEC)
  • NASD NYSE (Sec 17)
  • Healthcare and Life Science (HIPAA, NIST, CMS, FDA)
  • Energy (FERC, NERC)
  • Credit Card (PCI DSS, Visa CISP, Amex, MasterCard, BBB)
  • Federal Security (E Sign, UETA, FISMA, FISCAM, FIPS, Clinger Cohen Act, GAO, DOD, CISWIG, OMB, NCUA, CTPAT, more)
  • IRS (Rev Proc 97 22, 98 25, 501c3)
  • Records Management (ISO, DIRKS, Sedona, more)
  • NIST (800 14, 18, 26, 30, 33, 34, 40, 41, 53, 60, 61, 64)
  • General (Cobit 3 & 4, NFPA, ISF, ISSA, CERT, IIA, more)
  • US Federal Privacy (Cable, Telemarketing, SPAM, COPPA, Drivers, Family, Video Privacy, Spector Leahy, more)
  • US State Laws (all states)
  • System Configuration (CI Security for Solaris, HP UX, Red Hat, SuSE, AIX, NIST Novell, Apple OS X, Vista, DISA, more)

The International tab covers all of the authority documents we are tracking from around the world (in English) and is broken up into the following categories:

  • EU (Data protection, SafeHarbor, EC ECNS DPP, OECD, more)
  • UK, Canadian (Turnbull, Smith, Data Protection, Business Continuity, more)
  • Latin American (Argentina and Mexico Personal Data)
  • Other Europe (22 countries)
  • Asia and Pacific Rim (9 countries)
  • ITIL (Infrastructure, Service, Application, Security)
  • ISO (13 controls)

How do I keep up-to-date on new regulations?

You don't have to - we do it for you!

Regulations, standards, guidelines, and other authority documents that we track change over time. And new documents come out that might or might not affect your organization. How do you keep track of them? When you purchase one of our matrix spreadsheets, we'll keep track of them for you. Each month we'll send you a new version of the spreadsheet along with an email detailing which authority documents we've added that month. That's a whole year's worth of updates included for free! Click the Buy Now button to purchase the Excel version and sign up for free updates.

And, as a customer, you'll have direct access to our team to submit requests for adding IT related authority documents to the Unified Compliance Framework that directly affect you and your team.

If you're not sure you're ready to purchase the Excel version but are interested in receiving updates on this Impact Zone, please submit your name and E-mail address and we'll send you updates by E-mail. Then, when you're ready to purchase, just click the Buy Now button and you'll receive free updates for a year and access to the UCF team.

About the Format

The primary goal of the Unified Compliance Framework is to help your organization harmonize its compliance efforts across multiple authority documents (regulations, standards, contractual agreements) so that you can ensure when you are employing one control, that same control can "count" for all of the compliance initiatives you fall under.

To that end, we provide all of our reports in a spreadsheet table format, (also called an impact matrix), for each and every IT Impact Zone we track. These matrices cross-reference the authority documents (listed across the top of the screen) with each of the controls that they call out (listed in the left hand column).

By default the Excel version of each IT Impact Matrix is shown with all of the authority document groups collapsed, displaying a boolean value for each group: an "X" indicates that the group supports the control, and no mark indicates that it does not. Any group may be expanded to see each individual authority document entry by clicking the small plus sign next to the group's name.

Each spreadsheet also acts as your personal table of contents to our in-depth control-by-control research. Every control listed in the spreadsheet has its own permanent Control ID, with an embedded hyperlink to our research pages that you can't get to any other way. For instance, clicking the link for Control ID 00597 brings you to an in-depth research page that explains the control, presents the control statement, shows how many different guidelines call for the same control, and then presents a synopsis of each of the findings listed.

Four tabs of information!

There is so much information in the spreadsheets that we literally ran out of room within Excel and had to split the spreadsheets into four individual tabs!

The Vendors Tab

A developing part of our spreadsheets is that we are tracking vendors that we have validated to meet the criteria listed in the control.

The term validation implies a third-party process in which selection criteria are applied to produce empirical evidence of support. That is exactly what the Unified Compliance Framework team does before entering any product or service into our database.

Our methodology is to ensure, first of all, that we are using documentation that is admissible to auditors, adjudicators, and in this case, end users. We know from experience as expert witnesses in court cases that product manuals from shipping products, barring a public outcry that they are false, are admissible evidence.

The second part of our methodology then entails our staff examining the submitted manuals and other documentation to ensure that what the vendor submitted can be verified in publicly accessible documentation that demonstrates empirical evidence matching the criteria under investigation.

This demonstrates with reasonable assurance that the products in question either do or do not support the claims, and it would hold up under audit or adjudication (as we know well from serving as expert witnesses).

The CMMI Tab

In addition to tracking the laws, regulations, standards, and guidelines, your Excel spreadsheet can act as a simple compliance framework checklist for auditing and analysis purposes. We've listed the audit questions for each of the associated controls on this tab and have built in calculations so that you can track your control compliance accomplishments according to the following levels:

  • Acceptance
    1. Accept risk
    2. Not applicable
    3. Duplicate control
    4. Implementing alternate
    5. Implement as stated
  • Awareness
    1. Recognition of the need for the process is emerging
    2. Management are firmly aware of the need to act
    3. Formal communication from management exists
    4. Management are leveraging communication tools and techniques
    5. Management are proactively communicating
  • Policies and Procedures
    1. The approach to processes and practices is ad hoc
    2. Informal processes exist
    3. Policies and procedures are defined
    4. Policies and procedures are fully disseminated
    5. Policies and procedures are becoming automated
  • Tools and Automation
    1. No planned approach to tool usage
    2. Some users are leveraging tools
    3. A plan has been created for tool usage
    4. Tools are being related and implemented according to plan
    5. Tools are fully integrated and related
  • Skills and Expertise
    1. Required skills are not identified
    2. Minimum skill sets are identified for key areas
    3. All skill requirements are defined and a training plan has been developed
    4. Mature training techniques are being applied
    5. Continuous improvement training is underway
  • Responsibility and Accountability
    1. Ownership is based upon personal pride
    2. Informal responsibility has been assigned
    3. RACI charts have been defined
    4. Process owners have full authority to exercise initiative
    5. Process owners are taking charge and making their own decisions
  • Measurement
    1. No trusted metrics
    2. Metrics are binary
    3. Tolerances of change for metrics are defined
    4. Metrics are now statistically valid
    5. Metrics are being used adaptively

US Tab

This tab covers all of the authority documents within the following categories:

  • Sarbanes Oxley related Guidance
  • Banking and Finance Guidance
  • NASD NYSE Guidance
  • Healthcare and Life Science Guidance
  • Energy Guidance
  • Credit Card Guidance
  • Federal Security Guidance
  • IRS Guidance
  • Records Management Guidance
  • NIST Guidance
  • ISO Guidance
  • ITIL Guidance
  • General Guidance
  • US Federal Privacy Guidance
  • US State Laws Guidance
  • System Configuration Guidance

International Tab

This tab covers all of the authority documents we are tracking from around the world (in English) and is broken up into the following categories:

  • EU Guidance
  • UK, Canadian Guidance
  • Latin American Guidance
  • Other Europe Guidance
  • Asia and Pacific Rim Guidance