UCF Spreadsheets

Unified Compliance Framework Spreadsheets

Organizations that strive to reduce the cost and complexity of their compliance or audit programs and processes often start with the Unified Compliance Framework spreadsheets, available as a bundle for all areas of IT compliance.

Hundreds of organizations, small and large, have used the spreadsheets to evaluate their existing programs or as a basis to begin a harmonized approach to compliance and audits.

IT Impact Zones

Each impact zone deals with one area of policies, standards, and procedures. Each IT Impact Zone can be viewed online in HTML format. Or, purchase the UCF spreadsheets to quickly and easily determine the minimum set of controls you need to examine to meet your compliance requirements.


Unified Compliance Framework Spreadsheets

Each of the Impact Zones can be viewed independently on our web site. If you purchase the UCF Spreadsheets, you get all Impact Zone spreadsheets, a single spreadsheet with all the controls, and a full year of updates.

Complete UCF Bundle

Includes all Unified Compliance Framework controls, a list of all current Authority Documents and their sources, and a year subscription to UCF updates.

Acquisition of Technology and Services

This impact zone contains the controls for the planning and documentation required when acquiring new hardware and software, including the assurance controls, cost controls, licensing controls, and testing controls necessary for compliance.


Audits and Risk Management

This impact zone contains the controls necessary for establishing your internal audit and risk teams, conducting internal audits, and audit reporting.


Configuration Management

This impact zone includes all the controls required for hardware and software configuration.


Design and Implementation

Whereas the Acquisition impact zone covered what you need to know before you purchase hardware and software, the Design and Implementation impact zone covers all aspects of the design and implementation processes from the full project management standpoint to ensure that compliance is built into the software or systems being designed.


Human Resources Management

Many requirements now call for a full-blown description of the IT organizational structure and additional hiring practices such as security requirements. This impact zone begins with the hiring process and then moves through training, job descriptions, job performance, and the eventual end of cycle for staff members and third parties.


Leadership and High Level Objectives

Beginning with the alignment of IT with the organization's strategies and tactics, this impact zone moves through the definitions of information classification, systems, organizing the compliance framework, and establishing a high-level strategic plan for IT.


Monitoring and Measurement

One of the keys to a successful compliance campaign is tracking your compliance. This means gathering the necessary evidence that you are doing your job. Therefore, this impact zone is concerned with monitoring and logging operations, as well as risk, performance, and compliance monitoring and reporting.


Operational Management

Operational management, as you might have guessed, is huge. It covers everything from roles and responsibilities through help desk operations, managing the IT configurations (systems hardening), capacity management, allocating costs, accountability, and all other day-to-day processes that keep an IT organization on track.


Physical and Environmental Protection

This impact zone covers the IT facilities, the physical security of distributed IT assets, and the environmental controls necessary (such as power and air) for maintaining IT availability.


Privacy Protection for Information and Data

Privacy is one of our most cherished and valued assets. And yet, privacy breaches abound. This impact zone has the most controls (about a quarter of the total controls we have mapped so far!) and the most international controls by far. It covers the establishment of personal information collection boundaries, what you can and can't do with the information, and how you have to provide for the integrity and security of the information.


Records Management

This impact zone covers computerized records as an integral part of each and every system. It also covers the definition and maintenance of your organization's records discovery program.


Systems Continuity

Availability is one of the most critical aspects of information -- if it isn't available, the organization can't depend upon it. Therefore, this impact zone focuses on maintaining the continuity framework, establishing a continuity strategy, documenting continuity plans, alternate site preparations, and maintaining the continuity plan itself.


Technical Security

This impact zone begins with the need for establishing an access classification scheme and moves through policies and procedures, network access point management, operating system access management, information flow enforcement, remote access management, encryption management, and managing intrusion detection/response.


How do I keep up-to-date on new regulations?

You don't have to - we do it for you!

Regulations, standards, guidelines, and other authority documents that we track change over time. And new documents come out that might or might not affect your organization. How do you keep track of them? When you purchase one of our spreadsheets, we'll keep track of them for you. Once every quarter we'll send you a new version of the spreadsheet along with an email detailing which authority documents we've added that month. That's a whole year's worth of updates included for free! Click the Buy Now button to purchase the Excel version and sign up for free updates.

And, as a customer, you'll have direct access to our team to submit requests for adding IT related authority documents to the Unified Compliance Framework that directly affect you and your team.

If you're not sure you're ready to purchase the Excel version but are interested in receiving updates on this Impact Zone, please submit your name and E-mail address and we'll send you updates by E-mail. Then, when you're ready to purchase, just click the Buy Now button and you'll receive free updates for a year and access to the UCF team.

About the Format

The primary goal of the Unified Compliance Framework is to help your organization harmonize its compliance efforts across multiple authority documents (regulations, standards, contractual agreements) so that when you employ one control, that same control can "count" for all of the compliance initiatives you fall under.

To that end, we provide all of our reports in a spreadsheet table format (also called an impact matrix) for each and every IT Impact Zone we track. These matrices cross-reference the authority documents (listed across the top of the screen) with each of the controls that they call out (listed in the left-hand column).

By default, the Excel versions of the IT Impact Matrices are shown with all of the authority document groups collapsed, each showing a boolean value indicating whether the group supports the control (marked by an "X") or not. Any group may be expanded to see each authority document entry by clicking the small plus sign next to the group's name. You can see these plus signs if you click the image of the spreadsheet (which will give you a full-size view of several rows in the U.S. authority documents tab).

Each spreadsheet also acts as your personal table of contents to our in-depth control-by-control research. Every control listed in the spreadsheet has its own permanent Control ID, with an embedded hyperlink to our research pages that you can't get to any other way. For instance, clicking the link for Control ID 00597 brings you to an in-depth research page that explains the control, presents the control statement, shows how many different guidelines call for the same control, and then presents a synopsis of each of the findings listed.


Site and content © Copyright 2003-2009 Network Frontiers, LLC. All rights reserved.