A Case for the UCF

The Unified Compliance Framework seeks to achieve 7 objectives that are in line with what any vendor that cares about compliance also wants to achieve.

  1. Establish a clearing house for tracking all significant IT authority documents worldwide.
    Tie your product to standards and regulations

  2. Harmonize the language between all of the IT authority documents.
    Speak the same language as your customers

  3. Harmonize the controls between all of the IT authority documents.
    Demonstrate how your product satisfies multiple regulations and standards

  4. Harmonize process methodologies between all of the IT authority documents.
    Show how your product satisfies a diverse target audience

  5. Harmonize presentation methodologies between all of the IT authority documents.
    Maintain a clear and consistent position for addressing standards and regulations

  6. Present this information to organizations for their use in achieving IT compliance.
    Show how your products solve your clients' compliance requirements

  7. Present this information to vendors for their use in creating and maintaining IT compliance products.
    Integrate standards and regulatory controls into your products immediately


Establish a clearing house for tracking all significant IT authority documents worldwide

Prior to the UCF, there was no single location acting as a clearinghouse for tracking IT compliance authority documents. At this writing, the UCF is tracking over 250 authority documents worldwide; they are listed on our Authority Documents page.

Because of the reach of our audience, we are normally able to "put on our radar screen" new IT compliance-related authority documents within 1 month of their publication.

Through active partnerships with ISACA, ISSA, ISSF, CERT, the Center for Internet Security, the BSI, BCI, IETC, and the ISO, we are being made aware of, or are actively participating in, the development of new IT compliance-related authority documents.

The authority documents have been segmented into their appropriate categories, such as Sarbanes-Oxley related documents, Payment Card documents, State Laws, etc.

We also actively maintain hyperlinks to each of these documents.

What's in it for you?

We will maintain a listing of all authority documents brought to our attention and include them in the mapping of harmonized controls. We'll assign each authority document to a category ID that you can reference in your applications or documentation, and we'll also give each authority document its own ID, so that when the document is updated we can notify you and provide the updated information.

Vendor participants also have the opportunity to suggest that new IT compliance-related authority documents be put on "the hot list" of new documents to track and add to the UCF's list. Once a document has been nominated, it will be reviewed and slotted for addition as appropriate.

Vendor participants may elect to receive a monthly download of the list of authority documents we are tracking, along with their URLs, in XML format.

Contact Dorian Cougias by E-mail for more information.

Harmonize the language between all of the IT authority documents

If the United States and the United Kingdom are two countries separated by the same language, imagine what is happening within the world of IT compliance when hundreds of authorities in scores of countries are writing their own control lists.

To that end, the UCF has created, and actively maintains, a fully harmonized glossary of IT compliance-related terms.

This book is published to end users as The Language of Compliance in eBook, print book, and Word format.

What's in it for you?

Vendors who participate in the program may receive a monthly XML download of the contents of the glossary. The glossary fields are:

  1. Title
  2. Acronym
  3. Definition
  4. Authority source documents (where the terms were officially defined within a published glossary).


Harmonize the controls between all of the IT authority documents

Before the UCF there was a smattering of organizations and documents that sought to cross reference (not really harmonize) their IT control lists with other documents' control lists. The problem was that each document or author cross referenced those lists from their own point of view.

The UCF started from scratch and has built its list organically and hierarchically, as the regulators intended. To date, we have harmonized over 175,000 controls into a list of 1,500 unique controls.

The harmonization process is quite in-depth (if printed in book form, this would be at least 2,000 pages' worth!) and is proprietary to the UCF. It is done, as much as possible, with the direct input of the original authors of the control documents. For organizations such as the ISSF, NetFocus, and the Center for Internet Security, our harmonized control lists are being developed in conjunction with those organizations to ensure that our lists and their lists not only mesh from the beginning, but stay meshed throughout their lifecycle.

What we can create out of this harmonization process is a set of tables, or XML outputs, that are unique in the industry. A great example of one of the HTML tables that is generated automatically from an XSL translation file is the PCI audit matrix published on our site.

We also have in-depth commentaries in the database for each of the controls listed in the table (1600 of them)! The commentary pages on our site show the depth we cover for each control.

If you would like a sample of one of the Excel files that we can create using the XSL translation method, E-mail Dorian and ask him for a copy.

What's in it for you?

Vendors who participate in the program may receive a monthly XML download of the contents of the control list. The control fields are:

  1. Persistent ID - this ID never changes. Controls that are later retired retain their IDs and are annotated as being retired or being merged into other control IDs.
  2. Per control, we have a list of all Parent IDs and direct Children IDs.
  3. Short (255 characters or less) harmonized control title.
  4. Short (255 characters or less) audit question where applicable. To date, a panel of CISAs and CIAs has approved roughly half of the controls in our list.
  5. Short (255 characters or less) control statements where applicable. These match the approved audit questions.
  6. A cross reference of all pertinent authority document citations - which are at the individual subsection, paragraph, or page level, whichever is most appropriate for that authority document type.
  7. Where applicable, our editors have added authority document segment commentaries, listing more in-depth information from, as an example, all NIST guidance, or Records management guidance, etc. Not all controls have in-depth commentary added as some of the controls are blatantly obvious. Some controls, because of the nature of discussion involved with the harmonization process, might have pages of individual commentary.
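The control fields above (persistent IDs, parent/child links, retired controls merged into successors, and per-document citations) lend themselves to a simple mapping exercise: given the harmonized controls a product implements, list the authority document citations it satisfies. The following is an added example, not UCF code; the XML layout, control IDs and citations are constructed for illustration, since the page does not show the actual UCF export schema.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample in an assumed layout; the real UCF XML schema is not shown on the page.
SAMPLE_XML = """<controls>
  <control id="1001" title="Establish an information security program">
    <citation document="PCI DSS" ref="12.1"/>
    <citation document="ISO 17799" ref="6.1.1"/>
  </control>
  <control id="1002" parent="1001" title="Review the security policy annually">
    <citation document="PCI DSS" ref="12.1.3"/>
  </control>
  <control id="1003" title="Encrypt cardholder data in transit"
           status="retired" merged_into="1004"/>
  <control id="1004" title="Encrypt sensitive data over public networks">
    <citation document="PCI DSS" ref="4.1"/>
  </control>
</controls>"""


def load_controls(xml_text):
    """Parse the control list into {persistent_id: {title, parent, merged_into, citations}}."""
    controls = {}
    for el in ET.fromstring(xml_text).findall("control"):
        controls[el.get("id")] = {
            "title": el.get("title"),
            "parent": el.get("parent"),
            "merged_into": el.get("merged_into"),
            "citations": [(c.get("document"), c.get("ref")) for c in el.findall("citation")],
        }
    return controls


def resolve(controls, cid):
    """Follow merged_into links so a retired persistent ID still maps to a live control."""
    seen = set()
    while controls[cid]["merged_into"]:
        if cid in seen:
            raise ValueError(f"merge cycle at control {cid}")
        seen.add(cid)
        cid = controls[cid]["merged_into"]
    return cid


def coverage(controls, implemented_ids):
    """Citations satisfied by the implemented controls, keyed by authority document.
    Implementing a parent does not imply its children; each control must be listed."""
    satisfied = defaultdict(set)
    for cid in implemented_ids:
        for document, ref in controls[resolve(controls, cid)]["citations"]:
            satisfied[document].add(ref)
    return {doc: sorted(refs) for doc, refs in satisfied.items()}
```

Because IDs are persistent, a product that still references the retired control 1003 is credited with its successor's citations rather than silently losing coverage.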


Harmonize process methodologies between all of the IT authority documents

It has become obvious that even the most basic processes of developing a control list standard, a policy, or even a procedure have become muddled. There are some authors on the market who purport to have whole books' worth of "policies" only to produce a short policy statement. Others have books on the market about what material constitutes a standard or procedure that are completely inaccurate.

The UCF team spent a little over two years working with various groups around the world to harmonize the look and feel of an IT control standard, the proper contents of policies, standards, and procedures, and, more importantly, the approval and change management process documentation that must be in place to support their lifecycle and obtain auditor approval.

Volume two of the UCF book series is Say What You Do: Building a framework of IT controls, policies, standards, and procedures. This book has over 350 pages of documentation on how to do exactly this.

The UCF is also constantly developing and maintaining templates for policies, standards, procedures, configuration management information, etc. There are over 25 system documentation templates alone, as well as a classification standard with 19 categories and 100 information types.

What's in it for you?

Vendors who participate in the program may receive a monthly XML download of the contents of the policies, standards, and procedures, as well as a monthly download of all templates in Word and HTML format.

Harmonize presentation methodologies between all of the IT authority documents

Inexplicably, prior to the UCF there was never a standard presentation or authority methodology for displaying an organization's IT control list and CMMI reference model.

It took almost 3 years to produce the in-depth, multiple tab Excel file that has become the signature hallmark of the UCF control list and CMMI presentation methodology.

It took almost a year to produce the templates used by the UCF for presenting policies, standards, and procedures.

And it took a heck of a lot of smart XML engineers to be able to export this information from our databases into Excel and HTML format.

What's in it for you?

Vendor participants in the program may receive the XSL translation files for creating their own export of the UCF signature Excel or HTML table, as well as a monthly download, in Word and HTML format, of all templates being developed and maintained.

Present this information to organizations for their use in achieving IT compliance

Many of our key authors (Dorian J. Cougias, Marcelo Halpern, Karsten Koop, E. L. Heiberger) are prolific speakers.

On average, our team members are each asked to speak at roughly 10 - 15 events per year, and each writes 5 - 10 articles per year.

On average, the UCF (in conjunction with Schaser-Vartan Books), publishes 2 - 3 books per year.

What's in it for you?

Vendor participants in the program will be alerted to all speeches and articles, and if applicable, the writing team will either incorporate, or mention, their products in those speeches or write about them in those articles.

If appropriate, vendors will have placement in the UCF library of books.

Vendor participants are also allowed to reproduce select chapters of any of the books within the UCF library.

Vendor participants in the program may elect to have either Dorian, Marcelo, or Lynn Heiberger present up to 5 (total) Webinars or half-day in-person seminars for them regarding unified compliance as it applies to the vendors' products and services. For any seminar or recorded webinar that involves travel or other out-of-pocket expenses, those expenses must be borne by the vendor. The vendors may then reproduce and redistribute the contents or recordings of the webinars and seminars.

Vendor participants in the program may also purchase Schaser-Vartan print books at 50% off list price (which is a better deal than Amazon gets).


Present this information to vendors for their use in creating and maintaining IT compliance products

In short, all of the material being created by the UCF team is being made available to the vendors in the program. There isn't anything that we are holding back - not even our key players' time.

The price is also simple.

Licensing costs $100,000 per year, with a two-year minimum, for a single product, and $150,000 per year, with a two-year minimum, for an unlimited number of products. During the two years, you may have updates once per month and "emergency updates" as necessary (unless it becomes obvious that you are having way too many emergencies). After the two years, if you do not renew your license, you may continue to use the last update you received forever.

You may elect to have only the control tables delivered to you monthly. If all you want is the control tables, and you don't want the glossary, authority documents list, sample policies and templates, XSL output files, or speakers' time, the licensing fee is $80,000 per year for a two-year minimum. If you choose this reduced plan, no, we won't give you the extra material just because we like you. Don't even ask - it's been tried, and denied, before.

In addition, initial setup time is billed at $200 per hour (50 hours is recommended for all preliminary setup) for our programmers to deliver the XML material in the structure and format that you desire. Trust us, we've done this enough that we know you are going to come in at around 50 hours of time.