What is Unified Compliance?

Many organizations are starting to promote their “Unified Compliance” approach without really knowing what it means. Here’s the real definition of Unified Compliance.

The official definition of Unified Compliance is straightforward, and it is one you can use when deciding whether a vendor is providing a true Unified Compliance approach.

Unified Compliance is the integration of processes and tools to aggregate and harmonize all compliance requirements applicable to an organization. The defining requirements include the ability to:

  1. Extract Mandates: Define rules to extract Mandates from Citations within Authority Documents.
  2. Map Mandates to Common Controls: Map Mandates from all Citations to Common Controls and when necessary create new Common Controls.
  3. Report Mapping Accuracy: Calculate the percent of match accuracy when tagging Mandates and mapping them to Common Controls.
  4. Standardize Audits: Leverage a standardized structure for auditing the implementation of the Common Controls.

In order to call an approach Unified Compliance, an organization’s approach must include all four requirements, and must continue to address these requirements efficiently and accurately as new Authority Documents are published and old Authority Documents are revised. Without these four capabilities, Unified Compliance can’t take place. This white paper explains the defining requirements.

Extract Mandates

All Authority Documents that you care about have Mandates in them. Those Mandates are buried within the various Citations. Those Citations are buried within, and strewn throughout, the Authority Documents. To get to the Mandates, you must find the relevant Citations.

This means that a Unified Compliance approach will have documented rules that extract the Mandates, and leave the extraneous information behind. The approach must identify the sections of an Authority Document that should be excluded. Then, the approach must identify the parts of each Citation that should be excluded. Knowing what is detritus and what is usable is very important; a Unified Compliance approach must have documented rules for Citation extraction.

Map Mandates to Common Controls

There are currently only two methodologies for mapping Citations to each other: simple crosswalking or harmonization to Common Controls. We’ll cover both.

Mapping Using Simple Crosswalking

Simple crosswalking is what you see in most spreadsheets, and in very simplistic mappings of an Authority Document to other Citations. You’ll see the Authority Document’s Citation and then a table of other Citations that are supposedly mapped to that Citation. This supposes that the person who performed the exercise examined each Citation in relation to the other Citations in a matrix form as shown in the diagram below.

On the surface this sounds easy – read and interpret the Citation and determine whether it matches another Citation. The reality is much different, because each Citation must be matched against every other Citation. The number of pairwise comparisons is given by a simple combinatorial formula: in Excel, type =COMBIN(N,2) into any cell, where N is the total number of Citations in both documents being compared.

Here’s a real-world example. NIST’s Framework for Improving Critical Infrastructure Cybersecurity has 94 Mandates. ISACA’s CobiT 4.1 has 264 Mandates. Using this method, 63,903 mapping tasks would be required to crosswalk the NIST Cybersecurity Framework to CobiT 4.1. At 5 minutes per mapping task, that’s 5,325 hours of work. At a cost of $60 an hour, that’s a total of $319,515! It’s highly unlikely that this method could be applied in such a situation: the number of tasks is overwhelming, and both the time and the cost are prohibitive.

Mapping Using Harmonization to Common Controls

The other methodology is to define Common Controls to map against. In this methodology, each Citation is examined once. It is either found to match an existing Common Control, or a new Common Control is created. Instead of mapping each Citation to every other Citation, each Citation is mapped to a Common Control. As a result, matching Citations are found to match the same Common Control. This is shown in the diagram below.

The mathematical formula is 1 mapping task per Mandate. It either matches or it doesn’t. If it doesn’t, a new Common Control is created. You can recognize this approach because the mapping will show the Common Control that links the Citations together.

Using the same real-world example of mapping NIST’s Framework for Improving Critical Infrastructure Cybersecurity with 94 Mandates and ISACA’s CobiT 4.1 with 264 Mandates, the total number of mapping tasks equals 358. The time it would take to map is 30 hours, and at the same rate of $60 an hour the cost would be $1,790. That is a much more likely scenario. Below is an Excel spreadsheet sample that shows this calculation and comparison.

Comparison Calculator

Report Mapping Accuracy

Whether a team is using the simple crosswalking method or the harmonization to Common Controls method, the team should be able to clearly demonstrate how each Citation is mapped. The International Organization for Standardization has published two guidelines on how to do that (ISO 704 and ISO 860). In a nutshell, the methodology should be able to demonstrate the terms being tagged in each Citation and Common Control, and how each term is semantically linked to the Citation or Common Control it is mapped to. The diagram below shows the Unified Compliance Framework® version of that linkage.

Not only should a Unified Compliance method show the semantic relationships, it should also show the Erdős distance number between each term selected for mapping. It’s one thing to say that two phrases match each other because of a semantic relationship. It’s something completely different to say that they match with 80% match accuracy versus 20% match accuracy. If there is no accuracy reporting for a “Unified Compliance” method, you won’t have enough information to decide whether the mapping has been performed adequately.

Standardize Audits

Over 90% of Authority Documents lack audit questions. The only way to achieve auditability for Unified Compliance is to establish and maintain a methodology to create standardized Audit Questions.

If you think about it, Citations reference people (either individually, in groups, or corporately), records (paper or electronic), assets (whether buildings or computers), and processes (whether formal or informal). People can be interviewed. Records can be examined. Assets can be tested for compliance. Processes can be observed.

These four audit methods (interview, examine, test, observe) can be added to every Common Control that exists. And once created for a Common Control, the audit methods can be applied to each Citation that maps to that Common Control.

For two documents of 25 Citations each, 1,225 Citation-to-Citation potential audit questions are created without Common Controls. Using the Common Controls method, 50 potential audit questions are created. It’s obvious that the Common Controls approach creates a much more realistic and manageable audit process.
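The effort comparison in the two worked examples above (the 94- and 264-Mandate crosswalk versus harmonization, and the 25-Citation audit-question count) can be reproduced for any number of Authority Documents. The following is an added example written for this article, not the UCF calculator itself; the 5-minute and $60-per-hour figures are taken from the text and are parameters, and the crosswalk count follows the article's COMBIN(N,2) formula.

```python
from math import comb

# Added example, not the UCF comparison calculator: computes the effort of the
# two mapping methods described above for any number of Authority Documents.


def crosswalk_tasks(*mandate_counts: int) -> int:
    """Simple crosswalking: every Citation is compared with every other one,
    i.e. COMBIN(N, 2) with N the total number of Citations being compared."""
    return comb(sum(mandate_counts), 2)


def harmonization_tasks(*mandate_counts: int) -> int:
    """Harmonization: one mapping task per Mandate (match an existing Common
    Control or create a new one), so the total is just the sum of Mandates."""
    return sum(mandate_counts)


def effort(tasks: int, minutes_per_task: float = 5, hourly_rate: float = 60) -> dict:
    """Turn a task count into hours and cost at the assumed rates
    (5 minutes per task and $60 per hour, as in the article)."""
    hours = tasks * minutes_per_task / 60
    return {"tasks": tasks, "hours": hours, "cost": hours * hourly_rate}


def compare(*mandate_counts: int, minutes_per_task: float = 5, hourly_rate: float = 60) -> dict:
    """Side-by-side effort for both methods over the given documents."""
    return {
        "crosswalk": effort(crosswalk_tasks(*mandate_counts), minutes_per_task, hourly_rate),
        "harmonization": effort(harmonization_tasks(*mandate_counts), minutes_per_task, hourly_rate),
    }


def audit_questions(*citation_counts: int) -> dict:
    """Potential audit questions: one per Citation pair without Common Controls,
    one per Citation once each Citation maps to a Common Control."""
    return {"crosswalk": comb(sum(citation_counts), 2),
            "common_controls": sum(citation_counts)}


if __name__ == "__main__":
    # NIST Cybersecurity Framework (94 Mandates) vs. CobiT 4.1 (264 Mandates)
    for method, e in compare(94, 264).items():
        print(f"{method:14s} {e['tasks']:>7,} tasks {e['hours']:>9,.2f} h ${e['cost']:>11,.2f}")
    # Two documents of 25 Citations each
    print(audit_questions(25, 25))
```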

How to Evaluate a “Unified Compliance” Approach

Here are some questions to ask a service provider.

Question                                                               | UCF | Others
-----------------------------------------------------------------------|-----|-------
Do you catalog Authority Documents?                                    |     |
Do you have a documented Citation extraction methodology?              |     |
Can you demonstrate your Mandate tagging methodology?                  |     |
Do you match Citations to Citations?                                   |     |
Do you match Citations to Common Controls?                             |     |
Can you demonstrate your matching process?                             |     |
Do you track the % of semantic relationship accuracy of each mapping?  |     |
Do you have a standardized Audit Question methodology?                 |     |

If the provider can’t answer at least seven of these questions with a “yes,” they do not have a Unified Compliance offering. And if they checked Citation to Citation mapping, ensure that they can prove they are really checking each and every Citation to Citation pairing possible. We’ve never seen that to be a workable solution, but then again, we’ve never seen a Unicorn either – maybe they exist.
