Compliance Critical Mass
In the spring of 2004, Unified Compliance co-founder Dorian Cougias sat in a Miami conference room as blue-chip CIOs cited eerily similar complaints about the crushing mass of compliance mandates they had to address.
Globalization, regulation, and increasing business complexity made their compliance challenges a nightmare. Sarbanes-Oxley was law. The HIPAA Security Rule compliance deadline was approaching. It seemed as if new laws and requirements were appearing every day. The process was manual and the risk of error was enormous. Project silos. Duplication. Skyrocketing costs. Uncertain results. Like an overtaxed transit system, each route got from A to B, but the network as a whole was hugely inefficient.
Why, Dorian asked, should companies waste time and money starting from scratch each time a new regulation was introduced? Why should they handle each regulation separately when they had already addressed it in a previous requirement?
If you could find the common elements between compliance mandates and show where they overlapped, why couldn’t you leverage the pieces you already had in place? You could select the new mandates, see the immediate impact, and easily assess the risk.
That would dramatically simplify the process of scoping, defining, and maintaining compliance. It would save companies millions of dollars in time and resources. And that would be the ultimate game changer.
Compliance Meets Courtroom
The idea of “harmonized compliance” wasn’t new. There were a few attempts to harmonize compliance controls, but none actually solved the two biggest challenges: making harmonized audits legally defensible and maintaining the control lists as new requirements became law.
Dorian sought out Marcelo Halpern, then a partner at Latham & Watkins (now a partner at Perkins Coie). They examined other frameworks and found that very specific controls had been combined with more general ones. This made it next to impossible to identify the specific requirements for a given subset of mandates from the original laws and standards. Worse, as each new Authority Document was added, the controls became less accurate and harder to maintain.
After much research, Dorian and Marcelo theorized that the only way to ensure a legally defensible compliance process was to create a unified framework with a maintainable set of harmonized controls, based 100% on compliance mandates.
Testing the Hypothesis
In science, a hypothesis is used to predict an outcome, and it is accepted only if it holds up under repeated testing. Like scientists seeking a cure, they followed a rigorous scientific methodology to determine what rules must be in place in order to create and maintain a legally defensible, unified framework for all the mandates from any Authority Document.
Over the next 6 months, Dorian and Marcelo discovered 270 separate rules for creating the framework, including roles for subject experts, lawyers, and glossarists. They researched, measured, and tested each rule until it could be proven to support this new compliance framework.
When the scientific method was applied and the methodology determined, Marcelo and Dorian created the Unified Compliance Framework® (UCF).
The Science of Compliance®: Understanding the Structure and Elements of the UCF
In chemistry, everything can be reduced to base elements. The same is true for compliance. The UCF team determined that each Authority Document contains individual mandates, and each mandate contains specific elements.
Mapping any Authority Document into the UCF begins with breaking it into specific mandates and then determining exactly what each mandate requires by looking at the specific parts of speech used. The Science of Compliance® categorizes each noun-verb combination separately, allowing each mandate to be placed correctly within the Unified Compliance Framework’s legal hierarchy.
Over the next ten years, the UCF team extended the language elements beyond Common Controls by connecting the Common Controls to the other elements of compliance. When a Common Control requires someone to take an action, that action is connected to a role. When a Common Control includes a directive about an asset or record, it is connected to that asset or record.
By deconstructing the elements of compliance into their most basic components, we identified 19 core governance and compliance elements that form the bedrock of the Unified Compliance Framework. Simply put, these elements define the common language and content of all governance and compliance controls, fully connected in a top-down hierarchy that works in the real world.
This connected hierarchy allows the UCF to identify overlapping compliance requirements across hundreds of different regulations, so you can comply once and demonstrate compliance with many requirements at the same time, dramatically reducing the number of controls you need in order to ensure compliance.
We call this proven methodology the Science of Compliance®, and it provides the robust foundation that enables the UCF to deliver a single integrated view of compliance requirements across your organization.
Applied Science: The Unified Compliance Framework®
The UCF makes it easy for any organization to scope, define, and maintain their compliance requirements, as well as gather evidence to provide proof.
Scope: The UCF is the only compliance database that fully integrates critical legal and technical data to meet the needs of compliance officers, subject area experts, and lawyers. Creating a customized controls list takes only seconds: select the specific industries, market segments, and geographies that apply to your organization.
Define: The UCF is built completely upon the mandates themselves, and each mandate is transparently presented to allow you to customize any Common Control to meet your specific geographic and vertical requirements.
Maintain: Due to the interconnected requirements established by the UCF methodology, you can automatically track the changes required by new or updated laws and quickly assess any incremental changes required, rather than having to complete an entirely new assessment. In addition, the UCF team continues to map new Authority Documents every day.
Gather Evidence: The UCF is the only patented framework that enables any GRC solution to automatically gather evidence from any security solution. This enables continuous monitoring, reporting, and audit data collection.
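As an added illustration of the mechanics described in the Science of Compliance and Maintain sections above (this is not Unified Compliance's code, its data model, or its control identifiers), the following Python reduces mandates to noun-verb pairs, groups them into shared controls so that one control's evidence demonstrates compliance with several documents, and assesses a new document as a delta against controls already in place. The document names, roles, and mandates are constructed samples.

```python
"""Harmonized-control model: map mandates from several Authority Documents onto
shared Common Controls, measure the overlap, and compute the incremental impact
of a new document. Constructed illustration only; not the UCF data model."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Mandate:
    authority_doc: str  # constructed document name, not a real citation
    role: str           # who must act
    verb: str           # the action (the "verb" of the noun-verb pair)
    asset: str          # the asset or record acted on (the "noun")


# Constructed sample mandates: three documents, worded independently, that
# reduce to only four distinct noun-verb pairs.
SAMPLE_MANDATES = [
    Mandate("Doc-A", "system owner", "review", "access rights"),
    Mandate("Doc-A", "security team", "encrypt", "data at rest"),
    Mandate("Doc-A", "security team", "retain", "audit logs"),
    Mandate("Doc-B", "system owner", "review", "access rights"),
    Mandate("Doc-B", "security team", "retain", "audit logs"),
    Mandate("Doc-B", "IT operations", "test", "backups"),
    Mandate("Doc-C", "security team", "encrypt", "data at rest"),
    Mandate("Doc-C", "security team", "retain", "audit logs"),
]


def harmonize(mandates):
    """Group mandates by their (verb, asset) pair: one Common Control per pair.
    Returns {control_key: {"docs": set(...), "roles": set(...)}}, so the "docs"
    set of a control is every document that one piece of evidence satisfies."""
    controls = defaultdict(lambda: {"docs": set(), "roles": set()})
    for m in mandates:
        key = (m.verb, m.asset)
        controls[key]["docs"].add(m.authority_doc)
        controls[key]["roles"].add(m.role)
    return dict(controls)


def reduction(mandates):
    """(raw mandate count, harmonized control count): how much testing shrinks
    when you comply once per control instead of once per mandate."""
    return len(mandates), len(harmonize(mandates))


def incremental_impact(existing, new_doc_mandates):
    """Split a new document's mandates into controls already covered by the
    existing set and controls that are genuinely new, so only the delta needs
    a fresh assessment. Returns (sorted covered keys, sorted new keys)."""
    covered = set(harmonize(existing))
    new_keys = {(m.verb, m.asset) for m in new_doc_mandates}
    return sorted(new_keys & covered), sorted(new_keys - covered)


if __name__ == "__main__":
    raw, unified = reduction(SAMPLE_MANDATES)
    print(f"{raw} mandates harmonize to {unified} controls")
    for key, info in harmonize(SAMPLE_MANDATES).items():
        print(f"  {key}: satisfies {sorted(info['docs'])}, roles {sorted(info['roles'])}")
    # A constructed fourth document: one mandate already covered, one new.
    doc_d = [
        Mandate("Doc-D", "security team", "retain", "audit logs"),
        Mandate("Doc-D", "HR", "train", "staff"),
    ]
    print("Doc-D impact (covered, new):", incremental_impact(SAMPLE_MANDATES, doc_d))
```

The key design choice is the control key: harmonizing on the (verb, asset) pair rather than on free text is what makes a control's evidence reusable across documents and keeps the mapping stable as documents are added, which is the maintainability problem the page describes for frameworks that mixed specific and general controls.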
The UCF Today
The Unified Compliance Framework is used by leading organizations in every sector of business and government and is the most widely used GRC framework in the world. Using the UCF, our customers make faster and more informed decisions, streamline compliance initiatives, and net a 40% to 50% reduction in compliance-related costs. Thousands of companies rely on the Unified Compliance Framework to streamline their GRC initiatives. Leading software partners like HP, RSA Archer, MetricStream, McAfee, IBM and Software AG use the UCF as the foundation of their GRC applications.
Your job is complex and the stakes are high. We can make it easier.
Take a closer look at what UCF has to offer. Can you really afford not to?