Official UC blog

IMPORTANT Updates to the Unified Compliance Framework®

Written by Vicki M. | Aug 27, 2020 5:38:29 PM

Here is the list of the updates carried out in August 2020, in preparation for the twentieth anniversary of the UCF®.

Merging and Retiring Common Controls

Changed CC_ID Changed Control Name Change Type Surviving CC_ID Surviving Control Name

5569

Enable or disable the caching of RBAC exec_attr, as appropriate. Merge 5568 Configure role-based access control (RBAC) caching elements to organizational standards
5570 Enable or disable the caching of RBAC user_attr, as appropriate. Merge 5568 Configure role-based access control (RBAC) caching elements to organizational standards
10054 Assign accountability for the Information Governance Plan to senior management Merge 609 Involve the Board of Directors in Information Governance.
12672 Include a description of the personal data processing operations in the Data Protection Impact Assessment has merged with 12673 Merge 12673 Include the description and purpose of personal data processing in the Data Protection Impact Assessment.
2051 Report on the percentage of audit findings that have been corrected since the last audit. Merge 1678 Report on the percentage of audit findings that have been resolved since the last audit.
754 Review and update the continuity plan. Merge 752 Establish and maintain a continuity plan and associated continuity procedures.
13300 Review and update the recovery plan, as necessary. Merge 13288 Establish and maintain a recovery plan.
4498 Update the system's backup procedures after an approved change has occurred. Merge 1258 Establish and maintain backup procedures for in scope systems.
6259 Update the privacy policy, as necessary. Merge 6281 Establish and maintain a privacy policy.
13310 Conduct external audits of the organization's risk assessment within any mandated timeframes. Merge 13308 Conduct external audits of the organization's risk assessment.
13263 Include addressing telecommunication diversity in the business continuity testing strategy. Merge 13252 Include addressing telecommunications circuit diversity in the business continuity testing strategy.
1755 Record actions taken to contain and limit a data loss event in the incident response report. Merge 12708 Include corrective action that was taken to eradicate the security incident in the incident response report.
7048 Update the information classification standard regularly or when new threats are discovered. Merge 601 Establish and maintain an information classification standard.
528 Include access control procedures in the access control program. Merge 11663 Establish and maintain access control procedures.
1121 Conduct a management level post implementation review. Merge 1003 Conduct a post implementation review when the system design project ends.
1750 Establish electronic authentication before transmitting restricted data or restricted information between devices. Merge 1429 Require the system to identify and authenticate approved devices before establishing a connection to restricted data.
12934 Identify and document conditions of non-compliance with the organizational compliance framework. Merge 6499 Identify and document instances of non-compliance with the organizational compliance framework.
1082 Implement security controls into the system during the development process. Merge 6270 Implement security controls when developing systems.
6652 Change cipher lock codes upon authorized personnel status change or termination. Merge 6651 Change cipher lock codes, as necessary.

Moving Common Controls in the Hierarchy

Changed CC_ID Changed Control Name Change Type New Parent CC_ID New Parent Control Name
689 Establish and maintain an Information Technology inventory with asset discovery audit trails. Hierarchy Move 6631 Establish, implement, and maintain an asset inventory database.
653 Disseminate and communicate the reviews of audit reports to organizational management. Hierarchy Move 6731 Establish and maintain organizational audit reports.
6371 Install and maintain remote control software and other remote control mechanisms on critical systems. Hierarchy Move 7117 Disseminate and communicate the audit report to all interested personnel and affected parties identified in the distribution list.
6371 Install and maintain remote control software and other remote control mechanisms on critical systems. Hierarchy Move 1421 Control remote access through a network access control.
12339 Include the information flow of restricted data in the risk assessment program. Hierarchy Move 687 Establish, implement, and maintain a risk assessment program.
6447 Include the need for risk assessments in the risk assessment program. Hierarchy Move 687 Establish, implement, and maintain a risk assessment program.
13093 Refrain from adopting impromptu measures when continuity procedures exist. Hierarchy Move 10604 Implement the continuity plan, as necessary.
12324 Prohibit remote access to systems processing cleartext restricted data or restricted information. Hierarchy Move 1421 Control remote access through a network access control.
11677 Evaluate and react to when unauthorized access is detected by physical entry point alarms. Hierarchy Move 1639 Monitor physical entry point alarms.
6365 Build the Information Technology facility with fire resistant materials. Hierarchy Move 6366 Build the Information Technology facility according to applicable building codes.
12571 Monitor and review environmental protections. Hierarchy Move 12570 Employ environmental protections.
13236 Include testing cycles and test scope in the business continuity testing policy. Hierarchy Move 13235 Establish, implement, and maintain a business continuity testing policy.
1369 Include a system acquisition process for critical systems in the emergency mode operation plan. Hierarchy Move 11694 Include emergency operating procedures in the continuity plan.

1369

Include a system acquisition process for critical systems in the emergency mode operation plan. Hierarchy Move 11694 Include emergency operating procedures in the continuity plan.