Let me start by asking a question: How many authority documents relating to IT are there in the world?

By “authority documents” I mean documents that set the rules for IT, i.e. they describe statutory or regulatory compliance requirements, or specify standards or guidelines that have an impact on IT. These authority documents may be international, national, local or specific to an industry sector, such as ISO 27002, the Sarbanes-Oxley Act, ITIL V3 or PCI DSS. Compliance with these rules can be demonstrated to an auditor by following the controls that the rules set out.

I don’t think there would be many of us, certainly not me, who would guess that over 600 authority documents exist, containing well over 18,000 overlapping controls between them. And that’s solely those documents written in English!

The situation here is an order of magnitude more complex than the 50-plus ITSM frameworks I used to introduce my Lesser-spotted frameworks - 1 article. Of course, there is not a business in the world that needs to comply with all 600 authority documents, let alone all 18,000 controls! However, many of these authority documents inevitably overlap, and considerable work and expense is needed to ensure that an organisation complies with each applicable authority document.

However, there is now an approach available that looks like it can streamline compliance with multiple authority documents. A small American company, Network Frontiers LLC, together with an international legal firm, Latham and Watkins LLP, took the initiative a couple of years ago to classify all of these authority documents within a single framework – a major challenge, but they seem to have pulled it off.

The framework is IT Universal Compliance Framework (IT-UCF).

IT-UCF in a nutshell
It harmonises controls, making it easier to assert compliance across multiple authority documents. It shows exactly which controls need to be implemented and avoids the need to analyse authority documents yourself; IT-UCF has done this work already for 500+ authority documents that are written in English.

What did the IT-UCF developers do?
The IT-UCF team recognised that the rules contained in all authority documents can be expressed as controls that themselves can be broken down into two parts: actions (or methods) and parameters associated with the actions (or methods). A simple example: If the control is “passwords must be assigned to all users”, then the action is “assign” and the parameter is “all users”.

So a control = an action + parameters

However, many authority documents include hierarchical lists of controls – particularly statutory documents.

So they devised a seven-level-deep hierarchy for the IT-UCF controls, but with enough flexibility that the hierarchy can be modified as new authority documents are added. The hierarchy of controls is organised into twelve IT impact zones, e.g.:

  • auditing and risk management
  • monitoring and measurement
  • leadership and high level objectives

They devised a set of nine rules that they have used to rigorously work through 500+ authority documents extracting from each authority document every single control text, then allocating it a unique and persistent control-id and storing a commentary on the control text plus its allocated control-id in IT-UCF. Then they harmonised controls that have the same effect even when the methodologies or targets are different and they linked parent and child control-ids.

They have discovered that with just ten types of parameters they can specify all controls and reduce the total control set from 18,000 to about 2500.
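To make the "control = action + parameters" decomposition and the harmonisation step concrete, here is a small Python model written for this article, not IT-UCF's own code or data: the document names, control texts, glossary entries and the control-id scheme are all constructed, and the seven-level hierarchy and impact zones are not modelled.

```python
import hashlib

# Constructed glossary (the "harmonised terminology" idea): a term used by one
# authority document -> the harmonised term; two-word keys are allowed.
GLOSSARY = {"allocate": "assign", "issue": "assign", "passcodes": "passwords",
            "users": "accounts", "user accounts": "accounts", "examine": "review",
            "logs": "audit logs", "audit trails": "audit logs", "audit logs": "audit logs"}
FILLER = {"to", "be", "must", "shall", "the"}

# Constructed sample control texts: (authority document, section, control text).
RAW_CONTROLS = [
    ("Standard-A", "8.1", "Assign passwords to all users"),
    ("Regulation-B", "s.12(b)", "Allocate passcodes to all user accounts"),
    ("Guideline-C", "4.3", "Review audit trails weekly"),
    ("Standard-A", "9.2", "Examine the logs weekly"),
    ("Regulation-B", "s.14", "Review audit trails monthly"),
]

def normalise(text):
    """Fold document-specific wording through the glossary and drop filler words."""
    words, out, i = text.lower().split(), [], 0
    while i < len(words):
        pair = " ".join(words[i:i + 2])
        if pair in GLOSSARY:                      # two-word glossary term first
            out.extend(GLOSSARY[pair].split()); i += 2
        elif words[i] in GLOSSARY:
            out.extend(GLOSSARY[words[i]].split()); i += 1
        else:
            if words[i] not in FILLER: out.append(words[i])
            i += 1
    return out

def parse_control(text):
    """control = action + parameters: the first harmonised token is the action."""
    tokens = normalise(text)
    return tokens[0], tuple(tokens[1:])

def control_id(action, parameters):
    """Persistent id: the same harmonised control always gets the same id (assumed scheme)."""
    return "UCF-" + hashlib.sha256(f"{action}|{' '.join(parameters)}".encode()).hexdigest()[:8]

def harmonise(raw_controls):
    """Group controls with the same effect under one id, keeping every (document, section)."""
    table = {}
    for doc, section, text in raw_controls:
        action, params = parse_control(text)
        entry = table.setdefault(control_id(action, params),
                                 {"action": action, "parameters": params, "sources": []})
        entry["sources"].append((doc, section))
    return table
```

Running `harmonise(RAW_CONTROLS)` collapses five document-specific control texts into three harmonised controls; the "weekly" and "monthly" log reviews stay separate because their parameters differ.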

Here is some of the key information included in the IT-UCF framework:

  • A set of hierarchical harmonised controls that are mapped across multiple authority documents.
  • Definition of each authority document that tracks: type, URL, date created/last modified and cost/free.
  • A glossary that harmonises terminology by mapping specific terminology in each authority document to the IT-UCF harmonised definitions.

What can IT-UCF do for your organization?
Purchasing IT-UCF gives you access to the IT-UCF harmonized control list. This can be viewed as an Excel spreadsheet or as tables in HTML.

The spreadsheet contains rows organized by hierarchical harmonized controls. Against each harmonised control is its unique, persistent control-id. Clicking on a control-id links to the IT-UCF website and displays a control commentary document that specifies the control (altogether there are 15,000 pages of control commentary, it is claimed).

Columns of the spreadsheet show each of the 500+ authority documents, indicating which UCF hierarchical harmonised controls are applicable (by checkmarks that can be expanded to show the actual section of the authority document that is relevant). Further, each authority document name heading a column of the spreadsheet links to the document itself (e.g. the Sarbanes-Oxley heading links to the actual section of the Sarbanes-Oxley Act).

So, quickly and efficiently you are able to extract each and every control your organisation needs to meet its compliance requirements without spending weeks analysing the text of the actual authority documents. It’s a pity it has taken so long for someone to come up with this approach.

IT-UCF is a database in XML with easy-to-use HTML and Excel formats for viewing and tracking controls. Version 2 was issued in September 2009. You can buy the complete IT-UCF spreadsheet bundle for a single user for $1000, which includes a one-year subscription to updates. A corporate-wide licence is $10,000. Most organizations would only need a single-user licence, I assume.

Need to understand more? Watch their one-hour free online webinar or visit the IT-UCF website, where a sample of the spreadsheet data can be accessed.
