This column is available in a weekly newsletter called IT Best Practices.
Does the term regulatory compliance make your stomach churn? If so, you certainly aren't alone. In the recent CSO article "'Compliance fatigue' sets in," author Taylor Armerding writes, "many organizations feel like they are drowning in such a sea of regulations that constant compliance with them all doesn’t give them much time to run their usual business."
Because many regulations pertain to information systems, it's all but impossible for IT to escape involvement in implementing and maintaining controls and participating in audits that verify the veracity of those controls. In fact, technologists and corporate lawyers can find themselves working closely to interpret a regulatory mandate and ensure the chosen IT control (for example, system logging) is sufficient to meet the mandate.
Depending on the size, industry and nature of a business, a company may need to comply with just a handful of mandates, or possibly with dozens. Multinational corporations also have to comply with numerous country- or region-specific regulations. For example, even though the European Union has an overarching privacy law, several individual countries within the EU have additional regulations pertaining to the privacy of personal data—and these laws differ significantly from privacy laws in the U.S. A company with offices throughout Europe and the U.S. would have a lot of regulations to keep track of.
Harmonizing a host of government and industry regulations, internal policies and general best practices can be a challenge for an enterprise, but now there is a SaaS application that addresses that very problem. Unified Compliance recently launched a service called the Common Controls Hub built on the Unified Compliance Framework (UCF).
The UCF was put together several years ago by Dorian Cougias, a compliance scientist, and Marcelo Halpern, a partner in an international law firm. Their company has pulled together more than 800 authority documents (e.g., regulatory mandates, compliance frameworks, contractual obligations and standards) into one database. These documents cover all the laws and frameworks from around the world that deal with five primary areas: information technology, physical security, records management, privacy and supply chain.
Unified Compliance pulls out all the mandates dealing with those five areas and creates what the company's CEO, Craig Isaacs, calls a "super mashup" of all the frameworks in a single legal framework. From this mashup, a mapper pulls out each mandate into a separate citation record. The 800 authority documents yield some 90,000 individual citation records, which are then harmonized down to about 9,000 common controls. Some of the controls are rather general, while others are quite specific.
A compliance officer can go into the Common Controls Hub application and check the regulations for his business. For example, a healthcare corporation might check HIPAA, PCI, SOX and any others that apply. The Hub will build a list of the controls that apply to the overall checklist of authority documents. If the company addresses all of the controls on this list, it will have completed all the requirements for its specific list of regulations.
While the Common Controls Hub tells the company what controls to implement, it won't verify those controls are in place. That's what auditors are for. In fact, many auditing firms utilize the UCF to do multiple audits simultaneously and attest to all of the regulations at once. Unified Compliance has also partnered with a number of GRC vendors who have incorporated the UCF into their products. According to Isaacs, Unified Compliance is the only entity that has a legal framework that maintains a connection between the controls and the original mandates from the source agencies.
There is a free version of the Common Controls Hub for anyone to do basic research and cross-map up to five different authority documents.
The Common Controls Hub lets companies define, scope and maintain their harmonized control sets, regardless of which regulations from around the world they need to comply with. It greatly simplifies the process of managing compliance, saves time and money for those involved in researching citations and controls, and reduces audit overload and compliance fatigue.