Governance and compliance are some of the least glamorous and most arduous parts of the identity management field. It's thankless work with little reward. Especially hard is the seemingly simple job of deciding which regulations apply to your enterprise, and what new things you need to implement as new regulations are promulgated and old ones are revised. And, of course, no one is subject to only one set of regulations, are they? What can you do about gaps and overlaps - and how can you find them? That's a lot of lemons, so it's not surprising that someone is making lemonade out of it.

With a name like Network Frontiers, you might expect a company to be on the cutting edge of technology. In fact, the company has been around for over 15 years and when I had the chance to talk to Network Frontiers CEO Dorian Cougias a couple of weeks ago, all he wanted to talk about were spreadsheets and a database. Hardly cutting edge, but very important, he wanted to emphasize, when dealing with regulatory compliance.

Now whenever we talk about regulatory compliance, names and acronyms like Sarbanes-Oxley, Graham-Leach-Bliley, PCI, HIPAA and one or two others dominate the discussion. But there are many more which we don’t mention. Network Frontiers has identified over 200! See the current list of the so-called “authority documents” (the documents which define the regulations) that Cougias’ database is currently tracking.

It’s nice to track the regulations, of course, but Network Frontiers does even more. They collate, cross-check, synthesize and synchronize all of these regulations after first cutting out the verbiage and rhetoric and getting down to the nitty (what information they apply to) and the gritty (what you have to do to comply). Dorian calls the result the Unified Compliance Framework (UCF).

In a nutshell, the UCF is the largest independent initiative to map IT controls across international regulations, standards, and best practices. It does this by “harmonizing” (Cougias’ term, I’d say “normalizing”) terms and controls against the backdrop of a master hierarchical list. Or, as Dorian finally said: “In simple terms this means that we can present the complex rules, standards, and policies you must follow in a simple spreadsheet format with in-depth links for you to drill down for as much information as you need.” (I like simple terms.)

Dave Kearns is a consultant and editor of IdM, the Journal of Identity Management.