Tracking regulatory changes without the eye-strain

Network Frontiers' Unified Compliance Framework

The foundation for security and enterprise management

Governance and compliance are some of the least glamorous and most arduous parts of the identity management field. It's thankless work with little reward. Especially hard is the seemingly simple job of deciding which regulations apply to your enterprise, and what new things you need to implement as new regulations are promulgated and old ones are revised. And, of course, no one is subject to only one set of regulations, are they? What can you do about gaps and overlaps - and how can you find them? That's a lot of lemons, so it's not surprising that someone is making lemonade out of it.

With a name like Network Frontiers, you might expect a company to be on the cutting edge of technology. In fact, the company has been around for over 15 years and when I had the chance to talk to Network Frontiers CEO Dorian Cougias a couple of weeks ago, all he wanted to talk about were spreadsheets and a database. Hardly cutting edge, but very important, he wanted to emphasize, when dealing with regulatory compliance.

Now whenever we talk about regulatory compliance, names and acronyms like Sarbanes-Oxley, Graham-Leach-Bliley, PCI, HIPAA and one or two others dominate the discussion. But there are many more which we don’t mention. Network Frontiers has identified over 200! See the current list of the so-called “authority documents” (the documents which define the regulations) that Cougias’ database is currently tracking.

To continue reading, register here and become an Insider. You'll get free access to premium content from CIO, Computerworld, CSO, InfoWorld, and Network World. See more Insider content or sign in.

Governance and compliance are some of the least glamorous and most arduous parts of the identity management field. It's thankless work with little reward. Especially hard is the seemingly simple job of deciding which regulations apply to your enterprise, and what new things you need to implement as new regulations are promulgated and old ones are revised. And, of course, no one is subject to only one set of regulations, are they? What can you do about gaps and overlaps - and how can you find them? That's a lot of lemons, so it's not surprising that someone is making lemonade out of it.

With a name like Network Frontiers, you might expect a company to be on the cutting edge of technology. In fact, the company has been around for over 15 years and when I had the chance to talk to Network Frontiers CEO Dorian Cougias a couple of weeks ago, all he wanted to talk about were spreadsheets and a database. Hardly cutting edge, but very important, he wanted to emphasize, when dealing with regulatory compliance.

Now whenever we talk about regulatory compliance, names and acronyms like Sarbanes-Oxley, Graham-Leach-Bliley, PCI, HIPAA and one or two others dominate the discussion. But there are many more which we don’t mention. Network Frontiers has identified over 200! See the current list of the so-called “authority documents” (the documents which define the regulations) that Cougias’ database is currently tracking.

It’s nice to track the regulations, of course, but Network Frontiers does even more. They collate, cross-check, synthesize and synchronize all of these regulations after first cutting out the verbiage and rhetoric and getting down to the nitty (what information they apply to) and the gritty (what you have to do to comply). Dorian calls the result the Unified Compliance Framework (UCF).

In a nutshell, the UCF is the largest independent initiative to map IT controls across international regulations, standards, and best practices. It does this by “harmonizing” (Cougias’ term, I’d say “normalizing”) terms and controls against the backdrop of a master hierarchical list. Or, as Dorian finally said: “In simple terms this means that we can present the complex rules, standards, and policies you must follow in a simple spreadsheet format with in-depth links for you to drill down for as much information as you need.” (I like simple terms.)

But wait, there’s more.

Knowing what you need to do to comply with the regulations is a decided plus, of course, but you still have to actually do it. Network Frontiers won’t do that work for you, but they do the next best thing by tightly integrating with compliance management platforms (such as CA’s GRC Manager and NetIQ's Secure Configuration Manager) to keep them on target and up to date.

Read more at the Web site (start with “What is UCF?”) and see how this could save you a lot of time as well as a fair bit of money both for clerks to track regulatory changes as well as for medical bills to treat their eye-strain!

Read more about security in Network World's Security section.

Dave Kearns is a consultant and editor of IdM, the Journal of Identity Management.