The Need

Organizations are responsible for complying with a variety of local, national, and international laws, policies, rules, and regulations. Failure to comply with such requirements can lead to sanctions such as fines, loss of certifications, and disqualification from certain business activities. New laws are being passed, and existing regulations are being amended, on a continuous basis. Organizations need to keep abreast of these changes, and their compliance programs must be updated to incorporate the changes for them to remain compliant. To say that the compliance process can be complicated is an understatement.

Laws, policies, rules, and regulations are published in the form of Authority Documents. Each Authority Document contains mandates that must be interpreted and applied. Although mandates often overlap, their wording can (and does) vary across documents. Furthermore, it isn't always enough to merely comply with a mandate. In most cases, evidence must be gathered and conveyed that signifies that the organization has implemented methods and practices to achieve compliance.

The tools and resources provided by Unified Compliance are designed to simplify the process of scoping, defining, and maintaining compliance and provide proof that a compliance methodology has been implemented. The Unified Compliance Framework (UCF), provided by Unified Compliance, is an information framework designed to help client organizations achieve compliance. The UCF Mapping Team builds and maintains the UCF data through compliance mapping. Once an Authority Document is mapped, it is published to the Common Controls Hub (CCH), where subscribers can view and interpret the Authority Documents that are relevant to them.

Our Approach

In the most basic sense, the UCF Mapping Team is tasked with analyzing and interpreting the language of an Authority Document in order to identify the mandates within. We then look for a shared compliance requirement – or Common Control – that will satisfy the mandate's requirement(s) and then link the mandate to an audit question through the matched control, which illustrates the evidence that auditors will look for to determine that control practices have been implemented.

When interpreting an Authority Document, the complexity associated with achieving compliance can become apparent. Often a single Authority Document is written by a variety of different authors – many of whom use industry-specific or proprietary language and do not always provide sufficient context. Additionally, many Authority Documents are translated to English from another language. This further complicates the process of interpretation, especially for lay audiences. The UCF mapping process is designed with this in mind, and for this reason utilizes a three-pronged approach with two lines of defense. The Compliance Mapper deciphers the citations, extracts mandates, and matches mandates to controls; the Reviewer examines the Mapper's work to ensure that no egregious errors were made; and the Approver (a subject matter expert member of the Mapping Team) takes a final look to make sure that nothing is missed. This provides assurance to clients that the UCF's mapping process will allow them to achieve compliance while also taking the guesswork out of interpreting the Authority Document.