Compliance is hard. Globalization, an ever-growing corpus of regulations and increasing business complexity all conspire to make it challenging to understand, implement and prove regulatory compliance. With the Compliance Dictionary, the Unified Compliance Framework (UCF) is aiming to change that.
Most authority documents — laws, regulations, international standards, contractual obligations, etc. — use custom terms. For instance, 'Personally Identifiable Information' (PII) was defined legally in a 2007 memorandum from the Executive Office of the President, Office of Management and Budget (OMB) and later adopted in the National Institute of Standards and Technology (NIST) Guide to Protecting the Confidentiality of Personally Identifiable Information (SP 800-122). But other regulatory and standards bodies frequently refer to PII as 'identifying information,' 'personal information' or 'private information.' In the European Union, EU directive 95/46/EC refers to it as 'personal data.'
While it may seem innocuous, it's no laughing matter for auditors or employees responsible for implementing compliance mandates. Small variances in language, even misspellings and typos, can make it difficult or even impossible to properly configure automated compliance tools. If one compliance control refers to an "active recovery site" and then a new control refers to a "mirrored site" — in reality the same thing — companies have to start from scratch each time a new regulation is introduced, even if the issue was already addressed in a previous requirement.
Complying in harmony
For more than a decade, UCF has pursued the idea of "harmonized compliance" by mapping authority documents to identify overlaps between compliance mandates, thereby dramatically simplifying the process of scoping, defining and maintaining compliance.
"Over 75 percent of the authority documents mapped in the last decade by the Unified Compliance Framework team contain terms unique unto that document, that are not defined in the document, nor were they defined anywhere else at the time of the document's authoring," says Dorian Cougias, lead analyst of the UCF and author of The Compliance Book: A Unified Framework for IT Controls and Regulations. "It seems that authority document authors are so caught up in wanting to make their specific point and wanting to create terms of art that they often forget they are writing documents to be shared by a world-wide community. These documents call organizations to action while at the same time they also create maximum opportunities for misinterpretation."
UCF's answer is the Compliance Dictionary, a lexicon that standardizes and unifies compliance terms and governance requirements. The idea is to create a concrete methodology to determine when a citation's mandate can (or can't) be mapped to a common control — a shared compliance requirement written in plain language and connected to the original mandates an organization must follow.