Navigating the IT Regulatory Maze: Network Frontiers, your best source for IT compliance information.
The Unified Compliance Framework (UCF) reduces the regulatory tornado to a much smaller set of harmonized controls, giving you a single point of control over hundreds of complex compliance requirements from around the world.
The UCF harmonizes controls across hundreds of different regulations: comply with a given rule once and attest to the control for many different regulations, including PCI-DSS (Payment Card), Sarbanes-Oxley, HIPAA, CobiT, NIST and hundreds more.
Visit the Unified Compliance Framework web site.
We have to stop improperly referring to information assurance as information security.
Yes, I know that many of us who grew up in the world of ISO 17799 have based our language on the language found there, where the ISO team lumped information confidentiality, information integrity, and information availability into one group and called it information security. But security is only one facet of protecting information.
Security still applies, but there's more to it. If you think about securing (locking down) information, then yes, ensuring privacy and soundness are about security. Accessibility isn't as much about locking down as making available. But the thought pattern of information security doesn't bring to the forefront of our minds the additional aspects of assurance through confidence based on measurement metrics and accountability reporting. And that is why I'd like all of us to change our language and talk more about information assurance than information security.
The move toward information assurance is found in organizational accountability. We will begin changing our thought patterns and changing our language as we begin to re-think security in terms of measured confidence in our accountability. And we can only do that when we start to add the proper metrics and reporting to our information assurance plans. That is another thing that ISO 17799 left out: metrics and reporting of accountability for compliance with its own ruleset.
Information assurance is about defining rules for maintaining information privacy, protecting information soundness, and ensuring information accessibility, by mandating that someone (or multiple people) is held accountable for ensuring that organizational policies, standards, and procedures are created to match the mandatory regulatory controls and are properly paired to the information systems within the organization.
It is assurance through accountability that we want to espouse. That's the mindset we want to build.
The Language of Compliance: a glossary of acronyms, terms, and extended definitions

Have you ever read a regulation, standard, or best practice and wondered what they were talking about? Would you like to know the difference between personal data, electronic protected health information, confidential information, and sensitive information? Would you like the definition of materiality? How about what a regulation, standard, and safe harbor really are? If your organization is involved with compliance at all, then this is the glossary book for you. We've gone through every major compliance and IT related glossary we could find and then harmonized all of the terms, so that when this regulation calls for "confidentiality" and that standard talks about "confidentiality," you know what they both really mean. This book has more terms in it than any other regulatory compliance glossary. In addition, it has references to where each of the terms can be found, as well as a great many "spotlight definitions" that add more information to the terms and really do make them all more understandable. Click HERE to go to the book's web page, or HERE to order it from Amazon.
Regulatory compliance does indeed seem to most of us like one big maze of uncertainty and doubt. But it doesn't have to be that way.
We're here to make compliance easier for your staff, as well as your checkbook.
Don't be fooled by consulting firms that tell you that regulatory compliance has to be complicated. Yes, if you are "in the thick of it" as they say, it might very well seem complicated. But it doesn't have to be that way.
Let us take you out of the maze and give you a bird's eye view of the problems and pitfalls of regulatory compliance. We know the way out of the maze because we know how it is built and we know the simplest, least painful path your organization can take.
We've spent years studying compliance, helping clients, and coming up with the award winning Unified Compliance Framework that everyone is talking about. We've learned how to reduce the complexity, reduce the overhead, and reduce the cost of all forms of IT regulatory compliance.
We know how to make your life easier.
And it won't cost you an arm and a leg in the process.
Check out our services; you'll be glad you did.
And check out the Unified Compliance Framework; you'll learn more than you thought you could.