What you don't know can hurt you
About a week or so ago, I posted a short piece on CIO.com about the need for organizations to understand what an authority document is.
I explained there, as on the UCF's website before, what Authority Documents are -- they are all of the rule sets (from laws through regulations, standards, and contractual obligations) that set down the controls we have to follow if our organizations are to be compliant. So now you know what an authority document is: SOX (the act) and 12 CFR (the regulation version of it) are both authority documents. PCI-DSS, as a contractual obligation, is an authority document if your organization takes credit cards.
So why should you care? You should care because not knowing the law can hurt you. Let's say you were driving to your friend's house at about 30 miles an hour, a reasonable speed and surely slow enough to react to anything adverse. You don't see a speed limit sign, because there aren't any. You get pulled over by Johnny Law and given a ticket for going 32. You plead, "I didn't see a sign." The answer, of course, is that you should have known the speed limit is 25 in all residential areas, and you should have known that driving seven miles over the limit can get you a ticket.
That whole "should have known" principle is the basis for laws all around the world. You can't plead not guilty of breaking a law you didn't know about. Simple as that. So, yes, your organization could very well be doing something that could get you into trouble if you aren't conversant with those laws.
Which brings us to the reason for this post. I wouldn't leave you in the lurch by telling you about this and then giving you nowhere to go. The Unified Compliance Framework has put together a list of all of the authority documents that we know about today. You can have that list for free. Click HERE to get the list.
