
The support site for the Unified Compliance Framework


Assigning Roles to Metrics

Within the Unified Compliance Framework, we don't talk much about job titles such as CIO, CISO, etc., as what we've found is that titles don't matter in the world of compliance as much as the functional roles people play.

What we mean by that is within one organization the CIO might be in charge of security, while, in another organization, it is the CISO, and in yet another organization it is the Director of IT.

Therefore, we've pretty much thrown titles out of what we write about and instead cover roles. In so doing, we are closer to Microsoft's Operational Management Framework than any other system we've seen so far.

The NIST authority documents that focus on metrics, among the many documents that contain roles and responsibilities guidelines, assign their responsibilities to titles instead of functional roles. For instance, they state that the Senior Agency Information Security Officer should be assigned the responsibility for

integrating information security measurement into the process for planning, implementing, evaluating, and documenting remedial actions to address any deficiencies in the information security policies, procedures, and practices of the organization.

Because each organization might not have someone of that title, and we at the UCF have to map to as broad an audience as possible, we've chosen to map such responsibilities to roles instead of titles. We've mapped the same type of responsibility to the role called Define Security Requirements and Implement Security Solutions. We've found that it is much easier for people involved in compliance projects to refer to common roles than titles. By focusing on roles, rather than titles, multi-disciplinary teams within medium to large sized organizations can:

    • clearly understand their functional roles and responsibilities within the project or operational environment, and

    • bring clarity to operational projects that involve partners and customers who might also have differing titles, but can clearly understand functional roles.

Notice that we said roles above instead of job descriptions. The UCF team has adopted and further developed one of the Microsoft Frameworks for dealing with the assignment of IT controls, namely, its IT Occupation Taxonomy version 3.0. Within the document the masterminds have identified critical roles as those baseline functions performed by the various members of the organization or its extended third parties. To a degree we share their views, but have chosen a different level of mapping activities to each role.

The basis of roles

We agree with Microsoft that, regardless of the title that labels a person's job, it is the critical tasks performed that determine which job roles are the right match for anyone to participate as a team member on any given compliance effort. Therefore, instead of assigning an individual control to a job title, the UCF assigns the control to any number of roles that apply. As an example, for the control of "Report on the percentage of policy compliance reviews where there were no violations of compliance noted," we have assigned the responsibility for carrying out that control to the role of "perform monitoring and management."

Each role's title represents what that function is supposed to achieve. Remember that this is much different from a job title, such as CIO, Database Administrator or Security Manager. It doesn't describe a person; it describes the collective set of responsibilities that are assigned to the role. Hence, Role Titles are represented as "Define and Manage Business Value," "Conduct Security Administration," or "Manage IT and Compliance Policies and Standards." As such, any number of roles can be assigned to whichever IT title the organization sees fit to assign the role.

Ensuring that roles are assigned

One of our key tenets also follows directly in line with Microsoft's views. Anyone can perform multiple roles. In addition, multiple people may perform the same roles. For example, most CIOs will be assigned multiple roles such as "Provide Strategic Business Direction for Technology", "Identify and Select Strategic Partners" and "Manage IT and Compliance Policies and Standards (by either editing or approving them)." At the same time, multiple people might also be assigned the same role of "Manage IT and Compliance Policies and Standards" through writing them, providing technical edits to them, etc.

One thing is for certain: every organization should be able to identify at least one person to perform each of the roles. If an organization does not have at least one person on staff who is assigned and can carry out the role, then that role would be a candidate for either recruiting or outsourcing.

3.1 For each metric you want to choose, assign your work functions and RACI info

With this information in hand, you'll want to go through each of the metrics in question and ensure that you have matched the various RACI categories to the work functions that your organization is working with.

You will undoubtedly end up with many people in your organization who are assigned work functions but don't know about the metrics they are tasked with. You'll want to go back to your awareness campaign and ensure that you are now communicating with everyone who has been assigned a task associated with the metrics you are choosing to employ. This might determine whether or not you will indeed employ those metrics, modify the metrics, or modify the work functions and their respective RACI assignments associated with those metrics.

You cannot move on to creating or editing your policies and procedures assigned to your metrics program until you have assigned the work functions for those metrics, as those are the folks who will help you create or edit your policies and procedures.
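The checks the last three paragraphs describe, as an added example that is not part of the UCF toolkit: a metric is mapped to roles with RACI categories, each role to the people who perform it, and the code reports roles nobody is staffed for (recruiting or outsourcing candidates) and the people who must be included in the awareness campaign. All metric, role and person names below are constructed placeholders except the quoted control text from this page.

```python
"""Constructed example: map a metric to UCF-style roles with RACI letters,
then check staffing and build the awareness-campaign list.
Role and person names are hypothetical placeholders."""
from collections import defaultdict

RACI = {"R", "A", "C", "I"}  # Responsible, Accountable, Consulted, Informed

# Hypothetical assignments: role title -> people who perform it.
# One person may hold several roles; a role may be held by several people.
STAFF_ROLES = {
    "Perform Monitoring and Management": {"alice"},
    "Manage IT and Compliance Policies and Standards": {"bob", "carol"},
    "Define Security Requirements and Implement Security Solutions": set(),
}

METRIC = ("Report on the percentage of policy compliance reviews "
          "where there were no violations of compliance noted")

# Hypothetical metric -> {role: RACI letter}.
METRIC_RACI = {
    METRIC: {
        "Perform Monitoring and Management": "R",
        "Manage IT and Compliance Policies and Standards": "A",
        "Define Security Requirements and Implement Security Solutions": "C",
    },
}


def unstaffed_roles(metric_raci, staff_roles):
    """Roles a metric relies on that nobody holds: candidates for
    recruiting or outsourcing. Also rejects invalid RACI letters."""
    gaps = defaultdict(list)
    for metric, roles in metric_raci.items():
        for role, letter in roles.items():
            if letter not in RACI:
                raise ValueError(f"{metric!r}: {role!r} has RACI value {letter!r}")
            if not staff_roles.get(role):
                gaps[metric].append(role)
    return dict(gaps)


def awareness_list(metric_raci, staff_roles):
    """Everyone holding a role tied to a metric, i.e. who must be told about it."""
    people = defaultdict(set)
    for metric, roles in metric_raci.items():
        for role in roles:
            people[metric] |= staff_roles.get(role, set())
    return {m: sorted(p) for m, p in people.items()}


if __name__ == "__main__":
    print(unstaffed_roles(METRIC_RACI, STAFF_ROLES))
    print(awareness_list(METRIC_RACI, STAFF_ROLES))
```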

We've done the leg work for you

If you are wondering whether or not this is a lot of work, the answer is yes, but only if you had to start from scratch. We know there's no way you'd like that, so we've included in the implementation toolkit a suite of work functions already pre-defined and linked directly to the controls.

Figure: One of the pre-defined job functions

As we update them, you'll receive quarterly updates with the rest of the material that we have.
