
The support site for the Unified Compliance Framework


The UCF Compliance Document standard

It is high time that we had a normative standard for composing Compliance Documents and linking them to their original sources and controls. This document is the UCF's Compliance Document description standard, which defines how to craft organizational Compliance Documents from a list of harmonized controls.

The cDoc standard is designed to be linked directly to the UCF XML database so that each Compliance Document can be updated as new, modified, or deleted controls are assigned to the document.

The Compliance Document


A sample Compliance Document can be downloaded from HERE.

The contents of any given Compliance Document are as follows:

1. Compliance Document type designator. As of now, this can be Policy, Standard, Checklist, Procedure, or Plan. The UCF team will add more Compliance Document types as our XML Licensee demand dictates.

2. The Title of the particular Compliance Document, which comes from the base control the document is founded on.

3. The Compliance Document ID for the particular document. Each Compliance Document ID is a seven-digit number.

4. The Revision Date reflects the most recent date that the Compliance Document was updated in any form or fashion, including spelling, description changes, and changes in assigned controls.

5. The Compliance Document Description, which is a brief and to the point version of the Control Title that the Compliance Document is based upon.

6. The Scope, which is a roll up of all of the Assets assigned to each of the controls within the document, as well as the Assets assigned to the base control the document is founded on.

7. The Role Assignments, which is a roll up of all of the Roles assigned to each of the controls within the document, as well as the Roles assigned to the base control the document is founded on.

8. The Description, or core content, of the document, which is a taxonomically adjusted list of selected controls mapped to the Compliance Document. The description has several sub-parts:

8.a. Control Title, which is derived from the linked Control ID.

8.b. Control ID Reference, which is a hyperlink that brings the end user to an online repository of all citations for that control.

8.c. The list of assigned Roles for that particular control.

8.d. The list of mapped Assets for that particular control.

9. A link to the Definition of Key Terms, which is the UCF's online glossary. We chose this method instead of listing all of the terms, as the term sheet sometimes gets to be as long as the Compliance Document in question.

Where does this information come from?

The information in the Compliance Document Description standard comes from the UCF's XML database. We'll repeat each of the fields here with a descriptor for where the information can be found within the XML specification documents. The cDoc XML specification can be found HERE.

| Information | Method | XML Source Field |
|---|---|---|
| Type Designator | Direct | UCF_cDoc_Type |
| Title | Linked from the UCF_Controls List | UCF_CE_Control_Title through UCF_cDoc_Primary_CE_ID |
| Compliance Document ID | Direct | UCF_cDoc_ID |
| Revision Date | Direct | UCF_cDoc_Date_Modified |
| Description | Direct | UCF_cDoc_Description |
| Scope | Calculated List of all Assets assigned to the Controls associated with the document linked through the Assets to Controls join list | UCF_Asset_Name through UCF_CE_ID |
| Assignments | Calculated List of all Roles assigned to the Controls associated with the document linked through the Roles to Controls join list | UCF_Role_Name through UCF_CE_ID |
| Content | Linked and calculated from the UCF Controls List | Various parts of the Content complex element |
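
The calculated fields above (Scope, Assignments, Content) can be derived as in the following added example, which is not part of the UCF specification or its tooling. The field names come from the table; the record layout, the list of controls assigned to the document, and all sample values are constructed assumptions.

```python
import re

# Constructed sample data (not from the UCF database). Field names come from
# the page; the record layout and the cDoc-to-control list are assumptions.
CDOC = {"UCF_cDoc_ID": "0001234", "UCF_cDoc_Type": "Policy",
        "UCF_cDoc_Primary_CE_ID": "100"}
CONTROLS = {  # UCF_CE_ID -> UCF_CE_Control_Title
    "100": "Establish a backup policy",
    "101": "Perform backups",
    "102": "Test backup media",
}
CDOC_CONTROLS = ["101", "102"]  # controls assigned to the document (assumed list)
ASSETS_TO_CONTROLS = [  # (UCF_Asset_Name, UCF_CE_ID) join rows
    ("Backup server", "100"), ("Backup server", "101"),
    ("Tape library", "102"), ("Mail server", "999"),  # 999 is not in this document
]
ROLES_TO_CONTROLS = [  # (UCF_Role_Name, UCF_CE_ID) join rows
    ("IT Manager", "100"), ("Backup Operator", "101"), ("Backup Operator", "102"),
]
ALLOWED_TYPES = {"Policy", "Standard", "Checklist", "Procedure", "Plan"}


def roll_up(join_rows, control_ids):
    """Return the sorted, de-duplicated names joined to any of control_ids."""
    wanted = set(control_ids)
    return sorted({name for name, ce_id in join_rows if ce_id in wanted})


def build_cdoc(cdoc, controls, cdoc_controls, assets, roles):
    """Assemble the header fields and per-control content of a Compliance Document."""
    if not re.fullmatch(r"\d{7}", cdoc["UCF_cDoc_ID"]):
        raise ValueError("Compliance Document ID must be a seven-digit number")
    if cdoc["UCF_cDoc_Type"] not in ALLOWED_TYPES:
        raise ValueError("unknown Compliance Document type")
    base = cdoc["UCF_cDoc_Primary_CE_ID"]
    in_scope = [base, *cdoc_controls]  # base control counts toward both roll-ups
    missing = [c for c in in_scope if c not in controls]
    if missing:
        raise ValueError(f"controls not in the Controls List: {missing}")
    return {
        "Title": controls[base],  # title is taken from the base control
        "Scope": roll_up(assets, in_scope),
        "Role Assignments": roll_up(roles, in_scope),
        "Content": [
            {"Control Title": controls[c], "Control ID": c,
             "Roles": roll_up(roles, [c]), "Assets": roll_up(assets, [c])}
            for c in cdoc_controls
        ],
    }
```

Because the roll-ups are recomputed from the join lists each time, adding or removing a control changes Scope and Role Assignments without any hand editing of the document.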
