The UCF Controls XML specification
This describes the XML representation of the UCF's main controls database. Each of the elements, types, and attributes that make up the format is described in detail. As such, it is the centerpiece of the UCF's XML list.
The Controls XML structure is defined by the XSD at the following URL:
http://unifiedcompliance.com/NFI/XSDs/UCF_Controls_v2_1.xsd
Note that the schema is served over plain HTTP, which provides no integrity protection. A consumer that validates feeds against it should keep a vetted local copy of the XSD and validate against that copy rather than fetching the schema at run time.
UCF_CE_Item (UCF_CE_Item_Type)
The UCF_CE_List is comprised of UCF_CE_Item containers. Each container is split into three key elements that must always be present:
- UCF_Meta_Data
- UCF_Basic_Info
- UCF_References
UCF_Meta_Data (UCF_Meta_Data_Type)
For detailed documentation of the meta data fields, refer to the Meta Data documentation. Below is the list of meta data fields included in the Controls list.
- UCF_CE_ID
- UCF_CE_ID_CheckDigit
- UCF_CE_Genealogy
- UCF_CE_Sort_ID
- UCF_CE_Live_Status
- UCF_CE_Deprecated_By
- UCF_CE_Deprecation_Notes
- UCF_CE_Date_Added
- UCF_CE_Date_Modified
- UCF_CE_Release_Version
UCF_Basic_Info (UCF_Basic_Info_Type)
The UCF_Basic_Info element holds exactly what you'd expect: the most critical information that applies to every type of control, whether or not that control is also a metric or also an audit question.
UCF_CE_Control_Title (xs:string)
This is a harmonized control title of 255 characters or less. Every unique control added to the database must have a control title, and each time a matching control is threaded into the database the control title is checked again to ensure its continued accuracy.
Control titles are formatted in traditional sentence case.
UCF_CE_Control_Statement (xs:string)
Control Statements are calculated by an algorithm from the various entities linked to each control. Each control can be assigned to one or more metrics; compliance documents (policies, standards, procedures, etc.); assets (and their configurable items); roles; data (think data fields); and associated file or record types.
![controls-xml-specification-1.png [image]](http://www.unifiedcompliance.com/converted/images/controls-xml-specification-1.png)
Controls assigned to various entities
Because of this linkage between a control and its assigned entities, what the control is trying to achieve can be derived automatically from those assignments, which is why the control statement element is defined as a text-based algorithm.
For example, let's say the control is linked to a metric. The control's statement would be calculated by pulling information from the metric and stating the objective as:
"The organization will report on the percentage of individuals whose access privileges have been reviewed [00004]."
Notice that the linked metric is identified by its ID field. This is done for cross-reference purposes.
If the control has multiple assignments, the Control Statement reflects each one, as in this statement for a control that is linked to assets and to a specific metric and has been assigned to several roles:
"The organization will properly configure all asset artifacts tied directly to this control and establish and maintain an event and activity logging and monitoring metrics management program [00636]. As such, this control should be assigned to Perform Monitoring and Management [0000046], Perform Administration and Maintenance [0000047], and Perform Security Administration [0000077]."
The one difference here is that the assets are neither enumerated nor linked by their IDs, because the list of configurable items for each asset can get quite long.
Our algorithm rules for this element are as follows, applied in this order:
1. If the control is one of the top-level controls, the statement reads in its entirety: "This control demarcates one of the UCF's Impact Zones and as such, has no auditable value."
2. If the control is assigned to the creation and maintenance of a Compliance Document (a policy, standard, procedure, checklist, plan, etc.), the control statement contains the text "the organization should create and maintain suitable compliance documents such as" followed by a comma-delimited list of all compliance documents the control is directly assigned to.
3. If the control is assigned as a sub-part of a Compliance Document, the control statement contains the text "the organization should ensure this control is maintained as an integral part in compliance documents such as" followed by a comma-delimited list of all compliance documents the control is assigned to as a sub-part.
4. If the control is assigned to configuring one or more assets and their configurable items, the control statement contains the text "the organization should properly configure all asset artifacts tied directly to this control." Because the configurable items list can sometimes be quite long, we have elected for now not to list each asset and its configurable items. If this poses a problem, let us know on the forum and we will adjust the rule as necessary.
5. If the control is assigned to one or more data elements, record types, or record categories, the control statement contains the text "the organization should properly protect the data elements/record types/record categories of" followed by a list of all assigned data elements, record types, and record categories.
6. If the control is assigned to one or more roles, the control statement concludes with "The organization should assign this control to the role(s) of" followed by a comma-delimited list of all roles assigned to the control.
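The six ordered rules, together with the metric linkage shown in the sample statements, amount to a small text generator. The following is an added example written for this page, not code from the UCF project: the Control dataclass and its field names are assumptions, the sample entity names and IDs are constructed, and because the page does not say where a metric clause sits relative to the numbered rules, the metric clause is placed after rule 5 and before the concluding roles sentence, which matches the ordering of the second sample statement above. It uses the "should" wording of the numbered rules rather than the "will" of the sample statements.

```python
"""Generate a UCF_CE_Control_Statement from a control's assignments.

Added example illustrating the six ordered rules on this page; not code
from the UCF project.  All entity names and IDs in the sample are constructed.
"""
from dataclasses import dataclass, field

TOP_LEVEL_TEXT = ("This control demarcates one of the UCF's Impact Zones "
                  "and as such, has no auditable value.")


@dataclass
class Control:                                             # assumed structure, not a UCF type
    title: str
    is_top_level: bool = False                             # rule 1: Impact Zone marker
    documents_created: list = field(default_factory=list)  # rule 2: documents it creates/maintains
    documents_part_of: list = field(default_factory=list)  # rule 3: documents it is a sub-part of
    has_assets: bool = False                               # rule 4: assets are never enumerated
    data_items: list = field(default_factory=list)         # rule 5: data elements/record types/categories
    metrics: list = field(default_factory=list)            # (objective, id) pairs, as in the page's samples
    roles: list = field(default_factory=list)              # rule 6: (name, id) pairs


def cross_ref(name: str, ident: str) -> str:
    """Append the UCF ID for cross-referencing, e.g. 'Perform Monitoring [0000046]'."""
    return f"{name} [{ident}]"


def join_list(items: list) -> str:
    """Comma-delimited list with a final 'and': 'a', 'a and b', 'a, b, and c'."""
    if len(items) <= 1:
        return "".join(items)
    if len(items) == 2:
        return f"{items[0]} and {items[1]}"
    return ", ".join(items[:-1]) + f", and {items[-1]}"


def control_statement(c: Control) -> str:
    """Apply the rules in order and return the calculated statement."""
    if c.is_top_level:                # rule 1 replaces the whole statement
        return TOP_LEVEL_TEXT
    clauses = []
    if c.documents_created:           # rule 2
        clauses.append("create and maintain suitable compliance documents such as "
                       + join_list(c.documents_created))
    if c.documents_part_of:           # rule 3
        clauses.append("ensure this control is maintained as an integral part in "
                       "compliance documents such as " + join_list(c.documents_part_of))
    if c.has_assets:                  # rule 4: fixed text, no asset list
        clauses.append("properly configure all asset artifacts tied directly to this control")
    if c.data_items:                  # rule 5
        clauses.append("properly protect the data elements/record types/record categories of "
                       + join_list(c.data_items))
    for objective, ident in c.metrics:   # metric objective with its ID, as in the page's samples
        clauses.append(cross_ref(objective, ident))
    sentences = []
    if clauses:
        sentences.append("The organization should " + join_list(clauses) + ".")
    if c.roles:                       # rule 6 always concludes the statement
        sentences.append("The organization should assign this control to the role(s) of "
                         + join_list([cross_ref(n, i) for n, i in c.roles]) + ".")
    return " ".join(sentences)        # empty string when the control has no assignments


if __name__ == "__main__":
    sample = Control(                 # constructed to mirror the page's second sample statement
        title="Establish and maintain a logging and monitoring metrics program",
        has_assets=True,
        metrics=[("establish and maintain an event and activity logging and "
                  "monitoring metrics management program", "00636")],
        roles=[("Perform Monitoring and Management", "0000046"),
               ("Perform Administration and Maintenance", "0000047"),
               ("Perform Security Administration", "0000077")],
    )
    print(control_statement(sample))
```

Rule 1 short-circuits everything else, so a top-level control with stray role assignments still yields only the Impact Zone sentence; a control with no assignments at all yields an empty statement, which the page leaves unspecified.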
UCF_CE_Policy_Statement (xs:string)
This is a harmonized policy statement of 255 characters or less that expresses the intent of the control in policy form. This field only became mandatory around 2006, and we are slowly backfilling the controls that lack a policy statement.
This element is being phased out in favour of the UCF_CE_Control_Statement element. Until the new element has been fully populated, we will retain this older element.
UCF_CE_Impact_Zone (UCF_CE_Impact_Zone_Type)
The UCF_CE_Impact_Zone denotes one of the thirteen IT Impact Zones, or logical demarcation points, that the UCF team uses to organize the controls library. This element can be used to separate the controls into their zones or to create separate output reports per zone. It is an enumerated list, currently as follows:
- Acquisition of facilities, technology, and services
- Audits and risk management
- System Hardening through configuration management
- Application design and implementation
- Human resources management for the IS staff
- Leadership and high level objectives
- Monitoring and measurement
- Operational management
- Physical and environmental management
- Privacy protection for information and data
- Records management
- Systems continuity
- Technical security
UCF_References (UCF_References_Type)
UCF_Citation_ID (UCF_ID_Type2)
This is the ID of the matching citations found within the Authority Documents; it links to the Citations Mapping list.
UCF_Record_ID (UCF_ID_Type2)
This is the ID of the matching record types found within the Information Classification list.
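With the three parts of a UCF_CE_Item described, a consumer of the feed can parse each container and check the constraints this page states: the three mandatory children, a non-empty title of at most 255 characters, an Impact Zone drawn from the thirteen enumerated values, and IDs kept as zero-padded text (the five- or seven-character rule is stated under UCF_Metric_ID below and, per that section, applies to the UCF's IDs generally). The following is an added example, not the UCF project's own tooling: the element names follow this page, but the page does not say whether meta data fields are child elements or attributes, so child elements are assumed; the sample document and every ID, title and status value in it are constructed.

```python
"""Parse a UCF Controls XML feed and sanity-check each UCF_CE_Item.

Added example, not the UCF project's own tooling.  Element names follow this
page; the sample document and every ID and title in it are constructed.
"""
import re
import xml.etree.ElementTree as ET   # for untrusted feeds, prefer defusedxml's drop-in replacement

REQUIRED_CHILDREN = ("UCF_Meta_Data", "UCF_Basic_Info", "UCF_References")

IMPACT_ZONES = frozenset({
    "Acquisition of facilities, technology, and services",
    "Audits and risk management",
    "System Hardening through configuration management",
    "Application design and implementation",
    "Human resources management for the IS staff",
    "Leadership and high level objectives",
    "Monitoring and measurement",
    "Operational management",
    "Physical and environmental management",
    "Privacy protection for information and data",
    "Records management",
    "Systems continuity",
    "Technical security",
})

# UCF IDs are zero-padded digit strings (five characters, seven from version 2).
# They are matched and sorted as text so the leading zeroes survive.
UCF_ID_RE = re.compile(r"^\d{5}(?:\d{2})?$")

# Constructed sample: one well-formed item and one with several defects.
SAMPLE_XML = """<UCF_CE_List>
  <UCF_CE_Item>
    <UCF_Meta_Data>
      <UCF_CE_ID>0000597</UCF_CE_ID>
      <UCF_CE_Live_Status>Live</UCF_CE_Live_Status>
    </UCF_Meta_Data>
    <UCF_Basic_Info>
      <UCF_CE_Control_Title>Review user access privileges periodically.</UCF_CE_Control_Title>
      <UCF_CE_Impact_Zone>Technical security</UCF_CE_Impact_Zone>
    </UCF_Basic_Info>
    <UCF_References>
      <UCF_Citation_ID>0001234</UCF_Citation_ID>
      <UCF_Record_ID>0000042</UCF_Record_ID>
    </UCF_References>
  </UCF_CE_Item>
  <UCF_CE_Item>
    <UCF_Meta_Data><UCF_CE_ID>597</UCF_CE_ID></UCF_Meta_Data>
    <UCF_Basic_Info>
      <UCF_CE_Control_Title>Malformed item.</UCF_CE_Control_Title>
      <UCF_CE_Impact_Zone>Network security</UCF_CE_Impact_Zone>
    </UCF_Basic_Info>
  </UCF_CE_Item>
</UCF_CE_List>"""


def validate_item(item: ET.Element) -> list:
    """Return the list of problems for one UCF_CE_Item (empty when it passes)."""
    problems = []
    for name in REQUIRED_CHILDREN:                      # the three mandatory children
        if item.find(name) is None:
            problems.append(f"missing required element {name}")
    ce_id = item.findtext("UCF_Meta_Data/UCF_CE_ID") or ""
    if not UCF_ID_RE.match(ce_id):                      # never int() these: leading zeroes matter
        problems.append(f"UCF_CE_ID {ce_id!r} is not a zero-padded 5- or 7-digit ID")
    title = item.findtext("UCF_Basic_Info/UCF_CE_Control_Title") or ""
    if not title:
        problems.append("missing UCF_CE_Control_Title")
    elif len(title) > 255:
        problems.append("UCF_CE_Control_Title exceeds 255 characters")
    zone = item.findtext("UCF_Basic_Info/UCF_CE_Impact_Zone")
    if zone not in IMPACT_ZONES:
        problems.append(f"UCF_CE_Impact_Zone {zone!r} is not one of the thirteen zones")
    for ref in item.findall("UCF_References/*"):        # UCF_Citation_ID / UCF_Record_ID
        if not UCF_ID_RE.match(ref.text or ""):
            problems.append(f"{ref.tag} {ref.text!r} is not a valid UCF ID")
    return problems


def load_controls(xml_text: str) -> dict:
    """Map each item's UCF_CE_ID (kept as text) to its list of problems."""
    root = ET.fromstring(xml_text)
    report = {}
    for item in root.iter("UCF_CE_Item"):
        ce_id = item.findtext("UCF_Meta_Data/UCF_CE_ID") or "<no id>"
        report[ce_id] = validate_item(item)
    return report


if __name__ == "__main__":
    for ce_id, problems in sorted(load_controls(SAMPLE_XML).items()):   # text sort keeps zeroes
        print(ce_id, "OK" if not problems else "; ".join(problems))
```

This is a structural sanity check, not a substitute for XSD validation; run it after validating against a local copy of the schema, and parse feeds from outside your control with a hardened parser such as defusedxml rather than the standard ElementTree.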
UCF_Metric_Info (UCF_Metric_Info_Type)
This area of the database was added in Q1 2008 and tracks the various authority documents' take on the types of metrics information that should be used within a compliance program. In partnership with MetricsCenter.org, SecurityMetrics.org, and the Center for Internet Security, the UCF is mapping a wealth of metric information.
UCF_Metric_ID (UCF_ID_Type)
This is the UCF's unique and persistent identifier, which we test for. The ID is a text-based numeric identifier that is currently five characters long; with the move to version 2 in Q1 2010 it becomes seven characters long (e.g., 0000597). These IDs, like other records within the UCF's tables, are expressed as numbers with leading zeroes and must therefore be stored and sorted as text so that the leading zeroes are not dropped accidentally.
UCF_Metric_Title (xs:string)
This is the title of the metric report being created.
UCF_Metric_Calculation (xs:string)
This is the calculation that defines the metric. A sample calculation might be "# of key IT assets for which an assurance strategy has been implemented / # IT assets."
UCF_Metric_Information_Source (xs:string)
This is where the person(s) creating the metric would need to go to find the data to support the calculation. A sample that fits the above metric might be "The assets in your CMDB as the base / # of assets that have assigned configuration standards and controlling procedures."
UCF_Metric_Target_Result (xs:string)
This is usually expressed as "low is good" or "low is bad."
UCF_Metric_Presentation_Format (UCF_Metric_Chart_Type)
This element defines the chart type to use when presenting the metric in question, drawn from the list of chart types defined by UCF_Metric_Chart_Type.