Details on Common Control Modifications

Changed Common Control (CC) Titles

This occurs when language is standardized.

Why?

The UCF is constantly evolving, and so are its best-of-class noun and verb phrases. For example, "establish, implement, and maintain" replaced any variation of those three verbs: who would establish something without implementing and maintaining it?

Upon review or based on guidance, the UCF team settles on the standardized language.

Impact

  • New language in the CC

Hierarchy Changes

This occurs when a CC is moved to a new place in the CC Hierarchy.

Why?

The UCF’s CCs are organized in a hierarchy broken down from general, widely applicable CCs to those that satisfy specific compliance requirements. The highest-level CCs represent the categories or Impact Zones under which each CC set falls.

Upon review or based on guidance, the UCF team determines a more appropriate CC placement.

Impact

  • New Implied CCs
  • New Implementation CCs
  • New sibling CCs

CC Merges

This occurs when two or more CCs are merged into one surviving CC.

Why?

With the vast number of CCs that the UCF manages, a degree of overlap is anticipated and sometimes necessary. Occasionally, based on changing requirements, enhanced conceptualization, or even a change in preferred word usage, two CCs may satisfy the same specific requirement. To eliminate CC redundancy, the CCs are merged. When merging CCs, the Mapping Team compares the two similar CCs through the Citations tab in the Research Portal by searching the CC IDs. Typically, the CC that is linked to the most Mandates will be the surviving CC.

Example:

CC 1 - Control access to personal data. - Linked to 18 Citations *surviving CC

CC 2 - Allow or disallow access to personal data. - Linked to 6 Citations *deprecated CC

If both CCs are linked to the same number of Mandates, the Mapping Team deliberates to determine the surviving CC based on the wording. After the CCs are merged, the citations linked to the deprecated CC are linked to the surviving CC on the back end.

Impact

  • New CC to Mandate mapping
  • Old CC deprecated
  • New Implied CCs
  • New Implementation CCs
  • New sibling CCs

CC Deprecated

This occurs when the UCF Team deprecates a CC.

Why?

This occurs when all Authority Documents (ADs) that map to a CC have been deprecated.

Impact

  • No impact

New CC Mapped

This occurs when the UCF Team creates a new CC that is a better match for a Mandate. This change rarely takes place; it is preferable to map to the new CC when a new version of the Authority Document is released.

Why?

As new regulations are passed and Unified Compliance’s coverage expands, the need for new CCs will arise. The need for a new CC is generally considered on a document-by-document basis, as most regulations currently served by Unified Compliance are covered by the existing CCs. New CCs are generally created only when no established CC will satisfy a compliance requirement, and that need is determined after careful examination of the current CCs. Mapping a new CC to an existing Mandate in a published Authority Document is rarely done.

Impact

  • New CC to Mandate mapping
  • New Implied CCs
  • New Implementation CCs
  • New sibling CCs

CC Split

This occurs when an existing CC is split into more than one CC.

Why?

When CCs are created, they are worded to satisfy a requirement in full without leaving gaps. This requires the CC’s wording to reflect the language of the Mandates at the time of the mapping. As Authority Documents are amended, updated, or replaced and requirements change, the language of the Mandates also changes. This can cause a CC to over-apply to a particular Mandate, or to cover only some elements of a Mandate while leaving coverage gaps. When this happens, it is sometimes necessary to split one CC into multiple CCs.

Example:

CC Title - Test risk controls for effectiveness and provide results to management

Mandate 1 - Evaluate the effectiveness of risk control measures

Mandate 2 - Provide the results of control assessments to management

In this case, the CC would need to be split to satisfy each requirement.

New CC 1 - Test risk control measures for effectiveness

New CC 2 - Share the results of control assessments with organizational management

One of the resulting CCs keeps the original CC ID; the other is net new and receives its own new CC ID.

Impact

  • New CC to Citation mapping
  • New language in the CC
  • New Implied CCs
  • New Implementation CCs
  • New sibling CCs

Actions to Take

  • A generated Build is static, so a new Build will need to be generated to reflect the CC changes.
  • Lists sent to GRC solutions will need to be resent for the changes to take effect in the GRC solution.