The UCF® Announces UCFinterchange to Support Cybersecurity
New Interchange Format Enables Automated Audits with Continuous Monitoring
When UCF developers leverage UCFi, their customers will be able to automatically apply any audits to any
systems in the enterprise -- and then maintain those audits through continuous monitoring. It's win-win.
Las Vegas, NV (PRWEB) September 24, 2013
Unified Compliance, the premier provider of IT compliance mapping and creators of the Unified Compliance
Framework® (UCF), announced UCFinterchange (UCFi) at the PCI Security Standards Council 2013 Community
Meeting.
Developed to support new global security regulatory demands as well as the U.S. Cybersecurity Initiative, UCFi
enables Secure Configuration Management (SCM) and Configuration Auditing (CA) tools to communicate directly
with Governance, Risk and Compliance (GRC) tools for security and compliance monitoring and reporting.
Continuous monitoring enables real-time response to new security threats and compliance demands. Without an
interchange format such as the UCFi, continuous monitoring and cybersecurity are siloed operations, incapable of
communicating in a meaningful way. This isolation approach has proven to be ineffective in securing systems, as
well as being costly, unnecessarily complex, and time-consuming.
“We fully expect UCFi to have an impact on all aspects of the compliance industry. When something that saves
significant time, costs, and effort becomes possible and is then implemented by industry leaders, regulators move
to adopt those requirements and insist the features be included in solutions so they can also get those results,”
said Craig Isaacs, CEO of Unified Compliance.
At this time, participating UCF partners include Qualys®, LockPath, MetricStream, NetIQ®, RSA Archer®, Allgress,
BWise®, CAaNES®, eGestalt Technologies, Lumension®, TraceSecurity, and Wolters Kluwer.
INSIDE THE UCFi
The systems that run many nations’ critical infrastructure -- such as the electric grid, drinking water, airports,
trains, and other transportation systems -- are increasingly networked. As with any networked system, these
systems are potentially vulnerable to a wide range of threats. Protecting these systems from cyber threats is
obviously critical to maintaining safety, essential public services, the economy, and homeland security.
In 2013, U.S. President Obama signed an Executive Order designed to increase the level of core capabilities for our
critical infrastructure to manage cyber risk. A key part of that initiative is the guidelines calling for continuous
monitoring and auditing of these essential, intricate networked systems.
Cybersecurity guidelines such as FedRAMP, CAESARS, and SAIR Tier III in the US, as well as an increasing number of
global cybersecurity initiatives such as the BSI Act in Germany and CIP/CIIP in Australia, all call for Secure
Configuration Management (SCM) and Configuration Auditing (CA) tools to communicate directly with
Governance, Risk and Compliance (GRC) tools.
The UCFinterchange (UCFi) format facilitates that communication.
UCFi utilizes a guideline set of XML specifications which allow UCF XML licensees to share information between
Governance, Risk and Compliance (GRC) tools and Secure Configuration Management (SCM) or Configuration
Auditing (CA) tools, using the existing UCF data structures and content.
UCFi is slated to go live in early 2014.
“The UCF is best known for making compliance with regulatory demands much easier,” said Isaacs. “But we’ve
been enabling more effective security processes as well. UCFi is a great example of how compliance supports
cybersecurity and vice-versa. When UCF developers leverage UCFi, their customers will be able to automatically
apply any audits to any systems in the enterprise -- and then maintain those audits through continuous
monitoring. It's win-win.”
UCF PARTNERS SHOW THEIR SUPPORT
eGestalt Technologies (http://www.eGestalt.com)
“We welcome the UCFi initiative from Unified Compliance,” said Anupam Sahai, eGestalt Co-Founder and
President. “This aligns quite well with eGestalt’s vision to provide a unified security monitoring and compliance
management solution through an easy-to-use cost-effective Cloud-SaaS solution. We like the ability of UCFi to help
promote the interoperability of various GRC and Security monitoring tools, thereby benefiting the end customers.
eGestalt is an SMB market leader in IT-GRC and security monitoring and this initiative will help us to further solidify
our ability to better serve our customers through interoperability with other solution(s).”
Qualys® (http://www.qualys.com)
“Unified Compliance Framework has built a comprehensive compliance database that unifies controls across all
authority documents, thus simplifying and centralizing compliance efforts,” said Philippe Courtot, chairman and
CEO for Qualys. “With the integration of the UCF into QualysGuard®, customers are now able to quickly map
technical standards to their internal policies or regulations and report on them through QualysGuard and GRC
solutions.”
LockPath (http://www.lockpath.com)
“The UCF has become an integral part of IT GRC initiatives. As Unified Compliance continues to innovate, its UCFi
format will enable GRC platforms like Keylight to form a deeper and more meaningful relationship within IT GRC
ecosystems,” said Chris Caldwell, LockPath CEO. “This important context will benefit our customers who have
adopted the UCF by providing powerful data correlation, enabling them to make better and faster business
decisions.”
MetricStream (http://www.metricstream.com)
“When deploying a GRC solution, mapping policy and regulatory requirements to security configurations for
continuous monitoring requires significant effort. UCFi provides the first standards based approach where security
configurations can be directly mapped back to policy and regulatory requirements in an automated manner,” said
Vasant Balasubramanian, VP of Product Management at MetricStream. “MetricStream is delighted to work on this
important initiative as we are witnessing a growing demand from customers for this. UCFi will enable our solutions
to seamlessly exchange information with solutions like NetIQ and Qualys to provide real-time visibility into the
state of information security and compliance related risks while keeping up with evolving regulations and
standards.”
NetIQ® (http://www.netiq.com)
“Given the complexity of today’s IT environments and regulatory landscape, IT organizations need visibility –
derived from consistent, actionable intelligence – so that they can accurately report on business risk,” commented
Michael Colson, senior product manager at NetIQ. “Participating in the UCF interchange ensures that we further
our mission of helping IT demonstrate business value in a consistent manner across the IT domain. By
standardizing how we report data the business uses to make decisions, organizations will be in a more
advantageous position to manage risk, better understand security, and meet compliance demands.”
Allgress (http://www.allgress.com)
“The information security industry is going through a major paradigm shift today from IT security centric
organizations to risk management organizations. This requires CISOs and security leadership to work with business
owners to automate their continuous monitoring efforts. Allgress is delighted to be part of the introduction and
ongoing evolution of the UCFi initiative with Unified Compliance, the industry authority in IT compliance mapping.
UCFi further extends unifying the interchange of configuration data along with standards, frameworks, best
practices in a common way so that business leaders can make educated decisions when used in conjunction with
the Allgress Insight Risk Management Suite,” said Gordon Shevlin, CEO at Allgress, Inc.
BWise® (http://www.bwise.com)
“The BWise® GRC Platform is designed to cover all aspects of a company’s GRC needs: tracking, measuring, and
managing key organizational risks. By integrating the UCF, BWise customers can easily select the set of regulations
that it must comply with and immediately execute IT controls,” said Luc Brandts, CTO and Founder of BWise, a
NASDAQ OMX company. “UCFi combined with BWise Data Analytics for Continuous Monitoring and Continuous
Auditing provides even more value by enabling information sharing between our GRC platform and Secure
Configuration Management or Configuration Auditing tools. This provides even more accurate and immediate risk
reporting and auditing.”
CAaNES® (http://www.caanes.com)
“RiskSense® is one of the first risk prioritization and attack mitigation platforms to leverage the power of UCFi to
provide contextual awareness and address compartmentalized and silo approaches to risk management,” said
Mark Fidel, president of CAaNES. “RiskSense facilitates communication between all levels of an organization, from
upper management to IT technicians, providing users with a holistic and succinct assessment of their security
posture and risks. Leveraging the power of UCFi, RiskSense automates a portion of the compliance process, easing
the burden at all levels of an organization so users have more time to focus on improving their security posture.”
Lumension® (http://www.lumension.com)
“Lumension® Risk Manager consolidates multiple sources of IT risk information and correlates this assessment data
across all IT assets, providing trending analysis and security posture scores,” said Chris Andrew, Vice President,
Security Technologies, Lumension. “UCFi integration is a welcome addition for LRM and Lumension® Endpoint
Management and Security Suite customers because it further streamlines the compliance process and increases
overall visibility.”
TraceSecurity (http://www.tracesecurity.com)
“TraceCSO was built with open architecture to accommodate the integration of other technologies and point
solutions. The UCFi aligns with this long-term strategic vision for TraceCSO, our flagship IT GRC software solution,
and gives TraceSecurity the ability to expedite integration with other UCF-based systems, eliminating the need for
complicated data model adaptation,” said Peter Stewart, president and CEO of TraceSecurity. “We see the UCFi as
an essential addition to our TraceCSO toolset for enabling customers to realize more effective IT GRC programs in
their organizations.”
Wolters Kluwer (http://www.wolterskluwer.com)
“Our customers value the UCF’s integrated and harmonised control content and will welcome an initiative such as
UCFi, that will simplify the process of integrating information from the systems used to define, manage and
monitor cybersecurity with their ARC Logics risk and compliance platform,” said Mike MacDonagh, Content
Director, Enterprise Risk and Compliance.
# # #
About Unified Compliance and the UCF
Since 1992, Unified Compliance has developed ground-breaking tools to support IT best practices, with a focus on
solutions and processes that further the science of compliance, including harmonization methods, metrics, systems
continuity and governance. The UCF was created by Dorian Cougias and his research partner, Marcelo Halpern of
the international law firm Perkins Coie, which oversees all legal aspects of the UCF. More information can be found
at http://www.unifiedcompliance.com.
About eGestalt Technologies
eGestalt (http://www.egestalt.com) is a world-class, innovation driven, leading provider of cloud-computing based
enterprise solutions for information security and IT-GRC management. eGestalt is headquartered in Santa Clara,
CA, and has offices in the US, Asia-Pacific and Middle East. eGestalt was named a 2013 'Emerging Vendor' by CRN
and UBM Channel in July 2013. eGestalt was named the Winner of TiE50 2013, a prestigious award for enterprising
technology startups worldwide, May 2013. eGestalt SecureGRC was given a rating of 4.5 stars (out of a maximum
5) with 5 stars for Features, Support and Value for money by SC magazine in June 2012. In Feb. 2012 and 2013,
eGestalt President Anupam Sahai was named a Channel Chief by Everything Channel's CRN. eGestalt has been
ranked in the Top 10 Vendors for Compliance Management and Data Access & Security by Hypatia Research, Q4
2011.