News

IMPORTANT Updates to the Unified Compliance Framework®

August 27, 2020

Here is the list of the updates carried out in August 2020, in preparation for the twentieth anniversary of the UCF®.

Merging and Retiring Common Controls

Changed CC_ID | Changed Control Name | Change Type | Surviving CC_ID | Surviving Control Name
5569 | Enable or disable the caching of RBAC exec_attr, as appropriate. | Merge | 5568 | Configure role-based access control (RBAC) caching elements to organizational standards.
5570 | Enable or disable the caching of RBAC user_attr, as appropriate. | Merge | 5568 | Configure role-based access control (RBAC) caching elements to organizational standards.
10054 | Assign accountability for the Information Governance Plan to senior management. | Merge | 609 | Involve the Board of Directors in Information Governance.
12672 | Include a description of the personal data processing operations in the Data Protection Impact Assessment. | Merge | 12673 | Include the description and purpose of personal data processing in the Data Protection Impact Assessment.
2051 | Report on the percentage of audit findings that have been corrected since the last audit. | Merge | 1678 | Report on the percentage of audit findings that have been resolved since the last audit.
754 | Review and update the continuity plan. | Merge | 752 | Establish and maintain a continuity plan and associated continuity procedures.
13300 | Review and update the recovery plan, as necessary. | Merge | 13288 | Establish and maintain a recovery plan.
4498 | Update the system's backup procedures after an approved change has occurred. | Merge | 1258 | Establish and maintain backup procedures for in scope systems.
6259 | Update the privacy policy, as necessary. | Merge | 6281 | Establish and maintain a privacy policy.
13310 | Conduct external audits of the organization's risk assessment within any mandated timeframes. | Merge | 13308 | Conduct external audits of the organization's risk assessment.
13263 | Include addressing telecommunication diversity in the business continuity testing strategy. | Merge | 13252 | Include addressing telecommunications circuit diversity in the business continuity testing strategy.
1755 | Record actions taken to contain and limit a data loss event in the incident response report. | Merge | 12708 | Include corrective action that was taken to eradicate the security incident in the incident response report.
7048 | Update the information classification standard regularly or when new threats are discovered. | Merge | 601 | Establish and maintain an information classification standard.
528 | Include access control procedures in the access control program. | Merge | 11663 | Establish and maintain access control procedures.
1121 | Conduct a management level post implementation review. | Merge | 1003 | Conduct a post implementation review when the system design project ends.
1750 | Establish electronic authentication before transmitting restricted data or restricted information between devices. | Merge | 1429 | Require the system to identify and authenticate approved devices before establishing a connection to restricted data.
12934 | Identify and document conditions of non-compliance with the organizational compliance framework. | Merge | 6499 | Identify and document instances of non-compliance with the organizational compliance framework.
1082 | Implement security controls into the system during the development process. | Merge | 6270 | Implement security controls when developing systems.
6652 | Change cipher lock codes upon authorized personnel status change or termination. | Merge | 6651 | Change cipher lock codes, as necessary.

Moving Common Controls in the Hierarchy

Changed CC_ID | Changed Control Name | Change Type | New Parent CC_ID | New Parent Control Name
689 | Establish and maintain an Information Technology inventory with asset discovery audit trails. | Hierarchy Move | 6631 | Establish, implement, and maintain an asset inventory database.
653 | Disseminate and communicate the reviews of audit reports to organizational management. | Hierarchy Move | 6731 | Establish and maintain organizational audit reports.
6371 | Install and maintain remote control software and other remote control mechanisms on critical systems. | Hierarchy Move | 7117 | Disseminate and communicate the audit report to all interested personnel and affected parties identified in the distribution list.
6371 | Install and maintain remote control software and other remote control mechanisms on critical systems. | Hierarchy Move | 1421 | Control remote access through a network access control.
12339 | Include the information flow of restricted data in the risk assessment program. | Hierarchy Move | 687 | Establish, implement, and maintain a risk assessment program.
6447 | Include the need for risk assessments in the risk assessment program. | Hierarchy Move | 687 | Establish, implement, and maintain a risk assessment program.
13093 | Refrain from adopting impromptu measures when continuity procedures exist. | Hierarchy Move | 10604 | Implement the continuity plan, as necessary.
12324 | Prohibit remote access to systems processing cleartext restricted data or restricted information. | Hierarchy Move | 1421 | Control remote access through a network access control.
11677 | Evaluate and react to when unauthorized access is detected by physical entry point alarms. | Hierarchy Move | 1639 | Monitor physical entry point alarms.
6365 | Build the Information Technology facility with fire resistant materials. | Hierarchy Move | 6366 | Build the Information Technology facility according to applicable building codes.
12571 | Monitor and review environmental protections. | Hierarchy Move | 12570 | Employ environmental protections.
13236 | Include testing cycles and test scope in the business continuity testing policy. | Hierarchy Move | 13235 | Establish, implement, and maintain a business continuity testing policy.
1369 | Include a system acquisition process for critical systems in the emergency mode operation plan. | Hierarchy Move | 11694 | Include emergency operating procedures in the continuity plan.