IMPORTANT Updates to the Unified Compliance Framework®
Here is the list of the updates carried out in August 2020, in preparation for the twentieth anniversary of the UCF®.
Merging and Retiring Common Controls
Changed CC_ID | Changed Control Name | Change Type | Surviving CC_ID | Surviving Control Name |
5569 | Enable or disable the caching of RBAC exec_attr, as appropriate. | Merge | 5568 | Configure role-based access control (RBAC) caching elements to organizational standards |
5570 | Enable or disable the caching of RBAC user_attr, as appropriate. | Merge | 5568 | Configure role-based access control (RBAC) caching elements to organizational standards |
10054 | Assign accountability for the Information Governance Plan to senior management | Merge | 609 | Involve the Board of Directors in Information Governance. |
12672 | Include a description of the personal data processing operations in the Data Protection Impact Assessment has merged with 12673 | Merge | 12673 | Include the description and purpose of personal data processing in the Data Protection Impact Assessment. |
2051 | Report on the percentage of audit findings that have been corrected since the last audit. | Merge | 1678 | Report on the percentage of audit findings that have been resolved since the last audit. |
754 | Review and update the continuity plan. | Merge | 752 | Establish and maintain a continuity plan and associated continuity procedures. |
13300 | Review and update the recovery plan, as necessary. | Merge | 13288 | Establish and maintain a recovery plan. |
4498 | Update the system's backup procedures after an approved change has occurred. | Merge | 1258 | Establish and maintain backup procedures for in scope systems. |
6259 | Update the privacy policy, as necessary. | Merge | 6281 | Establish and maintain a privacy policy. |
13310 | Conduct external audits of the organization's risk assessment within any mandated timeframes. | Merge | 13308 | Conduct external audits of the organization's risk assessment. |
13263 | Include addressing telecommunication diversity in the business continuity testing strategy. | Merge | 13252 | Include addressing telecommunications circuit diversity in the business continuity testing strategy. |
1755 | Record actions taken to contain and limit a data loss event in the incident response report. | Merge | 12708 | Include corrective action that was taken to eradicate the security incident in the incident response report. |
7048 | Update the information classification standard regularly or when new threats are discovered. | Merge | 601 | Establish and maintain an information classification standard. |
528 | Include access control procedures in the access control program. | Merge | 11663 | Establish and maintain access control procedures. |
1121 | Conduct a management level post implementation review. | Merge | 1003 | Conduct a post implementation review when the system design project ends. |
1750 | Establish electronic authentication before transmitting restricted data or restricted information between devices. | Merge | 1429 | Require the system to identify and authenticate approved devices before establishing a connection to restricted data. |
12934 | Identify and document conditions of non-compliance with the organizational compliance framework. | Merge | 6499 | Identify and document instances of non-compliance with the organizational compliance framework. |
1082 | Implement security controls into the system during the development process. | Merge | 6270 | Implement security controls when developing systems. |
6652 | Change cipher lock codes upon authorized personnel status change or termination. | Merge | 6651 | Change cipher lock codes, as necessary. |
Moving Common Controls in the Hierarchy
Changed CC_ID | Changed Control Name | Change Type | New Parent CC_ID | New Parent Control Name |
689 | Establish and maintain an Information Technology inventory with asset discovery audit trails. | Hierarchy Move | 6631 | Establish, implement, and maintain an asset inventory database. |
653 | Disseminate and communicate the reviews of audit reports to organizational management. | Hierarchy Move | 6731 | Establish and maintain organizational audit reports. |
6371 | Install and maintain remote control software and other remote control mechanisms on critical systems. | Hierarchy Move | 7117 | Disseminate and communicate the audit report to all interested personnel and affected parties identified in the distribution list. |
6371 | Install and maintain remote control software and other remote control mechanisms on critical systems. | Hierarchy Move | 1421 | Control remote access through a network access control. |
12339 | Include the information flow of restricted data in the risk assessment program. | Hierarchy Move | 687 | Establish, implement, and maintain a risk assessment program. |
6447 | Include the need for risk assessments in the risk assessment program. | Hierarchy Move | 687 | Establish, implement, and maintain a risk assessment program. |
13093 | Refrain from adopting impromptu measures when continuity procedures exist. | Hierarchy Move | 10604 | Implement the continuity plan, as necessary. |
12324 | Prohibit remote access to systems processing cleartext restricted data or restricted information. | Hierarchy Move | 1421 | Control remote access through a network access control. |
11677 | Evaluate and react to when unauthorized access is detected by physical entry point alarms. | Hierarchy Move | 1639 | Monitor physical entry point alarms. |
6365 | Build the Information Technology facility with fire resistant materials. | Hierarchy Move | 6366 | Build the Information Technology facility according to applicable building codes. |
12571 | Monitor and review environmental protections. | Hierarchy Move | 12570 | Employ environmental protections. |
13236 | Include testing cycles and test scope in the business continuity testing policy. | Hierarchy Move | 13235 | Establish, implement, and maintain a business continuity testing policy. |
1369 | Include a system acquisition process for critical systems in the emergency mode operation plan. | Hierarchy Move | 11694 | Include emergency operating procedures in the continuity plan. |