I think that Eramba does not support UCF by default. But I was wondering if anyone has implemented it by using custom fields and custom templates?
What I have in mind is having a structure like below and being able to create filters and views on each of these columns, or maybe something more efficient like drag and drop or linking multiple compliance packages to one requirement.
UCF (and SCF and all other canned packages like that) are “problems” per the problems vs. solutions principle, in my opinion.
Therefore, you would create a compliance package for UCF and map your controls to it, but I don’t see how it would give you any value as your ultimate need is to determine your compliance with an actual requirement to your organization like PCI.
Therefore, my suggestion here is to use UCF as a guide to help you with mapping your controls to compliance packages instead…
It’s because our management wants to see, if I cover one compliance gap, how much coverage that control would give me for other similar compliance gaps.
Like I have a gap of not doing risk assessments for new projects in regulation no. 1. If I comply with this regulation no. 1, would that help me comply with regulation no. 2 or regulation no. 3, even partially?
Effort estimation, you can say. It helps to push the controls to the business.
I understand the value part. I don’t see it either in some cases from an actual work perspective, but it’s one of management’s asks to get that sort of a view. And the idea behind UCF is mainly to guide. It becomes a good selling point to the business: that if you do this one control you can comply with this many compliance requirements, sort of a thing, and having a place where I can show them this mapping.
So, I think I got distracted by the UFC/UCF reference - thinking about this a bit more, this is exactly what Eramba does and can report on.
Specifically, you’d want to load each “thing” you want to be compliant with as a compliance package (i.e. ISO, PCI, etc.) and then perform a compliance analysis on each of the packages using your controls that you have in place. In there, you can evaluate the efficacy of the solution - i.e. Control A that 100% meets ISO but only meets 70% of a PCI requirement is set during the compliance analysis. Then you should be able to run reports, showing the “problems” that are solved by the control, whether they meet it fully, etc.
If you need extra fields, you can always add custom fields to the package or analysis to help with reporting.
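The report described in the thread (one control mapped to requirements in several compliance packages with a coverage percentage each, then asking "if I close this gap, what else does it buy me?") can be modelled outside the tool as a plain many-to-many mapping. The script below is an added example written for this thread; it is not Eramba's code or data model, and the control names, package names, requirement IDs and percentages are constructed sample data. It computes per-package coverage from the best mapping for each requirement, lists remaining gaps, and reports the uplift a single additional control would give every package, which is the "effort estimation" view management asked for.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Mapping:
    """One control mapped to one requirement of one package, with how much of it the control covers."""
    control: str
    package: str
    requirement: str
    coverage: int  # percent, 0..100, as set during compliance analysis


# Constructed sample data (hypothetical names and values, not from any real package).
MAPPINGS = [
    Mapping("CTL-01 Project risk assessment", "Regulation 1", "R1-4.2", 100),
    Mapping("CTL-01 Project risk assessment", "Regulation 2", "R2-7.1", 70),
    Mapping("CTL-01 Project risk assessment", "Regulation 3", "R3-1.3", 40),
    Mapping("CTL-02 Access review", "Regulation 2", "R2-3.5", 100),
    Mapping("CTL-02 Access review", "Regulation 3", "R3-1.3", 60),
]

# Every requirement each package contains, so unmapped requirements count as 0% covered.
REQUIREMENTS = {
    "Regulation 1": ["R1-4.2", "R1-5.1"],
    "Regulation 2": ["R2-3.5", "R2-7.1"],
    "Regulation 3": ["R3-1.3", "R3-2.2"],
}


def requirement_coverage(mappings, implemented):
    """Best coverage per (package, requirement), counting only controls that are in place.

    Two partial controls on the same requirement do not add up; the strongest one wins,
    which avoids reporting more than 100% for a requirement.
    """
    best = defaultdict(int)
    for m in mappings:
        if m.control in implemented:
            key = (m.package, m.requirement)
            best[key] = max(best[key], min(m.coverage, 100))
    return dict(best)


def package_coverage(mappings, requirements, implemented):
    """Average requirement coverage per package, as a percentage rounded to one decimal."""
    cov = requirement_coverage(mappings, implemented)
    result = {}
    for pkg, reqs in requirements.items():
        total = sum(cov.get((pkg, r), 0) for r in reqs)
        result[pkg] = round(total / len(reqs), 1)
    return result


def gaps(mappings, requirements, implemented, threshold=100):
    """Requirements still below the threshold: (package, requirement, coverage) tuples."""
    cov = requirement_coverage(mappings, implemented)
    return sorted(
        (pkg, r, cov.get((pkg, r), 0))
        for pkg, reqs in requirements.items()
        for r in reqs
        if cov.get((pkg, r), 0) < threshold
    )


def uplift_from(control, mappings, requirements, implemented):
    """How much each package's coverage rises if one more control is implemented.

    Packages whose coverage does not change are left out of the result.
    """
    before = package_coverage(mappings, requirements, implemented)
    after = package_coverage(mappings, requirements, implemented | {control})
    return {
        pkg: round(after[pkg] - before[pkg], 1)
        for pkg in requirements
        if after[pkg] != before[pkg]
    }


if __name__ == "__main__":
    in_place = {"CTL-02 Access review"}
    print("Coverage now:", package_coverage(MAPPINGS, REQUIREMENTS, in_place))
    print("Open gaps:", gaps(MAPPINGS, REQUIREMENTS, in_place))
    print("Uplift from CTL-01:", uplift_from("CTL-01 Project risk assessment", MAPPINGS, REQUIREMENTS, in_place))
```

With only the access review in place, Regulation 2 sits at 50% and Regulation 3 at 30%; adding the project risk assessment control lifts Regulation 1 by 50 points and Regulation 2 by 35, but does nothing for Regulation 3 because its 40% mapping is weaker than the 60% the access review already provides. That last case is the one to watch in any such report: overlapping partial mappings must not be summed.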