Compliance

Requirements

Role Specific Access

The vucavoid requirements feature is accessible to users with the following roles:

  • Compliance Manager: Users with this role have comprehensive access to manage, create, and oversee requirements within the system.
  • Requirement Manager: This role focuses on the management and organization of specific requirements, including the creation and modification of requirement details.

Overview

Requirements are at the core of compliance management, yet they are often overlooked or not taken care of sufficiently.

To quote our founder Alexander Clemm:

Tell compliance from front to back, not in reverse.

Requirements are where compliance starts: they set the baseline for what needs to be done. Compliance management has no inherent purpose of its own; it needs external guidance.

So, telling compliance from front starts with requirements. Telling compliance from the back would start with risks, incidents and findings that an organization reacts to. For a proper, resilient compliance posture, organizations need to proactively plan instead of planning along the way by reacting to hits taken.

In vucavoid, requirements are built in a two layer model that is important to understand. Using both layers takes full advantage of vucavoid's features. vucavoid can still be used with a simplified approach, although this is not recommended.

Overview over the requirements feature in vucavoid (demo data).

Two layer model

In vucavoid, requirements are built as clusters of references. References are the actual requirements an organization is facing.

Before this gets too complicated, let's start with an example of how these two layers interact.

Example

Consider an organization that is confronted with multiple requirements from internal and external sources. See the following table for a sneak peek:

ID | Requirement | Source
1 | The Service Provider must enforce role-based access control, allowing only authorized personnel access to sensitive systems. Quarterly reviews and Client approval are required for any changes. | Contract (SLA)
2 | Access to personal data must be restricted to necessary personnel, with technical measures like encryption in place. Access logs should be maintained and reviewed regularly. | Law (e. g. GDPR)
3 | Access is granted on a least-privilege basis, requiring approval from a supervisor and the Information Security team. Annual reviews are mandatory to ensure compliance. | Internal policy
4 | The Service Provider must maintain an updated inventory of all assets related to service delivery, ensuring they are adequately protected. Quarterly audits must be conducted, and the results shared with the Client. | Contract (SLA)
5 | All financial data-related assets must be tracked and managed securely, with controls in place to prevent unauthorized access or alteration. Regular reviews are required to ensure asset integrity. | Law (e. g. SOX Act)
6 | All company assets, including hardware, software, and data, must be recorded in the asset management system. Access to assets is restricted and monitored, with annual reviews to ensure accuracy and security. | Internal policy

Now, IDs 1 to 3 are all related to access management and have clear overlaps in their details.

Also, IDs 4 to 6 are all related to asset management - also with clear overlaps in their details.

vucavoid recommends adding IDs 1 to 6 as references and building two requirements (clusters): one for access management with IDs 1 to 3 attached to it, and one for asset management with IDs 4 to 6 attached to it.

Each requirement cluster needs a (cluster) objective in vucavoid, which could read like the following two.

Access Management: Access to all systems, data, and assets must be governed by role-based controls, ensuring that only authorized personnel have access based on their job responsibilities. Access rights must be regularly reviewed and approved by designated authorities to maintain compliance with contractual, legal, and internal policy standards.

Asset Management: All assets, including hardware, software, and data, must be accurately inventoried, secured, and regularly audited to ensure they are protected and aligned with contractual, legal, and internal policy requirements. Access to these assets should be restricted to authorized personnel, with periodic reviews to maintain integrity and compliance.

In this fictitious example, only three requirements (strictly speaking, references) per cluster overlap content-wise. In reality, there could be far more (partly) overlapping requirements. Handling all of these requirements individually can easily overstrain an organization's capacity for compliance management. There needs to be a consolidation layer; in vucavoid, this consolidation is the two layer model.

The level of detail chosen for requirement clusters is entirely up to the tenant's organization; there is no perfect ratio for it.

Pooling references in requirements

Based on the two layer model, vucavoid expects multiple references to be connected to one requirement.

Since the requirement (cluster) is a purely virtual construct, the actual compliance requirements come from the (real) references. The (cluster) requirement pools the attributes of the references and uses that (consolidated) aggregate for further compliance management.

Each reference points to a particular source of requirements, such as a section of a law, a policy, a contract or a standard. By pooling attributes from all references tied to a requirement, vucavoid lets the requirement serve as an umbrella for all similar references, simplifying management and overview. Some attributes are combined across references (e. g. affected meta model objects); for others, the (cluster) requirement assumes only the highest value (maximum approach). For example, of the business criticalities of the references, only the highest one is inherited by the requirement.
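To make the pooling rules concrete, here is an added example (not vucavoid's own code) that models references from the access-management cluster above and derives the cluster's pooled attributes: set-valued attributes are combined, business criticality follows the maximum approach, expiry dates are reported as a span, and only Active references contribute. Field names, criticality values for the sample references and the standard clause are assumptions for illustration.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

# Ordinal scale for business criticality as listed on the page (Low < Medium < High < Essential).
CRITICALITY_RANK = {"Low": 0, "Medium": 1, "High": 2, "Essential": 3}


@dataclass
class Reference:
    """One real-world requirement. Field names are assumptions, not vucavoid's schema."""
    ref_id: int
    title: str
    source_type: str                 # Standard, Law, Contract/Engagement, Policy/Other
    criticality: str                 # Low, Medium, High, Essential
    status: str = "Active"           # Active, Inactive, Archived
    expiry: Optional[date] = None    # only time-bound sources (e.g. contracts) carry one
    object_types: set = field(default_factory=set)
    standards: set = field(default_factory=set)


def pool_requirement(references):
    """Pool reference attributes into one requirement (cluster).

    Only Active references influence the cluster (Inactive/Archived are skipped).
    Set-valued attributes are combined (union), business criticality uses the
    maximum approach, and expiry dates are returned as a span (earliest, latest).
    Returns None when no active reference is attached.
    """
    active = [r for r in references if r.status == "Active"]
    if not active:
        return None
    expiries = sorted(r.expiry for r in active if r.expiry is not None)
    return {
        "reference_count": len(active),
        "business_criticality": max((r.criticality for r in active), key=CRITICALITY_RANK.__getitem__),
        "sources": sorted({r.source_type for r in active}),
        "object_types": sorted(set().union(*(r.object_types for r in active))),
        "standards": sorted(set().union(*(r.standards for r in active))),
        "expiry_span": (expiries[0], expiries[-1]) if expiries else None,
    }


# Constructed sample data modelled on the page's access-management example (IDs 1 to 3).
# Criticalities, expiry date, object types and the standard clause are assumed values.
ACCESS_REFERENCES = [
    Reference(1, "SLA role-based access control", "Contract/Engagement", "High",
              expiry=date(2025, 12, 31), object_types={"System", "Employee"}, standards={"ISO/IEC 27001"}),
    Reference(2, "GDPR restricted access to personal data", "Law", "Essential",
              object_types={"Personal Data", "System"}),
    Reference(3, "Least-privilege access policy", "Policy/Other", "Medium",
              status="Inactive", object_types={"Employee"}),  # inactive: must not affect the cluster
]
```

Running `pool_requirement(ACCESS_REFERENCES)` yields a cluster with two contributing references, criticality Essential (inherited from the GDPR reference) and the union of object types from the active references only.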

Requirement Attributes

vucavoid organizes requirement information into clear, structured attributes, making it easier to define, manage, and understand each requirement.

Requirement Basics

  • Title: Choose a title that encapsulates the essence of the requirement cluster.
  • Cluster Objective: Provide a description of the cluster's objective to ensure clear understanding of the nature and content of the bundled references.

vucavoid also provides a clear overview of a requirement's (cluster's) affiliation with controls. Controls are the back-to-back implementation of requirements, a reflection of an organization's actual compliance.

In the requirement basics, users can see which controls are linked to the requirement, and also how many control objectives come along with that (an indicator of the affiliation's complexity).

By using the "Manage links" button, users can manage the links to controls.

vucavoid requirements: Requirement basics

Owner

  • Owner: Assign a vucavoid user account responsible for overseeing this requirement.
  • Watchers: Read-only access to the requirement (and its references).
vucavoid requirements: Requirement management

Status

  • Manual Status Setting: The status of a requirement can be manually adjusted.
    • To activate a requirement, use the button in the top right corner of the form. Active requirements are usable across various application functions, like challenges.
    • Similarly, requirements can be set to inactive or manually archived using designated buttons on the top right of the form page.
vucavoid requirements: Requirement status

Connected (pooled) attributes

Once a reference is attached to a requirement, the requirement inherits values such as (read left to right, per row, from the view):

  • Business Criticalities
  • SMEs (Subject Matter Experts)
  • Object Types
  • Expiration Dates
  • Sources
  • Criteria
  • Standards
  • Categories
  • Assurances

Each new reference updates these connected attributes, providing a comprehensive overview of all relevant values or the span of values within the requirement cluster.

vucavoid requirements: Pooled attributes from multiple references into a single requirement (cluster) of a tenant (demo data).

References

References are critical components within vucavoid's Requirements feature, providing detailed information about specific compliance and security expectations derived from various sources.

vucavoid requirements: Overview of references for a specific requirement in vucavoid (demo data).

Basics

  • Title: Choose a concise title that reflects the reference's purpose or objective.
  • Specification: Detail what is required in the reference. This may include directly copying the requirement from its original source (e.g., a standard or contract).
vucavoid requirements: Basic attributes of a reference.

Reference Details

  • Type of Reference: Select from options like Standard, Law, Contract/Engagement, or Policy/Other. Additional details can be added depending on the type selected.
  • Business Criticality: Determine the importance of the reference, choosing from options like Low, Medium, High, or Essential.
  • Expiry Date: Set an expiry date if applicable, especially for references derived from time-bound sources like contracts.
vucavoid requirements: Detailed attributes of a reference, showing different detail fields based on its main source (Contract/Engagement selected as demo value in the screenshot).

Affected Object Types

  • Object Type: Specify object types that the reference pertains to, aligning it with relevant elements in your organization's meta model.
vucavoid requirements: Affected object types for a reference, which can relate to any type of object available in a tenant's meta model in vucavoid.

Categorization

  • Criteria, Domains, Categories & Standards: Select all relevant criteria, domains, categories, standards, and assurances (structures) for proper categorization and easier reporting.
vucavoid requirements: Categorization of a reference.

Reference Status

  • Status Options: Choose between Active, Archived, or Inactive.
    • Active: Standard status, actively influencing the requirement.
    • Archived: For references that are no longer in use but retained for information purposes.
    • Inactive: Temporarily irrelevant references, similar in effect to Archived but indicating a potential for future relevance.
vucavoid requirements: Reference status

Management

  • Owner: Assign a vucavoid user responsible for the reference.
  • SMEs: Select Subject Matter Experts from vucavoid users, who can provide expertise on the reference.
vucavoid requirements: Reference management

Requirements List

The requirements list in vucavoid provides a comprehensive view of all requirements, allowing for efficient management and oversight.

To facilitate comprehensive management of requirements (including references), vucavoid offers widgets/charts above the table view covering:

  • Number of requirements and references (in total)
  • Degree of fulfilment for all requirements, based on challenge slots

The list itself offers the following:

  • Visible Information: For each requirement, the list displays:
    • Title
    • Status
    • Business criticality
    • Fulfilment
    • Expiration date
    • Control indicator
    • Finding indicator
    • Number of Attached References
  • Search and Filter: Use the search field and filters to quickly find specific requirements.
  • Pagination: Manage the display of numerous requirements using the pagination feature at the bottom of the list.

Statistics

Above the table of all requirements, vucavoid shows three different statistics (widgets):

  • Number of all requirements
  • Number of all references (always at least equal to, and usually higher than, the number of requirements)
  • Distribution of fulfilment degrees over all requirements (filterable by business criticality of requirement)

The latter statistic shows the distribution of challenge slots for requirements. By default, the statistic shows all slot assessments across all of the tenant's requirements. Using the filter in the top right corner of the statistic, the user can choose to see only slot assessments for requirements with a specific (maximum) business criticality.

vucavoid requirements: Overview over all requirements in vucavoid (demo data)

References List

Each requirement's detailed view contains a list of all associated references, providing in-depth information about each one.

  • Information Displayed: The list includes:
    • Title
    • Type of Source
    • Owner
    • Business Criticality
    • Status
    • Expiry Date
  • Adding References: To add a new reference:
    1. Select the desired requirement.
    2. Scroll to the relation manager at the bottom of the form.
    3. Click "New reference" and fill out the necessary details in the slide-over window.
    4. Select "Create" or "Create & create another" for consecutive additions.
vucavoid requirements: Overview over all references for a specific requirement in vucavoid (demo data).

Additional Information

This section offers further insights and tips to enhance your experience with the vucavoid Requirements feature:

  • Understanding the Big Picture: By effectively using requirement clusters and references, organizations can gain a comprehensive view of their compliance landscape, ensuring that all relevant requirements are identified and managed efficiently.
  • Integration with Other vucavoid Features: The requirements and references you define can be integrated with other aspects of vucavoid, such as challenges, to create a cohesive and comprehensive compliance management system.
  • Continuous Updating: It's important to regularly review and update your requirements and references to reflect changes in the regulatory environment, business processes, and technological advancements.
  • Leveraging Expertise: Utilize the SME (Subject Matter Expert) feature to involve knowledgeable personnel in the management of specific requirements, enhancing the quality and relevance of your compliance efforts.
  • Collaborative Management: Encourage collaboration among Compliance Managers and Requirement Managers to ensure a well-rounded approach to requirement definition and maintenance.