If you’ve been wondering where security practices and compliance requirements align and where they diverge, you’re not alone. Security and compliance have synergies, but they aren’t the same, and it can be challenging to tease them apart. When you are thinking about creating the strongest and most secure system for your organization’s and customers’ needs, you have to consider which protocols you must follow and whether compliance alone is enough to cover your needs. Read on to learn how to differentiate security from compliance, and how to use each to help your company best protect itself against cybersecurity threats and enhance its reputation with clients.
What Is Security?
Security refers to the systems and controls, both hardware and software, that protect your company’s assets from getting into the wrong hands through a breach, leak, or cyber attack. From firewalls to strong password management tools to multi-factor authentication, the security practices you implement are designed to prevent hackers and other threats from impacting your organization’s daily functioning and bottom line. Security tools also provide protocols for responding to a breach in a worst-case scenario. Here are some common categories of security tools:
IT infrastructure is the organization of all of the components of your computing system – the hardware, software, Wi-Fi and internet connectivity, firewalls, servers, personal devices, data center and cloud computing environment. The software component includes operating systems, web servers, and antivirus and antimalware software that protect you from cybersecurity attacks.
From passwords to firewalls, network access includes any strategy to restrict access to your company’s network and to limit access to tools, apps, and folders, ensuring that the right people are accessing the right data. Identity and access management (IAM) tools offer strong strategies for ensuring that your network access is secure.
Authentication includes any tools that provide assurance of a user’s identity. Two-factor authentication (2FA) and multi-factor authentication (MFA) are tools that strengthen password protections; the additional factors can include biometric information, hardware keys, or confirmation of identity through an app on a separate device. 2FA and MFA offer an extra layer of protection that ensures that a user is who they say they are.
Security professionals know that human error is the cause of most information security incidents, so training employees to identify and report phishing attacks and to create and use strong passwords is essential. User training is an important dimension of security. Luckily, security educators are developing engaging and interesting training programs to help users get more invested and to see security tools as fundamental to their work.
The Three Types of Security Controls
There are three core types of security controls: physical, technical (also known as operational), and administrative. Physical controls are security controls like locks, access cards, and biometrics like retinal scans, which prevent unauthorized users from accessing hardware and entering premises where servers are housed. Technical controls include operational measures like antimalware and antivirus software, identity and access management controls, and authentication. Administrative controls are the rules and procedures that you have set for using your computing systems and implementing security measures; these are generally set by management and IT governance.
What Is Compliance?
Compliance means taking steps to ensure your organization is in line with a set of standards established by a third party, like the International Organization for Standardization (ISO) or the National Institute of Standards and Technology (NIST), or with a federal law, like the Sarbanes-Oxley Act (SOX) or the Health Insurance Portability and Accountability Act (HIPAA). These third-party entities establish guidelines and frameworks that are designed to protect various types of data and consumers’ rights to control and access their data. Here are a few compliance frameworks that pertain to security:
The Sarbanes-Oxley Act is a federal act that was passed by Congress in 2002 in response to rampant corporate fraud at the time, including the Enron scandal. SOX compliance is overseen by the Securities and Exchange Commission (SEC), and includes a variety of rules and regulations for financial reporting, record keeping, and accountability. The cybersecurity dimension of SOX includes regulatory standards for record keeping, the implementation of strong internal controls to prevent fraud, and requirements for the IT infrastructure that handles financial data.
The Health Insurance Portability and Accountability Act was passed by the Department of Health and Human Services Office for Civil Rights in 1996 in order to protect citizens’ individually identifiable health information. HIPAA contains three overarching “rules”: the Privacy Rule, the Security Rule, and the Breach Notification Rule. These regulatory standards ensure that healthcare organizations and their business associates know how to handle patients’ sensitive data, which HIPAA formally defines as protected health information (PHI). It also dictates how to respond to data breaches if they do occur. The Security Rule outlines basic requirements for IT environments, but does not offer a great deal of detail – this is one situation in which compliance strategies will leave a lot of room for interpretation when it comes to actual security implementation.
The International Organization for Standardization (ISO) is a Geneva-based NGO which has published some of the most well-known standards in the world. These standards are known for consolidating industry best practices into clear, consistent, easy-to-understand frameworks. ISO has released about 22,000 standards, including ISO 27001, its standard for developing information security management systems (ISMS). ISO 27001 outlines a very specific set of strategies and checklists for creating strong security measures across an organization.
The National Institute of Standards and Technology (NIST) is a non-regulatory agency housed in the U.S. Department of Commerce. NIST has published a number of standards related to cybersecurity, including documentation related to FedRAMP (the federal government’s regulations for security in cloud computing environments), NIST password guidelines, and the popular Cybersecurity Framework (CSF). NIST CSF is one of the most popular and well-regarded standards for designing and implementing security systems. Along with ISO 27001, NIST CSF provides very clear guidelines and checklists for designing strong cybersecurity systems across a wide variety of industries. If you’re considering whether to pursue NIST or ISO compliance, note that the overlap between the two is quite significant.
PCI DSS Compliance
The Payment Card Industry Data Security Standard (PCI DSS) was developed in 2006 by five major credit card companies (American Express, Discover, JCB International, MasterCard and Visa Inc.) to create a central standard for collecting, transmitting, and storing users’ card payment information and sensitive data. The PCI DSS is focused on protecting credit card data specifically, much like HIPAA with PHI. Security measures focus on vendor behaviors, physical tools like card readers, encrypting card data, and data storage limits.
How Does Compliance Influence Security?
Security measures are designed to protect your company’s assets and to make sure that proprietary information doesn’t get into the wrong hands. However, security teams also need to align with the compliance needs of an organization – there are numerous standards and frameworks designed specifically to enhance cybersecurity, deter fraud, and protect user data.
Compliance measures can help your organization become more secure by providing a set of clear frameworks, checklists, and best practices that reduce risk across an industry. ISO 27001, for example, outlines all of the components of a strong information security management system (ISMS) and is comprehensive as a result. A compliance framework like this can easily be adapted across industries to create strong security strategies, and it might benefit an organization to use ISO 27001 as the blueprint for designing its security strategy rather than treating compliance as a secondary process.
Security vs. Compliance: Where Do They Align?
Security vs. compliance – the two are interconnected, but different from one another in a few key ways. To recap, security refers to the systems and controls that a company implements to protect its assets, and compliance refers to meeting the standards that a third party has set forth as best practices or legal requirements. There are a number of standards that are specifically designed to help companies create secure IT systems, as well as laws like SOX and HIPAA that have been passed to ensure that companies are doing their due diligence to protect sensitive data. While your organization may adopt a few security measures on its own to help protect your business data, compliance offers strategies to bring yourself into alignment with industry best practices and to make sure that you’re following the law.
Security and compliance are both extremely important risk management tools. Whether you’re using a third-party resource or standard, running through an audit checklist for, say, ISO 28001, or you’re looking to create a robust strategy for patching a vulnerability, both security and compliance help your organization to mitigate risk.
Ideally, a business’s security measures and compliance needs will be in alignment, but that is not always the case. Sometimes, security measures have been implemented, but not all of the boxes have been checked for compliance needs. For example, maybe you’ve invested in antimalware, but you haven’t trained your employees in NIST password guidelines and best practices.
On the other hand, you may have demonstrated compliance with one standard or framework, but have some missing links across your organization. Say, for example, you have implemented the PCI DSS, which has strong requirements for multi-factor authentication when it comes to accessing card payment data, but you haven’t used those same authentication tools for other parts of your business operations. You may not have a clear authentication tool for accessing a cloud computing resource – your organization will be in compliance with PCI DSS, but may have gaps in security elsewhere. Determining security needs beyond compliance and having strong IT governance that permeates all dimensions of your business will help you to bring your compliance and security needs into alignment.
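The gap described above, where MFA covers everything PCI DSS scopes in but nothing else, is easy to make visible with a scope-aware inventory check. The following is an added example, not code from the original article or from any PCI DSS tooling; the asset inventory and asset names are constructed for illustration.

```python
# Added example: contrast the compliance view (MFA on every in-scope asset)
# with the security view (MFA on every asset that needs it).
# The inventory below is constructed; names are hypothetical.
from dataclasses import dataclass

@dataclass(frozen=True)
class Asset:
    name: str
    handles_card_data: bool   # True => inside PCI DSS scope
    mfa_enforced: bool
    internet_reachable: bool  # exposure, used to rank the gaps

# Constructed sample inventory: card-data systems have MFA, others do not.
INVENTORY = [
    Asset("payment-api", True, True, True),
    Asset("cardholder-db", True, True, False),
    Asset("cloud-admin-console", False, False, True),
    Asset("hr-file-share", False, False, False),
    Asset("build-server", False, True, False),
]

def pci_mfa_compliant(assets):
    """Compliance view: every asset that handles card data enforces MFA."""
    return all(a.mfa_enforced for a in assets if a.handles_card_data)

def mfa_security_gaps(assets):
    """Security view: every asset lacking MFA, regardless of PCI scope,
    with internet-reachable assets listed first because they carry more risk."""
    gaps = [a for a in assets if not a.mfa_enforced]
    return sorted(gaps, key=lambda a: (not a.internet_reachable, a.name))

def gap_report(assets):
    """Summarise where compliance passes but security coverage is missing."""
    gaps = mfa_security_gaps(assets)
    return {
        "pci_mfa_compliant": pci_mfa_compliant(assets),
        "assets_without_mfa": [a.name for a in gaps],
        "out_of_scope_gaps": [a.name for a in gaps if not a.handles_card_data],
    }

if __name__ == "__main__":
    for key, value in gap_report(INVENTORY).items():
        print(f"{key}: {value}")
```

Run against the sample inventory, the report shows PCI DSS MFA compliance as satisfied while two out-of-scope assets, including an internet-reachable cloud console, still lack MFA.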
Ready to Integrate Your Security and Compliance Goals?
While you are managing your compliance needs, you’ll also want to be thinking about your company’s big-picture security goals. The process doesn’t have to be about security vs. compliance – they are not at odds. Achieving and maintaining compliance will keep you up-to-date with third-party security standards and frameworks. Be proactive about security by ensuring that compliance needs align with the security measures that your business needs to take to protect its specific set of assets. Tackle your security and compliance goals simultaneously by employing the right compliance management software.