You’re not alone if you’ve been wondering where security practices and compliance requirements align and where they diverge. Security and compliance have synergies, but they aren’t the same, and it can be challenging to tease them apart. When considering constructing the strongest and most secure system for your organization’s and customer needs, you need to determine what protocol to follow and whether compliance is sufficient to meet your requirements. Read on to learn how to differentiate security vs. compliance, and how to use each to help your company best protect itself against cybersecurity threats and enhance its reputation with clients.
What Is Security?
Security refers to the systems and controls, both hardware and software, that protect your company’s assets from getting into the wrong hands, through a breach, leak, or cyber attack. From firewalls to strong password management tools to multi-factor authentication, your security practices are designed to prevent hackers and other cyber threats such as malware from impacting your organization’s daily functioning and bottom line. Security tools also provide a protocol for responding to a breach in a worst-case scenario. Here are some common categories for security tools:
IT Infrastructure
IT infrastructure is the organization of all the components of your computing system – the hardware, software, Wi-Fi and internet connectivity, firewalls, servers, personal devices, data centers, and cloud computing environment. The software component includes operating systems, web servers, and the antivirus and antimalware software that protects you from cybersecurity attacks.
Network Access
From passwords to firewalls, network access includes any strategy that restricts access to your company’s network and limits access to tools, apps, and folders so that the right people are accessing the right data. Identity and access management (IAM) tools offer strong strategies for ensuring your network access is secure.
Authentication
Authentication includes any tool that verifies a user’s identity. Two-factor authentication (2FA) and multi-factor authentication (MFA) strengthen password protections; these tools can include biometrics, hardware keys, or confirmation of identity through an app on a separate device. 2FA and MFA offer an extra layer of protection by ensuring a user is who they say they are.
User Training
Security professionals know human error is the cause of most information security incidents; therefore, training employees to identify and report phishing attacks, and making sure they know how to create and use strong passwords, is key. User training is an important dimension of security. Luckily, security educators are developing engaging training programs that help users get more invested and see security tools as fundamental to their work.
What are the Three Types of Security Controls?
There are three core types of security controls: physical, technical (also known as operational), and administrative.
- Physical controls are security controls like locks, access cards, and biometrics such as retinal scans, which prevent users from accessing hardware and entering premises where servers are housed.
- Technical IT security controls include operational measures like antimalware and antivirus software, identity and access management controls, and authentication.
- Administrative controls are the rules and procedures you have set for using your computing systems and implementing security measures; these are generally set by management and IT governance.
What Is Compliance?
Compliance means taking steps to ensure your organization is in line with a set of standards established by a third party, like the International Organization for Standardization (ISO) or the National Institute of Standards and Technology (NIST), or with a federal law, like the Sarbanes-Oxley Act (SOX) or the Health Insurance Portability and Accountability Act (HIPAA). These third-party entities establish guidelines and frameworks designed to protect various types of sensitive information and consumers’ rights to control and access their data. Here are a few compliance frameworks that pertain to security:
SOX Compliance
The Sarbanes-Oxley Act is a federal act passed by Congress in 2002 in response to rampant corporate fraud at the time, including the Enron scandal. SOX compliance is overseen by the Securities and Exchange Commission (SEC) and includes a variety of rules and regulations for financial reporting, record keeping, and accountability. The cybersecurity dimension of SOX includes regulatory standards for record keeping, the implementation of strong internal controls to prevent fraud, and requirements for the IT infrastructure that handles financial data.
HIPAA Compliance
The Health Insurance Portability and Accountability Act was passed by the Department of Health and Human Services Office for Civil Rights in 1996 to protect citizens’ individually identifiable health information. HIPAA contains three overarching “rules”: the Privacy Rule, the Security Rule, and the Breach Notification Rule. These regulatory compliance standards ensure healthcare organizations and their business associates know how to handle patients’ sensitive data, which HIPAA formally defines as protected health information (PHI). It also dictates how to respond to data breaches if they do occur. The Security Rule outlines basic requirements for IT environments but does not offer a great deal of detail – this is one situation in which a compliance framework leaves a lot of room for interpretation when it comes to the actual security implementation.
ISO Compliance
The International Organization for Standardization (ISO) is a Geneva-based NGO that has published some of the most well-known standards in the world. These standards are known for consolidating industry best practices into clear, consistent, easy-to-understand frameworks. ISO has released about 22,000 standards, including ISO 27001, its standard for developing information security management systems (ISMS). ISO 27001 outlines a specific set of strategies and checklists for creating strong security measures across an organization.
NIST Compliance
The National Institute of Standards and Technology (NIST) is a non-regulatory agency housed in the U.S. Department of Commerce. NIST has published several standards related to cybersecurity, including documentation related to FedRAMP (the federal government’s regulations related to security in cloud computing environments), NIST password guidelines, and the popular Cybersecurity Framework (CSF). NIST CSF is one of the most popular and well-regarded standards for designing and implementing security systems. Along with ISO 27001, NIST CSF provides very clear guidelines and checklists for designing strong cybersecurity systems across a wide variety of industries. If you’re considering whether to pursue NIST or ISO compliance, note that the overlap between the two is quite significant.
PCI DSS Compliance
The Payment Card Industry Data Security Standard (PCI DSS) was developed in 2006 by five major credit card companies (American Express, Discover, JCB International, MasterCard, and Visa Inc.) to create a central standard for collecting, transmitting, and storing users’ card payment information and sensitive data. The PCI DSS is focused specifically on protecting credit card data, much like HIPAA with PHI. Security measures focus on vendor behaviors, physical tools like card readers, encrypting card data, and data storage limits.
How Does Compliance Influence Security?
Security measures are designed to protect your company’s assets and to make sure proprietary information doesn’t get into the wrong hands. Security teams, however, also need to align with the compliance needs of an organization – there are numerous standards and frameworks designed specifically to enhance data protection and cybersecurity and to deter fraud. When you incorporate both your security and compliance teams into your IT risk assessments and security program, you increase your odds of success in both areas.
Compliance measures can assist your firm in improving its security posture by establishing a baseline built on a defined set of standards, checklists, and best practices for mitigating risk across industries. ISO 27001, for example, outlines all of the components of a strong information security management system (ISMS), which makes it comprehensive. An IT compliance framework of this kind can easily be adapted across industries to create strong security strategies, so it may benefit an organization to use ISO 27001 as the blueprint for designing its security strategy rather than treating compliance as a secondary process. SOC 2, which applies to a variety of businesses including financial institutions, cloud services, and data centers, is another common compliance standard. SOC 2’s control implementation requirements emphasize five service domains: security, privacy, availability, processing integrity, and confidentiality.
Security vs. Compliance: Where Do They Align?
Security vs. compliance – the two are interconnected, but different from one another in a few key ways. To recap, security refers to the systems and controls a company implements to protect its assets, and compliance refers to meeting the standards a third party has set forth as best practices or legal requirements. There are several standards specifically designed to help companies create secure IT systems, as well as laws like SOX, GDPR, and HIPAA passed to ensure companies are doing their due diligence to protect sensitive information. While your organization may automatically adopt a few security measures to help protect your business data, compliance offers strategies to align yourself with industry best practices and to make sure you’re following the law.
Security and compliance are both essential risk management tools. Whether you’re using a third-party resource or standard, running through an audit checklist for, say, ISO 27001, or looking to create a robust strategy for patching a vulnerability, both IT security and compliance help your organization mitigate risk.
Ideally, a business’s security measures and compliance needs will be in alignment, but that is not always the case. Sometimes security measures have been implemented, but not all of the boxes have been checked for compliance. For example, maybe you’ve invested in antimalware, but you haven’t trained your employees in NIST password guidelines and best practices.
On the other hand, you may have demonstrated compliance with one standard or framework but still have missing links across your organization. For example, you may have implemented PCI DSS, which has strong requirements for multi-factor authentication when accessing card payment data, but you haven’t applied those same authentication tools to other parts of your business operations. You may have no clear authentication control for accessing a cloud computing resource – your organization complies with PCI DSS, yet it has security gaps elsewhere. Determining security needs beyond compliance, and having strong IT governance that permeates all dimensions of your business, will help you bring your compliance and security needs into alignment.
Ready to Integrate Your Security and Compliance Goals?
While you are managing your compliance needs, you’ll also want to be thinking about your company’s security program goals. The process doesn’t have to be about security vs. compliance – they are not at odds. Achieving and maintaining compliance will keep you up to date with third-party security standards and frameworks. Maintain a proactive stance toward security by ensuring that the compliance requirements are in line with the security measures your company must implement to safeguard its particular collection of assets. Tackle your security and compliance goals simultaneously by employing the right compliance management software.
Brett Deemer began an extensive IT career in the United States Army, specializing in encrypted communications, and has spent the last 8 years performing security risk assessments, gap analysis, and enhancing compliance programs for businesses across multiple industries. Brett’s career is marked by a commitment to establishing and optimizing GRC frameworks, fostering a culture of compliance, and driving technological innovation. Connect with Brett on LinkedIn.