Compliance is NOT Security

Kelly O’Brien
Sep 1, 2021 3:30:00 PM

Is maintaining compliance with current regulatory laws enough to protect your business from cybersecurity attacks? If you answered no, you are correct. Although often used synonymously, compliance and security do not mean the same thing when it comes to protecting your organization. Being compliant with an industry-specific set of control standards (e.g., PCI DSS, HIPAA, FINRA, etc.) is not equivalent to having an effective information security posture.

Although compliance is a critical component of any security program, new vulnerabilities and threats continue to emerge. There are several types of laws and regulations that businesses must comply with, and they all outline minimum security standards. Organizations often focus on meeting the minimum requirements instead of implementing proper cybersecurity practices. In today's environment, that is not a good thing. This situation has been made even more complex by the migration to cloud applications and services, which has only increased during the recent shift to work-from-home.

So, what happens if your security measures do not comply with relevant standards? Your organization could suffer financial loss due to fines or potential litigation in addition to reputational damage and loss of customer confidence. While compliance and security complement each other in several ways, they are separate and distinct disciplines. Compliance requirements tend to be more predictable whereas security standards are rapidly evolving with current risks and threats. Unfortunately, even if you check off each of the compliance requirement boxes, it does not mean that your organization is secure.

What is the difference between security and compliance?

Think of compliance as a snapshot of how your security program meets a specific set of security requirements. It is not a strategic plan that will cover all security needs but represents a systematic approach to governance to ensure that an organization meets its obligations under applicable laws, regulations, best practices and standards, contractual obligations, and institutional policies. Compliance is a comprehensive set of standards that entities must meet but should be viewed as more of a baseline for security.

Let’s define some terms as they relate to security:

  • Confidentiality: controlling access to data to prevent unauthorized disclosure.
  • Integrity: ensuring that data has not been tampered with and, therefore, can be trusted. In other words, the data is correct, authentic, and reliable.
  • Availability: authorized users have timely, reliable access to resources when they are needed.

To protect the confidentiality, integrity, and availability (CIA) of resources and data, an organization needs to implement technical, administrative, and physical controls:

  • Technical controls: the IT portion of your information security program. Examples include antivirus software, permissions, passwords, multi-factor authentication, and firewalls.
  • Administrative controls: policies, procedures, or guidelines that define personnel or business practices in line with the organization's security goals. Examples include employee hiring and termination practices, acceptable use, data classification, and security awareness training.
  • Physical controls: anything tangible used to prevent or detect unauthorized access to physical areas, systems, or assets. Examples are fences/gates, guards, employee access cards/badges, security lighting, surveillance cameras, fire suppression, and HVAC.

Your corporate assets will likely be open to attacks and other security threats without all three of these controls.

Security is unique to each organization and focuses on holistically mitigating CIA risks. A robust security program makes compliance much easier to achieve. In contrast, compliance involves implementing security practices in order to meet a law, regulation, best practice, or standard. By securing your information, you reduce the chances that a data breach or other security threat will do significant damage to your company.

One of the biggest challenges businesses face in meeting compliance requirements is determining which standards apply to them. Once the appropriate standards are determined, organizations sometimes struggle to understand which security controls are necessary to comply fully. Compass IT Compliance partners with organizations big and small to address both IT compliance and IT security challenges. Our team of industry experts has spent the past decade assisting companies in identifying their compliance requirements and addressing gaps in controls, as well as conducting numerous assessments and audits to put security controls to the test. Contact us today to discuss your unique situation!
