While many organizations combine Security and Compliance under a single banner, and there is nothing inherently wrong with having a Chief Security and Compliance Officer or managing risk mitigation under a single umbrella, the fact is that compliance and security measures are two overlapping but inherently different practices of information security.
Compliance standards often change quickly and require quite a bit of work to ensure enforcement across an entire organization. Audit trails, regulator inspections, minimum mandates…they have to be tracked and adhered to 24/7. But meeting compliance standards often puts blinders on a security administrator.
Simply meeting a compliance measure — or even four or five — does not mean that your infrastructure is up to snuff with security best practices. Nor does following industry standards of security guarantee that you’ll meet your next compliance audit.
Whatever the compliance standard, from PCI to HIPAA/HITECH, meeting a compliance standard mostly means that you have satisfied a specific set of security requirements at a given moment in time. Those standards may or may not apply throughout the entire year before the next audit and they may not apply to every security threat.
While compliance is necessary to encourage organizations without security measures to take at least the mandatory steps towards securing data, the only way to avoid breaches and maintain information security is to pair compliance measures with a strong security plan, anti-virus/anti-malware tools, and ongoing Intrusion Detection and Intrusion Prevention monitoring.
Ultimately compliance keeps you from having to pay often hefty fines for failure to comply when handling sensitive data, while giving you a baseline upon which to build your ongoing security measures.
Don’t use your compliance measures as a roadmap for security, however. HIPAA, for example, is a fairly broad mandate that can be interpreted in many ways for different organizations. It all starts with a risk assessment, from which you can craft a stronger security protocol.
Security should be focused around all areas of your organization and not just the data that faces compliance mandates. Include compliance as a submeasure of your overall security program, not as the foundation.
Even if you meet minimum compliance standards, you can still face lawsuits and other punitive measures for failing to secure sensitive data. In the case of the rash of retailer breaches a few years ago, the courts often found that meeting PCI compliance was not enough to consider data reasonably protected.
Different compliance standards and security plans will include different risk mitigation categories, but any strong information security plan includes a risk assessment, overall security policy, dedicated security staff and/or outsourced security assistance, asset management to track hardware, physical security, environmental mitigation in the case of disaster, a disaster recovery/business continuity plan, a breach/threat response plan, access controls in both physical and digital form, and IT lifecycle management of hardware and software.
Your security staff and protocol should always focus on the safety and availability of your data and computing resources. In other words, they are focused on mitigating risk to that data and the system’s normal course of operation 24/7.
Compliance officers should instead focus on meeting the mandate in daily operations across your entire organization. The mandated standards might or might not lead to more effective security — this is largely irrelevant. By starting with a strong security program, your compliance officers will often have an easier time meeting requirements and completing audits.