Security and Compliance Are Different Areas of Risk Mitigation

Last updated: 9.16.2020 / 3.1.2023

Many organizations combine security and compliance under a single banner, and there is nothing inherently wrong with having a Chief Security and Compliance Officer or managing risk mitigation under one umbrella. The fact remains, however, that compliance and security are two overlapping but inherently different practices within information security.

Compliance standards often change quickly and require considerable work to enforce across an entire organization. Audit trails, regulator inspections, minimum mandates: all of them have to be tracked and adhered to around the clock. But meeting compliance standards often puts blinders on a security administrator.

Simply meeting a compliance measure — or even four or five — does not mean that your infrastructure is up to snuff with security best practices. Nor does following industry security standards guarantee that you’ll pass your next compliance audit.

Compliance in a nutshell

Whatever the standard, from PCI to HIPAA/HITECH, meeting it mostly means that you have satisfied a specific set of security requirements at a given moment in time. Those requirements may or may not hold throughout the entire year before the next audit, and they may not address every security threat.

While compliance is necessary to encourage organizations without security measures to take at least the mandatory steps towards securing data, the only way to avoid breaches and maintain information security is to pair compliance measures with a strong security plan, anti-virus/anti-malware tools, and ongoing Intrusion Detection and Intrusion Prevention monitoring.

Ultimately, compliance keeps you from paying the often hefty fines for failure to comply when handling sensitive data, while giving you a baseline upon which to build your ongoing security measures.


Going beyond compliance standards

Don’t use your compliance measures as a roadmap for security, however. HIPAA, for example, is a fairly broad mandate that can be interpreted in many ways for different organizations. It all starts with a risk assessment, from which you can craft a stronger security protocol.

Security should cover all areas of your organization, not just the data that faces compliance mandates. Include compliance as one component of your overall security program, not as its foundation.

Even if you meet minimum compliance standards, you can still face lawsuits and other punitive measures for failing to secure sensitive data. In the case of the rash of retailer breaches a few years ago, the courts often found that meeting PCI compliance was not enough to consider data reasonably protected.

Different compliance standards and security plans will include different risk mitigation categories, but any strong information security plan includes: a risk assessment; an overall security policy; dedicated security staff and/or outsourced security assistance; asset management to track hardware; physical security; environmental mitigation in the case of disaster; a disaster recovery/business continuity plan; a breach/threat response plan; access controls in both physical and digital form; and IT lifecycle management of hardware and software.


Your security staff and protocol should always focus on the safety and availability of your data and computing resources. In other words, they are focused on mitigating risk to that data and the system’s normal course of operation 24/7.

Compliance officers should instead focus on meeting the mandate in daily operations across your entire organization. The mandated standards might or might not lead to more effective security — this is largely irrelevant. By starting with a strong security program, your compliance officers will often have an easier time meeting requirements and completing audits.
