Security and Compliance Are Different Areas of Risk Mitigation

Last updated:
9.16.2020
12.18.2020

Many organizations combine Security and Compliance under a single banner, and there is nothing inherently wrong with having a Chief Security and Compliance Officer or managing risk mitigation under one umbrella. The fact remains, however, that compliance and security are two overlapping but inherently different practices of information security.

Compliance standards often change quickly and require quite a bit of work to ensure enforcement across an entire organization. Audit trails, regulator inspections, minimum mandates: they all have to be tracked and adhered to 24/7. But meeting compliance standards often puts blinders on a security administrator.

Simply meeting a compliance measure — or even four or five — does not mean that your infrastructure is up to snuff with security best practices. Nor does following industry standards of security guarantee that you’ll meet your next compliance audit.

Compliance in a nutshell

Whatever the compliance standard, from PCI to HIPAA/HITECH, meeting a compliance standard mostly means that you have satisfied a specific set of security requirements at a given moment in time. Those standards may or may not apply throughout the entire year before the next audit and they may not apply to every security threat.

While compliance is necessary to encourage organizations without security measures to take at least the mandatory steps towards securing data, the only way to avoid breaches and maintain information security is to pair compliance measures with a strong security plan, anti-virus/anti-malware tools, and ongoing Intrusion Detection and Intrusion Prevention monitoring.

Ultimately compliance keeps you from having to pay often hefty fines for failure to comply when handling sensitive data, while giving you a baseline upon which to build your ongoing security measures.


Going beyond compliance standards

Don’t use your compliance measures as a roadmap for security, however. HIPAA, for example, is a fairly broad mandate that can be interpreted in many ways for different organizations. It all starts with a risk assessment, from which you can craft a stronger security protocol.

Security should be focused around all areas of your organization and not just the data that faces compliance mandates. Include compliance as a submeasure of your overall security program, not as the foundation.

Even if you meet minimum compliance standards, you can still face lawsuits and other punitive measures for failing to secure sensitive data. In the case of the rash of retailer breaches a few years ago, the courts often found that meeting PCI compliance was not enough to consider data reasonably protected.

Different compliance standards and security plans will include different risk mitigation categories, but any strong information security plan includes a risk assessment, overall security policy, dedicated security staff and/or outsourced security assistance, asset management to track hardware, physical security, environmental mitigation in the case of disaster, a disaster recovery/business continuity plan, a breach/threat response plan, access controls in both physical and digital form, and IT lifecycle management of hardware and software.


Your security staff and protocol should always focus on the safety and availability of your data and computing resources. In other words, they are focused on mitigating risk to that data and the system’s normal course of operation 24/7.

Compliance officers should instead focus on meeting the mandate in daily operations across your entire organization. The mandated standards might or might not lead to more effective security — this is largely irrelevant. By starting with a strong security program, your compliance officers will often have an easier time meeting requirements and completing audits.
