BLOG
4.10.2017

Security and Compliance Are Different Areas of Risk Mitigation

Last updated: 9.16.2020, 1.24.2023

Many organizations put security and compliance under a single banner, and there is nothing inherently wrong with having a Chief Security and Compliance Officer or managing all risk mitigation under one umbrella. The fact remains, though, that compliance and security are two overlapping but fundamentally different practices within information security, and treating them as one thing leaves gaps.

Compliance standards change often and take considerable work to enforce across an entire organization: audit trails, regulator inspections and minimum mandates all have to be tracked and adhered to around the clock. But concentrating on meeting compliance requirements tends to put blinders on a security administrator.

Simply meeting one compliance standard, or even four or five, does not mean that your infrastructure is up to snuff with security best practices. Nor does following industry security best practices guarantee that you will pass your next compliance audit.

Compliance in a nutshell

Whatever the standard, from PCI DSS to HIPAA/HITECH, meeting it mostly means that you satisfied a specific set of security requirements at the moment the assessment was performed. An audit is a point-in-time snapshot: it says nothing about whether those controls stayed in place for the rest of the year until the next audit, and the requirements themselves cover only the threats the standard's authors chose to address.

Compliance is valuable because it pushes organizations that would otherwise do nothing to take at least the mandatory steps toward securing data. But no checklist prevents breaches on its own. Maintaining information security means pairing compliance measures with a strong security plan, anti-virus/anti-malware tooling, and ongoing intrusion detection and intrusion prevention monitoring.

Ultimately, compliance keeps you from paying the often hefty fines for mishandling sensitive data, and it gives you a baseline on which to build your ongoing security measures.


Going beyond compliance standards

Don't use your compliance requirements as your security roadmap, however. HIPAA, for example, is a broad mandate that different organizations can reasonably interpret in different ways. Security starts with a risk assessment of your own environment, and from that you craft a security protocol that is stronger than the mandate.

Security should cover every part of your organization, not just the data that is subject to compliance mandates. Treat compliance as one component of your overall security program, not as its foundation.

Even if you meet minimum compliance standards, you can still face lawsuits and other penalties for failing to secure sensitive data. After the wave of retailer breaches a few years ago, courts frequently declined to treat a passed PCI assessment as proof that cardholder data had been reasonably protected.

Different compliance standards and security plans divide risk mitigation into different categories, but any strong information security plan includes:

- a risk assessment
- an overall security policy
- dedicated security staff and/or outsourced security assistance
- asset management to track hardware
- physical security
- environmental mitigation in case of disaster
- a disaster recovery/business continuity plan
- a breach/threat response plan
- access controls, both physical and digital
- IT lifecycle management for hardware and software


Your security staff and protocols should always focus on the confidentiality, integrity and availability of your data and computing resources. In other words, their job is mitigating risk to that data and to the systems' normal course of operation, 24/7.

Compliance officers, by contrast, should focus on meeting the mandate in daily operations across your entire organization. Whether the mandated standards lead to more effective security is not their yardstick; whether the organization can demonstrate adherence is. Start with a strong security program and your compliance officers will usually have an easier time meeting requirements and passing audits.
