By: Nihad Hassan
June 2, 2021
Security vs. Compliance, What Is The Difference?
In today's digital age, ensuring the security of IT systems is a top priority for every organization worldwide. Cybersecurity attacks are increasing in both number and sophistication. Organizations work daily to deploy the most effective security solutions (e.g., firewalls, IDS/IPS, DLP) and to implement security controls and policies that protect their most valuable assets. According to Cybersecurity Ventures, cybercrime is projected to cost the world $10.05 Trillion annually by 2025. Regulatory standards such as PCI DSS, HIPAA, GDPR, and ISO 27001 were developed to recommend and enforce security best practices that protect data and improve organizations' information security management.
Security and Compliance are two terms that are often mentioned together. They complement each other to achieve a single goal: preventing risks. Handling risk is the reason both disciplines exist. Security and Compliance both work to design, deploy, and maintain security controls that mitigate risk and protect information assets from unauthorized access and damage. However, keep in mind that Compliance does not mean security: an organization can be compliant but not secure!
The Information Technology industry is growing rapidly because of digital transformation efforts worldwide, which accelerated after the COVID-19 pandemic in 2020. According to Statista, the global information technology (IT) industry is estimated to be worth $5 trillion in 2021. The massive growth of the IT market has created a range of cybersecurity and compliance challenges for organizations worldwide. Executive management now recognizes the importance of controlling how sensitive data, especially customer information, is stored, processed, and transferred. Regulatory compliance frameworks exist to ensure that data regulations are implemented through concrete security measures.
What are the key differences between Compliance and Security?
Compliance focuses on the type of data an organization manages and on which compliance framework applies to protecting it. In many cases, an organization is subject to multiple compliance frameworks, and understanding all of the applicable regulations is difficult. The primary goal of Compliance is to manage risk, and its scope goes well beyond information assets. Compliance takes a holistic view of every organizational aspect that affects risk: legal, financial, and physical matters, as well as policies, regulations, and laws.
Security is the set of technical controls, processes, and tools used to restrict access to sensitive resources and to protect the organization's IT infrastructure from both physical attacks and cyberattacks. The ultimate goal of security is to meet Compliance, and Compliance is a critical element of any business requirement. Security includes everything a security team does to protect information assets: controlling access to the IT infrastructure (physical security), deploying network security appliances such as firewalls, IDS/IPS, and content filters, setting access control lists that govern access to sensitive network areas, and applying network segmentation and virtual networks to isolate important data in independent network segments.
Popular compliance frameworks to protect IT assets
Compliance is derived from a third party's requirements, such as a government, a security framework, an industry standard, or a client's contractual terms. A compliance framework measures an organization's security processes against a set of regulatory requirements at a specific point in time to assess its adherence to the standard's rules. For example, suppose an organization wants to do business in an EU country or to handle the data of EU citizens. In both cases, it must adhere to the GDPR, which governs the storage, processing, and transmission of EU residents' data. The following lists the most popular compliance frameworks concerning data security:
PCI DSS
The Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards developed by a group of credit card companies (Visa, MasterCard, American Express, Discover, and JCB) to protect cardholders. It aims to ensure that every company accepting credit card payments applies proper security measures when taking, storing, processing, or transmitting credit card information. PCI DSS is designed to protect both customers' payment information and e-commerce service providers.
There are four PCI compliance levels, which depend on a company's annual volume of credit card transactions.
HIPAA
The Health Insurance Portability and Accountability Act (HIPAA) ensures that patients' health data is stored securely and accessed only by authorized users across different healthcare providers (doctors, hospitals, nursing facilities, pharmacies, care clinics, and other entities that provide health care in exchange for payment).
ISO 27000 Family
The ISO 27000 family of information security management standards is a set of security standards that define best practices for developing Information Security Management Systems (ISMS). These standards apply to organizations of all sizes in any industry. The ISO 27000 series is developed and maintained by the ISO (International Organization for Standardization) and the IEC (International Electrotechnical Commission).
SOC Reports
SOC reports are audit reports verified by a Certified Public Accountant (CPA) and designated by the American Institute of Certified Public Accountants (AICPA). A SOC report indicates whether financial audits are performed and whether the audit is performed according to the serviced company's controls.
Security and Compliance are vital components of any organization. Knowing how each relates to the other is essential to protecting your data assets. Security and Compliance must work in harmony: when an organization aligns its compliance framework with its internal security controls, its data and other IT assets can be protected to the fullest extent.