May 2, 2019 / GuidesFor Team
Does Compliance Automatically Mean Security?
In IT Security, it is quite common for people to meet the terms “IT Security” and “IT Compliance.” More often than not, the two are misunderstood as one and the same, or they are taken to be part of the same subset of Information Security. In reality, they are two distinct and separate domains that require an equal amount of importance and attention.
Ever heard of the acronyms HIPAA and SOX, or standards like PCI-DSS or ISO 27001? If you are an Information Security professional, it is almost impossible for you to have missed the regulatory acts that were passed through legislation. What do they stand for, and what are their roles?
Let’s take the first one.
SearchHealthIT describes HIPAA (Health Insurance Portability and Accountability Act of 1996) as United States legislation that provides data privacy and security provisions for safeguarding medical information. Also known as Public Law 104-191, HIPAA has two main purposes: one is to ensure continuous health insurance coverage for workers who have lost or changed their job, and the other is to reduce the administrative burdens and cost of healthcare by standardizing the electronic transmission of administrative and financial transactions.
SOX is HIPAA’s counterpart in the financial sector.
In short, both HIPAA and SOX are laws passed by Congress to serve as industry standards that aim to safeguard and protect those industries. Companies doing business in either industry should follow the said standards to be considered compliant with government mandates. Simplifying it further, these are government requirements that aim to protect companies from identified risks.
Now, does that make those companies secure?
Short answer: no.
Long answer: It’s not that simple.
You see, security is technical in nature. When you talk about IT Security, the main objective is to ensure that the business is protected, critical data is secured, and the infrastructure has proper defenses against threats and is capable of detecting possible incursions from the outside world (in other words, a security breach).
To illustrate, an IT Security professional would install a perimeter firewall to protect the internal network from unauthorized access from the outside, and then implement Endpoint Security to ensure that all internal assets are protected and capable of defending themselves from malicious software. Afterwards, he can run penetration testing to test their readiness. Yet all of these technical measures are useless unless what was implemented and placed in the infrastructure followed government requirements.
Let’s look at it from another perspective.
A business may have followed every IT regulatory standard (PCI-DSS or ISO) to the letter, complied with all state-mandated laws covering its industry, and have all IT policies in place following the minimum government requirements. Yet its infrastructure could still end up insecure. Why? Simply put, industry regulations alone don’t secure a business. Industry standards and government-mandated IT regulations are there to try to limit the risks for each enterprise by telling it what needs to be done to protect its most important business assets. Emphasis on the term “most important.” Why? Because they don’t cover every asset in the whole enterprise. And this is where the problem lies.
Compliance alone won’t secure and protect any business. Likewise, IT Security alone won’t ensure that the enterprise is risk-free. For a company to run smoothly with minimal to no risk, IT security and compliance should be in sync.
While compliance addresses the “business” side of the enterprise (requirements, risk mitigation, operational tools, etc.), the IT security side ensures that the “business” side has all the tools and processes in place to guarantee its protection.