News Flash: Being compliant doesn’t mean you’re secure, any more than implementing security guarantees that you’re compliant. That’s right, compliance does not equal security. Compliance and security are separate and distinct goals. So, what is the difference?
Compliance requires that you meet the stated requirements or regulatory standards of a third party or accrediting authority, e.g., government agency. Some examples of compliance standards are FISMA, NIST, FedRAMP, PCI DSS, HIPAA, DFARS and ISO 27001.
Security, on the other hand, results from exercising due diligence in following a process, taking actions, and implementing tools and best practices to ensure the continual confidentiality, integrity and availability of information assets.
Compliance is a snapshot of how your security program meets a specific standard at a given moment in time. Security is an ongoing effort to safeguard and protect your information and information systems. Let’s dive deeper:
Compliance is:
- Done to satisfy external requirements
- Driven by business needs, not technical demands or events
- Checklist based
- Completed when the accrediting authority is satisfied & grants formal approval
Security is:
- Done to protect assets and resources
- Motivated by a need to defend assets against threats
- Risk-based
- Continuous and never ending
Security + Compliance
While they are separate and distinct concepts, security and compliance complement each other.
- Compliance establishes a baseline security posture
- Security identifies and addresses all known risks to assets
- Compliance is intermittent or recurring (every year, 3 years, etc.)
- Security is ongoing and continuous
- Compliance is a checklist, not a blueprint for security
- Security is facilitated through frameworks, standards, best practices, etc.
While compliance and receiving Approval to Operate can be a great first step, additional measures and best practices to achieve the maximum security posture possible should always be followed. Both compliance and security are fundamental needs and business drivers for government agencies that influence their decisions and actions.
