Security vs Compliance

For those on the receiving end of cybersecurity efforts, the terms “security” and “compliance” might seem synonymous. However, understanding the subtle, yet crucial, differences between being compliant and being secure is paramount in safeguarding an organization’s technologies and sensitive/regulated data.

Your adversaries are unrelenting, so why would you consciously choose to settle?

Misguided "Compliance Is Not Security" Debate Context

There is a long-running debate pertaining to “compliance is not security” and there is some truth to that saying. However, instead of a binary state of being compliant versus secure, it should be viewed as four (4) maturity-based quadrants where your organization is either:

1. Not secure, resilient or compliant (negligent);
2. Secure & resilient, but not compliant;
3. Compliant, but not secure or resilient; or
4. Secure, resilient & compliant.

The underlying issue in the “compliance vs security” debate is complacency and this is important for the broader concept of Integrated Controls Management (ICM). Your adversaries are unrelenting, so why would you consciously choose to settle? That is where the concept of negligence comes into play, when your failure to conduct due diligence and due care activities can be considered negligent behavior. That term tends to scare executives, and it should, but it does not change the reality that there is a negligence threshold that is specific to each organization. The question for you is, “Do you know what your negligence threshold is, based on your applicable laws, regulations and contractual obligations?”

This concept of identifying a negligence threshold is addressed in the SCF’s Cybersecurity & Data Privacy Capability Maturity Model (C|P-CMM).

Defining Compliance That Is Specific To Your Business Case

Compliance controls are viewed as “must have” requirements that are non-discretionary (e.g., not optional). These requirements directly sourced from an organization’s applicable laws, regulations and contractual obligations. From a scoping perspective, these compliance obligations may be organization-wide or narrowly scoped to a specific enclave or project. It is your organization's responsibility to properly scope the applicability of these compliance controls. The Unified Scoping Guide (USG) is an excellent resource for your scoping exercise.

The process of clearly identifying non-discretionary controls generally involves interviewing multiple stakeholders to gain appropriate situational awareness of all pertinent compliance obligations. These stakeholders with valuable insights are often:

• Governance, Risk & Compliance (GRC);
• Enterprise Risk Management (ERM);
• Procurement / Contracts Management;
• Legal;
• Physical Security; and
• Human Resources.

Statutory Obligations

Statutory obligations are required by law and refer to current laws that were passed by a state or federal government. From a cybersecurity and data privacy perspective, statutory compliance requirements includes state, Federal and international laws:

• Fair and Accurate Credit Transactions Act (FACTA)
• Family Education Rights and Privacy Act (FERPA)
• Federal Information Security Management Act (FISMA)
• Federal Trade Commission (FTC) Act
• Gramm-Leach-Bliley Act (GLBA)
• Health Insurance Portability and Accountability Act (HIPAA)
• Sarbanes-Oxley Act (SOX)
• California - SB 1386 / CCPA / CPRA
• Massachusetts - 201 CMR 17.00
• Oregon - ORS 646A.622
• Canada - Personal Information Protection and Electronic Documents Act (PIPEDA)
• UK - Data Protection Act (DPA)

Regulatory Obligations

Regulatory obligations are required by law, but are different from statutory requirements in that these requirements refer to rules issued by a regulating body that is appointed by a state or federal government. These are legal requirements through proxy, where the regulating body is the source of the requirement. It is important to keep in mind that regulatory requirements tend to change more often than statutory requirements. From a cybersecurity and data privacy perspective, regulatory compliance examples include:

• Defense Federal Acquisition Regulation Supplement (DFARS) (including Cybersecurity Maturity Model Certification (CMMC))
• Federal Acquisition Regulation (FAR)
• Federal Risk and Authorization Management Program (FedRAMP)
• DoD Information Assurance Risk Management Framework (RMF)
• National Industrial Security Program Operating Manual (NISPOM)
• Financial Industry Regulatory Authority (FINRA)
• New York Department of Financial Services (NY DFS) 23 NYCRR 500
• European Union General Data Protection Regulation (EU GDPR)

Contractual Obligations

Contractual obligations are required by legal contract between private parties. This may be as simple as a cybersecurity or data privacy addendum in a vendor contract that calls out unique requirements. It also includes broader requirements from an industry association that membership brings certain obligations. From a cybersecurity and privacy perspective, common contractual compliance requirements include:

• Payment Card Industry Data Security Standard (PCI DSS)
• ISO 27001 certification
• Service Organization Control (SOC) audits
• Generally Accepted Privacy Principles (GAPP)
• Center for Internet Security Critical Security Controls (CIS CSC)
• Cloud Security Alliance Cloud Controls Matrix (CSA CCM)

Defining What It Takes For Your Business Processes To Be Secure & Resilient

Cybersecurity and data protection controls that are not required by a law, regulation or contractual obligation are “nice to have” controls that are discretionary for an organization to implement. Any aspect of non-compliance with a discretionary control would be isolated within the realm of the stakeholder making the requirement, since the requirement is internal to your organization. The source of these discretionary requirements may be from:

• Board of Director (BoD) guidance;
• Steering Committee recommendations;
• Internal Audit findings;
• Third-party audit/assessment recommendations; and/or
• Internal staff preferences.

The importance of these discretionary controls is that those are often organization-specific considerations to mitigate risk that is specific to an organization’s business practices.?

Discretionary Cybersecurity & Data Protection Considerations

A common frustration amongst cybersecurity practitioners is about the gaps that exist in many “best practice” cybersecurity frameworks. This is often where there are complaints about organizations holding an ISO 27001 certification, SOC 2 audit or PCI DSS audit that still have breaches or security incidents, where the argument is that a certification does not mean the organization is secure. The remedy to such gaps is through discretionary cybersecurity & data protection controls that are not directly mandated by a compliance obligation, such as the requirements for:

• Data Loss Prevention (DLP)
• Network Access Control (NAC)
• File Integrity Monitoring (FIM)
• 24/7 Security Operations Center (SOC)
• Artificial Intelligence (AI) governance controls
• Sandboxing / detonation chambers
• Segmented Dev / Test / Production environments
• Cloud infrastructure-specific controls
• Embedded technology-specific controls

Discretionary Resilience Considerations

NIST defines resilience as, “The ability to prepare for and adapt to changing conditions and withstand and recover rapidly from disruption. Resilience includes the ability to withstand and recover from deliberate attacks, accidents, or naturally occurring threats or incidents.”[3] From a discretionary control perspective, this may require the addition of technologies and processes to help ensure the continuity of business operations, such as:

• Continuity of Operations Plan (COOP)
• Business Continuity / Disaster Recovery (BC/DR) Plan
• Failover / redundancy capabilities
• Business continuity test exercises
• Offsite, online backup storage
• Offsite, offline backup storage
• Transactional-level backups

About The Author

If you have any questions about this, please feel free to reach out. Tom Cornelius is the Senior Partner at?ComplianceForge, an industry leader in cybersecurity and privacy documentation. He is also the founder of the?Secure Controls Framework?(SCF), a not-for-profit initiative to help companies identify and manage their cybersecurity and privacy requirements.