There is some confusion in the information technology industry between compliance and information security. Being compliant with a particular set of standard controls such as PCI DSS, HIPAA, or NIST SP 800-171 is not the same as having an effective information security posture. Compliance does not equal security, and security does not equal compliance.
Compliance is a standard
Compliance measures whether your security program meets a specific set of standardized requirements at a given moment in time. Some organizations try to use compliance requirements as the blueprint for their information security program, but an effective security program should be built around an organization's own assets, threats, and risk tolerance. A compliance standard is written for every organization it applies to and does not account for what your particular organization needs. An example of an ongoing compliance standard is the Payment Card Industry Data Security Standard (PCI DSS), which provides a baseline of technical and operational requirements designed to protect account data. It applies to any entity involved in payment card processing, and to be compliant an organization must meet the standard's 12 requirements. This is just one of many compliance standards that exist today.
Confidentiality, integrity, availability
Unlike compliance, which focuses on a standard, information security focuses on the confidentiality, integrity, and availability of a company's data. This includes all electronic and physical data, for example printed documents stored in filing cabinets. In information security almost anything can be a risk or threat, because sensitive information a company owns must never be transferred or altered without appropriate authorization in place.
Knowing the difference between compliance and information security before you start preparing for a compliance audit helps tremendously. Building a sound information security program first makes any future compliance effort much easier to achieve, because most of the core and advanced security controls will already be in place. You won't be scrambling to build a security program while, in parallel, rushing to meet a compliance deadline.