Welcome to part three of our 3-part series about security and compliance. For those of you who missed part one or two, feel free to follow these links to get up to speed on this series: Part 1: Related but Not the Same, and Part 2: Compliance Means We’re Secure, Right?
The previous two parts of the Security and Compliance series should have given you a clear picture of the relationship between security and compliance. Improving security should always be a standing goal, because it is what actually protects the organization against breaches and protects its assets from malicious action; compliance is a point-in-time attestation against a particular standard. If your company is continuously improving and monitoring its security, there will be fewer holes to patch when an audit or a new regulatory requirement comes around. Improving your security posture can feel as overwhelming at the start as compliance does, but there is published guidance to help you reach maturity.
Increasing security posture
The Center for Internet Security (CIS) Top 20 Critical Security Controls is a great place to start. You will also see the CIS Top 20 referred to as the SANS Top 20, because the controls were originally developed and published with the SANS Institute before CIS took over their maintenance; the content is the same prioritized list, and it is widely adopted. In version 7 the 20 controls are grouped into three categories that tell you where to begin: the basic controls (1-6, such as inventorying hardware and software assets, continuous vulnerability management, and controlled use of administrative privileges), the foundational controls (7-16), and the organizational controls (17-20, which cover people and process items such as awareness training and incident response). Working through the basic controls first gives you the most risk reduction for the effort, and the later groups build on the visibility those first six provide. Note that the current CIS Controls version 8 consolidates the list to 18 controls and replaces the three categories with Implementation Groups, but the prioritization idea is the same.
Using a compliance standard for increasing security
If your organization is feeling adventurous, another great source of security hardening guidance is NIST Special Publication 800-53, better known simply as NIST 800-53: Security and Privacy Controls for Information Systems and Organizations. At nearly 500 pages, it can be overwhelming, to say the least. The biggest reason to use 800-53 as a security framework is that many regulatory and compliance standards draw on NIST guidance rather than inventing their own control language. HIPAA is the clearest example: NIST publishes SP 800-66 specifically to map the HIPAA Security Rule onto 800-53 controls. PCI DSS is maintained separately by the PCI Security Standards Council, but its requirements cover the same ground (access control, logging and monitoring, vulnerability management, configuration management), so a control set built on 800-53 will satisfy a large share of it. When you read through the most common regulatory and compliance standards, 800-53 is referenced or paralleled a great deal, which means implementing it once gives you evidence you can reuse across several audits.
Although security does not mean compliance, working to raise the organization's security posture using a framework such as the SANS/CIS Top 20 or NIST 800-53 will usually mean you have fewer security and technical controls to patch up when your company must meet a particular regulatory compliance standard.