Compliance standards are determined by governmental, non-profit, or industry groups. The purpose of compliance is to serve as a foundation for operational data security. Regulatory bodies issue compliance standards and enforce them through audits or assessments. Security is more of an umbrella term that covers all of the processes used to protect data. Effective security is the result of proactive threat identification and risk assessment (e.g. active network monitoring).
Some initial groundwork must be laid before designing a compliance framework to deal with today’s threats.
First, it is necessary to take inventory of your assets to determine what exactly you need to protect.
Second, find the appropriate standard to use as a template for your compliance plan. Which template to choose depends on the type of business being protected.
FIPS 199 provides a method for assigning a security category to an information system based on a risk impact analysis. It defines three security objectives for information and information systems, C-I-A: preserving the confidentiality, integrity, and availability of data.
Generally speaking, the type of data a business regularly works with will determine their security categorization. As an example, we can consider the difference between an organization that mostly manages public information (where confidentiality requirements are not applicable) vs. a healthcare business that manages both public information and highly sensitive patient information.
These two organizations need different security frameworks. Both will benefit from using NIST 800-53 and the ISO 27000 family of standards, but the healthcare organization will likely also be required to meet the standards of HIPAA (Health Insurance Portability and Accountability Act).
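The following is an added worked example of the FIPS 199 categorization step described above; it is not code from the original article. The high-water mark rule it applies (each objective takes the highest impact of any information type on the system, and "not applicable" is only permitted for an individual information type's confidentiality, never for the system) is the rule FIPS 199 defines. The information types, their impact ratings, and the function names are constructed for the illustration.

```python
"""FIPS 199 security categorization: roll information types up to a system
category using the high-water mark rule.  Added example; the sample
information types and their ratings are constructed, not taken from any
official impact guidance."""
from enum import IntEnum
from typing import Dict, List, Optional

class Impact(IntEnum):
    """FIPS 199 potential impact levels, ordered so max() picks the high-water mark."""
    LOW = 1
    MODERATE = 2
    HIGH = 3

OBJECTIVES = ("confidentiality", "integrity", "availability")

# One information type rates each objective.  None models the "not applicable"
# rating FIPS 199 permits for the confidentiality of public information.
InfoType = Dict[str, Optional[Impact]]

def categorize_system(info_types: List[InfoType]) -> Dict[str, Impact]:
    """Return the system security category as {objective: Impact}.

    For each objective the system takes the highest impact among the
    information types it processes.  A system cannot be rated "not
    applicable", so if no information type rates an objective (e.g. a system
    holding only public information) the floor is LOW.
    """
    category: Dict[str, Impact] = {}
    for objective in OBJECTIVES:
        ratings = [t[objective] for t in info_types if t.get(objective) is not None]
        category[objective] = max(ratings) if ratings else Impact.LOW
    return category

def overall_impact(category: Dict[str, Impact]) -> Impact:
    """Single impact level (high-water mark across objectives), which is what
    selects a LOW / MODERATE / HIGH control baseline in NIST SP 800-53."""
    return max(category.values())

def format_category(category: Dict[str, Impact]) -> str:
    """Render the category in the SC = {(objective, impact), ...} notation."""
    parts = ", ".join(f"({o}, {category[o].name})" for o in OBJECTIVES)
    return "SC = {" + parts + "}"

# Constructed information types for the two organizations in the text.
PUBLIC_INFO: InfoType = {"confidentiality": None, "integrity": Impact.LOW, "availability": Impact.LOW}
PATIENT_RECORDS: InfoType = {"confidentiality": Impact.MODERATE, "integrity": Impact.MODERATE, "availability": Impact.LOW}
CLINIC_SCHEDULING: InfoType = {"confidentiality": Impact.LOW, "integrity": Impact.LOW, "availability": Impact.MODERATE}

PUBLIC_ONLY_SYSTEM = [PUBLIC_INFO]
HEALTHCARE_SYSTEM = [PUBLIC_INFO, PATIENT_RECORDS, CLINIC_SCHEDULING]

if __name__ == "__main__":
    for name, system in (("public-information org", PUBLIC_ONLY_SYSTEM),
                         ("healthcare org", HEALTHCARE_SYSTEM)):
        cat = categorize_system(system)
        print(f"{name}: {format_category(cat)} -> overall {overall_impact(cat).name}")
```

Note that the healthcare system lands at MODERATE availability even though patient records alone rate availability LOW: the scheduling information type raises it, which is exactly the effect the high-water mark rule is meant to capture and the reason inventorying every information type on a system comes before choosing a control baseline.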
Achieving adequate information security for organizations, mission/business processes, and information systems is a multifaceted undertaking that requires:
Clearly articulated security requirements and security specifications;
Well-designed and well-built information technology products based on state-of-the-practice hardware, firmware, and software development processes;
Sound systems/security engineering principles and practices to effectively integrate information technology products into organizational information systems;
Sound security practices that are well documented and seamlessly integrated into the training requirements and daily routines of organizational personnel with security responsibilities;
Continuous monitoring of organizations and information systems to determine the ongoing effectiveness of deployed security controls, changes in information systems and environments of operation, and compliance with legislation, directives, policies, and standards;
Information security planning and system development life cycle management. (NIST 800-53a)
Blending different security frameworks in this way improves a program's efficacy. Another important variable is how the threat landscape for many businesses has grown with the expansion of cloud computing: an organization must now protect not only the information it holds internally but also the information it keeps in the cloud.
It makes sense that an organization’s security framework ought to be designed in accordance with the applicable regulatory requirements (like HIPAA in our healthcare hypothetical).
It is worth noting that just because an organization is compliant does not mean they are secure. Compliance standards (examples: HIPAA and PCI DSS) are essential for a business to remain operationally viable, but they serve only as a minimum baseline for information systems, regardless of how extensive they might be.
In other words, for a business to have a strong security posture, more is required of them than to merely pass compliance audits. Establishing system boundaries (like segmenting information resources and systems), providing security training for employees, as well as implementing specific technical security controls are all critical components for any type of security framework to be successful.
As its security program matures, an organization makes steady progress toward lowering its risk profile.