A basic understanding of information security and compliance is fundamental to the success of thousands of organizations. Unfortunately, the two terms are far too often misunderstood, mixed up, and misused. What if I told you that information security—if you understand it—can be used by your organization as a competitive advantage?
But before we get there, we will need to gain an understanding of information security and compliance.
A basic (and accurate) understanding of information security and compliance are critical to figuring out how they can positively or negatively affect our businesses.
To get this understanding we need to define compliance and information security, tackle common misconceptions about information security, and set some principles that can continue to drive this competitive advantage for you.
What better place to start with a definition of compliance than with the dictionary?
com-pli-ance [kuhm-plahy-uhns] (noun):
1. the act of conforming, acquiescing, or yielding
2. a tendency to yield readily to others, especially in a weak and subservient way
3. conformity; accordance: in compliance with orders.
4. cooperation or obedience: Compliance with the law is expected of all.
From a security standpoint, what is compliance?
Most security-related compliance comes through legislative or administrative/regulatory law. Obviously, it is important for us to obey the law! Regulatory standards for data security include HIPAA/HITECH, GLBA, FISMA, PCI DSS, and too many others to mention.
Information security-related laws are written to apply to a large number of similar organizations and are enforced by regulators and auditors. In order for a law or mandate to apply to a large number of organizations, it has to be written with some vagueness and interpreted on a case-by-case basis (at least until an adequate precedent is set).
Information security-related compliance is doing what your last auditor or regulator told you to do, based upon their interpretation of the law as it applies to you.
In other words, compliance is like doing what you are told to do by someone who does not know or care about what’s best for you, based upon their unqualified interpretation of a vague law.
Letter of the Law vs. Intent of the Law vs. Interpretation of the Law
The letter of the law (pick just about any information security-related law) is fairly easy to comply with due to the law’s inherent vagueness. The problems start with the interpretation of the intent. In most cases, the intent of information security-related law is to reduce the risk of unauthorized disclosure, alteration, and destruction of sensitive (or regulated) personal information.
Interpretation is left to government agencies and regulators (compliance audits). If the intent of the law is to reduce risk, who knows better about risk management in my organization? Me or a regulator? I hope you answered me! If you are not in a position to answer this for yourself, then this series of articles was written specifically for you.
I’m a competitive guy. I try to lead my organization with courage and boldness. Words like “conforming,” “acquiescing,” and “yielding” are not words that I want to be associated with.
At the end of the day, if I can demonstrate that I manage risk well then I can also demonstrate that I can handle what compliance requires. All this without being told what to do from an outside entity that doesn’t know what’s best for my company.
Information security is not anything new. In fact, information security has been around ever since we have had information to protect. Today, if you ask ten security professionals to define information security, you will probably get ten different answers. How can corporate leaders like you and me make strategic decisions about something that we cannot define? We need to start with a definition:
Information security is managing risks to the confidentiality, integrity, and availability of information using administrative, physical, and technical controls.
- One action: managing risks
- Three characteristics of information: confidentiality, integrity, and availability
- Three types of security controls: administrative, physical, and technical
In the simplest of terms, risk is the likelihood of something bad (like a data breach) happening combined with the impact of the bad thing happening.
Confidentiality is keeping information secret—only allowing authorized disclosure. The opposite of confidentiality is (unauthorized) disclosure.
Integrity is ensuring that information is accurate. Accurate information is critical to us in making sound decisions. The opposite of integrity is (unauthorized) alteration.
Availability is ensuring that information is accessible when it’s needed. The opposite of availability is destruction.
Administrative Controls
These controls are used to manage the organization’s information security efforts and to address the people part of security. They include things like policies, standards, procedures, and training. They are not exciting, but they are absolutely critical to good information security management.
Physical Controls
These are typically the controls that you can touch. They are designed to manage physical access to information and include things like door locks, alarm systems, and camera surveillance. It really doesn’t matter how good your antivirus software is if someone can easily steal your server.
Technical Controls
This is the IT part of security. Notice that the IT part of security is only one part of security, not all of it. Technical controls are what most people think of when they think of information security. They include things like firewalls, antivirus software, passwords, and permissions.
So there we have it. This is our workable definition of information security.
Ten Security Principles To Live (or Die) By
Over the years information security has gained a bad rap for a number of reasons; poor definition and poor application of security are two primary reasons. Here are ten information security principles that should help us put our definition into context.
1. A business is in business to make money.
Seems obvious, doesn’t it? How often does information security get in the way of making money? If information security gets in the way of our business making money, then we’re doing it wrong. Information security must align with business objectives, and that alignment is almost impossible unless corporate leaders take an active role.
2. Information security is a business issue.
Information security is NOT an IT issue. The technical part of information security is complementary to administrative and physical security, not exclusive of them.
3. Information security is fun.
Who actually says or thinks this is true?! It really comes down to attitude. People do not want to do anything that they see as boring or painful. If we ask someone to do something that is important to our mutual success, we should make it as enjoyable as possible.
4. People are the biggest risk.
This has always been and will always be true. Most organizations overspend on security technology while neglecting the people part of security. Your greatest risk is probably not technology-related.
5. “Secure” and “compliant” are different.
We shouldn’t confuse the two.
6. There is no common sense in information security.
If there were, we would have better information security. This re-emphasizes the point that people are our greatest risk.
7. “Secure” is relative.
As you recall from our definition earlier, security is managing risks, not eliminating them. We cannot reduce our risk to zero. Because security is relative, it warrants ongoing measurement and comparison.
8. Information security should drive business.
Identify and focus on the benefits of information security. Information security shouldn’t just be a cost center.
9. Information security is not one-size-fits-all.
No two organizations are exactly alike. It makes sense to copy certain things that work for other organizations, but if we expect something to work we will have to make it our own.
10. There is no “easy button.”
So stop looking for one.
We now know that compliance and information security are two different terms, and we know why. The relationship between the two is this: compliance (by itself) does not mean that you are managing security well; managing security well, however, does mean compliance.
Getting information security right by leveraging a good definition and applying sound principles will save your organization thousands (maybe millions) of dollars. It is not something that can be entirely delegated to others because ultimate success or failure rests with us, the leaders of our respective organizations.
For assistance with building a security program that goes beyond compliance, visit frsecure.com.