What is the difference between a security program and security compliance?
When we start talking about security programs and standards, we need to also talk about security compliance. Unfortunately, these terms can start to blur together. To eliminate confusion, we define them here and explain how you will want to use them together to optimize your company’s information security. We also clarify a few other terms along the way.
Defining a “security program”
A security program is the documented collection of policies, controls, and processes used by a company to protect its assets. Let's break this down:
Documenting your security program is essential. Information and cyber security have too many moving parts to rely on an ad hoc approach to security. Documentation is the reference material that keeps the organization aligned with its security decisions.
The core of a security program are its security policies. Each IT security policy sets the expectations in a specific area, like data security or incident response. Collectively, security policies are the roadmap that sets the scope and guidelines of your security program.
Security policies don't specify how they are implemented. Those details are in the controls and processes. They are the mechanisms you choose to put your security policies into practice.
- Controls can be physical, like controlling access to locations where sensitive assets are held.
- Controls are often technological, such as tools that handle encryption, password management, and data restoration.
- Administrative controls cover the human element, outlining actions humans need to take. This means everything from security training requirements to outlining how other controls are used.
An example: An automated tool (a technology control) conducts weekly user audits to defend against unauthorized access to your network and data. The process around responding and remediating any audit flags is an administrative control.
The purpose of your security program is to protect the confidentiality, integrity, and accessibility of your company’s assets, and to contain and minimize the impact of any intrusions. Define your company assets broadly; you can assign a security priority to different assets once you define and identify them. Your assets are data, intellectual property, strategic documents, business processes, and the network that supports your ability to operate.
A security program is the culmination of internal analyses and decisions regarding where your vulnerabilities are, what your risk tolerance is, and how you plan to execute security on your assets.
Defining “security compliance”
Step outside of information security for a minute. What do you think when you hear "compliance"? Labor laws? Taxes or zoning? Contractual obligations? Compliance management isn’t new to an entrepreneur. You already navigate a vast network of laws, regulations, and contracts. If you want to conduct business, you not only have to comply with their applicable provisions, but have to be able to document that compliance.
"Compliance" in the information security context isn't too different. Information security compliance means you can document how your company fulfills the security requirements of an external party.
The external requirements can be contract provisions with a vendor or customer or a published security standard. A security standard specifies the criteria, expectations, and guidelines that define minimum requirements needed to satisfy it.
Governments can impose security standards as a condition for doing business. Two examples:
- If your company holds personal health information, you must comply with HIPAA regarding the handling of that data.
- If you want to do business in the EU, you must comply with the General Data Protection Regulation (GDPR), which controls how you collect and manage personal information for people living in the EU.
Industry organizations can also impose security standard compliance as a condition. Any company that wants to process credit card payments must comply with the Payment Card Industry Data Security Standard (PCI DSS).
Governments and industry organizations also publish security standards that aren't required. A couple of examples:
- The U.S. Department of Commerce, through the National Institute of Standards in Technology (NIST), issues a number of security standards, such as NIST 800-53.
- The American Institute of CPAs (AICPA) developed SOC 2 compliance requirements for service organizations, which provides a standard for handling personal information.
Standards facilitate business growth by providing a common framework that helps independent organizations trust each other, encouraging voluntary compliance.
Voluntary or compelled, compliance with a given security standard is evidence that an organization has the processes and controls in place that meet the level of security specified.
How Security Programs and Compliance Differ and How They Support Each Other
The defining difference between a security program and security compliance is that a security program is internally driven while security compliance is externally driven. Here’s what this looks like when we break down how each functions within the organization:
Scope and priorities of a security program are determined through internal assessment of vulnerabilities, assets, business needs, and risk tolerance.
Meeting the expectations and requirements determined by a third-party, whether government, industry organization, or potential customer, vendor, or partner.
Continually re-assessed and updated to address evolving security challenges and business priorities.
Reactive to changes made either in the standard itself or in an auditor’s or certifier’s evaluation of the organization’s compliance level.
Constant evaluation as to whether controls are, in fact, providing the expected level of security.
Certification and audits determine whether processes and controls are in place, without addressing efficacy.
Represents a holistic, comprehensive approach to organizational security that reflects understanding that the business is solely responsible for ensuring its information and operations are protected.
Provides a baseline of security measures required to gain external confidence in and approval of the organization’s security posture.
While they are distinct from each other, they aren’t an either/or proposition. They both have their role. Companies must have a security program. As noted above, in some cases complying with a certain security standard is required to do business. Where compliance isn’t mandated, working towards compliance with a relevant security standard is still a solid practice for two key reasons:
- Security standards represent best practices and security industry-accepted controls, so they act as helpful guidelines and a backstop for your own due diligence. For companies that have no formal security program, they can be a useful first stop that keeps new companies from getting overwhelmed. They often include information security policy templates, so you don’t have to start from scratch. We generally recommend using NIST 800-53 as a framework to start building a security program.
- Developing your security program in alignment with a security standard
- provides a roadmap for maturing your security program,
- allows you to respond to security questions on RFPs more quickly and confidently, and
- smooths the way for your company to get formally certified or pass a SOC 2 audit in the future if a potential customer requires it.