What is Compliance?


I read and hear the term “compliance” used liberally in infosec, often without a clear context.

The graphic above is intended to illustrate some business drivers such as statutory laws, regulatory agencies (e.g. GAO’s HIPAA), industry-imposed requirements (e.g. PCI DSS), customers’ and shareholders’ expectations (some of which are legally and contractually required).

These plus other business-specific requirements are mixed with the business’ risk appetite, its mission, vision and goals to produce a matrix of value statements about what a company must do.

Within an enterprise, the requirements that come from the 5 horizontal pillars above* tend to be articulated as non-functional requirements, and they must be given voice by the corporate management team as well as area leaders throughout the enterprise to offset how abstracted they are from most solution providers. These requirements may be codified within the enterprise in the form of policy statements (e.g. some of the larger Whats that matter to the company), position papers, standards, controls and/or procedures.

It’s important to articulate these larger values because the values of more localized, vertical business units are often less abstracted and easier to see in terms of cost-benefit statements, while these larger, enterprise-level values can be hard to explain in terms of direct monetary impact (and often the cost-benefit analysis for these broader values is only undertaken after a loss is realized).

Meeting all these requirements is COMPLIANCE.

Compliance is the starting point for infosec.  A compliant business is NOT a secure business.  Principles of risk management almost always require that enterprises do more than just meet these requirements.  Being compliant is required of businesses for any number of stakeholders but it does not satisfy the Due Care requirement that a business has in terms of infosec.

Next in this series: Governance

*CAVEAT – these are not the only places that requirements can come from.  Some requirements are legally binding and will cost the company in fees, fines and other penalization while some costs are to brand.