I read and hear the term “compliance” used liberally in infosec, often without a clear context. The graphic above is intended to illustrate some business drivers such as statutory laws, regulatory agencies (e.g. GAO’s HIPAA), industry-imposed requirements (e.g. PCI DSS), customers’ and shareholders’ expectations (some of which are legally and contractually required). These plus other… Continue reading What is Compliance?
[youtube http://www.youtube.com/watch?v=QqV_a_5tZCI?feature=oembed&w=250&h=140] Scaling Security to the Enterprise – from BSides Nasvhille (May 17, 2014) (Source: https://www.youtube.com/)
Compliance is about auditable business processes that are related to meeting legal, regulatory & contractual requirements. Infosec is a confluence of strategic & tactical processes & controls with a goal of ensuring confidentiality, integrity & availability of data & systems. There is overlap but the two things are effectively different and aimed at different needs… Continue reading Compliance versus Security … Coming to Trial?