Does compliance equal security?

Unless you're a network security or IT security professional, hearing the word "compliance" probably makes the hairs on the back of your neck stand up. It's sort of like when you realized (spoiler alert) that Bruce Willis was dead at the end of The Sixth Sense -- you suspected something was wrong for a while but now your dread has come to life.

When most of us hear the word "compliance," we tend to think of terms like "expensive," "tedious" and "pain in the rear." I hosted a webcast this week, "Back to the Basics of Compliance," and some of the responses from the participants got me thinking.

Many of the attendees equated security with compliance and didn't understand why I was separating them out on the webcast. Some folks considered them vastly different things and were adamant that some of what I was calling compliance was really security and vice versa. So are compliance and security really the same thing? Well, yes and no.

Let's first take a look at compliance. Compliance is the act of conforming to documented standards or requirements and providing validation of that conformance. For companies handling credit card data, PCI DSS is a common compliance concern; for medical companies it's HIPAA; for publicly traded companies it's Sarbanes-Oxley (SOX); and for U.S. government agencies it's FISMA.

Even if none of these formal regulations apply to you, compliance can be as simple as following the documented policies that your company has in place and providing proof that you're doing so. Many compliance standards are in fact related to security. For instance, PCI DSS is about protecting cardholder data and HIPAA is about protecting patient health information. However, while compliance is related to security, it isn't the same thing as security. Compliance focuses on validating that you're following the rules and processes, not on whether those rules and processes actually stop an attacker.

While compliance focuses on validation, security focuses on protection. Your security policies should explicitly dictate how your IT assets are to be protected. Firewall rule sets, antivirus deployment, server hardening, user password requirements and more all fall into the realm of security.

There is a lot of overlap between security and compliance, but it's important to remember that compliance does not equal security. You can't assume that just because you're compliant you are secure. A passed audit tells you that a defined set of controls was in place and documented at the time of assessment; it says nothing about the misconfiguration introduced the week after, or about a threat the standard's authors never anticipated.

Compliance standards are static in nature and slow to be updated, so the checklist you are measured against always lags the threats you face. Security, on the other hand, is a dynamic, ever-changing beast that will devour you the first time you take your eyes off of it -- OK, maybe that's a little melodramatic, but there are a lot of actors in my family.

Have an opinion about compliance vs. security? Are they handled by the same folks in your organization or different teams? If different teams, what are the challenges in working together?

Flame on...


Josh Stephens is Head Geek and VP of Technology at SolarWinds, an IT management software company based in Austin, Texas. He shares network management best practices on SolarWinds' GeekSpeak and thwack. Follow Josh on Twitter @sw_headgeek and SolarWinds @solarwinds_inc.
