In general, compliance is defined as following rules and meeting requirements. In cybersecurity, compliance means creating a program that establishes risk-based controls to protect the integrity, confidentiality, and accessibility of information stored, processed, or transferred. A control is a specific, defined standard or method. It lays out the criteria for following a particular process within your organization’s framework of policies, guidelines, and procedures. Technically, there are no rules or guidelines that establish standards for compliance. It is the IT professional’s responsibility to ensure compliance. The program can be manual or, preferably, automated. In either case, the priority is to have a program that regularly tests and assesses compliance.
Compliance can exist at many levels. At an organizational level, compliance can mean ensuring your organization doesn’t become the target for cyber attacks. Furthermore, compliance can mean complying with regulatory requirements, such as maintaining a privacy and security program that protects PII. If your organization falls victim to a cyber attack, compliance can mean conducting a breach response that protects the organization’s assets and reputation.
Compliance can also exist at a technology level. The ISO 27000 series of standards approaches security from a “control perspective.” This means that, in order to be compliant, you must have controls in place for the confidentiality, integrity, and availability of information resources. There are five major categories of cybersecurity controls:
- Data Security
- System Security
- Network Security
- Identity Management
- Access Control
The Department of Homeland Security (DHS) publishes the Risk Management Framework, which is a set of security guidelines and best practices for implementing security measures in your organization.