Compliance or Conformity

-

Compliance is not security, or is it?







There is a view (anecdotal)  that compliance is not security. To be more precise, information and cyber security.

For those aware of this standard, ISO/IEC 27001:2013 (information security management system, requirements) asks those organisations seeking certification to conform to its requirements.
On the other hand, the Payment Card Industry (PCI) security standards, and for example the Data Security Standard (PCI DSS), requires compliance.

Conformity or compliance; in the cases above they both seek to achieve something similar; security, in the context of information and cyber security, by ensuring that important data assets are protected (specifically card holder data for PCI DSS, and ‘other’ sensitive and critical information/data for ISO/IEC 27001:2013).

Having generalised with the use of the word ‘other’ for 27001, in truth if card holder data were in scope then in fact ‘other’ would include cardholder data. But, if by ‘other’ it is meant confidential company financial data (not card holder data), or perhaps special categories of personal data (not card holder data) then PCI DSS does not come into play.

However, in both cases, the objective is to manage the risk to what can be suggested as being sensitive and (or) critical data. In one it asks us to conform to requirements, the other it asks us to be compliant.

Many a tech company and cyber security company, having jumped onto the (EU) GDPR bandwagon back in 2016, offered solutions to enable an organisation to become compliant to the Regulation.

The bandwagon jumping antics of many of these businesses is an entirely different topic of conversation; in the meantime, how do they in fact determine that their customers are compliant to the (EU) GDPR simply by offering a technical solution?

Coming back to the original question of compliance and security; (EU) GDPR has a number of Articles (and recitals) directing controllers and processors to manage risk (likelihood and severity) and to respond by implementing appropriate technical and organisational controls.

In part only (many more non-security related obligations must be met), and in order to reach a degree of compliance, the risk associated with the processing of personal data by a controller and processor from an information and cyber security standpoint must be managed and levels of risk treated in some fashion to assist in complying with the Regulation.

ISO deprecated the use of the word compliance from its management system vocabulary preferring the use of the word conform or conformity, and forgetting that in fact conformity means, ‘compliance’ with standards, rules or laws (thank you Google), the simple answer is; given the context of information and cyber security, compliance is a valid word to use and given the context, compliance can indeed be used with the word security.

KanSecurity (NL)

Popular posts from this blog

Black Swans and other things

-
Image
Back swans and other things. For transparency I’m not an academic. What I enjoy doing is reading academic works, it does not matter what field, with the objective of attempting to answer questions I have related to information and cyber security. Two [of many] questions [the context throughout this blog are businesses, organisations, and information and cyber security] . Why, in the many cases that have been documented, do Chief Information Security Officers [CISO] get shown the door following a major breach of a company network? Whilst CISOs are highlighted, others having a similar role but not called CISOs, are also covered under this question. Why, given the current situation of COVID-19, were many businesses unprepared? The unauthorised attempts at infiltrating a company network, are not outliers [thus not a Black Swan], they happen daily, it is the norm. The evidence, even though prejudiced in itself, is there for all to see. I say that the evidence is prejudiced
Read more

Personal data or PII

-
Image
PII or not to PII, that is the question PII, or personally identifiable information, is used an awful lot to describe something that within the EU-GDPR, DPA2018 (UK-GDPR) is referred to as, personal data. What is personal data vs PII? Personal data - means any information relating to an identified or identifiable natural person (’data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person (GDPR, Art 4(1)). PII is identified in US law as - information that can be used to distinguish or trace an individual's identity, either alone or when combined with other personal or identifying information that is linked or linkable to a specific individual.  (Offic
Read more

Risk and micro, small business

-
Image
Risk; why is it so difficult? Information security risk management, or if you wish cyber security risk management; either way it appears to cause a bit of a problem. Over many years now I have seen and audited different concoctions, the majority of which fail completely to be effective in managing the risk.  That said, I have also seen some scarily good processes, many of which are application driven rather than spreadsheet driven. This is an out and out plug, but the best and most effective examples have usually be driven by Acuity Risk Management's Stream application .  However, for the micro or small business the best approach is to keep things simple, for the moment at least. Risk description - there are excellent definitions for risk published within various ISO documents. However it all boils down to the following: Source (what is the source of the thing that could happen - internal or external parties) Event (what is going to occur) Cause
Read more