Compliance

“Compliance is not security, and security is not compliance.” This statement can potentially be attributed to a number of sources, but it has definitely become a widely used trope in the security sector. While security moves too quickly to be effectively codified into a set of requirements that works in all instances, both now and in the future, there is also something to be said for the structure that compliance standards can provide. They are designed to protect the general public as well as the companies forced to adhere to them.

In the United States, the most prominent compliance standards include PCI, which provides regulations around credit cards and other modes of payment; HIPAA, which focuses on medical/healthcare data; and Sarbanes-Oxley, which is designed to preserve the integrity of corporate financial reporting. ISO and SSAE also factor into the equation. In Europe, GDPR has become the de facto standard, and carries serious financial implications for failures to comply.

U.S.-based respondents to AVANT’s assessment survey point to enterprise customers adhering to the following standards at the proportions shown below, based on 197 responses.

Compliance Standard Required (Based on 197 responses)

Standard              Share of respondents
PCI                   47%
HIPAA                 33%
ISO                   16%
Sarbanes-Oxley        15%
SSAE 16 Type II       14%

Source: AVANT Assessment Data

Even if your company is not required to adhere to a standard, it is often a valuable exercise to choose a standard that can be used as a useful framework for establishing necessary controls and policies.

Copyright © 2020 AVANT Communications, Inc.
Managed Security Trends and Insights