Security vs compliance: connecting the dots between the two

Heather Gray

Aug 16, 2022

13 min read

Security and compliance are often assumed to mean the same thing. It is an easy mistake to make: at a glance, both seem to require organizations to implement adequate measures to safeguard information and other assets critical to business operations. In reality, the difference between security and compliance is substantial.

Primarily, the goal of any compliance framework is to focus on the type of data the organization handles and the requirements that need to be in place to ensure its protection. Security, on the other hand, consists of all the tools and processes you implement to protect sensitive information on a continual basis.

Compliance alone doesn’t guarantee a strong security infrastructure. Businesses have fallen victim to phishing attacks and data breaches despite being compliant with frameworks such as PCI DSS and GDPR. So what went wrong? We can’t blame it all on shoddy monitoring. The real problem lies in not having a clear picture of the rapid pace at which the security landscape continues to evolve.

Hackers and other malicious actors are constantly coming up with new ideas and planning attack vectors that escape detection. The best way to avoid being the next victim, and the focal point of a PR scandal, is to keep up with the latest security measures experts recommend and implement them within your organization as soon as possible.

Breaking down the chaos: what’s required of security and compliance

If you feel like all the measures you’ve taken so far were for naught, calm down. Let me break it down for you. When it comes to security, there are some core areas you need to focus on, such as:

  • Network
  • Systems and applications
  • Operations

Network

Ensuring adequate network security is important, as it not only protects the information residing within your networks but also helps fix existing vulnerabilities that hackers could use to gain entry. Adequate network segmentation, firewalls and email security are good places to start.

Network segmentation

Network segmentation helps define who has access to what within an organization. Each network segment consists of assets that have a defined role and a common set of functions to perform. By neatly segmenting your networks, you reduce the risk posed by external threats and make sure sensitive data remains confined to authorized users within your organization.

Firewall

A firewall is an important component of network security, as it monitors all the incoming and outgoing traffic of your network. Other benefits of enabling a firewall include preventing malware attacks, restricting hackers from gaining access to your networks and enhancing privacy.

Email security

Email continues to be one of the most preferred attack vectors. The reputations of many leading organizations have been toppled by the simple act of an employee clicking on a suspicious-looking link. Phishing emails are harder to spot nowadays, which is all the more reason for businesses to prioritize email security.

In addition to configuring email settings, your IT security team can make sure users only use strong, corporate-approved passwords to access their email and update them at regular intervals. Periodic training sessions can help employees identify suspicious emails, inspect URLs and use spam filters to filter such emails out. Email encryption and two-factor authentication are other security measures you can implement.

Configuring Wi-Fi settings

Configuring Wi-Fi settings in advance saves users the trouble of remembering complex passwords each time they connect to your corporate network. You can define the security type to make the connection more secure and configure proxy settings remotely. Enabling a proxy has many benefits as well: it hides the IP address to keep hackers from accessing your networks and restricts users from accessing malicious websites, limiting the chances of a malware attack.

Configuring VPN settings

A VPN, or Virtual Private Network, is an additional security measure you can implement, especially for employees working remotely. It creates a secure, private connection, thereby ensuring data security when employees access corporate resources remotely.

Security certificates

Security certificates are a great way to authenticate users before they are granted access to sensitive information. These certificates can also be used as identity certificates for Wi-Fi access and for authenticating VPN connections and app communications.

Threat monitoring and defense

Chances are high that your organization has employees working from home or some other remote location. This opens up many doorways for hackers to latch onto your networks. Implementing additional network security measures such as threat monitoring and defense gives your IT security team a good idea of the current state of your network security. It helps identify patterns that could lead to a data breach or an information security incident. Alerts can be set up to notify admins immediately when a real threat occurs. Thanks to the full visibility it provides, organizations are better equipped to handle external and internal threats.

Pen tests and vulnerability assessments

It is a good idea to carry out penetration tests and vulnerability assessments at periodic intervals, as they help identify the weak points in your networks and web applications. In this way, you not only strengthen your security infrastructure but also prevent hackers from infiltrating your networks.

How does this relate to compliance?

Network security helps organizations keep track of user activity across their networks and implement the access controls needed to ensure only authorized users have access to sensitive data. Network traffic can be monitored to minimize the risk of external parties accessing the networks. Sensitive data can be secured via email encryption, firewalls and network segmentation.

Systems and applications

It’s vital to protect all the systems in use, since a misconfigured system can easily be used to gain access to sensitive data. You can implement measures to make sure employees don’t tamper with any of the security settings previously configured by the admin.

Some of the ways in which you can ensure information security on your systems and applications include implementing strong passwords, enabling encryption to protect sensitive data and restricting access to critical applications to authorized users only.

Although the introduction of personal devices at work gives employees the convenience of working with a device they are comfortable with, it increases the chances of a multitude of risks such as device hacking, malware, shadow IT and improper device management. It’s equally important to carry out maintenance checks at periodic intervals to ensure the systems always continue to function at full capacity.

Device security

Device hacking is widespread. You can enable a number of restrictions to prevent users from making unauthorized changes to the device. In addition, you can secure devices by locking them down with strong passwords and reminding users to update them at periodic intervals. One way to secure personal devices that have access to personal data is to create work containers. These create a separate encrypted space within the device where all work-related data and applications are stored.

Passwords can be set on work containers as well to ensure only the right users have access to them. Remotely push OS updates to devices to make sure they always run the latest OS version. This prevents hackers from exploiting vulnerabilities known to exist in previous versions.

Keep an asset inventory

Maintaining an asset inventory is a great way to keep track of all the devices, networks and other assets you have in place. You can keep track of user activity and check whether it complies with your organization’s policies.

Access control

Keeping an access control list of all the applications and tools in use gives you a clear idea of the level of access users have to those applications. You can classify information based on its level of confidentiality and monitor user access to it on a regular basis.

Give employees clarity on the requirements of your organization by documenting an access control policy that defines how access is provided during onboarding and how it is revoked when an employee leaves the organization. Other areas you can address within the policy include the management of privileged access rights and how often access rights are reviewed.

Secure unattended devices

Employees often leave their workstations with their devices unattended. Implement a strict clear-screen policy to limit the chances of external or unauthorized users accessing sensitive information. In addition to asking employees to lock their devices each time they step away, you can initiate a remote lock on the device after a defined period of inactivity.

Application security

You can blacklist applications that pose a risk to your security infrastructure and predefine app configurations and permissions to ensure applications continue to function according to the requirements set by your organization.

Create and deploy app catalogs to user devices to give users easy access to the applications they need. It’s always good to upgrade your applications, since not all applications are bug-free. Each update makes the application more secure and resolves the vulnerabilities identified in previous versions.

How does this relate to compliance?

The best way to ensure data security is to maintain proper access control measures that limit the chances of data leakage. It’s important to make sure the systems used for processing and storing data run at full capacity, as this helps manage resources effectively and saves organizations from needlessly spending money on constantly upgrading their hardware. Having ample security measures in place prevents users from installing unauthorized software or applications that could give rise to various threats.

Operations

NIST defines information security as the protection of information and information systems from unauthorized access, disclosure, modification and destruction in order to preserve their confidentiality, integrity and availability.

Your business operations play a major role in ensuring information security. Some of the areas you could focus on include implementing enough security measures to safeguard the physical environment of your organization, having a well-defined process through which employees can easily report a data breach or information security incident to the right team, ensuring business continuity during a data breach incident and keeping track of every actual and suspected event in an event log.

Ensuring physical security

Physical security includes the protection of your premises, people and assets from threats that could result in damage and financial loss. Physical security measures should help you detect intrusions in a timely manner and allow relevant staff to respond to these threats as quickly as possible. Controls such as access cards, CCTV and other surveillance systems can be put in place to prevent external threats.

Information security incident management

No matter how good your security infrastructure may be, it’s always better to anticipate an information security incident. First, you need a well-documented policy that defines what constitutes an information security incident and the processes employees need to follow to report such an event to the responsible people within your organization. Next, you need to keep adequate logs to track incidents and record the details related to them. This helps your team identify patterns and take measures to prevent recurrence.

Ensuring business continuity

Business continuity management helps organizations ensure the continuity of their business operations when disruptive events occur. You can begin by listing the threats that could affect your business and analyzing how each would affect your daily operations if it occurred.

Events that could lead to business disruption include natural and man-made disasters, technological failures, human error and cybersecurity incidents. In addition to taking backups of critical data, it’s best to carry out a recovery test to understand how quickly services could be brought back into operation after a disaster or incident. It’s equally important to have a secondary location for critical assets and systems in case the primary location becomes unserviceable.

How does this relate to compliance?

Keeping backups of critical data is an important requirement in many regulatory compliance frameworks. Periodically testing your business continuity and disaster recovery plans and carrying out data impact assessments gives your customers the assurance that their data is in safe hands. Continually anticipating an incident helps organizations research better measures to improve their security.

How UEM bridges the gap between IT security and compliance

A Unified Endpoint Management solution such as Hexnode UEM helps organizations comply with all the requirements of compliance standards such as HIPAA, GDPR, PCI DSS and SOC 2 by giving IT admins an easy way to implement a number of security restrictions and measures. These include:

  • Enabling a number of restrictions on device functionality, network, app and location settings.
  • Preventing the removal of the MDM profile so that devices stay managed by the IT admin.
  • Disabling screen capture and the clipboard to prevent users from copying sensitive data.
  • Blocking multiple file-sharing options to prevent the sharing of sensitive files.
  • Improving BYOD security by creating work containers and restricting users from copying content between the work and personal profiles.
  • Configuring Wi-Fi and VPN settings.
  • Enabling the firewall remotely.
  • Deploying a number of remote actions to secure access to sensitive corporate data when users access it remotely.
  • Deploying security certificates to authenticate users and devices accessing corporate data.
  • Enabling web filtering to restrict user access to insecure sites.
  • Remotely deploying OS updates and upgrading applications to keep devices and applications secure.
  • Restricting the installation of applications from unknown sources.
  • Enabling full disk encryption programs such as FileVault and BitLocker.
  • Securing lost devices by enabling remote lock, initiating lost mode and performing a full device wipe.
  • Generating reports on a real-time or periodic basis to check the compliance of devices with your organization’s policies.
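The asset inventory and the device compliance reports described above boil down to checking each managed device against a written policy. The following is an added example, not Hexnode’s own code: it evaluates a constructed device inventory against a constructed policy covering the controls the article lists (disk encryption, OS version, auto-lock timeout, blacklisted apps, unknown-source installs); every threshold, device and app name is an assumption made for the example.

```python
# Device compliance report: an added example, not Hexnode's own code.
# A constructed device inventory is checked against a constructed policy that
# mirrors the controls listed above (disk encryption, OS version, auto-lock,
# blacklisted apps, unknown-source installs). All thresholds are assumed.
from dataclasses import dataclass, field

POLICY = {
    "min_os": {"macOS": (13, 0), "Windows": (10, 0), "Android": (12, 0)},
    "max_lock_timeout_s": 300,                 # lock after at most 5 minutes idle
    "blacklisted_apps": {"TorrentClient", "RemoteScreenShare"},
}

@dataclass
class Device:
    name: str
    os: str
    os_version: tuple          # e.g. (13, 4); compared as a tuple, not a string
    disk_encrypted: bool       # FileVault / BitLocker / Android encryption on
    lock_timeout_s: int        # seconds of inactivity before auto-lock
    apps: set = field(default_factory=set)
    unknown_sources: bool = False   # Android "install from unknown sources"

def check_device(dev: Device, policy=POLICY) -> list:
    """Return the policy violations for one device; an empty list is compliant."""
    findings = []
    if not dev.disk_encrypted:
        findings.append("disk not encrypted")
    if dev.os_version < policy["min_os"].get(dev.os, (0, 0)):
        findings.append("OS version below minimum")
    if dev.lock_timeout_s > policy["max_lock_timeout_s"]:
        findings.append("auto-lock timeout exceeds policy")
    banned = sorted(dev.apps & policy["blacklisted_apps"])
    if banned:
        findings.append("blacklisted apps installed: " + ", ".join(banned))
    if dev.unknown_sources:
        findings.append("installs from unknown sources allowed")
    return findings

def compliance_report(devices, policy=POLICY) -> dict:
    """Map each device name to its findings so admins see what to remediate."""
    return {d.name: check_device(d, policy) for d in devices}

# Constructed sample inventory: one compliant device and two with violations.
FLEET = [
    Device("mac-01", "macOS", (13, 4), True, 120, {"Slack"}),
    Device("win-07", "Windows", (10, 0), False, 900, {"TorrentClient", "Excel"}),
    Device("droid-3", "Android", (11, 0), True, 60, unknown_sources=True),
]
```

Running `compliance_report(FLEET)` yields an empty list for mac-01 and a list of findings for the other two; a report like this is a point-in-time compliance snapshot, which is exactly why the article stresses that security work must continue between reports.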

Bottom line

The takeaway? Compliance frameworks are good; after all, they guide organizations on the requirements they need to meet to ensure data protection and privacy. However, these frameworks often take time to be updated, and you may have to wait quite a while for the latest security practices to be incorporated into them. Security and compliance are two sides of the same coin. You cannot have one without the other. The key is to understand what links the two and to plan your measures and processes accordingly.

Heather Gray

Technical Blogger @ Hexnode. Reading and writing helps me to stay sane.