Chapter 8. Industry Compliance Standards and Frameworks

Businesses may be required to conform to one or more regulatory compliance regimes, which are administered by a variety of governing bodies. Failure to comply with these standards can come with heavy fines or in some cases hindering ability to conduct business (such as preventing the capability of processing credit card transactions). Frameworks differ from regulatory compliance standards by the fact that they are not required for a specific industry or type of data; they are more of a guideline.

The requirement to comply with one standard or the next does provide a few benefits to your organization. Certain standards leave significant room for interpretation, giving you the ability to tie security measures that should be implemented to a portion of that same standard. When compliance is involved there are now social, political, and legal components that can be leveraged to implement security controls and process changes that may not have been possible otherwise. It also may present the opportunity to piggyback off another department that has excess budget for a project.

Industry Compliance Standards

Compliance standards are a minimum, not a complete security program. It is easy and lazy to be just a “check box checker” when going through implementing controls in a compliance list, and it’s possible to technically be compliant with a standard and still not have a secured environment. Many standards leave room for the imagination ...

Get Defensive Security Handbook now with O’Reilly online learning.

O’Reilly members experience live online training, plus books, videos, and digital content from 200+ publishers.