Defining the difference between IT compliance and IT security

March 6, 2018

You say, “IT security.” I say, “IT compliance.” When you’re investigating your network, data storage and devices, the difference between these two can seem as inconsequential as tomato and tomahto. But IT security and IT compliance aren’t just two ways of saying the same thing. In fact, they’re more like tomatoes and pasta sauce. Sure, you sometimes use tomatoes in your sauce, but other times you’re craving pesto, alfredo or a nice olive oil and garlic mixture with no tomatoes to be found!

Similarly, although you might employ some IT security techniques to keep yourself compliant with regulations, compliance and security are not one and the same. The broad term “security” refers to the best practices and IT solutions used to protect assets, information and data. “Compliance,” on the other hand, pertains to the rules and regulations created by the government, a regulatory agency or an industry organization to protect a subset of internet users.

That said, regulatory protections associated with compliance can seem an awful lot like security. After all, the goal of some regulations is to protect the end user’s security or privacy. Let’s look at some common compliance measures and a handful of frequently used security techniques to see where security stops and compliance begins.

Examples of compliance measures

As discussed above, compliance refers to requirements created by governing bodies and organizations to protect users, consumers, clients and patients. Here are some that you may have encountered before:

  • Health Insurance Portability and Accountability Act: Healthcare providers, insurers and basically all entities that deal with sensitive health information are required to comply with practices designed to protect client privacy and security. Most of these guidelines are outlined in the Health Insurance Portability and Accountability Act, which busy healthcare professionals have shortened to HIPAA. Some HIPAA requirements, such as access controls for workstations, are the same kinds of recommendations you’d see from IT consultants for general IT security, while others, like audits and device integrity controls, are more specific to the healthcare industry.
  • Americans with Disabilities Act: Never heard of ADA compliance before? You’re not alone. Many companies overlook these guidelines, which outline website extras—image descriptions, detailed page titles, compatibility with text-to-speech tools, etc.—that make sites accessible for users with disabilities. Although the ADA covers special accessibility regulations to keep websites discrimination-free, most of these rules deal with site content and aren’t really related to internet security.
  • Federal Trade Commission privacy and security guidelines: The FTC has its own set of guidelines, many of which protect consumer privacy over the internet, as well as rules for businesses that accept electronic funds transfers, offer credit to customers or access credit information. In particular, the FTC outlined specific regulations for financial institutions in the Gramm-Leach-Bliley (GLB) Act. Some of its data security recommendations are a lot like those an IT solutions provider would give you: encrypt sensitive data, safeguard your servers and generate strong passwords. The difference lies in the execution.
  • Federal Communications Commission online media and communication guidelines: Thank the FCC next time you enable closed captioning on Netflix. The FCC oversees the captioning of online videos, as well as protocols for broadband and internet connections, VoIP systems and internet safety for children, among other things.

Examples of general security measures

Security measures are the techniques used to protect your data, users, networks and assets—usually from hackers or other malicious parties. Some regulations require security protections and some don’t. Below are a few of the more well-known security practices recommended by IT consultants:

  • Encrypting data: Many tools send and save data as plain text, which makes it easy for hackers to spy on sensitive information and steal it for their own malicious purposes. Encryption scrambles data stored on servers or transferred online so that it can only be read with a special key, making it an effective tool to prevent data breaches, ransomware attacks and other cybercrimes. Regulations designed to protect personal information may require data encryption as a matter of course, but this isn’t always the case.
  • Establishing firewalls: Just as you’d likely avoid drinking water that’s not filtered, you probably wouldn’t want to browse the internet without some sort of firewall. A firewall filters the traffic coming and going on your network by examining packets of information to ensure that nothing seems off. This protects you from malicious Trojan viruses and other malware designed to steal information and data from your devices.
  • Performing regular backups: Backups may not be required by regulation, but they’re a good idea for most organizations—particularly those in the healthcare sector. Backups can be used to restore data and provide useful firepower against ransomware, as hackers performing ransomware-based attacks often count on you not having duplicates. These kinds of hacks are on the rise for small businesses and healthcare providers, so backups are highly recommended regardless of whether you’re actually required to make them.

As you can see, there’s some overlap between compliance and security guidelines, but that doesn’t mean they are the same. Moreover, don’t consider this an exhaustive list of security recommendations or internet regulations! For a better sense of what you need to be both safe and compliant, you’ll need to refer to the governing department or legislation that applies to your company and business sector.

If you’d rather not wade through a bunch of legalese, why not ask your IT solutions provider to help ensure your networks, servers, devices and websites stay compliant? An IT consultant can offer industry-specific suggestions to keep your systems above board from a compliance perspective—and can provide you with tools and tips to stay secure, too. Whether you’re grappling with IT security or IT compliance, there’s really just one thing you need to know: the name of your local IT consultant!

We're Integris. We're always working to empower people through technology.
