Many businesses make the mistake of treating security and compliance as synonymous. While compliance does raise security through a rigid set of requirements and audits, it is primarily a reporting tool and a minimum set of standards defined by regulations and frameworks such as PCI, HIPAA, or the Sarbanes-Oxley Act. Proper security measures should aim to protect you from threats by controlling how information is shared between your technology and others. Compliance, on the other hand, is a regularly scheduled demonstration to the regulatory bodies that you are meeting the specific set of security standards they have defined. Compliance tests and regulations can be cumbersome enough to make you feel jaded towards security as a whole, but it is absolutely crucial to invest in both.
Unlike security standards, which are often numerous and more loosely defined on a case-by-case basis, compliance focuses on a fixed set of regulations that allow a business to carry out certain actions or practices. Compliance certificates are awarded for passing these regulated tests and can then give the company the legal ability to process credit cards, share medical information, or go public. These standards have helped tremendously over the years, but businesses often do not audit their systems beyond these checklists or, worse yet, do not follow the rules and regulations properly. To get a better feel for what you should focus on, first try to understand the following standards and practices, which are currently regulated or recommended by industry.
Whether your product is web, mobile, private or public, to protect yourself legally you should protect all personally identifiable information with encryption. Even email addresses and names should be encrypted when transmitted from a client to a server. As the most basic example, all websites should use HTTPS, and sensitive data such as passwords should be stored in the database only as a one-way (salted, hashed) value, never in a recoverable form. While these standards may not be regularly enforced, they are an industry standard; as such they are expected, and violations are actually punishable in many regions.
Health Application Compliance
The Health Insurance Portability and Accountability Act (HIPAA) defines many rules and regulations for how medical companies must carry out and enforce security, from administrative to technical and physical measures. HIPAA enforces quite an extensive list and can be very aggressive against violators, so compliance is incredibly important. Even though HIPAA is elaborate and strict, compliance alone does not protect businesses from vulnerabilities, nor does it ensure that a breach will not result in a violation or penalties.
All applications that accept credit cards, even where the card information is not stored, are subject to the Payment Card Industry Data Security Standard (PCI-DSS). Unlike HIPAA, which defines a single core set of standards, PCI compliance comes in several levels of certification depending on factors such as transaction volume. Many businesses are not even aware that they need to be PCI compliant until a breach occurs and they are surprised by a lawsuit or fine charged against them for violating the compliance standards.
Many local and federal government agencies in various countries have their own sets of compliance regulations. In the US, a minimum set of standards is required under National Institute of Standards and Technology (NIST) guidance. Some of these agencies are required to comply with the Federal Information Security Management Act (FISMA), while others, such as defense agencies, have additional standards such as the Defense Information Assurance Certification and Accreditation Process (DIACAP). All agencies are then held accountable and are regularly monitored, audited and assessed by the Federal Risk and Authorization Management Program (FedRAMP).