Why Isn’t “C” for Compliance?

If you missed it:

And “C” is NOT for compliance. Why not?

The simple answer is:

Compliance is NOT information security despite what people may think.

Judging from how many organizations treat compliance and information security as if they were the same thing, people must be confused. They are not the same. Compliance has never been the same as information security, and it never will be.

Ultimately, compliance is doing what you’ve been told to do.

Explanation

Here’s how compliance works.

A governing body (country, state, industry, etc.) decides it needs to do something about information security, or privacy (a different, but inseparable thing). They write a law, regulation, or standard by which all entities (organizations) must abide. Examples include:

  • 104th United States Congress\Department of Health, HIPAA, all entities interacting with PHI.
  • 106th United States Congress\Federal Financial Institutions Examination Council (FFIEC), GLBA, financial institutions.
  • California State Legislature, Assembly Bill No. 375 (California Consumer Privacy Act or “CCPA”), for-profit businesses who conduct business in California that 1) have gross revenue in excess of $25MM, 2) buy, receive, or sell personal information of 50,000 or more consumers, or 3) earn more than half of their annual revenue from selling consumer personal information.
  • Payment Card Industry Security Standards Council (self-regulation), Payment Card Industry Data Security Standard (PCI-DSS), organizations that handle branded credit cards from the major card brands (VISA, MasterCard, et al.).

If you’re in the sights of the regulation\law\standard, you have little choice but to comply with the regulation\law\standard or face sanctions. Where organizations DO have a choice is in how they comply. Organizations can choose:

  1. To abide by the intent of the regulation\law\standard, or
  2. To abide by the letter of the regulation\law\standard.

The choice comes down to the organization’s level of understanding, its skill (or lack of it), and/or how short-sighted management may be.

Option #1 – Intent of the Law

The intent of information security and privacy related regulations/laws/standards is usually a noble one. Take HIPAA for instance, the intent is to protect protected health information (PHI).

That seems noble.

The challenge is writing a regulation\law\standard that’s prescriptive enough to be effective in enforcing the intent while at the same time being flexible enough to apply to a large population and all its inherent variables. There are 146 mentions of the word “risk” in the Final Rule. This is great because “risk management” fits our definition of information security. Clearly, when reading the text, the intent of HIPAA is to build a fundamental information security program upon risk management fundamentals.

This is not only noble, but it’s very close to producing the same outcome as information security. Sadly, this is as close to information security as compliance gets.

Option #2 – Letter of the Law

If the intent of the law escapes you, you have the other option: the letter of the law. Abiding by the letter of the law is a shortcut, and it leads to checkboxes and poor information security.

HIPAA calls for a risk analysis in the Security Rule, so shortcutters get out their Excel spreadsheet and do the minimum work necessary to check the box. HHS recognized that people were half-assing it. Many healthcare organizations were not even doing their risk assessments, so in 2009/2010 HHS incented health care organizations through the Meaningful Use Requirements. That still didn’t have its desired effect, so they increased enforcement through the OCR (first settlement in 2009). That still didn’t do enough, so HHS started compliance audits in 2011. Still not enough, so the Omnibus Rule came about in 2013. Since then HIPAA audits have been delayed and we’re in a bit of a stalemate.

Question. Has healthcare information security been improved, or not? In some places, “yes” maybe. In other places, “no”. There’s nothing definitive to say one way or the other.

Conclusion

“C” is not for compliance because compliance isn’t information security. If you must use compliance as your driver, go after the intent of the law versus the letter of the law (PLEASE).
