Compliance doesn’t equal security, but security equals compliance.
Finally, compliance that works for your business.
Compliance may be the biggest driver in information security. High profile breaches in the retail and healthcare industries have made PCI and HIPAA household terms. Compliance, however, has a negative connotation for many individuals and organizations.
Frustration and disillusionment within the information technology profession has led to phrases like, “compliance doesn’t equal security.” We agree. We believe, however, that in its proper place, compliance can be incredibly healthy and helpful. This requires a strategic shift that changes the goal of compliance from being focused on external regulations to being driven by internal requirements. This shift can save your organization from falling to the folly of regulatory tunnel vision.
Once you have a security program that is strategically focused on what matters to your organization, compliance becomes valuable. Internal compliance ensures that your security controls are addressing your unique risks as well as regulatory requirements. That is why, at TRUE, we say that compliance doesn’t equal security, but security equals compliance.
TRUE has extensive experience with many different standards and regulations. Some of the most prominent ones are listed below.
PCI DSS The Payment Card Industry (PCI) Data Security Standard (DSS) is one of many PCI standards created to protect cardholder data. As a Qualified Security Assessor (QSA) and an Approved Scanning Vendor (ASV), True is uniquely qualified to help your organization navigate PCI requirements.
HIPAA The Health Insurance Portability and Accountability Act (HIPAA) is revolutionizing security in the Healthcare industry and we are on the front lines with our clients and partners in this space.
NERC CIP The North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) standards are designed to protect North America's bulk electric grid, thereby affecting the Energy & Utilities industry.
FFIEC Federal Financial Institutions Examination Council (FFIEC) Information Technology Examination Handbook (IT Handbook) audits are becoming increasingly challenging for financial organizations as IT Examiners become increasingly capable of evaluating the intricate details of the complex security controls required to protect against today's advanced threats.
SOC 1,2,3 and SSAE 18 The AICPA’s SAS No. 70, Service Organizations, has evolved into a family of Service Organization Control (SOC) Reports, which relate to information security and provide assurances about privacy and confidentiality controls as well as the security, availability, and processing integrity of their systems. As companies are increasingly adopting vendor management programs to assess the IT security of their vendors, the demand for SOC Reporting is on the rise. Our experts are available to provide service organizations with audit preparation consulting, coaching, IT GRC services, and security program development guidance to ensure necessary controls are in place for future successful SOC engagements.