Is compliance the same as security? No. You cannot achieve “security.” You can achieve “compliance.” Compliance dangles: the term “compliance” begs for a phrase to follow it. Find the framework and criteria you need, such as ISO 27001. Achieve compliance with that, and you should feel secure. Settle for lower standards, settle for the bare minimum, such as PCI DSS or HIPAA, and you should feel insecure.

Being compliant with a standard should not be sufficient, either. You should also appear to be compliant. Consider the disposal of training materials. Information that appears on training materials should be fictitious. Strictly, you should not need to shred training materials containing fictitious information, since no proprietary information is involved. You should nevertheless choose to shred them rather than have to explain, when training materials are found in a dumpster, why these official-looking forms are not a concern. You should shred training materials rather than allow them to be repurposed in a fraudulent or “social engineering” manner.

Comply with the audit requirements for PCI DSS or HIPAA, because these are contractual or legislated requirements intended to establish a minimal set of expectations.

The purpose of MITRE’s Benchmark Development effort is to foster best practices and encourage the security guidance community to create guidance that is standards-based, structured, and automatable. This web site is intended to serve as a community gathering place for that effort by providing a variety of resources for the benchmark development community including access to Standards and Tools for benchmark development, an email list Discussion Forum for community participation, a Free Online Course designed to teach attendees how to create good benchmarks more efficiently, and Other Helpful Resources.
