02. Forces Driving Compliance
One of the biggest misconceptions about compliance is that it is purely a matter of law. There are probably a couple of reasons for this. First, if you’ll recall, we talked about how compliance is intended to prove that the organization is acting in a trustworthy or expected manner, and the law is the most visible source of those expectations. Second, a large number of laws and regulations do create compliance obligations for companies working in certain industries. But not every compliance obligation stems from a legal one; industry standards and commitments made to customers and partners create obligations as well. We will discuss that as we progress through this lesson.
In the Security GRC profession, however, every security obligation maps to operational security controls: a security compliance obligation is met by implementing and operating specific security controls. In this way, the practice of Security GRC is mostly binary. Either the control is in place and operating, and you comply with the obligation, or it is not, and you don’t, although there are a few caveats.
Before we talk more about Security Compliance, it is important to have a basic understanding of how the practice has evolved into what we think of as Security Compliance today. If you’ll recall, earlier in this course I talked about how fraud and business failure combined to create the oversight and regulation that gave rise to modern-day traditional GRC practices. At the same time, two other forces were combining to give rise to Security GRC. First, companies were at the very beginning of a technological watershed, starting their journeys to the cloud and intertwining technology with most business processes (digital transformation). Second, that reliance on technology required stronger security controls to keep operations running, avoid breaches, and prevent fraud. Keeping in mind that security exists to protect the confidentiality, integrity and availability of systems and data, the more of a foothold technology gained in business, the more security was needed to protect it.
Knowing that fraud and business failure led to regulation in the early 2000s, and that technology was becoming inseparable from business processes, let’s look back at the Sarbanes-Oxley Act. Sarbanes-Oxley was passed in 2002 in direct response to the Enron scandal and other business failures like it, and if you examine Section 302 of the act you can clearly see the intent to hold individuals accountable for rampant fraud: Section 302 requires the senior officers of publicly traded companies (in practice the CEO and CFO) to personally certify the accuracy of the organization’s financial statements. Section 404 then requires the establishment of internal controls over financial reporting, together with an assessment of how adequately those controls are designed and operating. In principle these are any controls that help the organization produce accurate financial statements, but in practice many of them are technological, because the systems that record, process and report financial data sit underneath every financial figure. As we said before, for that technology to be relied upon it has to be secured through security controls, so a 404 assessment necessarily examines the access, change management and operations controls around those systems, commonly called IT general controls. In other words, Section 404 today operates to require assessments of the technology and security mechanisms that support the financial statements.
This doesn’t affect only the financial reporting of publicly traded companies. Other industries have since adopted regulations, laws, or standards of their own that require strong security controls in order to protect individuals. Today you can see a further expansion of the same idea in consumer privacy regulations: while those laws are designed to protect privacy, part of that equation is securing the personal data itself.