Information Security Compliance


Compliance is a shared responsibility.

Internal Influence

The first step in achieving compliance is ensuring that your organization has a robust security program. The following areas should be addressed, at a minimum:

  • Security policy and procedures
  • Resource management (e.g., hardware and software)
  • Asset management (e.g., physical assets vs. virtual assets)
  • Incident response plan

External Influence

External Influence

External influence is the most direct and obvious way to ensure your security program is aligned with best practices. This type of compliance often comes in the form of laws, regulations, and standards requiring you to act in a certain way. It can also come from industry best practices or government policies and guidelines. In some cases, external influence may be more indirect—for example, if your industry has established specific standards for data protection practices (e.g., Payment Card Industry Data Security Standard [PCI DSS] or Health Insurance Portability and Accountability Act [HIPAA]). These standards may provide an indirect source of compliance requirements for your organization.

Policies and procedures

Policies and procedures are the rules that govern how an organization does business. They help to ensure consistency and reduce risk while also giving employees a clear idea of what is expected from them.

Procedures usually have accompanying policies, which are written in a way that is easy to understand so that anyone doing business with your company will know what to expect.

Procedures may be updated regularly or as needed by those who keep track of such things. For example, HR might develop new hiring protocols after reviewing the current procedures manual and making changes based on recent laws or best practices. 

Metrics and Reports

Metrics and reports are essential to the success of any compliance program. Metrics and reports are used to measure the effectiveness of policies and procedures and compliance with regulations such as HIPAA or GLBA. They can also be used to measure non-compliance in order to determine areas where improvements need to be made. For example, if a company has a policy that requires employees to use multifactor authentication (MFA) when logging into workstations remotely, but only half of those employees are doing so, then that would indicate a problem that needs addressing before it becomes more widespread.

Non-compliance risks

Non-compliance with security laws and regulations can result in penalties and fines, loss of reputation and business, loss of customers, loss of assets, loss of opportunities for growth or expansion, revenue losses due to downtime, or other financial impacts from data breaches. It can also lead to imprisonment if you deliberately cause harm through non-compliance.

Non-compliance can mean that you cannot enforce your rights under a contract; it could mean that your employees cannot access their email accounts; it could also lead to some people not being able to get healthcare because health records have been compromised by a cyber attack on an organization’s network.

Compliance is a shared responsibility.

Compliance is a shared responsibility. Each employee is obligated to ensure that they comply with their organization’s policies and procedures. The organization is also responsible for ensuring that employees comply with the policies and procedures. Employees must take personal responsibility for ensuring that they are following all relevant laws and regulations, but the organization must make sure that they have the right tools, resources, and training available so that employees can comply with these requirements.

Compliance is not something that happens once or twice per year; it must be an ongoing process that includes regular reviews by management/supervisors who provide feedback on compliance status.


Compliance is both a shared responsibility and a shared value. It’s important to work with your team and other departments to establish policies and procedures to ensure compliance. You can also use metrics to track progress toward goals effectively, but these should be set up in consultation with management, so they’re aligned with business objectives. With these tips in mind, you should be well on your way to becoming compliant!

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

Comments (



%d bloggers like this: