By Drew Fox Jordan • November 30, 2021

    Identifying The Difference Between Security & Compliance

    Identifying The Difference Between Security & Compliance

    Nonprofits around the country must satisfy various compliance standards, from GDPR to CCPA. But, how do you ensure compliance? By securing the information your organization handles. Of course, this is easier said than done and requires cross-team collaboration. 

    Security and Compliance: The Difference

    Security is the infrastructure, tools, and policies you put in place to protect your company’s information and equipment. 

    Compliance is the act of meeting a required set of security and regulatory standards.

    As you might have guessed, security and compliance are very closely linked, and each should drive the other. When it comes to information security, organizations have to safeguard every vector that stores and transfers data.

    Join 30,000+ fundraising professionals that receive our weekly Sunday newsletter with industry trends, tips, and analysis delivered right to your inbox

    Network Security

    While every organization is different, most IT leaders are concerned with protecting network security. Why? Because employees access company data via various networks, including: 

    • Your company’s network — which can be as secure as you are prepared to make it.
    • Your employees’ home networks — which you can’t assume will be protected.
    • Public networks — such as on public transport and in coffee shops, which are notoriously not secure.

    Importantly, data can be intercepted or exfiltrated across all of the above networks. But, there are several steps you can take to mitigate network security threats:

    • Email security software — Email security software is a critical requirement in most compliance regimes and should protect against both inbound threats like spear-phishing and outbound threats like misdirected emails. 
    • A firewall — Firewalls can be either hardware or software-based. Specific regulations such as PCI DSS require both hardware and software firewalls to be in place.
    • Access controls — Access controls allow you to restrict network access only to authorized actors. Laws such as GDPR treat access control as a basic tenet of reasonable security.

    Device Security

    Your organization is responsible for devices that store and handle vast amounts of data, including the personal information of your donors and the confidential information of your company.

    This applies to any devices that process company data — whether they belong to your company or your employees — including:

    • Desktop computers
    • Laptops
    • Mobile phones
    • Tablets
    • USB storage devices

    You can protect these devices in multiple ways, including:

    • Antivirus software
    • Multi-factor authentication (MFA)
    • Device encryption
    • Endpoint security
    • Anti-theft tools

    Employee Security

    Human error causes 88% of data breaches. That’s why employee training is an essential component of any security strategy and a requirement under compliance standards. A security training program should teach employees:

    • How to identify and respond to threats such as phishing, smishing, and vishing
    • Why security policies exist and how to follow them 
    • How to safely handle and dispose of data

    Compliance: Types of Standards

    There are several laws, regulations, and certifications with minimum security standards that businesses must comply with. So, what happens if your security measures don’t comply with relevant standards? Your organization will either breach the law or be unable to obtain or maintain a particular certification.

    Generally-Applicable Laws 

    Some laws apply to every business operating in a given jurisdiction, regardless of industry. Compliance with these laws generally requires implementing “reasonable” security measures specific to their industry and proportionate to their size. Let’s look at two examples:

    General Data Protection Regulation (GDPR)

    The EU General Data Protection Regulation applies to every person and organization operating in the EU or targeting EU residents. It sets down minimum requirements for information security and privacy.

    In particular, covered organizations must:

    • Analyze and mitigate security risks
    • Encrypt, pseudonymize, or anonymize personal information as appropriate
    • Control access to premises, equipment, and digitized personal information

    The GDPR offers some flexibility in accounting for the current state of technology and the costs involved in securing personal information. However, all organizations must implement “appropriate technical and organizational measures.”

    California Consumer Privacy Act (CCPA) 

    The California Consumer Privacy Act applies to certain businesses that collect California residents’ personal information. It requires that organizations take “reasonable security measures” to secure personal information in their control.

    For CCPA-covered businesses, implementing a minimum reasonable security level means complying with the 20 Critical Security Controls from the Center for Internet Security (CIS). The controls include:

    • Email and web browser protection
    • Account monitoring and controls
    • Penetration testing

    A business’s security measures may be “appropriate to the nature of the information” that the organization controls — so highly sensitive personal information will require more robust security measures to protect it.

    Sector-Specific Regulations

    Different organizations are subject to industry-specific regulations, and some rules govern how they protect and store that data.

    Health Insurance Portability and Accountability Act (HIPAA)

    The US Health Insurance Portability and Accountability Act applies to healthcare providers and businesses that handle protected health information (PHI). 

    The HIPAA “security rule” requires covered entities to implement administrative, technical, and physical safeguards over the PHI they control, including:

    • Ensuring PHI remains confidential 
    • Identifying and protecting against “reasonably anticipated threats”
    • Ensuring all employees comply with HIPAA

    Organizations may vary in the extent to which they implement such security measures, accounting for:

    • The size, complexity, and capabilities of the organization
    • Its technical, hardware, and software infrastructure
    • The costs of implementing security measures
    • The likelihood and potential impact of risks to PHI

    Payment Card Industry Data Security Standard (PCI DSS)

    The Payment Card Industry Data Security Standard regulates how organizations handle credit and debit card data. Among other measures, PCI DSS requires organizations to:

    • Maintain secure networks
    • Encrypt cardholder data
    • Regularly review security measures

    The number of annual transactions a card handler processes dictates the level of security measures they must implement.

    • Level 1 — Over 6 million transactions per year
    • Level 2 — 1-6 million transactions per year
    • Level 3 — 20,000-1 million transactions per year
    • Level 4 — Under 20,000 transactions per year

    What’s More Important: Security or Compliance?

    It’s not possible to say whether security is more important than compliance, or vice-versa. Security and compliance go hand-in-hand.

    If you neglect compliance, you may find your company breaches data security law — even if you take reasonable steps to secure sensitive information. Moreover, without understanding your compliance obligations, you can never be sure you’ve got everything covered.

    Likewise, suppose you neglect security, and take a mechanical, “bare minimum” approach to compliance. In that case, you’re putting your company at risk of data breaches, reputational damage, and private legal claims from your customers and employees.

    Our advice? Take an overarching approach to security and compliance by understanding the risks to your company’s information and your legal and regulatory obligations.

    Posts by Topic

    see all