Belgian Cyber Security Guide

Page 13

10 KEY SECURITY PRINCIPLES

A. VISION

2. — Compliance is not enough —

Companies are subject to many laws and regulations, many of which require the implementation of appropriate security controls. Laws and regulations address privacy, control over the financial statement process, consumer protection and the security of specific data. They are often supplemented by industry-specific regulations or security standards and frameworks.

Compliance with these laws, regulations and standards has led to improved information security. However, too often the compliance effort remains the sole objective.

As compliance is always focused on specific topics, the comprehensive risk-based approach is often missing. For example, privacy efforts focus only on the protection of personal data, and control over financial statements will mainly look at the integrity of financial data. We must therefore understand two important aspects:

• First of all, being compliant does not necessarily imply being secure. Security objectives coming from laws, regulations and standards are always a subset of the overall company security objectives. With that in mind, implementing good business security practices will almost certainly facilitate or lead to compliance, whilst at the same time satisfying the business’ needs.

• Secondly, security efforts should be aligned and, where possible, integrated with compliance and other mitigating efforts. This is to avoid too many different overlapping initiatives and responsibilities.


