Words have meaning. Cybersecurity and IT professionals routinely abuse the terms “policy” and “standard” as if they are synonymous. The same holds true for compliance terms since these terms tend to get thrown in the same bucket even though there are significant differences that should be kept in mind.

Why Should You Care?

Beyond just using terminology properly, understanding which of the three types of compliance is crucial in managing both cybersecurity and privacy risk within an organization. The difference between non-compliance can be as stark as (1) going to jail, (2) getting fined, (3) getting sued, (4) losing your contract and (5) an unpleasant combination of the previous options.

Understanding the “hierarchy of pain” with compliance leads to well-informed risk decisions that influence technology purchases, staffing resources, and management involvement. That is why it serves both cybersecurity and IT professionals well to understand the compliance landscape for their benefit, since you can present issues of non-compliance in a compelling business context to get the resources you need to do your job.

In the context of this article, I’m going to cover the most common types of compliance requirements:

  1. Statutory;
  2. Regulatory; and
  3. Contractual.

Statutory Cybersecurity & Privacy Requirements

Statutory obligations are required by law and refer to current laws that were passed by a state or federal government. These laws are generally static and rarely change unless a new law is passed that updates it, such as the HITECH Act provided updates to the two decades old HIPAA.

From a cybersecurity and privacy perspective, statutory compliance requirements include:

  • US – Federal Laws
    • Children’s Online Privacy Protection Act (COPPA)
    • Fair and Accurate Credit Transactions Act (FACTA) – including “Red Flags” rule
    • Family Education Rights and Privacy Act (FERPA)
    • Federal Information Security Management Act (FISMA)
    • Federal Trade Commission (FTC) Act
    • Gramm-Leach-Bliley Act (Read more...)