How Do Security, Privacy, and Compliance Fit Together?

Security, privacy, and compliance issues form a complicated web. Information security is the practice of protecting information to ensure the goals of confidentiality, integrity, and availability. Information security makes sure that accurate information is available to authorized individuals when it is needed.

In contrast, privacy encompasses people’s right to have control of their personal data. Privacy means that a person has the right to specify how his or her data is collected, used, and shared. Information security practices can be used to make sure that a person’s privacy decisions are respected.

NOTE

Compliance requirements are often understood as the minimum level of action that a person or organization must take to meet legal or regulatory requirements. However, nothing prevents a person or organization from creating good information security or privacy practices that exceed legal minimum requirements. In fact, having good practices that exceed the minimum requirements set in applicable law or regulations is often seen as a competitive advantage.

Organizations do not always do a good job of either information security or protecting privacy. For that reason, laws are enacted that force organizations to take a more structured approach to information security and privacy. To date, there have been no laws enacted in the United States that comprehensively address information security or data privacy. Instead, laws are made to protect certain types of information on an industry basis, such as laws regulating health data for the healthcare industry. Organizations that hold or process those types of information must follow the relevant laws. This text discusses some of these laws in the following chapters.

When laws addressing information security or data privacy are enacted, organizations impacted by these laws must take actions to meet them. If an organization fails to meet its obligations, it can be subject to sanctions. Compliance is the action of following the applicable laws and rules and regulations. Compliance efforts are supported by documenting organizational controls and enhancing the capabilities of information systems to ensure information security.
