Early in August I commented on the implications of a US district court’s judgement that Microsoft had to turn over e-mail from alleged UK nationals whose e-mail was stored in a data center in Ireland.
I read and hear the term “compliance” used liberally in infosec, often without a clear context.
The graphic above is intended to illustrate some business drivers such as statutory laws, regulatory agencies (e.g. GAO’s HIPAA), industry-imposed requirements (e.g. PCI DSS), and customers’ and shareholders’ expectations (some of which are legally and contractually required).
Compliance is about auditable business processes that are related to meeting legal, regulatory & contractual requirements.
Infosec is a confluence of strategic & tactical processes & controls with a goal of ensuring confidentiality, integrity & availability of data & systems.