Regulatory Compliance: Checking the Box and Securing Information Systems

Posted on: 2016-09-05
Degree: D.C.S
Type: Dissertation
University: Colorado Technical University
Candidate: Stailey, Shane D
Full Text: PDF
GTID: 1479390017477747
Subject: Computer Science
Abstract/Summary:
Often there is a bit of puzzlement when companies with a massive regulatory compliance component nevertheless end up in the press with major security breaches. This puzzlement stems from the oft-confused idea that a strictly compliant information system is also a secure one. The misunderstanding is often the result of the millions of dollars it takes companies to put proper controls in place to pass a regulatory assessment or system evaluation.

This dissertation is meant to pose critical questions about the quandary many companies are left in: having spent the money it takes to become compliant, they remain insecure. Specifically, this dissertation is not meant to replace compliance adherence with security measures. Rather, the idea is to explore the possibility of ranking and weighting regulatory requirements by their security relevance, so that as a company pursues and achieves compliance, security awareness flows from that same effort.

Myriad regulations exist that could be chosen for this exercise; for completeness, they are listed and defined in the literature review. For the purposes of this dissertation, however, we produce a simple model using comparable regulatory requirements drawn from the Health Insurance Portability and Accountability Act (HIPAA) and the Payment Card Industry Data Security Standard (PCI-DSS). The comparative security relevance of these compliance requirements will be listed and then supported or disputed by experienced security professionals. As multiple compliance frameworks are considered, only the most security-relevant of the comparable requirements will be used to build a common framework that, when applied, should render the information system both compliant and more secure. Shane Stailey -- June 2015.
Keywords/Search Tags: Compliance, Regulatory, Information, System, Security