Public Security Requirements

Art. 75, paragraph 1, of Decree-Law No. 18 of 17 March 2020, converted with amendments by Law No. 27 of 24 April 2020, provides that

On the subject of “Purchases for the development of information systems for the spread of remote working and of online services for access by citizens and businesses” …. “contracting authorities … are authorised, until 31 December 2020, to purchase IT goods and services, preferably based on the cloud SaaS (software as a service) model and, only where public security requirements arise within the meaning of Article 4(1) of Regulation (EU) 2018/1807 of the European Parliament and of the Council of 14 November 2018, with data storage, processing and management systems necessarily located on national territory”.

The “Milleproroghe” decree (Art. 1, para. 11, Decree-Law No. 183 of 31 December 2020) postponed the expiry of the authorisation to purchase IT goods and services to 31 December 2021.
At present (2019), SecFull Meeting appears to be the only product offered as SaaS that satisfies the requirement set by the Law to store, process and manage the data in Italy. Thanks to the collaboration with AWS, the same requirement can be met in any other country where AWS operates a data center.

 

Zoom can access the content of meetings

The Federal Trade Commission announced on November 9, 2020 (link) a settlement with Zoom Video Communications, Inc. that requires the company to implement a robust information security program, resolving allegations that the video conferencing provider engaged in a series of deceptive and unfair practices that undermined the security of its users.

Zoom has accepted the obligation to establish and implement a comprehensive security program (link), a prohibition on misrepresentations about privacy and security, and other detailed and specific measures to protect its user base, which skyrocketed from 10 million in December 2019 to 300 million in April 2020 during the COVID-19 pandemic.

In its complaint (link), the FTC said that, since at least 2016, Zoom has misled users by claiming to offer “end-to-end 256-bit encryption” to protect user communications, when in fact it provided a lower level of security. End-to-end encryption is a method of securing communications so that only the sender and recipient (and no other party, not even the platform provider) can read the content: the keys exist only on the participants’ devices, never on the provider’s servers.

In fact, the FTC argues, Zoom kept cryptographic keys that could allow Zoom to access the content of its customers’ meetings, and secured its Zoom Meetings, in part, with a lower level of encryption than promised. Zoom’s misleading claims gave users a false sense of security, according to the FTC’s complaint, particularly for those who used the company’s platform to discuss sensitive topics such as health and financial information. In numerous blog posts, Zoom specifically advertised its level of encryption as the reason customers and prospects should use Zoom’s video conferencing services.
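The practical difference the FTC complaint turns on is where the meeting key lives, not how long it is. The following Python model is an added illustration (not code from Zoom, from the FTC, or from SecFull): a relay server forwards messages between two participants, and the only thing that changes between the two scenarios is who generated the key. The “cipher” is a toy keystream built from SHA-256 so the example runs with the standard library alone; it has no authentication and must not be used for real traffic. The out-of-band key delivery in the end-to-end case is an assumption standing in for a real key-agreement step between participants.

```python
"""Who can read a meeting depends on who holds the key (added illustration)."""
import hashlib
import secrets
from typing import Dict, List, Optional

NONCE_LEN = 16


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher: XOR data with SHA-256(key || nonce || counter) blocks.
    Unauthenticated demo construction, not a production cipher."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hashlib.sha256(key + nonce + (offset // 32).to_bytes(4, "big")).digest()
        chunk = data[offset:offset + 32]
        out.extend(a ^ b for a, b in zip(chunk, block))
    return bytes(out)


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = secrets.token_bytes(NONCE_LEN)
    return nonce + keystream_xor(key, nonce, plaintext)


def decrypt(key: bytes, message: bytes) -> bytes:
    nonce, body = message[:NONCE_LEN], message[NONCE_LEN:]
    return keystream_xor(key, nonce, body)


class Relay:
    """The provider's media server: forwards traffic and keeps any key it was given."""

    def __init__(self) -> None:
        self.known_keys: Dict[str, bytes] = {}
        self.log: List[bytes] = []          # everything that crossed the wire

    def forward(self, meeting_id: str, message: bytes) -> bytes:
        self.log.append(message)
        return message

    def try_read(self, meeting_id: str, message: bytes) -> Optional[bytes]:
        """What the provider can recover from a forwarded message."""
        key = self.known_keys.get(meeting_id)
        return decrypt(key, message) if key else None


def transport_encrypted_meeting(relay: Relay, meeting_id: str, spoken: bytes) -> Optional[bytes]:
    """Provider-generated key: traffic is encrypted on the wire, yet readable by the provider."""
    meeting_key = secrets.token_bytes(32)
    relay.known_keys[meeting_id] = meeting_key   # the server created it, so the server has it
    alice_key = bob_key = meeting_key            # handed to the clients by the server
    wire = relay.forward(meeting_id, encrypt(alice_key, spoken))
    assert decrypt(bob_key, wire) == spoken      # Bob hears Alice
    return relay.try_read(meeting_id, wire)      # ...and so does the provider


def end_to_end_meeting(relay: Relay, meeting_id: str, spoken: bytes) -> Optional[bytes]:
    """Participant-generated key: the relay only ever sees ciphertext."""
    meeting_key = secrets.token_bytes(32)        # generated on Alice's device
    alice_key = bob_key = meeting_key            # ASSUMPTION: shared by a key-agreement/out-of-band step
    wire = relay.forward(meeting_id, encrypt(alice_key, spoken))
    assert decrypt(bob_key, wire) == spoken      # Bob still hears Alice
    return relay.try_read(meeting_id, wire)      # None: the provider holds no key


if __name__ == "__main__":
    relay = Relay()
    print("transport-only, provider reads:", transport_encrypted_meeting(relay, "m1", b"patient record"))
    print("end-to-end, provider reads:    ", end_to_end_meeting(relay, "m2", b"patient record"))
```

The point of the model is the single line that stores the key on the relay: with it, a 256-bit key is still “256-bit encryption” on the wire, but the provider can decrypt every frame it forwards, which is exactly what “end-to-end” promises cannot happen.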

Location of data in Microsoft Teams

On its website, Microsoft publishes where your data resides when you use Teams, specifying that it is stored in the geographical region associated with the user’s Office 365 or Microsoft 365 organization.
When you use Teams for free, and therefore do not belong to any organization, you can configure where your data is stored, choosing from the available geographical regions.
Teams currently supports the following regions: Australia, Brazil, Canada, France, Germany, India, Japan, Norway, South Africa, South Korea, Switzerland (which includes Liechtenstein), United Arab Emirates, United Kingdom, Americas, APAC and EMEA. Microsoft does not disclose the exact addresses of its data centers, but it does list the cities. For country- or region-specific data centers, the following are the cities where customer data at rest is stored.
Country / Region: data center cities

Australia: Sydney, Melbourne
Brazil: Rio, Campinas
Canada: Québec, Toronto
European Union: Austria (Vienna), Finland (Helsinki), France (Paris, Marseille), Ireland (Dublin), Netherlands (Amsterdam)
France: Paris, Marseille
Germany: Frankfurt, Berlin
India: Chennai, Mumbai, Pune
Japan: Osaka, Tokyo, Saitama
South Korea: Busan, Seoul
Norway: Oslo, Stavanger
South Africa: Cape Town, Johannesburg
Switzerland: Geneva, Zurich
United Arab Emirates: Dubai, Abu Dhabi
United Kingdom: Durham, London, Cardiff
United States: Boydton, Cheyenne, Chicago, Des Moines, Quincy, San Antonio, Santa Clara, San Jose

 

ITALY: where the data for each service resides

Expanding the analysis to all Microsoft services for an Italian user, the following table shows where data at rest resides. The list reflects Microsoft’s published locations at the time of writing; verify it against Microsoft’s current data-location page before relying on it. Note that for an Italian tenant every EU entry lies outside Italian territory, which is what matters for the public-security localisation requirement cited above.

Service: Region

Exchange Online: Austria (Vienna), Finland (Helsinki), France (Paris, Marseille), Ireland (Dublin), Netherlands (Amsterdam)
OneDrive for Business: Austria (Vienna), Finland (Helsinki), France (Paris, Marseille), Ireland (Dublin), Netherlands (Amsterdam)
SharePoint Online: Austria (Vienna), Finland (Helsinki), France (Paris, Marseille), Ireland (Dublin), Netherlands (Amsterdam)
Skype for Business: Austria (Vienna), Finland (Helsinki), France (Paris, Marseille), Ireland (Dublin), Netherlands (Amsterdam)
Microsoft Teams: Austria (Vienna), Finland (Helsinki), France (Paris, Marseille), Ireland (Dublin), Netherlands (Amsterdam)
Office Online & Mobile: Austria (Vienna), Finland (Helsinki), France (Paris, Marseille), Ireland (Dublin), Netherlands (Amsterdam)
EOP: Austria (Vienna), Finland (Helsinki), France (Paris, Marseille), Ireland (Dublin), Netherlands (Amsterdam)
Intune: Austria (Vienna), Finland (Helsinki), France (Paris, Marseille), Ireland (Dublin), Netherlands (Amsterdam)
MyAnalytics: Austria (Vienna), Finland (Helsinki), France (Paris, Marseille), Ireland (Dublin), Netherlands (Amsterdam)
Planner: Austria (Vienna), Finland (Helsinki), France (Paris, Marseille), Ireland (Dublin), Netherlands (Amsterdam)
Sway: United States
Yammer: Austria (Vienna), Finland (Helsinki), France (Paris, Marseille), Ireland (Dublin), Netherlands (Amsterdam)
OneNote Services: Austria (Vienna), Finland (Helsinki), France (Paris, Marseille), Ireland (Dublin), Netherlands (Amsterdam)
Stream: Austria (Vienna), Finland (Helsinki), France (Paris, Marseille), Ireland (Dublin), Netherlands (Amsterdam)
Whiteboard: Austria (Vienna), Finland (Helsinki), France (Paris, Marseille), Ireland (Dublin), Netherlands (Amsterdam)
Forms: Austria (Vienna), Finland (Helsinki), France (Paris, Marseille), Ireland (Dublin), Netherlands (Amsterdam)
Workplace Analytics: United States

 

Ref.: Microsoft documentation (IT, EN, Tech Community)

 

SecFull® features

We believe that no one should own other people’s data; for this reason everyone must be able to take back their own data and manage it according to their needs. We stay close to the needs of companies, governments and law enforcement.

We spend sleepless nights designing, testing and building. SecFull was born out of the passion that always underlies the best products.

SecFull is a new series of compliance-oriented ICT products. For us, compliance rests on four properties: Privacy, Security, Integrity, Transparency.

Privacy is the right of individuals to have control over how their personal information is collected and used. Many consider data privacy to be the most significant consumer protection issue today. One factor which contributes to this is growing technological sophistication, and the resulting types of data collected.

Security refers to the process of protecting data from unauthorized access and data corruption throughout its lifecycle. Data security includes data encryption, hashing, tokenization, and key management practices that protect data across all applications and platforms.

Integrity refers to the accuracy, consistency, and validity of data over its lifecycle. Compromised data, after all, is of little use to enterprises, not to mention the dangers presented by sensitive data loss. For this reason, maintaining data integrity is a core focus of many enterprise security solutions.

Transparency is basically defined as openness and accountability in all areas of business. Many IT organizations are also taking a closer look at transparency and accountability. By being transparent, IT can streamline processes, be more productive and improve customer service and support.

Compliance: what is it?

We work inside Information Technology. For some IT professionals, the line between compliance and security easily becomes blurred and may seem like a moving target.

1. Compliance

While compliance is similar to security in that it drives a business to practice due diligence in the protection of its digital assets, the motive behind compliance is different: It is centered around the requirements of a third party, such as a government, security framework, or client’s contractual terms.

Compliance is often viewed as the figurative stick that motivates the donkey, rather than the carrot. If an organization wants to do business in a country with strict privacy laws, in a heavily regulated market like healthcare or finance, or with a client that has high confidentiality standards, it must play by the rules and bring its security up to the required level. For example, regulations like HIPAA and SOX, or standards like PCI DSS and ISO/IEC 27001, set out very specific security criteria that a business must meet to be deemed compliant. A high-profile client may require the business to implement very strict security controls, even beyond what might be considered reasonably necessary, before awarding a contract. These objectives are critical to success because a lack of compliance results in a loss of customer trust, if it does not make it outright illegal to conduct business in that market.

In short, IT Compliance is the process of meeting a third party’s requirements for digital security with the aim of enabling business operations in a particular market or with a particular customer.

2. Security

Security is the practice of exercising due diligence and due care to protect the confidentiality, integrity, and availability of critical business assets.

Security officers follow industry best practices to ward off attackers who seek to harm the business, or to limit the damage done when an attack succeeds. In the past, administrators took a purely technical approach and relied heavily on systems and tools to protect their network: devices like firewalls and content filters, along with concepts like network segmentation and restricted access, were the security professional’s bread and butter.

While these safeguards are still necessary today, modern threat actors employ far more sophisticated strategies that easily bypass old-school technical controls. Threats like social engineering, remote code execution, and vendor-created backdoors require the security professional to be much more diligent and proactive.

The concept of “security” comes down to employing the measures that give an organization’s assets the best possible protection.

3. Compliance vs Security

To restate from above, security is the practice of implementing effective technical controls to protect digital assets, and compliance is the application of that practice to meet a third party’s regulatory or contractual requirements. Here is a brief rundown of the key differences between these two concepts:

Compliance:

  • Is practiced to satisfy external requirements and facilitate business operations
  • Is driven by business needs rather than technical needs
  • Is “done” when the third party is satisfied

Security:

  • Is practiced for its own sake, not to satisfy a third party’s needs
  • Is driven by the need to protect against constant threats to an organization’s assets
  • Is never truly finished and should be continuously maintained and improved

4. Summary

Compliance and security go hand in hand, and each complements the other where one falls short. Compliance establishes a comprehensive baseline for an organization’s security posture, and diligent security practice builds on that baseline to ensure the business is covered from every angle. With an equal focus on both, a business is empowered not only to meet the standards of its market, but also to demonstrate that it goes above and beyond in its commitment to digital security.

 


ICT products

1. ICT

It is an acronym that stands for Information Communications Technology.

However, beyond expanding the acronym, there is no universally accepted definition of ICT. Why? Because the concepts, methods and applications involved in ICT evolve almost daily, and it is difficult to keep up.

A good way to think about ICT is to consider all uses of digital technology that exist to help individuals, businesses and organisations use information. ICT covers any product that will store, retrieve, manipulate, transmit or receive information electronically in a digital form. For example, personal computers, digital television, email, robots.

So ICT is concerned with the storage, retrieval, manipulation, transmission or receipt of digital data. Importantly, it is also concerned with the way these different uses can work with each other.

2. ICT products

In business, ICT is often categorised into two broad types of product:

  • Traditional computer-based technologies (things you can typically do on a personal computer or using computers at home or at work)
  • Digital communication technologies (which allow people and organisations to communicate and share information digitally)

3. Convergence

ICT is also used to refer to the convergence of media technologies such as audio-visual and telephone networks with computer networks, by means of a unified cabling system (including signal distribution and management) or link system. As noted above, there is no universally accepted definition of ICT, since the concepts, methods and tools involved evolve almost daily.

4. European Commission

The development of Information and Communication Technologies (ICT) is vital for Europe’s competitiveness in today’s increasingly digital global economy. Over €20 billion from the European Regional Development Fund (ERDF) is available for ICT investments during the 2014-2020 funding period. These investments are vital for the success of the Commission’s objective of making Europe fit for the digital age.

Improving access, use and quality of ICTs is one of the 11 thematic objectives for Cohesion Policy in 2014-2020. The ERDF will prioritise:

  • Extending broadband deployment and the roll-out of high-speed networks
  • Developing ICT products and services and e-commerce
  • Strengthening ICT applications for e-government, e-learning, e-inclusion, e-culture and e-health

ICT measures may also receive support under other thematic objectives, and they are also included in many smart specialisation strategies. Moving from a classic ICT sector approach to a comprehensive local/regional/national “digital agenda” within the Smart Specialisation Strategy is enabling regions to identify the priorities for ICT investment which are pertinent for their territory.

European Structural and Investment Funds are not only financial support, but also a policy tool that helps public authorities define their strategy and plan their administrative and investment effort. To make sure that EU investments achieve maximum impact, Member States and regions that wish to use funding for ICT-related projects are required to put in place a strategic policy framework for digital growth and a next generation network plan.

European Structural and Investment Funds can also be used strategically to encourage the transposition of Digital Single Market (DSM) legislative initiatives, the development of administrative capacity for effective application of this legislation and the leverage of national public and private funding to enhance and speed-up the positive impact of the DSM in all EU regions.

Increased ICT Investments in 2014-2020 will build on the achievements during the 2007-2013 funding period:

  • Over 5 million additional people connected to broadband
  • More than 20,700 ICT projects received ERDF support