
Words have meaning. Cybersecurity and IT professionals routinely abuse the terms “policy” and “standard” as if they are synonymous. The same holds true for compliance terms since these terms tend to get thrown in the same bucket even though there are significant differences that should be kept in mind.

Why Should You Care?

Beyond just using terminology properly, understanding which of the three types of compliance applies is crucial in managing both cybersecurity and privacy risk within an organization. The consequences of non-compliance can be as stark as (1) going to jail, (2) getting fined, (3) getting sued, (4) losing your contract and (5) an unpleasant combination of the previous options.

Understanding the “hierarchy of pain” with compliance leads to well-informed risk decisions that influence technology purchases, staffing resources and management involvement. That is why it serves both cybersecurity and IT professionals well to understand the compliance landscape: you can present issues of non-compliance in a compelling business context to get the resources you need to do your job.

In the context of this article, I’m going to cover the most common types of compliance requirements: statutory, regulatory and contractual.

Statutory Cybersecurity & Privacy Requirements

Statutory obligations are required by law and refer to current laws that were passed by a state or federal government. These laws are generally static and rarely change unless a new law is passed that updates it, such as the HITECH Act, which provided updates to the two-decades-old HIPAA.

From a cybersecurity and privacy perspective, statutory compliance requirements include:

  • US – Federal Laws
    • Children’s Online Privacy Protection Act (COPPA)
    • Fair and Accurate Credit Transactions Act (FACTA) – including “Red Flags” rule
    • Family Educational Rights and Privacy Act (FERPA)
    • Federal Information Security Management Act (FISMA)
    • Federal Trade Commission (FTC) Act
    • Gramm-Leach-Bliley Act (GLBA)
    • Health Insurance Portability and Accountability Act (HIPAA) / HITECH Act
    • Sarbanes-Oxley Act (SOX)
  • US – State Laws
    • California SB1386
    • Massachusetts 201 CMR 17.00
    • Oregon ORS 646A.622
  • International Laws
    • Canada – Personal Information Protection and Electronic Documents Act (PIPEDA)
    • UK – Data Protection Act (DPA)
    • Other countries’ variations of Personal Data Protection Acts (PDPA)

Regulatory Cybersecurity & Privacy Requirements

Regulatory obligations are required by law, but they are different from statutory requirements in that these requirements refer to rules issued by a regulating body that is appointed by a state or federal government. These are legal requirements through proxy, where the regulating body is the source of the requirement. It is important to keep in mind that regulatory requirements tend to change more often than statutory requirements.

From a cybersecurity and privacy perspective, regulatory compliance examples include:

  • US Regulations
    • Defense Federal Acquisition Regulation Supplement (DFARS) (AKA NIST 800-171)
    • Federal Acquisition Regulation (FAR)
    • Federal Risk and Authorization Management Program (FedRAMP)
    • DoD Information Assurance Risk Management Framework (DIARMF)
    • National Industrial Security Program Operating Manual (NISPOM)
    • New York Department of Financial Services 23 NYCRR 500
  • International Regulations
    • European Union General Data Protection Regulation (EU GDPR)

Contractual Cybersecurity & Privacy Requirements

Contractual obligations are required by a legal contract between private parties. This may be as simple as a cybersecurity or privacy addendum in a vendor contract that calls out unique requirements. It also includes broader requirements from an industry association, where membership brings certain obligations.

From a cybersecurity and privacy perspective, common contractual compliance requirements include:

  • Payment Card Industry Data Security Standard (PCI DSS)
  • Financial Industry Regulatory Authority (FINRA)
  • Service Organization Control (SOC)
  • Generally Accepted Privacy Principles (GAPP)
  • Center for Internet Security (CIS) Critical Security Controls (CSC)
  • Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM)


About the Author: Beverly Cornelius is a partner at ComplianceForge. ComplianceForge is a specialty cybersecurity firm that focuses on governance, risk, compliance and privacy-related documentation. Their unique solutions help companies document their cybersecurity governance programs to comply with specialized requirements, such as NIST 800-171, FAR, and EU GDPR.

Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.

Read the full series here:

Word Crimes Part 1 – Taking on Compliance: Statutory vs Regulatory vs Contractual Compliance

Word Crimes Part 2 – Understanding Policies, Control Objectives, Standards, Guidelines & Procedures

Word Crimes Part 3 – Developing Cybersecurity Vision, Mission & Strategy Statements