Regulatory compliance is an important consideration for many organizations, enabling them to participate in specific industries that require minimum standards for organizational processes and technology.
Compliance vs. Security
Regulatory compliance is a business requirement driven by the need to perform regulated tasks like accepting credit cards as payment, conducting health care activities, running energy production facilities, and more. In contrast, security is driven by the need to protect an organization’s assets from constant threats. Both activities often deal with the same security controls, but regulatory compliance is assessed only periodically, through an audit. At the end of the audit an organization is granted an “Authority to Operate,” under which it can begin or continue the regulated activity.
How Compliance is Achieved
Regulatory compliance is assessed on implementations of systems and products, not on the products themselves. An auditor does not deal with hypothetical situations, system designs, or product capabilities; they want to see how the system is actually built and operated. While a VMware Cloud-based SDDC has hundreds of security features and is validated for use in the world’s most sensitive environments, it is still possible to make implementation decisions that open the door to attackers and to disasters. An auditor seeks to find those problems and shine a light on them.