In cyber security, what does (compliance) mean? Sorry, I am somewhat confused about it.
I hope others will chime in here as well to provide more context too.
Many businesses have to follow some regulations to be in business where they are. There are regulations that are followed by the industry that you're in. Compliance is meeting those requirements in the regulations.
For example, a company that is publicly traded will have certain security requirements that are mandated by regulations. These regulations must be implemented. That is compliance at the basic level: implementing the required security measures. If those requirements are not met, then you're "out of compliance" and that could result in a fine, or other measures as the regulation states.
Ah yes, "Pandora's Box" and the "Myth of Sisyphus" all rolled into one!
In simple terms (non-international), understanding the concept of compliance is best observed by how it is implemented across our major industries (Financial, Information Technology, Aviation, Government, Healthcare, Manufacturing, etc.). Compliance may be voluntary or required. How does one identify if one is compliant? It directly relates to knowing who the AHJ (Authority Having Jurisdiction) is over your industry or sector. If an organization does not identify this, they will have a compliance blind spot.
Consider a few examples of compliance in action:
Electrical industry: While the National Fire Protection Agency (NFPA) has created a continuously revised standard for the electrical industry (ANSI/NFPA 70, aka "NEC"), the NFPA does not enforce these standards. The AHJ that adopts this code is the enforcing agency (in this case the government). However, one state government may choose to enforce as "code" the standard that was formalized in 2017, while another state may choose the one that was formalized in 2020. In the former situation, an electrician may choose to apply the 2020 standard to his work; however, if it violates a standard from the state-adopted 2017 NEC, then he would be in non-compliance.
Healthcare industry: Due to the diverse nature of hospital departments and environmental conditions (laboratory, radiology, biohazard, nursing, autopsy, surgery, blood bank, heliport, RF communications, etc.), there are a bewildering number of codes to comply with. The challenge is that there may be a few to several dozen AHJs regulating their various operations. Auditing of code compliance may be aggressively or loosely performed by the related AHJ. However, there may be the option for intermediary organizations to be contracted to serve as auditors of overall hospital compliance. The intermediary organization submits the audit report to the AHJ. The AHJ may choose to approve or reject the audit and perform a secondary audit. With several AHJs involved, the overlapping "authority" may result in a hospital being subject to mitigating the conflicting application of different codes adopted and enforced by the AHJs.
At this point, I believe it is important to make a clear distinction between "Regulation" and "Standard". These terms are frequently used interchangeably. Industry "standards" are developed by committees of industry professionals, subject to review by public opinion, and revised by the same committees. These committees may or may not include representatives from AHJs. Standards should be viewed as a non-enforceable benchmark. However, they may be wholly or in part voluntarily enforced by an organization. A "Standard" becomes a "Regulation" when it has been adopted by an AHJ, which then enforces the code on the associated industry it governs.
In essence, this helps us to see the value of "Compliance Officers" in organizations. These professionals may be as sharp as a tack, but they endure the fate of Sisyphus, and must be diligent students with resources to help them safely navigate their organization through this extremely complex world.