How do you handle a situation where security and compliance requirements overlap but are not identical?