OBJECTIVE 5.4: Summarize elements of effective security compliance

Compliance is meeting the requirements imposed by laws, regulations, industry standards, and contractual obligations. It’s not optional, and penalties for non-compliance can be severe — fines, lawsuits, loss of business, or criminal liability.

Regulatory Frameworks

GDPR (General Data Protection Regulation)

EU regulation governing personal data of EU residents.

  • Applies to any organization processing EU resident data, regardless of where the org is located
  • Key requirements: Lawful basis for processing, data subject rights (access, deletion, portability), 72-hour breach notification, Data Protection Officer (DPO) for certain orgs, privacy by design
  • Penalties: Up to 4% of annual global revenue or €20 million, whichever is greater

HIPAA (Health Insurance Portability and Accountability Act)

US regulation protecting healthcare data (PHI — Protected Health Information).

  • Applies to covered entities (healthcare providers, insurers) and their business associates
  • Security Rule: Technical, physical, and administrative safeguards for ePHI
  • Privacy Rule: How PHI can be used and disclosed
  • Breach Notification Rule: Notification requirements when PHI is compromised

PCI-DSS (Payment Card Industry Data Security Standard)

Industry standard for organizations that handle credit card data.

  • Not a law — contractual requirement from card brands (Visa, Mastercard, etc.)
  • 12 requirements covering network security, data protection, access control, monitoring, testing
  • Quarterly vulnerability scans by Approved Scanning Vendor (ASV)
  • Annual assessment (Self-Assessment Questionnaire for small merchants, on-site audit for large)

SOX (Sarbanes-Oxley Act)

US law requiring internal controls over financial reporting for publicly traded companies.

  • IT controls are in scope because financial data flows through IT systems
  • Section 404: Management must assess and report on internal control effectiveness

GLBA (Gramm-Leach-Bliley Act)

US law requiring financial institutions to protect customer financial information.

  • Safeguards Rule: Risk assessment, employee training, vendor oversight

FERPA (Family Educational Rights and Privacy Act)

US law protecting student education records.

CCPA/CPRA (California Consumer Privacy Act / California Privacy Rights Act)

California privacy regulation — often called “US GDPR.”

  • Consumer rights: know what data is collected, delete data, opt out of sale
  • Applies to businesses meeting revenue/data thresholds

Compliance vs. Security

Compliance ≠ Security. An organization can be compliant and insecure, or secure and non-compliant.

  • Compliance is the minimum baseline — the floor, not the ceiling
  • Compliance frameworks can lag behind current threats
  • Checkbox compliance without genuine security investment creates a false sense of safety
  • However, compliance drives accountability and funding that might not otherwise exist

Compliance Elements

Policies and Procedures

Documented controls that demonstrate how requirements are met.

  • Must be current, approved, and distributed to relevant personnel

Evidence Collection

Proof that controls are implemented and operating effectively.

  • Logs, configurations, screenshots, tickets, training records
  • Must be maintained for the retention period required by the standard

Internal Monitoring

Continuous or periodic self-assessment to verify compliance is maintained.

  • Automated compliance monitoring tools
  • Regular control testing and validation
  • Gap remediation tracking

Reporting

Demonstrating compliance to regulators, auditors, or business partners.

  • Compliance reports, attestation letters, certification documents
  • Incident reporting within required timeframes (GDPR 72-hour requirement)

Data Privacy

Key Concepts

  • PII (Personally Identifiable Information): Data that can identify an individual (name, SSN, email, IP address in some jurisdictions)
  • PHI (Protected Health Information): Health-related PII under HIPAA
  • Data sovereignty: Legal requirement that data is subject to the laws of the country where it’s stored
  • Data localization: Requirement that data must be stored within specific geographic boundaries
  • Privacy Impact Assessment (PIA): Evaluation of how a project or system affects individual privacy

Data Subject Rights (GDPR model)

  • Right of access: See what data is held about you
  • Right to rectification: Correct inaccurate data
  • Right to erasure (“right to be forgotten”): Request deletion of personal data
  • Right to portability: Receive your data in a portable format
  • Right to object: Opt out of certain data processing

Consent (GDPR)

  • Must be freely given, specific, informed, and unambiguous
  • Pre-checked boxes are not valid consent under GDPR
  • Must be as easy to withdraw as to give

Consequences of Non-Compliance

  • Financial: Fines (GDPR fines regularly in millions), contract penalties
  • Legal: Lawsuits, regulatory action, criminal charges for willful negligence
  • Reputational: Loss of customer trust, public disclosure of failures
  • Operational: Loss of ability to process payments (PCI-DSS), loss of government contracts

Offensive Context

Compliance frameworks exist because organizations historically failed to implement basic security without external pressure. From the offensive side, compliance documentation is reconnaissance gold — it tells the attacker what controls are supposedly in place. The gap between documented compliance and actual implementation is where attackers find opportunity. “We’re PCI compliant” means nothing if the controls are poorly implemented or scope is minimized to pass the audit rather than genuinely protect cardholder data.