Summarize elements of effective security compliance
Compliance is meeting the requirements imposed by laws, regulations, industry standards, and contractual obligations. It’s not optional, and penalties for non-compliance can be severe — fines, lawsuits, loss of business, or criminal liability.
Regulatory Frameworks
GDPR (General Data Protection Regulation)
EU regulation governing personal data of EU residents.
- Applies to any organization processing EU resident data, regardless of where the org is located
- Key requirements: Lawful basis for processing, data subject rights (access, deletion, portability), 72-hour breach notification, Data Protection Officer (DPO) for certain orgs, privacy by design
- Penalties: Up to 4% of annual global revenue or €20 million, whichever is greater
HIPAA (Health Insurance Portability and Accountability Act)
US regulation protecting healthcare data (PHI — Protected Health Information).
- Applies to covered entities (healthcare providers, insurers) and their business associates
- Security Rule: Technical, physical, and administrative safeguards for ePHI
- Privacy Rule: How PHI can be used and disclosed
- Breach Notification Rule: Notification requirements when PHI is compromised
PCI-DSS (Payment Card Industry Data Security Standard)
Industry standard for organizations that handle credit card data.
- Not a law — contractual requirement from card brands (Visa, Mastercard, etc.)
- 12 requirements covering network security, data protection, access control, monitoring, testing
- Quarterly vulnerability scans by Approved Scanning Vendor (ASV)
- Annual assessment (Self-Assessment Questionnaire for small merchants, on-site audit for large)
SOX (Sarbanes-Oxley Act)
US law requiring internal controls over financial reporting for publicly traded companies.
- IT controls are in scope because financial data flows through IT systems
- Section 404: Management must assess and report on internal control effectiveness
GLBA (Gramm-Leach-Bliley Act)
US law requiring financial institutions to protect customer financial information.
- Safeguards Rule: Risk assessment, employee training, vendor oversight
FERPA (Family Educational Rights and Privacy Act)
US law protecting student education records.
CCPA/CPRA (California Consumer Privacy Act / California Privacy Rights Act)
California privacy regulation — often called “US GDPR.”
- Consumer rights: know what data is collected, delete data, opt out of sale
- Applies to businesses meeting revenue/data thresholds
Key Compliance Distinctions
Due Diligence vs. Due Care
CompTIA tests this explicitly. Know the difference cold.
- Due diligence: The investigation and research before making a decision. Identifying risks, evaluating controls, understanding regulatory requirements. “Did you do your homework?”
- Due care: The ongoing implementation and maintenance of reasonable protections after you know the risks. “Are you doing what a reasonable person would do?”
| Concept | When | Example |
|---|---|---|
| Due diligence | Before/during planning | Conducting a risk assessment before adopting a cloud provider |
| Due care | Ongoing operations | Applying patches promptly after they’re released |
Failure of due diligence = negligence in preparation. Failure of due care = negligence in execution. Both create legal liability.
Attestation vs. Acknowledgement
- Attestation: A formal declaration that something is true, typically by a qualified third party. An auditor attests that controls are operating effectively. A SOC 2 report is an attestation.
- Acknowledgement: Confirmation that a person has received and understood information. An employee acknowledging the AUP isn’t attesting to its accuracy — they’re confirming they read it.
Data Roles
| Role | Responsibility | Example |
|---|---|---|
| Data Owner | Business executive who decides classification and access policy | VP of Finance owns financial data |
| Data Steward | Ensures data quality, integrity, and proper use within policy | Database admin who enforces naming conventions, validates data accuracy |
| Data Custodian | Implements technical controls the owner defines | Sysadmin who configures encryption and backups |
| Data Controller | Determines purposes and means of processing (GDPR term) | The company collecting customer data |
| Data Processor | Processes data on behalf of the controller | A cloud provider storing that data |
Exam trap: Data steward ≠ data custodian. The steward focuses on data quality and governance within business rules. The custodian focuses on technical implementation of protections.
Breach Notification Requirements
Notification timelines vary by regulation. CompTIA expects you to know the key ones:
| Regulation | Notification Deadline | Who Must Be Notified |
|---|---|---|
| GDPR | 72 hours to supervisory authority | Authority + affected individuals if high risk |
| HIPAA | 60 days to HHS + individuals | HHS, affected individuals, media if >500 people |
| PCI-DSS | ASAP (no fixed timeline) | Card brands, acquiring bank |
| State breach laws | Varies (30–90 days typical) | State AG, affected residents |
- Clock starts when the breach is discovered, not when it occurred
- “Discovery” means when the org knew or should have known — willful ignorance doesn’t stop the clock
- Notification must include: what happened, what data was involved, what the org is doing about it, what affected individuals should do
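The notification rules above turned into a small planner, as an added example (not part of the study guide): the clock starts at the discovery timestamp, the recipient list follows the table (HIPAA adds the media above 500 people, GDPR adds individuals only for high-risk breaches), and "ASAP" regulations get no fixed deadline. The `STATE` entry is a constructed placeholder for one 30-day state statute, since those vary.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional

# Windows from the table above, measured from discovery. None means "ASAP".
# STATE is a constructed placeholder for a single 30-day state law (they vary 30-90 days).
WINDOWS = {"GDPR": timedelta(hours=72), "HIPAA": timedelta(days=60),
           "PCI-DSS": None, "STATE": timedelta(days=30)}

@dataclass
class Breach:
    regulation: str
    discovered_at: str        # ISO timestamp: when the org knew or should have known
    affected_count: int = 0
    high_risk: bool = False   # GDPR: high risk to individuals' rights and freedoms

@dataclass
class Plan:
    deadline: Optional[str]   # ISO timestamp, or None when the rule says "ASAP"
    recipients: List[str] = field(default_factory=list)

def notification_plan(b: Breach) -> Plan:
    """Decide who must be notified and by when, starting the clock at discovery."""
    window = WINDOWS[b.regulation]
    discovered = datetime.fromisoformat(b.discovered_at)
    deadline = (discovered + window).isoformat() if window else None
    if b.regulation == "GDPR":
        recipients = ["supervisory authority"]
        if b.high_risk:
            recipients.append("affected individuals")
    elif b.regulation == "HIPAA":
        recipients = ["HHS", "affected individuals"]
        if b.affected_count > 500:
            recipients.append("media")
    elif b.regulation == "PCI-DSS":
        recipients = ["card brands", "acquiring bank"]
    else:
        recipients = ["state attorney general", "affected residents"]
    return Plan(deadline, recipients)

def is_overdue(plan: Plan, now_iso: str) -> bool:
    """True once a fixed window has elapsed; ASAP rules never produce a fixed deadline."""
    if plan.deadline is None:
        return False
    return datetime.fromisoformat(now_iso) > datetime.fromisoformat(plan.deadline)
```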
Data Retention and Classification
Retention Periods by Regulation
| Regulation | Retention Period | What’s Retained |
|---|---|---|
| PCI-DSS | 1 year (audit logs) | Cardholder data environment logs |
| SOX | 7 years | Financial records, audit workpapers |
| HIPAA | 6 years | PHI-related documentation, policies |
| GDPR | No longer than necessary | Personal data (purpose limitation) |
| IRS | 7 years | Tax-related financial records |
- Retention policies must address both minimum (hold at least this long) and maximum (delete after this long) periods
- GDPR’s “storage limitation” principle means you can’t keep data indefinitely “just in case”
- Retention applies to backups too — a backup containing data past its retention period is a compliance violation
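The minimum/maximum logic and the backup rule, worked through as an added example (not from the study guide): each copy of a record, backups included, is classed as retain, may delete, or must delete. Minimums come from the table above; GDPR's maximum is the date the data stopped being necessary, and `max_years` is a hypothetical policy field for non-GDPR data. Year arithmetic uses 365-day years as an approximation.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional

# Minimum hold periods in years, from the retention table above.
# GDPR has no minimum: its storage-limitation principle sets a maximum instead.
MIN_YEARS = {"PCI-DSS": 1, "SOX": 7, "HIPAA": 6, "IRS": 7, "GDPR": 0}

@dataclass
class Record:
    created: str                           # ISO date the record was created
    regulations: List[str]                 # every regulation that applies to it
    purpose_ended: Optional[str] = None    # GDPR: date the data stopped being necessary
    max_years: Optional[int] = None        # hypothetical policy-defined maximum
    copies: List[str] = field(default_factory=lambda: ["primary"])  # backups included

def _years_after(iso: str, n: int) -> date:
    return date.fromisoformat(iso) + timedelta(days=365 * n)  # approximation, ignores leap days

def retention_status(rec: Record, today_iso: str) -> Dict[str, str]:
    """Map every copy (primary and backups alike) to 'retain', 'may delete'
    or 'must delete'. Every minimum must be satisfied before any deletion;
    after that, the earliest maximum forces deletion of all copies."""
    today = date.fromisoformat(today_iso)
    hold_until = max(_years_after(rec.created, MIN_YEARS[r]) for r in rec.regulations)
    limits: List[date] = []
    if "GDPR" in rec.regulations and rec.purpose_ended is not None:
        limits.append(date.fromisoformat(rec.purpose_ended))
    if rec.max_years is not None:
        limits.append(_years_after(rec.created, rec.max_years))
    if today < hold_until:
        status = "retain"
    elif limits and today > min(limits):
        status = "must delete"
    else:
        status = "may delete"
    # Same verdict for every copy: a backup past its period is a violation too.
    return {copy: status for copy in rec.copies}

def overdue_copies(rec: Record, today_iso: str) -> List[str]:
    """Copies, backups included, that are now a compliance violation."""
    return [c for c, s in retention_status(rec, today_iso).items() if s == "must delete"]
```

An invoice subject to both GDPR and SOX shows the interplay: the purpose may end after a year, but the seven-year SOX minimum keeps every copy in place until it expires, at which point all of them must go.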
Data Inventory and Classification
Data classification is a prerequisite for compliance, not a separate activity:
- Inventory: Identify what data you have, where it lives, who accesses it
- Classify: Apply labels based on sensitivity (Public, Internal, Confidential, Restricted)
- Map to requirements: Which regulations apply to which data categories
- Apply controls: Controls proportional to classification level
- Monitor: Ongoing verification that classified data is handled according to policy
Without a data inventory, compliance is guesswork. You can’t protect what you don’t know you have.
Compliance Monitoring
Automated vs. Periodic Monitoring
- Automated/continuous: Real-time compliance checking via tools (CSPM for cloud, SIEM for log retention, configuration management for baselines). Catches drift immediately.
- Periodic: Scheduled reviews — quarterly access reviews, annual policy reviews, monthly control testing. Catches issues on a cadence.
- Best practice is both: automated monitoring for technical controls, periodic reviews for procedural and administrative controls.
Gap Remediation Tracking
- Gaps identified during audits or monitoring must be tracked to closure
- Plan of Action and Milestones (POA&M): Formal document listing each gap, remediation steps, responsible party, and deadline
- Compensating controls may be acceptable while permanent fixes are implemented
- Regulators and auditors want to see progress, not perfection — but they want to see documented progress
Master Regulatory Comparison
One table to rule them all. CompTIA loves “which regulation applies?” questions.
| Regulation | Applies To | Protects | Key Requirements | Penalties | Retention | Breach Notification |
|---|---|---|---|---|---|---|
| GDPR | Any org processing EU resident data | Personal data of EU residents | Lawful basis, DPO, privacy by design, data subject rights | Up to 4% global revenue or €20M | No longer than necessary | 72 hours to authority |
| HIPAA | Healthcare providers, insurers, business associates | PHI (Protected Health Information) | Technical/admin/physical safeguards, BAAs, minimum necessary | Up to $1.5M per violation category/year | 6 years (documentation) | 60 days to HHS + individuals |
| PCI-DSS | Any org handling payment card data | Cardholder data | 12 requirements, quarterly ASV scans, annual assessment | Contract penalties, increased fees, loss of card processing | 1 year (audit logs) | ASAP to card brands + acquirer |
| SOX | US publicly traded companies | Financial reporting integrity | Section 404 internal controls, audit trails | Fines, prison (up to 20 years for willful violation) | 7 years | N/A (SEC filings) |
| GLBA | US financial institutions | Customer financial information | Safeguards Rule, privacy notices, vendor oversight | Fines per violation | Varies | State-specific |
| FERPA | Educational institutions receiving federal funding | Student education records | Consent for disclosure, access rights, amendment rights | Loss of federal funding | Varies by record type | No federal requirement |
| CCPA/CPRA | Businesses meeting CA revenue/data thresholds | CA consumer personal information | Right to know, delete, opt-out of sale, correct | $2,500/violation, $7,500/intentional | Reasonable period | No specific timeline |
| SOC 2 | Service organizations (voluntary) | Customer data (Trust Services Criteria) | Security, availability, processing integrity, confidentiality, privacy | N/A (market consequence) | Per engagement | Per contract |
Exam decision logic:
- Healthcare data → HIPAA
- EU personal data → GDPR
- Credit card numbers → PCI-DSS
- Student records → FERPA
- Financial reporting → SOX
- California residents → CCPA/CPRA
- Customer financial data → GLBA
- “Which has the shortest breach notification?” → GDPR (72 hours)
- “Which has the highest penalties?” → GDPR (percentage of global revenue)
Compliance vs. Security
Compliance ≠ Security. An organization can be compliant and insecure, or secure and non-compliant.
- Compliance is the minimum baseline — the floor, not the ceiling
- Compliance frameworks can lag behind current threats
- Checkbox compliance without genuine security investment creates a false sense of safety
- However, compliance drives accountability and funding that might not otherwise exist
Compliance Elements
Policies and Procedures
Documented controls that demonstrate how requirements are met.
- Must be current, approved, and distributed to relevant personnel
Evidence Collection
Proof that controls are implemented and operating effectively.
- Logs, configurations, screenshots, tickets, training records
- Must be maintained for the retention period required by the standard
Internal Monitoring
Continuous or periodic self-assessment to verify compliance is maintained.
- Automated compliance monitoring tools
- Regular control testing and validation
- Gap remediation tracking
Reporting
Demonstrating compliance to regulators, auditors, or business partners.
- Compliance reports, attestation letters, certification documents
- Incident reporting within required timeframes (GDPR 72-hour requirement)
Data Privacy
Key Concepts
- PII (Personally Identifiable Information): Data that can identify an individual (name, SSN, email, IP address in some jurisdictions)
- PHI (Protected Health Information): Health-related PII under HIPAA
- Data sovereignty: Legal requirement that data is subject to the laws of the country where it’s stored
- Data localization: Requirement that data must be stored within specific geographic boundaries
- Privacy Impact Assessment (PIA): Evaluation of how a project or system affects individual privacy
Data Subject Rights (GDPR model)
- Right of access: See what data is held about you
- Right to rectification: Correct inaccurate data
- Right to erasure (“right to be forgotten”): Request deletion of personal data
- Right to portability: Receive your data in a portable format
- Right to object: Opt out of certain data processing
Consent
- Must be freely given, specific, informed, and unambiguous
- Pre-checked boxes are not valid consent under GDPR
- Must be as easy to withdraw as to give
Consequences of Non-Compliance
- Financial: Fines (GDPR fines regularly in millions), contract penalties
- Legal: Lawsuits, regulatory action, criminal charges for willful negligence
- Reputational: Loss of customer trust, public disclosure of failures
- Operational: Loss of ability to process payments (PCI-DSS), loss of government contracts
Offensive Context
Compliance frameworks exist because organizations historically failed to implement basic security without external pressure. From the offensive side, compliance documentation is reconnaissance gold — it tells the attacker what controls are supposedly in place. The gap between documented compliance and actual implementation is where attackers find opportunity. “We’re PCI compliant” means nothing if the controls are poorly implemented or scope is minimized to pass the audit rather than genuinely protect cardholder data.