Compliance, Legal, and Regulatory Requirements in Security Programs

Security Compliance in Context

Security compliance aligns technical and administrative controls with external obligations (laws, regulations, contracts, standards) and internal policies.

Governance, Risk, and Compliance

Governance, risk, and compliance refers to operating with an awareness of applicable regulations and policies, including principles of governance, risk, and compliance when securing enterprise environments.

Rules vs Frameworks vs Controls

• Laws/regulations: you must do X
• Standards/frameworks: structured ways to do X
• Controls: concrete mechanisms (MFA, logging, encryption) that implement X

Link to Risk Management

Risk management decides which risks to treat. Compliance adds non‑negotiable requirements: some controls are required even if risk seems low.

Exam Angle

Expect scenario questions asking which laws, regulations, or standards drive security choices like logging, encryption, and incident reporting.

Why Regulations Matter

Know categories of regulations and how they shape controls, rather than memorizing every article or section number.

Data Protection & Privacy

GDPR, CCPA/CPRA, and similar laws drive lawful processing, data minimization, user rights, and strict breach notification rules.

Sector-Specific Rules

HIPAA governs health data safeguards; GLBA requires financial institutions to secure customer information via formal programs.

Cyber & Critical Infrastructure

Laws such as EU NIS2 set minimum security and incident reporting for critical sectors and essential services.

Breach Notification Trends

Most modern laws require timely breach notification with specific content and recipients, driving logging and incident response.

Beyond Laws: Other Drivers

Compliance is also driven by industry standards, security frameworks, and contractual obligations, not just formal laws.

Industry Standards: PCI DSS

PCI DSS is a card-brand standard requiring controls like segmentation, encryption, and logging for cardholder data environments.

Security Frameworks

Frameworks like ISO/IEC 27001 and NIST CSF organize best-practice controls and processes, often used to structure security programs.

Contracts and SLAs

Contracts with cloud and SaaS providers often specify encryption, logging, incident notification timelines, and audit rights.

Exam Signal

If you see PCI DSS, think industry standard; if you see SLA notification timelines, think contractual compliance requirement.

Why Data Type Matters

Different laws and standards apply to different data types, so classification is the first step in mapping compliance to controls.

PII and Sensitive PII

PII identifies a person; sensitive PII (like health or biometric data) typically requires stronger protections and stricter consent.

PHI and Health Data

PHI is health-related PII in a medical context, driving HIPAA-style safeguards like strict access control, logging, and encryption.

Financial and Cardholder Data

Financial data may fall under GLBA; cardholder data is governed by PCI DSS, requiring strong segmentation and encryption.

Privacy-Driven Controls

Common controls: data minimization, least privilege, encryption, logging, and secure retention/disposal policies.

Scenario 1: EU E‑commerce

US company selling to EU customers triggers GDPR: consent for tracking, privacy notices, data subject rights, and breach notification.

Scenario 1: Controls

Map to cookie consent tools, access control and encryption for PII, data inventory, and incident response with GDPR steps.

Scenario 2: Hospital Hybrid Environment

Hospital using on‑prem EHR plus cloud imaging: hybrid environment subject to HIPAA and local health privacy laws.

Scenario 2: Controls

Controls: BAAs, encrypted links, RBAC for PHI, centralized logging, and clear breach notification playbooks.

Scenario 3: Online Retailer

Retailer accepting credit cards must follow PCI DSS, focusing on protecting cardholder data and limiting scope.

Scenario 3: Controls

Use PCI-compliant payment gateways, segment networks, and run regular vulnerability scans and web app firewalls.

Audit Lifecycle

Audits move through planning and scoping, evidence collection, reporting, and remediation/follow-up stages.

Scope and Controls

Scoping defines which systems and processes are in; auditors then focus on relevant controls like firewalls or encryption.

Evidence Types: Documents

Policies, procedures, and records (like training logs and risk assessments) support administrative controls.

Evidence Types: Technical

Screenshots, configuration exports, and logs demonstrate that technical controls are implemented and operating.

What Makes Good Evidence

Good evidence is reliable, objective, and repeatable, such as signed access reviews or SIEM logs, not just verbal claims.

Step 1: Identify the Driver

Determine whether the requirement comes from a law, industry standard, framework, or contract/SLA.

Step 2: Extract the Objective

Ask what the rule tries to achieve: confidentiality, integrity, availability, accountability, or user rights.

Step 3: Control Families

Map the objective to administrative, technical, and physical control families.

Step 4: Concrete Controls

Translate requirements like limited PHI access into RBAC, MFA, policies, and access logs.

Step 5: Monitoring & Evidence

Always ask how you will prove the control works: logs, reports, tickets, and sign-offs.