# CompTIA Security+ Compliance & Governance Study Guide


## Overview

Compliance and governance form the foundational framework that ensures organizations manage information security in alignment with legal requirements, industry standards, and best practices. This domain covers regulatory frameworks, data privacy principles, audit processes, organizational policies, and risk management strategies. Understanding these concepts is critical for Security+ candidates, as governance decisions drive technical security implementations across all other domains.


---


## Regulatory Frameworks & Standards

### What You Need to Know

Regulatory frameworks are legally mandated or industry-driven sets of rules that organizations must follow to protect specific types of data. Each framework applies to a defined scope of organizations and data types.

### Key Frameworks at a Glance

| Framework | Governing Body | Protects | Applies To |
|-----------|---------------|----------|------------|
| PCI DSS | PCI Security Standards Council | Cardholder data | Any org processing payment cards |
| HIPAA | U.S. Dept. of Health & Human Services | PHI / ePHI | Healthcare orgs & business associates |
| FISMA | U.S. Federal Government | Government information systems | Federal agencies & contractors |
| SOX | U.S. Congress | Financial reporting data | Publicly traded companies |
| GDPR | European Union | Personal data of EU residents | Any org handling EU resident data |
| NIST CSF | NIST (voluntary) | General cybersecurity posture | Any organization (widely adopted) |

### Detailed Breakdown


#### PCI DSS (Payment Card Industry Data Security Standard)

- Protects cardholder data, including credit and debit card transaction information
- Applies to any organization that stores, processes, or transmits payment card data
- Enforced through payment card brands (Visa, Mastercard, etc.), not by law
- Compliance validated through Qualified Security Assessors (QSAs) or self-assessment questionnaires

#### HIPAA (Health Insurance Portability and Accountability Act)

- Governs Protected Health Information (PHI) and electronic PHI (ePHI)
- Two Main Rules:
  - Privacy Rule — Controls use and disclosure of PHI
  - Security Rule — Mandates administrative, physical, and technical safeguards for ePHI
- Applies to covered entities (hospitals, insurers) and business associates (vendors with PHI access)

#### FISMA (Federal Information Security Management Act)

- Requires federal agencies to develop, document, and implement information security programs
- Applies to federal agencies and their contractors
- Works in conjunction with NIST SP 800-53 (security and privacy controls for federal systems)

#### SOX (Sarbanes-Oxley Act)

- Requires publicly traded companies to implement internal controls protecting financial data
- Key IT security concern: preventing unauthorized modification of financial records
- Section 404 specifically requires management assessment of internal controls
- Enforced by the SEC and PCAOB

#### GDPR (General Data Protection Regulation)

- EU law governing collection and processing of personal data of EU residents
- Applies to any organization worldwide that handles EU resident data (extraterritorial reach)
- Maximum fine: €20 million or 4% of global annual turnover, whichever is higher
- Key rights granted to individuals: right to access, right to erasure ("right to be forgotten"), right to portability

#### NIST Cybersecurity Framework (CSF)

- Voluntary framework developed by NIST for risk management and governance
- Organized into five core functions:
  1. Identify — Asset management, risk assessment
  2. Protect — Access controls, training, data security
  3. Detect — Anomalies, security events
  4. Respond — Incident response, communications
  5. Recover — Recovery planning, improvements
- Widely adopted as a reference framework even outside regulated industries

### Key Terms — Regulatory Frameworks

- Compliance — Adherence to laws, regulations, or standards
- Covered Entity — Organizations directly subject to HIPAA
- Business Associate — Third parties that handle PHI on behalf of covered entities
- Extraterritorial Jurisdiction — A law's authority beyond its home country (e.g., GDPR)
- PHI (Protected Health Information) — Individually identifiable health information
- ePHI — PHI stored, transmitted, or processed electronically

### ⚠️ Watch Out For

- PCI DSS is industry-driven, not a federal law — Do not confuse it with FISMA or HIPAA
- HIPAA has two main rules — The Privacy Rule and Security Rule have distinct purposes; know the difference
- GDPR applies globally — A U.S. company handling EU citizen data must comply
- NIST CSF is voluntary — NIST SP 800-53 is mandatory for federal agencies; these are different documents
- SOX is about financial integrity, not just IT — Frame SOX answers in terms of financial reporting accuracy

---


## Data Privacy & Classification

### What You Need to Know

Data privacy governs how personal information is collected, stored, used, and shared. Data classification determines how data is labeled and protected based on sensitivity.

### Privacy Principles

#### Data Minimization

- Definition: Collect and retain only the minimum amount of personal data necessary for a specific, stated purpose
- A core GDPR principle — collecting excess data is a violation
- Ask: Is this data actually needed for the stated purpose?

#### Data Sovereignty vs. Data Residency

| Concept | Definition |
|---------|-----------|
| Data Residency | The physical location where data is stored |
| Data Sovereignty | Data is subject to the laws of the country where it physically resides |

> Example: A U.S. company stores data in Germany — that data is subject to German/EU law (data sovereignty), regardless of where the company is headquartered.

#### Data Protection Officer (DPO)

- Required under GDPR for certain organizations
- Oversees data protection strategy and ensures GDPR compliance
- Serves as the point of contact for supervisory authorities and data subjects
- Must be independent and report directly to top management

### Data Classification

#### U.S. Government Classification Levels (Most to Least Sensitive)

1. Top Secret — Unauthorized disclosure could cause exceptionally grave damage to national security
2. Secret — Could cause serious damage to national security
3. Confidential — Could cause damage to national security
4. Unclassified — No specific protection requirements

#### Commercial/Private Sector Classification (Common Labels)

1. Restricted/Confidential — Highest sensitivity (trade secrets, PII)
2. Internal/Private — For internal use only
3. Public — Safe for public disclosure

### Key Terms — Data Privacy & Classification

- PII (Personally Identifiable Information) — Data that can identify an individual
- Data Subject — The individual whose personal data is being processed
- Data Controller — Entity that determines the purpose and means of processing personal data
- Data Processor — Entity that processes data on behalf of the controller
- Right to Erasure — GDPR right to have personal data deleted ("right to be forgotten")
- Data Portability — Right to receive personal data in a usable format

### ⚠️ Watch Out For

- Data residency ≠ data sovereignty — Residency is physical location; sovereignty is legal jurisdiction
- Top Secret is the highest U.S. government classification — "Classified" is not a level; it's a general term
- DPO is not the same as a CISO — The DPO is specifically a GDPR compliance role, not the head of security
- Data minimization applies at collection — Not just storage; don't collect data "just in case"

---


## Audit & Assessment

### What You Need to Know

Audits and assessments verify that security controls are in place and functioning. Understanding the types, purposes, and outputs of audits is essential for compliance.

### Types of Audits

#### Internal vs. External Audit

| Type | Conducted By | Purpose | Independence |
|------|-------------|---------|--------------|
| Internal Audit | Organization's own staff or internal team | Identify gaps, assess controls | Lower — potential bias |
| External Audit | Independent third party | Unbiased compliance assessment | Higher — no conflict of interest |

#### Gap Analysis

- Definition: Compares current security posture against a desired standard or framework
- Identifies deficiencies ("gaps") that must be remediated
- Outputs: A list of findings with recommended remediation steps
- Used at the start of a compliance initiative to build a roadmap

#### Attestation

- Definition: A formal confirmation (often signed) that specific controls, processes, or configurations are in place and functioning
- Can be provided by management or a third party
- Example: A cloud provider attesting that they comply with SOC 2 controls
- Creates legal accountability — false attestation can have serious consequences

### Vendor & Third-Party Audits

#### Right-to-Audit Clause

- A contractual provision granting an organization the authority to audit a vendor's security controls
- Ensures vendors meet required security standards before and during the business relationship
- Important: Vendors may resist this clause — its presence in a contract is a strong governance signal
- Should be established before a vendor relationship begins

### Key Terms — Audit & Assessment

- Audit Trail — A record of events used to trace system activity for accountability
- Compliance Audit — Verifies adherence to specific regulations or standards
- Remediation — Actions taken to fix identified security gaps or vulnerabilities
- Finding — A documented deficiency identified during an audit
- SOC 2 Report — An audit report on a service organization's controls relevant to security, availability, and confidentiality

### ⚠️ Watch Out For

- Gap analysis is not a vulnerability scan — It's a process comparing posture to a framework, not automated scanning
- Attestation creates legal liability — It's not just a checkbox; false attestation can lead to legal consequences
- External auditors provide independence, not necessarily superiority — Internal audits serve a different (but equally valid) purpose
- Right-to-audit must be in the contract — Verbal agreements are insufficient; this must be a formal clause

---


## Organizational Governance Policies

### What You Need to Know

Governance policies form the hierarchy of rules that guide security behavior across an organization. Understanding the policy hierarchy and the purpose of specific policies is critical.

### The Policy Hierarchy

```
Policy    (High-Level Intent — "What" and "Why")
Standard  (Specific, Mandatory Requirements — "How" in measurable terms)
Procedure (Step-by-Step Instructions — "How" in operational detail)
Guideline (Recommended, Non-Mandatory Advice)
```

| Document Type | Authority | Flexibility | Example |
|--------------|-----------|-------------|---------|
| Policy | Mandatory | Broad | "All data must be encrypted" |
| Standard | Mandatory | Specific | "AES-256 encryption must be used" |
| Procedure | Mandatory | Step-by-step | "How to configure AES-256 on system X" |
| Guideline | Recommended | Flexible | "Consider using a password manager" |

### Key Policies Explained

#### Acceptable Use Policy (AUP)

- Defines permitted and prohibited uses of organizational IT resources
- Covers: computers, networks, internet access, email, and removable media
- Why it matters: Establishes user accountability, reduces legal liability, sets a baseline for disciplinary action
- Users typically must sign the AUP as part of onboarding
- Violations can justify termination or legal action

#### Change Management Policy

- Establishes a formal process for requesting, reviewing, approving, testing, and documenting changes to IT systems
- Goal: Reduce risk of unauthorized or poorly tested changes introducing vulnerabilities or outages
- Key roles: Change Advisory Board (CAB) reviews and approves changes
- Emergency changes have an expedited process but still require documentation

#### Business Continuity Plan (BCP) vs. Disaster Recovery Plan (DRP)

| Aspect | BCP | DRP |
|--------|-----|-----|
| Focus | Keeping critical business functions operational | Restoring IT systems and data |
| Scope | Broader — entire business | Narrower — IT systems specifically |
| Relationship | Parent plan | Subset of BCP |
| Example | Alternate work locations during a flood | Restoring servers from backup after ransomware |

#### Data Retention Policy

- Defines how long data must be kept, in what format, and when it must be securely destroyed
- Balances: regulatory compliance requirements vs. storage costs vs. data exposure risk
- Legal hold — When litigation is pending, retention schedules may be suspended to preserve evidence
- Secure destruction methods: shredding, degaussing, cryptographic erasure

### Key Terms — Governance Policies

- Governance — The framework of rules, practices, and processes by which an organization is directed and controlled
- Change Advisory Board (CAB) — Group that reviews and approves proposed changes
- RTO (Recovery Time Objective) — Maximum acceptable time to restore a system after a disruption
- RPO (Recovery Point Objective) — Maximum acceptable data loss measured in time
- Legal Hold — A directive to preserve data relevant to anticipated or ongoing litigation
- Due Diligence — Reasonable steps taken to satisfy a legal or policy requirement
- Due Care — Ongoing efforts to maintain security and compliance over time

### ⚠️ Watch Out For

- Policy ≠ Standard ≠ Procedure — These have distinct definitions; don't use them interchangeably on the exam
- BCP is broader than DRP — DRP is a subset of BCP, not the same thing
- AUP must be signed — Without acknowledgment, enforcement is difficult
- Change management is preventive, not reactive — It exists to prevent incidents, not respond to them
- RPO and RTO are different — RPO = data loss tolerance; RTO = downtime tolerance

---


## Risk Management & Third-Party Governance

### What You Need to Know

Third-party relationships introduce significant security risk. Understanding the types of agreements and how supply chain risk is managed is essential.

### Types of Agreements

| Agreement | Binding? | Purpose |
|-----------|---------|---------|
| MOU (Memorandum of Understanding) | Non-binding | Documents mutual intentions before a formal contract |
| SLA (Service Level Agreement) | Legally binding | Defines measurable performance and security commitments |
| MSA (Master Service Agreement) | Legally binding | Governs the overall relationship between parties |
| NDA (Non-Disclosure Agreement) | Legally binding | Protects confidential information shared between parties |
| ISA (Interconnection Security Agreement) | Legally binding | Governs secure connections between two organizations' networks |

### Detailed Agreement Breakdown

#### MOU (Memorandum of Understanding)

- Non-binding agreement documenting mutual intentions, roles, and responsibilities
- Used before a formal contract is in place
- Common in government and inter-agency relationships
- Documents agreed-upon security expectations at a high level

#### SLA (Service Level Agreement)

- Contractual agreement between service provider and customer
- Defines specific, measurable commitments such as:
  - Uptime guarantees (e.g., 99.9% availability)
  - Incident response times
  - Data protection requirements
  - Notification timelines for breaches
- Creates legal accountability for the vendor
- Penalties for non-compliance should be defined in the SLA

### Supply Chain Risk Management (SCRM)

#### Definition

- The process of identifying, assessing, and mitigating security risks introduced through third-party vendors, suppliers, and partners

#### Why It Matters

- Attackers can compromise an organization by targeting a less-secure vendor with trusted access
- Notable example: SolarWinds attack — attackers compromised a vendor's software update mechanism to reach thousands of customers
- Hardware supply chain risks: Counterfeit or tampered components in hardware

#### SCRM Best Practices

- Conduct vendor risk assessments before onboarding
- Include right-to-audit clauses in contracts
- Monitor vendor security posture continuously, not just at contract signing
- Evaluate fourth-party risk (vendors' vendors)
- Use approved vendor lists to limit exposure

### Key Terms — Risk Management & Third-Party Governance

- Third-Party Risk — Security risks arising from external organizations with access to systems or data
- Vendor Due Diligence — Evaluating a vendor's security posture before engagement
- Fourth-Party Risk — Risk from a vendor's own vendors and subcontractors