Internal compliance reporting
Internal audits and assessments that an organization conducts to examine its alignment with its own organizational policies and regulatory requirements.
External compliance reporting
Audits of external stakeholders (e.g., clients, vendors, business partners), and how they adhere to regulatory requirements.
Fines
Financial penalties imposed on organizations for failing to meet regulatory standards, impacting the company's reputation and bottom line.
Sanctions
Penalties imposed on an entity to enforce compliance with regulations/laws.
Reputational damage
Public announcements/scandals related to non-compliance, discouraging customers from using a business’s products/services.
Loss of license
Loss of a certification allowing a company to operate in its industry, significantly affecting its economic situation.
Contractual impacts
Contract breaches that occur when organizations fail to maintain relevant security compliance.
Due diligence
Compliance monitoring actions taken towards a third party (e.g., audits, compliance, penetration testing).
Due care
Compliance monitoring actions taken internally (e.g., internal audits).
Attestation/acknowledgement
Signing or affirmation from a senior official that an organization adheres to standardized policies.
Automation
Using automated compliance systems to collect data for monitoring purposes.
Privacy
The ability of individuals/entities to seclude information about themselves and/or express themselves secretly.
Local/regional privacy laws
Regulations governing privacy in a smaller area (e.g., California Consumer Privacy Act, CCPA).
National privacy laws
Regulations that govern privacy over a whole country (e.g., HIPAA in the US).
Global privacy laws
Regulations governing privacy across multiple countries (e.g., GDPR in the EU).
Data subject
An individual who is identified by personal data.
Data controller
The entity that determines the purposes and means of processing personal data.
Data processor
The entity that processes data on behalf of the controller, often under contractual obligations.
Data owner
The individual or entity that holds the right to determine how and why personal data is processed.
Data inventory
Lists of classified data or information stored or processed by a system.
Data retention
The process an organization uses to maintain and control certain data to comply with business policies and/or applicable laws.
Right to be forgotten
A principle in GDPR that grants data subjects the right to request the erasure or deletion of their personal data under certain circumstances.