5.4 - CompTIA Security+

Compliance reporting

Internal

  • Internal compliance reporting: Internal audits and assessments that an organization conducts itself to examine its alignment with its own policies and with applicable regulatory requirements; results are reported to management and the board rather than to outside parties.

External

  • External compliance reporting: Reporting an organization's compliance status to outside parties (e.g., regulators, clients, business partners), often based on audits performed by independent third parties. It also covers verifying that the organization's own vendors and partners adhere to the regulatory requirements they are subject to.

Consequences of non-compliance

Fines

  • Fines: Financial penalties imposed on organizations for failing to meet regulatory standards, which can significantly impact the company's reputation and bottom line.

Sanctions

  • Sanctions: Penalties other than fines imposed on an entity to enforce compliance with laws and regulations, such as restrictions on operations, trade, or market access.

Reputational damage

  • Reputational damage: Public announcements/scandals related to non-compliance, which discourages customers from using a business’s products/services.

Loss of license

  • Loss of license: Loss of a license or certification that allows a company to operate in its industry; this can be a significant economic hit if the license is required to sell a product or provide a service.

Contractual impacts

  • Contractual impacts: Contract breaches that occur when one (or more) organizations fail to maintain relevant security compliance.

Compliance monitoring

Due diligence/care

  • Due diligence: Investigating and verifying compliance before and during a relationship, typically towards a third party (e.g., vendor audits, reviewing compliance evidence, penetration test reports).

  • Due care: The reasonable, ongoing actions an organization takes internally to maintain compliance (e.g., internal audits, following its own policies, remediating findings).

Attestation and acknowledgement

  • Attestation: A formal, signed statement from a senior official (e.g., the person in charge of compliance) that the organization adheres to the required policies and standards.

  • Acknowledgement: A signed affirmation from an individual (e.g., an employee or contractor) that they have read and understood a policy and agree to follow it.

Internal and external

  • Internal monitoring: Compliance monitoring performed by the organization's own staff (e.g., internal audit, security teams).

  • External monitoring: Compliance monitoring performed by outside parties (e.g., regulators, independent auditors, clients exercising contractual audit rights).

Automation

  • Automation: Using automated compliance systems to collect evidence and monitoring data from people, systems, and third parties on a continuous basis, rather than relying on periodic manual checks.

Privacy

  • Privacy: The ability of individuals/entities to seclude themselves or information about themselves, and thereby to express themselves selectively.

Legal implications

Local/regional

  • Local/regional privacy laws: Regulations that govern privacy in a smaller area (e.g., California Consumer Privacy Act, CCPA).

National

  • National privacy laws: Regulations that govern privacy over a whole country (e.g., HIPAA in the US).

Global

  • Global privacy laws: Regulations that govern privacy across multiple countries (e.g., GDPR, which applies across EU/EEA member states and also to organizations outside the EU that process EU residents' personal data).

Data subject

  • Data subject: An individual who is identified by personal data.

Controller vs. processor

  • Data controller: The entity that determines the purposes and means of processing personal data.

  • Data processor: The entity that processes data on behalf of the controller, often under contractual obligations.

Ownership

  • Data owner: The person or role within an organization accountable for a particular set of data, including its classification, how it may be used, and who may access it. This is an internal accountability role, distinct from the legal controller/processor designations and from the data subject.

Data inventory and retention

  • Data inventory: A catalog of the data an organization stores or processes, typically recording each data set's classification, location, owner, and purpose; it is the basis for retention decisions and for answering data subject requests.

  • Data retention: The process an organization uses to maintain the existence of and control over certain data for a defined period in order to comply with business policies and/or applicable laws and regulations, and to dispose of it once that period ends.

Right to be forgotten

  • Right to be forgotten: A principle outlined in the General Data Protection Regulation (GDPR, Article 17, "right to erasure") that grants data subjects the right to request the erasure of their personal data under certain circumstances. It is not absolute: a controller can refuse where it is legally obliged to retain the data (e.g., tax or financial records) or needs it for legal claims.
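The following is an added example, not part of these notes, tying together compliance automation, the data inventory, retention, and the right to be forgotten. It evaluates a small constructed inventory against a hypothetical retention policy and applies an erasure request while honouring the legal-obligation exception in GDPR Article 17(3). The record categories, retention periods, the `LEGALLY_REQUIRED` set and the sample records are all invented for illustration; the exception logic is the practitioner caveat that erasure is not absolute.

```python
"""Added compliance-automation example: retention review and erasure requests
over a data inventory. Policy values and sample data are hypothetical."""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass
class InventoryRecord:
    record_id: str
    category: str        # classification label from the data inventory
    data_subject: str    # pseudonymous identifier of the data subject
    created: date
    legal_hold: bool = False   # litigation/regulatory hold overrides deletion


@dataclass
class Finding:
    record_id: str
    action: str          # "keep", "delete", "hold" or "review"
    reason: str


# Hypothetical retention policy: days each category may be kept.
RETENTION_DAYS = {
    "marketing_consent": 365,
    "support_ticket": 730,
    "invoice": 3650,     # financial records kept for years by legal obligation
}

# Categories the organization is legally obliged to retain; erasure requests
# for these are refused under GDPR Art. 17(3)(b). Hypothetical set.
LEGALLY_REQUIRED = {"invoice"}


def evaluate_retention(records, today, retention=RETENTION_DAYS):
    """Flag each record as keep/delete/hold, or review if the inventory
    contains a category the policy does not cover (a common real finding)."""
    findings = []
    for r in records:
        limit = retention.get(r.category)
        if limit is None:
            findings.append(Finding(r.record_id, "review",
                                    f"no retention period defined for {r.category!r}"))
            continue
        expires = r.created + timedelta(days=limit)
        if today < expires:
            findings.append(Finding(r.record_id, "keep", f"within retention until {expires}"))
        elif r.legal_hold:
            findings.append(Finding(r.record_id, "hold",
                                    "retention expired but record is under legal hold"))
        else:
            findings.append(Finding(r.record_id, "delete", f"retention expired on {expires}"))
    return findings


def process_erasure_request(records, subject_id):
    """Apply a right-to-be-forgotten request for one data subject.
    Returns (erased_ids, retained) where retained lists (id, reason) for
    records the controller may lawfully refuse to erase."""
    erased, retained = [], []
    for r in records:
        if r.data_subject != subject_id:
            continue
        if r.legal_hold:
            retained.append((r.record_id, "legal hold"))
        elif r.category in LEGALLY_REQUIRED:
            retained.append((r.record_id, "legal obligation to retain (Art. 17(3)(b))"))
        else:
            erased.append(r.record_id)
    return erased, retained


def summarize(findings):
    """Counts per action, the kind of figure an internal compliance report carries."""
    counts = {}
    for f in findings:
        counts[f.action] = counts.get(f.action, 0) + 1
    return counts


# Constructed sample inventory and review date (not real data).
TODAY = date(2024, 6, 1)
SAMPLE_INVENTORY = [
    InventoryRecord("r1", "marketing_consent", "subj-A", date(2023, 1, 15)),
    InventoryRecord("r2", "marketing_consent", "subj-B", date(2024, 3, 1)),
    InventoryRecord("r3", "support_ticket", "subj-A", date(2022, 1, 10), legal_hold=True),
    InventoryRecord("r4", "invoice", "subj-A", date(2020, 5, 5)),
    InventoryRecord("r5", "chat_transcript", "subj-B", date(2023, 9, 9)),
]

if __name__ == "__main__":
    for f in evaluate_retention(SAMPLE_INVENTORY, TODAY):
        print(f"{f.record_id}: {f.action:6} ({f.reason})")
    print("summary:", summarize(evaluate_retention(SAMPLE_INVENTORY, TODAY)))
    erased, retained = process_erasure_request(SAMPLE_INVENTORY, "subj-A")
    print("erasure request subj-A -> erased:", erased, "retained:", retained)
```

Running it shows r1 past its retention period and eligible for deletion, r3 expired but blocked by a legal hold, and r5 flagged for review because the inventory contains a category the policy never covered. The erasure request for subj-A removes only r1; r3 and r4 are retained with the reason a controller would cite back to the data subject.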