Internal compliance reporting: Internal audits and assessments that an organization conducts to examine its alignment with its own organizational policies and regulatory requirements.
External compliance reporting: Audits of external stakeholders (e.g., clients, vendors, business partners) and of how they adhere to regulatory requirements.
Fines: Financial penalties imposed on organizations for failing to meet regulatory standards, which can significantly impact the company's reputation and bottom line.
Sanctions: Penalties imposed on an entity to enforce compliance with regulations/laws.
Reputational damage: Public announcements/scandals related to non-compliance, which discourage customers from using a business's products/services.
Loss of license: Loss of a particular certification that allows a company to operate in its industry - can be a significant economic hit to the company if the license is required to sell a product.
Contractual impacts: Contract breaches that occur when one (or more) organizations fail to maintain relevant security compliance.
Due diligence: Compliance monitoring actions taken towards a third party (e.g., audits, compliance, penetration testing).
Due care: Compliance monitoring actions taken internally (e.g., internal audits).
Attestation/acknowledgement: Signing or affirmation from a senior official (in charge of compliance) that an organization adheres to the standardized policies.
Automation: Refers to using automated compliance systems to collect data from people, third parties, and from the organization for monitoring purposes.
Privacy: The ability of individuals/entities to seclude information about themselves and/or express themselves secretly.
Local/regional privacy laws: Regulations that govern privacy in a smaller area (e.g., California Consumer Privacy Act, CCPA).
National privacy laws: Regulations that govern privacy over a whole country (e.g., HIPAA in the US).
Global privacy laws: Regulations that govern privacy across multiple countries (e.g., GDPR in the EU).
Data subject: An individual who is identified by personal data.
Data controller: The entity that determines the purposes and means of processing personal data.
Data processor: The entity that processes data on behalf of the controller, often under contractual obligations.
Data owner: The individual or entity that holds the right to determine how and why personal data is processed, making decisions regarding its use and management.
Data inventory: Lists of classified data or information stored or processed by a system.
Data retention: The process an organization uses to maintain the existence of and control over certain data in order to comply with business policies and/or applicable laws and regulations.
Right to be forgotten: A fundamental principle outlined in the General Data Protection Regulation (GDPR) that grants data subjects the right to request the erasure or deletion of their personal data under certain circumstances.