This chapter covers compliance and regulatory frameworks, a critical topic for the SY0-701 exam under Security Program Management (Objective 5.4). You'll learn the major frameworks, regulations, and standards that organizations must follow, and how they differ from security controls. Understanding these is essential for passing the exam and for real-world roles where you must align security practices with legal and industry requirements.
Imagine you're a building code inspector for a large city. Your job isn't to build buildings, but to ensure every new construction project follows the city's building code, fire code, and zoning regulations. These codes exist to protect people and property, but they don't tell you exactly how to build—they set minimum standards. When a developer submits plans, you check them against the code: Are the fire exits wide enough? Is the electrical wiring up to standard? Are the materials fire-resistant? If the plans meet the code, you approve them. If not, you demand changes. But here's the key: compliance doesn't guarantee safety. A building can meet every code and still collapse in an earthquake if the code didn't account for that risk. Similarly, security compliance frameworks like PCI DSS or HIPAA set minimum standards for protecting data. They require specific controls—like encryption or access logs—but they don't guarantee you're secure against every attack. An organization can be 'compliant' yet still have misconfigured firewalls or unpatched software. The auditor (inspector) checks for the checklist, but the real security depends on going beyond the minimum. In the SY0-701 exam, you need to know the difference between complying with a framework and actually being secure.
What Are Compliance and Regulatory Frameworks?
Compliance and regulatory frameworks are structured sets of guidelines, controls, and requirements that organizations must adhere to, often due to legal obligations, industry standards, or contractual agreements. They are not security controls themselves but define what controls should be in place. For SY0-701, you need to distinguish between frameworks (like NIST, ISO) and regulations (like GDPR, HIPAA). Frameworks are voluntary but often become mandatory via contracts or laws. Regulations are legally enforceable.
Key Regulatory Frameworks
GDPR (General Data Protection Regulation): EU regulation protecting personal data of EU citizens. Applies to any organization processing EU data, regardless of location. Key requirements: consent, data breach notification within 72 hours, right to erasure, data protection officer appointment. Fines up to 4% of global annual revenue or €20 million, whichever is greater.
HIPAA (Health Insurance Portability and Accountability Act): US regulation for healthcare providers, insurers, and their business associates. Protects electronic protected health information (ePHI). Requires administrative, physical, and technical safeguards. Breach notification required within 60 days. Penalties range from $100 to $50,000 per violation.
PCI DSS (Payment Card Industry Data Security Standard): Not a law but a contractual requirement for entities handling credit card data. Managed by the PCI Security Standards Council. 12 requirements, including encrypting cardholder data, restricting access, and monitoring networks. Non-compliance can result in fines or loss of the ability to process cards.
SOX (Sarbanes-Oxley Act): US law requiring publicly traded companies to maintain accurate financial records and internal controls. Section 404 mandates assessment of internal controls over financial reporting, including IT controls that affect financial data.
GLBA (Gramm-Leach-Bliley Act): US law requiring financial institutions to protect customers' nonpublic personal information. Includes privacy notices and opt-out rights.
FERPA (Family Educational Rights and Privacy Act): US law protecting student education records. Applies to schools receiving federal funds.
Key Compliance Frameworks
NIST SP 800-53: Provides a catalog of security and privacy controls for federal information systems. Used as a baseline for US government agencies and also widely adopted in the private sector. Contains 20 control families (e.g., Access Control, Audit and Accountability).
NIST Cybersecurity Framework (CSF): Voluntary framework consisting of five functions: Identify, Protect, Detect, Respond, Recover. Provides a risk-based approach to managing cybersecurity. Not as prescriptive as 800-53.
ISO/IEC 27001: International standard for information security management systems (ISMS). Organizations can be certified. Requires risk assessment, implementation of controls from Annex A (114 controls in 14 domains), and continuous improvement.
CIS Controls: Prioritized set of 18 actions (e.g., Inventory and Control of Hardware Assets, Continuous Vulnerability Management). Developed by the Center for Internet Security. Focus on practical, high-impact defenses.
COBIT: Framework for IT governance and management. Aligns IT goals with business objectives. Used for auditing and control.
How They Work Mechanically
Compliance typically involves: (1) Identify applicable regulations/frameworks based on industry, location, data type. (2) Perform a gap analysis between current controls and required controls. (3) Implement controls to meet requirements. (4) Document policies, procedures, and evidence. (5) Undergo audits by internal or external auditors. (6) Remediate findings. (7) Maintain continuous compliance.
Exploitation by Attackers
Attackers know that compliance does not equal security. They target organizations that are 'compliant' but have weak implementation. For example, a company may encrypt data at rest (PCI DSS requirement) but use weak key management. Attackers may steal encryption keys from poorly protected key stores. Or an organization may have a firewall (compliance requirement) but misconfigured rules allowing inbound traffic. Common mistakes: checkbox compliance without understanding intent, failing to update controls as threats evolve, and treating compliance as a one-time project.
Real Tool Examples
OpenSCAP: Automated compliance scanning against SCAP (Security Content Automation Protocol) standards. Can check system configurations against NIST SP 800-53, PCI DSS, etc.
Nessus, Qualys: Vulnerability scanners that also include compliance checks for various frameworks.
Splunk: Used for log management and monitoring required by many frameworks.
GRC tools (e.g., RSA Archer, ServiceNow GRC): Manage policies, risks, and compliance activities.
Identify Applicable Requirements
Determine which regulations and frameworks apply to your organization. Consider: geographic location (GDPR for EU data), industry (HIPAA for healthcare, PCI DSS for payment cards), data types (PII, PHI, cardholder data), and business partners (contractual requirements). Document the specific clauses or controls that must be met. For example, if you process credit cards, PCI DSS Requirement 3.4 mandates rendering cardholder data unreadable anywhere it is stored. This step is often done by a compliance officer or legal team.
Perform Gap Analysis
Compare current security controls against the identified requirements. Use a checklist or mapping tool. For each requirement, assess whether the control is in place, partially in place, or absent. For example, if HIPAA requires encryption of ePHI at rest, check if disk encryption is enabled on all servers storing ePHI. Document gaps with evidence. This step may involve technical assessments, policy reviews, and interviews.
Implement and Document Controls
Remediate gaps by implementing missing controls. Update policies, configure technical controls (e.g., enable encryption, deploy intrusion detection), and create procedures. Document everything: policies, configuration files, training records, and audit logs. For example, for PCI DSS Requirement 10 (track and monitor access to cardholder data), ensure logging is enabled and logs are reviewed daily. Create a log review policy and document review activities.
Conduct Internal Audit
Before external audit, perform an internal audit to verify compliance. Use automated tools (e.g., vulnerability scanners, configuration compliance scanners) and manual checks. For example, run a PCI DSS scan using Tenable's Compliance Checks. Review logs for evidence of monitoring. Prepare evidence packages for each requirement. Identify any non-compliance and remediate before external audit.
Undergo External Audit
An external auditor (e.g., Qualified Security Assessor for PCI DSS, third-party auditor for ISO 27001) reviews evidence, interviews staff, and tests controls. They may perform on-site inspections. For example, a PCI DSS auditor will verify that cardholder data is not stored after authorization (Requirement 3.1). If non-compliance is found, they issue a report of findings. Remediation must occur within specified timeframes (e.g., 30 days for PCI DSS).
Maintain Continuous Compliance
Compliance is not a one-time event. Continuously monitor controls, update them as regulations change, and conduct periodic reassessments. For example, GDPR requires ongoing data protection impact assessments. Use continuous monitoring tools like SIEM to detect configuration drift. Schedule annual audits and quarterly vulnerability scans (PCI DSS Requirement 11). Maintain a change management process to ensure new systems are compliant.
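The gap-analysis and continuous-compliance steps above can be expressed as a small scoping-and-evidence check. The following Python is an added example, not code from the original chapter or from any tool it names: it maps a few of the requirements the chapter cites (HIPAA encryption of ePHI at rest, PCI DSS 3.4, 10 and 11) onto a constructed asset inventory and reports each requirement as in place, partial, absent or not applicable. Hostnames, dates and the 1-day and 90-day windows are assumptions chosen to match the chapter's "reviewed daily" and "quarterly scan" wording.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass
class Asset:
    name: str
    scope: frozenset                # data types stored, processed or transmitted
    encrypted_at_rest: bool
    logging_enabled: bool
    last_log_review: Optional[date]
    last_vuln_scan: Optional[date]

def within_days(when: Optional[date], today: date, limit: int) -> bool:
    return when is not None and 0 <= (today - when).days <= limit

REQUIREMENTS = [  # (requirement as cited in the chapter, in-scope data type, check)
    ("HIPAA: ePHI encrypted at rest", "ePHI", lambda a, t: a.encrypted_at_rest),
    ("PCI DSS 3.4: stored cardholder data unreadable", "cardholder", lambda a, t: a.encrypted_at_rest),
    ("PCI DSS 10: logging on, logs reviewed daily", "cardholder",
     lambda a, t: a.logging_enabled and within_days(a.last_log_review, t, 1)),
    ("PCI DSS 11: quarterly vulnerability scan", "cardholder",
     lambda a, t: within_days(a.last_vuln_scan, t, 90)),
]

def gap_analysis(assets: list, reqs: list, today: date) -> dict:
    """Map each requirement ref to (status, names of in-scope assets that fail it)."""
    report = {}
    for ref, data_type, check in reqs:
        in_scope = [a for a in assets if data_type in a.scope]
        if not in_scope:            # scoping: nothing carries this data type
            report[ref] = ("not applicable", [])
            continue
        failing = [a.name for a in in_scope if not check(a, today)]
        if not failing:
            status = "in place"
        elif len(failing) == len(in_scope):
            status = "absent"
        else:
            status = "partial"      # some assets covered, others missed
        report[ref] = (status, failing)
    return report

# Constructed sample inventory; hostnames and dates are made up for this example.
TODAY = date(2024, 6, 1)
SAMPLE_ASSETS = [
    Asset("ehr-db-01", frozenset({"ePHI"}), True, True, date(2024, 5, 31), date(2024, 4, 15)),
    Asset("backup-tapes", frozenset({"ePHI"}), False, False, None, None),  # the forgotten backups
    Asset("web-01", frozenset({"cardholder"}), True, True, date(2024, 5, 31), date(2024, 2, 1)),
    Asset("pay-gw-01", frozenset({"cardholder"}), True, True, date(2024, 5, 31), date(2024, 4, 15)),
]

if __name__ == "__main__":
    for ref, (status, failing) in gap_analysis(SAMPLE_ASSETS, REQUIREMENTS, TODAY).items():
        print(f"{status:<14} {ref} {failing}")
```

Run against the sample inventory, the HIPAA encryption requirement comes back "partial" because the backup tapes were left out, and the quarterly-scan requirement comes back "partial" because web-01 has drifted past the 90-day window; those are the findings a gap analysis or continuous-monitoring cycle is meant to surface before an auditor does.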
Scenario 1: Hospital HIPAA Audit
A hospital's security team is preparing for a HIPAA audit. The analyst reviews access logs for ePHI systems. They use a SIEM like Splunk to detect unauthorized access. During the audit, the auditor asks for evidence of encryption at rest. The analyst provides a report from BitLocker showing all ePHI servers are encrypted. However, the auditor finds that backup tapes are not encrypted. This is a common mistake: encrypting production data but forgetting backups. The correct response is to encrypt all backups and update the policy. The analyst should have included backups in the gap analysis.
Scenario 2: E-commerce PCI DSS Compliance
A small e-commerce company must comply with PCI DSS Level 4 (lowest volume). They use a third-party payment processor to reduce scope. The engineer runs a vulnerability scan using a PCI-approved scanning vendor (ASV). The scan reveals that the web server has a critical vulnerability (e.g., CVE-2023-xxxx). The engineer must remediate within 30 days. A common mistake is to ignore the scan results because the vulnerability has not been exploited. The correct response is to patch immediately and rescan. The engineer also ensures that cardholder data is never stored on the web server (Requirement 3.1).
Scenario 3: GDPR Data Breach
A multinational company suffers a data breach exposing EU customer data. The incident response team must notify the supervisory authority within 72 hours. The CISO must determine if the breach poses a risk to individuals. They use a DPIA (Data Protection Impact Assessment) template to document the breach. A common mistake is to delay notification while investigating, but GDPR requires notification even without full details. The correct response is to notify promptly with the available information and update later. The team also implements additional controls like multi-factor authentication to prevent recurrence.
What SY0-701 Tests: Objective 5.4 focuses on explaining the importance of applicable regulations, standards, and frameworks. You must be able to identify which regulation applies based on scenario (e.g., a healthcare provider in the US must follow HIPAA). Also know the differences between regulations (legally binding) and frameworks (voluntary but often required). Expect scenario-based questions where you choose the correct regulation or framework.
Common Wrong Answers: 1. Choosing 'ISO 27001' when the question asks for a US federal regulation (ISO is international, not a regulation). 2. Selecting 'PCI DSS' for a healthcare scenario (PCI DSS is for payment cards, not health data). 3. Confusing 'NIST SP 800-53' with 'NIST Cybersecurity Framework' — 800-53 is a control catalog, CSF is a risk-based framework. 4. Thinking 'GDPR' applies only to EU companies (it applies to any organization processing EU data).
Key Terms to Memorize: - PII, PHI, ePHI, PCI DSS, SOX, GLBA, FERPA, GDPR, NIST SP 800-53, NIST CSF, ISO 27001, CIS Controls, COBIT, SCAP, DPIA. - Breach notification timeframes: GDPR 72 hours, HIPAA 60 days, PCI DSS varies. - Penalties: GDPR 4% revenue or €20M, HIPAA up to $50K per violation.
Trick Questions: - 'Which regulation requires a Data Protection Officer?' Answer: GDPR (not HIPAA or PCI DSS). - 'Which framework includes the five functions: Identify, Protect, Detect, Respond, Recover?' Answer: NIST CSF (not NIST 800-53). - 'Which standard uses Annex A controls?' Answer: ISO 27001.
Decision Rule: For scenario questions, first identify the data type (PII, PHI, cardholder data) and location (US, EU). Then match to the most specific regulation. If no regulation fits, choose a framework like NIST CSF or ISO 27001.
GDPR requires breach notification within 72 hours of discovery.
HIPAA applies to ePHI and requires administrative, physical, and technical safeguards.
PCI DSS has 12 core requirements for protecting cardholder data.
NIST CSF consists of five functions: Identify, Protect, Detect, Respond, Recover.
ISO 27001 is an international standard for ISMS with 114 controls in Annex A.
SOX Section 404 requires internal controls over financial reporting, including IT controls.
GLBA requires financial institutions to protect nonpublic personal information.
These come up on the exam all the time. Here's how to tell them apart.
Regulation (e.g., GDPR, HIPAA) | Framework (e.g., NIST CSF, ISO 27001)
Legally enforceable | Voluntary (but may be required by contract)
Mandatory for covered entities | Not legally binding
Specific penalties for non-compliance | No direct fines (but certification may be required)
Often industry-specific | Cross-industry applicability
Focus on protecting specific data types | Focus on overall security posture
Mistake: Compliance equals security.
Correct: Compliance is a baseline, not a guarantee of security. An organization can be compliant yet still vulnerable to attacks due to misconfigurations or unpatched systems.
Mistake: PCI DSS is a law.
Correct: PCI DSS is a contractual standard, not a law. However, non-compliance can lead to fines or loss of ability to process credit cards.
Mistake: GDPR only applies to companies in the EU.
Correct: GDPR applies to any organization that processes personal data of EU residents, regardless of the organization's location.
Mistake: HIPAA applies to all health-related data.
Correct: HIPAA applies only to covered entities (healthcare providers, insurers) and their business associates. It does not apply to all health data (e.g., fitness app data may not be covered).
Mistake: NIST CSF and NIST SP 800-53 are interchangeable.
Correct: NIST CSF is a high-level risk management framework; NIST SP 800-53 is a detailed control catalog. They serve different purposes.
A regulation is a legally binding rule issued by a government body (e.g., GDPR, HIPAA) that must be followed, with penalties for non-compliance. A framework is a set of guidelines or best practices (e.g., NIST CSF, ISO 27001) that is voluntary but often adopted to improve security or meet contractual requirements. On the SY0-701 exam, you must identify which is which based on the scenario.
For a US healthcare organization, the primary regulation is HIPAA (Health Insurance Portability and Accountability Act). It applies to covered entities and business associates that handle electronic protected health information (ePHI). Additionally, you may use frameworks like NIST SP 800-53 or HITRUST to implement controls. On the exam, if the scenario mentions patient data, think HIPAA.
Yes, PCI DSS applies to any organization that stores, processes, or transmits cardholder data. However, the level of validation depends on transaction volume. Small merchants may self-assess, while large merchants require an on-site audit by a Qualified Security Assessor (QSA). Note: PCI DSS is not a law but a contractual requirement from card brands.
The NIST Cybersecurity Framework (CSF) is a voluntary framework that provides a risk-based approach to managing cybersecurity. It consists of five functions: Identify, Protect, Detect, Respond, Recover. It is widely used across industries to improve security posture and communicate risk. Unlike NIST SP 800-53, it does not provide specific controls but rather a structure for developing a cybersecurity program.
Yes, organizations can be certified against ISO/IEC 27001 by an accredited certification body. Certification requires implementing an Information Security Management System (ISMS) that meets the standard's requirements, including risk assessment and controls from Annex A. Certification is valid for three years with annual surveillance audits. It is common for organizations to seek certification to demonstrate security maturity.
A common mistake is treating compliance as a checkbox exercise without understanding the intent. For example, a company may encrypt data at rest (meeting a requirement) but use weak key management, leaving data vulnerable. Another mistake is failing to maintain continuous compliance—updates, patches, and configuration changes can break compliance. On the exam, look for answers that indicate a lack of ongoing monitoring or misunderstanding of control objectives.
GDPR affects any company that processes personal data of EU residents, regardless of the company's location. This includes offering goods or services to EU residents or monitoring their behavior. Non-EU companies must appoint a representative in the EU, comply with data subject rights, and notify breaches within 72 hours. Non-compliance can result in fines up to 4% of global annual revenue.