Compliance and Regulatory Frameworks (GDPR, HIPAA, PCI-DSS, NIST) Explained for Security+

GDPR (General Data Protection Regulation) governs personal data of EU residents regardless of where the organization processing it is located. Key requirements: lawful basis for processing personal data, the right to erasure (right to be forgotten), data portability, and breach notification to supervisory authorities within 72 hours of becoming aware of the breach. GDPR fines can reach 4 percent of global annual revenue.

HIPAA (Health Insurance Portability and Accountability Act) protects Protected Health Information (PHI) in the United States. PHI includes any information that can identify a patient and relates to their health condition, treatment, or payment. HIPAA applies to covered entities (healthcare providers, insurers, clearinghouses) and their business associates. HIPAA requires administrative, physical, and technical safeguards, and breach notification to affected individuals within 60 days.

PCI-DSS (Payment Card Industry Data Security Standard) is a set of technical and operational requirements created by the card brands (Visa, Mastercard, Amex) for any organization that stores, processes, or transmits cardholder data. Unlike GDPR and HIPAA, PCI-DSS is not a law but a contractual requirement: organizations that do not comply risk losing the ability to accept card payments. Twelve core requirements cover network security, access control, encryption, monitoring, and vulnerability management.

The NIST Cybersecurity Framework (CSF) organizes security activities into five core functions: Identify (know your assets and risks), Protect (implement safeguards), Detect (identify security events), Respond (take action on detected events), and Recover (restore capabilities after an incident). The framework is voluntary for most private organizations but is required for US federal agencies and is widely adopted as a best-practice reference.

NIST SP 800-53 is the catalog of security controls used by US federal agencies and contractors. It covers hundreds of specific controls across access control, audit, configuration management, incident response, and more.

ISO 27001 is an international standard for information security management systems (ISMS). Organizations can certify their ISMS against ISO 27001 through an independent audit, providing a recognized certification of their security posture.

SOC 2 (System and Organization Controls) is an audit framework covering five Trust Service Criteria: Security, Availability, Processing Integrity, Confidentiality, and Privacy. SOC 2 Type I assesses whether controls are designed correctly at a point in time. SOC 2 Type II assesses whether they operated effectively over a period (typically 6 to 12 months). SaaS providers often obtain SOC 2 Type II reports to demonstrate security to enterprise customers.

Framework identification: EU personal data, 72-hour breach notification = GDPR. US health information, PHI = HIPAA. Payment card data = PCI-DSS.

NIST CSF functions in order: Identify, Protect, Detect, Respond, Recover. The function being described determines the correct answer.

SOC 2 Type I: design of controls at a point in time. Type II: operational effectiveness over a period. For vendor due diligence, Type II is more meaningful.

Compliance vs security: compliance establishes a minimum baseline. It does not guarantee security. An organization can be fully compliant and still be breached because compliance frameworks are not updated fast enough to address emerging threats.