
Compliance Frameworks for CompTIA Network+ N10-009

Compliance frameworks define security standards and requirements that organizations must meet based on their industry, data types, and geographic location. CompTIA Network+ N10-009 tests major compliance frameworks and how they influence network design and security controls. Understanding PCI DSS, HIPAA, GDPR, SOX, and NIST frameworks helps answer questions about why certain network controls are required.


Key Compliance Frameworks

PCI DSS (Payment Card Industry Data Security Standard): applies to organizations that process, store, or transmit credit card data. Its twelve requirements include: network segmentation of the cardholder data environment (CDE), firewalls, no default passwords, encrypted transmission, vulnerability scanning and penetration testing, access control, logging and monitoring, and a security policy. Non-compliance risks fines and loss of the ability to process payment cards.

HIPAA (Health Insurance Portability and Accountability Act): US federal law protecting Protected Health Information (PHI). Requires: access controls, audit logging, encryption of PHI at rest and in transit, minimum necessary access principle, breach notification within 60 days, business associate agreements. Applies to covered entities (healthcare providers) and business associates (vendors handling PHI).

GDPR (General Data Protection Regulation): EU regulation covering personal data of EU residents. Key requirements: data minimization, purpose limitation, right to erasure ('right to be forgotten'), explicit consent, breach notification within 72 hours, data protection by design. Applies to any organization processing EU resident data, regardless of location.

SOX (Sarbanes-Oxley): US law requiring financial reporting controls for publicly traded companies. IT controls include: access controls to financial systems, audit trails, segregation of duties, change management controls. Network security supports SOX compliance by controlling who can access financial systems.

NIST and Security Frameworks

NIST CSF (Cybersecurity Framework): voluntary framework from the National Institute of Standards and Technology. Five functions: Identify (understand assets and risks), Protect (implement safeguards), Detect (monitor for events), Respond (respond to incidents), Recover (restore capabilities). Widely used as an organizational security maturity model.

NIST SP 800-53: security and privacy controls catalog used by US federal agencies. Comprehensive control families covering access control, audit, incident response, configuration management, and more. Many private organizations adopt SP 800-53 as a rigorous security baseline.

ISO 27001: international standard for Information Security Management Systems (ISMS). Organizations can achieve ISO 27001 certification demonstrating systematic security management. Annex A contains 114 controls across 14 domains.

Key exam facts — Network+

  • PCI DSS: payment card data, 12 requirements, requires network segmentation of CDE
  • HIPAA: US healthcare PHI, access controls, encryption, breach notification within 60 days
  • GDPR: EU personal data, right to erasure, breach notification within 72 hours
  • SOX: US publicly traded companies, financial system controls, audit trails
  • NIST CSF: Identify, Protect, Detect, Respond, Recover
  • ISO 27001: international ISMS certification standard
  • Compliance requires network segmentation, logging, encryption, and access controls

Common exam traps

Compliance equals security

Compliance is a minimum baseline — meeting compliance requirements does not mean the organization is fully secure. Many breaches occur in compliant organizations. Security should exceed compliance requirements, not just meet them.

Practice questions — Compliance Frameworks

These questions are representative of what you will see on Network+ exams. The correct answer and explanation are shown immediately below each question.

Q1. A retail company that processes credit card payments must isolate its payment processing systems from general corporate systems and implement firewalls, logging, and encryption. Which compliance framework mandates these requirements?

A. HIPAA
B. GDPR
C. PCI DSS
D. SOX

Correct answer: C. PCI DSS

Explanation: PCI DSS (Payment Card Industry Data Security Standard) specifically mandates network segmentation of the cardholder data environment (CDE) from other networks, firewall deployment, access controls, encryption of transmitted cardholder data, and logging/monitoring. HIPAA covers healthcare data; GDPR covers EU personal data; SOX covers financial reporting controls.

Frequently asked questions — Compliance Frameworks

Does GDPR apply to companies outside the EU?

Yes. GDPR applies to any organization, anywhere in the world, that processes personal data of EU residents. A US company with an EU customer base must comply with GDPR. This includes: proper consent mechanisms, privacy policies, data subject rights (right to access, erasure, portability), breach notification, and data transfer restrictions when data leaves the EU.
