Domain 5 of 5 · Chapter 4 of 6

Security Compliance

Unlock the complete study guide + 1,040 practice questions across 16 full exams.

Bundled into the existing CompTIA Security+ premium course — no separate purchase.

Included in this chapter:

  • Compliance reporting: internal vs. external
  • Consequences of non-compliance
  • Compliance monitoring: due diligence, due care, attestation, automation
  • Privacy: roles, rights, ownership, inventory, and retention

Non-compliance consequences and how they bite

ConsequenceSourceTypical examplePrimary mitigation
FinesStatutory/regulatoryGDPR penalty up to 4% of global annual turnoverMaintain documented controls + breach reporting
SanctionsRegulator/governmentOperating restrictions or mandated remediation orderDemonstrate due diligence via monitoring evidence
Loss of licenseLicensing bodyHealthcare or financial license suspendedContinuous attestation against the licensing standard
Contractual impactsCustomer/partner contractSLA penalties, contract termination, indemnity claimsMap controls to contractual security clauses
Reputational damagePublic/marketCustomer churn and lost deals after a disclosed breachTransparent reporting + rapid, documented response

Decision tree

Is the audience inside the organization? Yes (board / mgmt) No (external) Internal compliance report control gaps, residual risk Is it a privacy-rights request from a data subject? Yes No Right-to-be-forgotten workflow find via data inventory, delete, honor retention / legal-hold exceptions Continuous assurance vs. point-in-time evidence? Continuous Point-in-time Automated compliance monitoring scanners / GRC = due diligence, catches drift between audits External report + attestation to regulator / auditor / customer Always: due care first (implement the control), then due diligence (verify it keeps working) — neither alone avoids negligence.

Cheat sheet

  • Compliance reporting splits internal vs. external by audience
  • External reporting is deadline-bound by breach-notification law
  • Due care = doing; due diligence = checking
  • A written-but-untested plan = due care without due diligence
  • Non-compliance has exactly five consequence categories
  • Fines are money; sanctions are an order
  • GDPR's top fine tier is the greater of EUR 20M or 4% of global turnover
  • Reputational damage has no ceiling and no end date
  • Attestation is a formal control assertion; acknowledgement is a personal sign-off
  • Monitoring can be internal or external, and external carries more weight
  • Automation makes due diligence continuous, not point-in-time
  • Compliance is necessary but not sufficient for security
  • Privacy obligations stack across four scopes, and the strictest governs
  • Know the privacy triad: data subject, controller, processor
  • A processor that decides purpose is reclassified as a controller
  • A data inventory is the prerequisite to every privacy obligation
  • Retention is pulled between minimization and legal hold
  • The right to be forgotten is not absolute
  • Match each consequence category to the source that produces it
  • GDPR reaches any organization worldwide that targets people in the EU
  • Handling DoD CUI requires at least CMMC 2.0 Level 2, mapped to NIST SP 800-171
  • HIPAA requires individual breach notice within 60 calendar days of discovery

Unlock with Premium — includes all practice exams and the complete study guide.

Also tested in

References

  1. NIST Glossary: attestation Whitepaper
  2. NIST Cybersecurity Framework 2.0 (Govern function) Whitepaper
  3. CompTIA Security+ (SY0-701) certification and exam objectives
  4. Security and Privacy Controls for Information Systems and Organizations (SP 800-53 Rev. 5) Whitepaper
  5. NIST Glossary: personally identifiable information (PII) Whitepaper
  6. Guide to Protecting the Confidentiality of PII (SP 800-122) Whitepaper
  7. NIST Privacy Framework Whitepaper