Chapter 116 · Security Program Management

Compliance

Compliance means meeting the standards set by laws, regulations, and policies. This chapter covers regulatory frameworks (SOX, HIPAA, GLBA), HIPAA penalty tiers, real-world compliance consequences, due care vs. due diligence, attestation, and the role of compliance monitoring in maintaining regulatory posture.

Confidential
Report ID: COMP-2024-001Domain: Security Program ManagementTopic: Regulatory Frameworks & Compliance Fundamentals

Regulatory Frameworks and Compliance Fundamentals

Compliance is the state of meeting the requirements set by laws, regulations, policies, and contractual obligations. Organizations operate in an environment where compliance failures carry real consequences: financial penalties, criminal prosecution, loss of operating licenses, and termination of business relationships.

What Compliance Means

Compliance is not optional. Organizations must comply with every applicable law, regulation, and standard in every jurisdiction where they operate. Ignorance of a regulation is not a defense; compliance must be actively managed.

Key Regulatory Frameworks

Three major US regulatory frameworks appear frequently on Security+ examinations:

SOX = public company financial controls (2002, post-Enron). HIPAA = healthcare PHI protection. GLBA = financial institution customer data privacy (1999). Each has specific technical requirements for IT systems handling covered data.
Confidential
Report ID: COMP-2024-002Domain: Security Program ManagementTopic: HIPAA Penalties & Compliance Violation Consequences

HIPAA Penalty Tiers and Real-World Compliance Consequences

HIPAA establishes a tiered penalty structure that scales based on the nature and intent of the violation. Understanding the penalty tiers illustrates how regulators treat compliance violations of varying severity — and demonstrates the real consequences of inadequate security programs.

HIPAA Criminal Penalty Tiers

HIPAA criminal penalties escalate based on the violator's intent and knowledge:

Civil penalties: In addition to criminal penalties, HIPAA civil fines can reach $25,000 per year per identical type of violation. Multiple violation types in the same year multiply the potential civil penalty.

Real-World Consequences: The Uber Case Study

The Uber data breach illustrates the range of consequences that compliance and disclosure failures create:

Uber Breach Timeline: October 2016 — attackers breach Uber systems, exfiltrating data on approximately 25.6 million drivers and riders. November 2017 — Uber publicly discloses the breach (13 months after discovery). During those 13 months, Uber paid the attackers $100,000 and required them to sign an NDA in an attempt to keep the breach confidential — concealing the breach rather than notifying regulators and affected individuals as required by law. 2018 — Uber pays a $148 million settlement across US states for breach notification violations. May 2023 — Uber's former Chief Security Officer (CSO) is sentenced to federal prison for obstruction of justice and concealment of the breach.

Other Compliance Consequences

HIPAA tiers: unknowing = $50K/1yr; false pretenses = $100K/5yr; malicious/commercial = $250K/10yr. Civil: $25K/yr per violation type. Uber: $148M fine + CSO imprisoned for concealing breach. Loss of license and contractual breach are non-criminal compliance consequences.
Confidential
Report ID: COMP-2024-003Domain: Security Program ManagementTopic: Due Care, Due Diligence, Attestation & Compliance Monitoring

Due Care, Attestation, and Compliance Monitoring

Beyond meeting specific regulatory requirements, organizations must demonstrate that they are actively managing their compliance posture. Three related concepts form the foundation of proactive compliance management: due care, due diligence, and attestation. Compliance monitoring operationalizes these concepts in ongoing daily activity.

Due Care vs. Due Diligence

Due care and due diligence are complementary concepts that describe how an organization demonstrates reasonable, responsible behavior in managing security and compliance obligations.

Attestation

Attestation is the formal process by which an executive or authorized individual signs off on compliance documentation, certifying that it is accurate and complete to the best of their knowledge. Attestation creates legal accountability for the signatory.

Compliance Monitoring

Compliance monitoring is the ongoing process of verifying that the organization continues to meet its compliance obligations over time. Compliance is not a one-time achievement — it must be maintained continuously as systems change, regulations evolve, and the business grows.

Due care = internal security activities. Due diligence = third-party evaluation activities. Attestation = executive sign-off creating legal accountability. Compliance monitoring = ongoing automated + audited verification that compliance is maintained continuously, not just at audit time.