Glossary: Compliance

This glossary covers essential cybersecurity and password management terminology from password policies and zero-knowledge encryption to RBAC, API authentication, and compliance frameworks like GDPR and SOC 2.


Compliance — the process of adhering to laws, regulations, standards, and contractual obligations governing data protection, privacy, and security practices. Compliance requirements vary by industry (healthcare, finance, retail), geography (GDPR in EU, CCPA in California), and business relationships (SOC 2 for vendors). Compliance mandates specific security controls, documentation, audits, and reporting to demonstrate adherence.

Compliance failures result in penalties, legal liability, reputational damage, and business disruption. Effective compliance balances regulatory requirements with business objectives while maintaining robust security protecting sensitive data and systems.

HIPAA — Health Insurance Portability and Accountability Act, a U.S. federal law (1996) establishing national standards for protecting sensitive patient health information from disclosure without the patient's consent or knowledge. HIPAA's Privacy Rule governs the use and disclosure of protected health information (PHI), while the Security Rule mandates administrative, physical, and technical safeguards for electronic PHI (ePHI), and the Breach Notification Rule requires affected individuals and regulators to be notified after a breach of unsecured PHI.

HIPAA civil penalties are tiered by level of culpability; the baseline figures set in 2013 ranged from $100 to $50,000 per violation with an annual cap of $1.5 million per identical provision, and those amounts are adjusted upward for inflation each year. HIPAA compliance protects patient privacy, reduces breach risk, and provides an enforceable baseline for healthcare data security.

ISO 27001 — an international standard specifying requirements for establishing, implementing, maintaining, and continually improving an information security management system (ISMS). ISO 27001 provides a systematic approach to managing sensitive information through risk assessment, security controls, policies, procedures, and continuous improvement. The 2013 edition's Annex A listed 114 controls across 14 domains including access control, cryptography, physical security, incident management, and business continuity; the 2022 revision consolidates these into 93 controls grouped under four themes (organizational, people, physical, and technological).

ISO 27001 certification demonstrates organizational commitment to information security, builds customer trust, and meets contractual requirements.

GDPR — General Data Protection Regulation, a comprehensive EU data privacy law that regulates how organizations collect, process, store, and protect the personal data of individuals in the EU. Adopted in April 2016 and in force since 25 May 2018, GDPR grants individuals rights including data access, rectification, erasure ("right to be forgotten"), and data portability. Organizations must implement privacy by design, process data only under one of six lawful bases (consent, which must be freely given and specific, is one of them), report qualifying breaches to the supervisory authority within 72 hours of becoming aware of them, appoint a data protection officer when required, and demonstrate compliance through documentation.

GDPR applies regardless of where an organization is established if it offers goods or services to, or monitors the behavior of, people in the EU, with penalties of up to €20 million or 4% of global annual turnover, whichever is higher. GDPR does not prescribe specific technologies, but Article 32 names encryption and pseudonymization as examples of appropriate technical measures, so compliance programs typically rely on data encryption, access controls, audit trails, data protection impact assessments, and vendor (processor) management.

NIST — National Institute of Standards and Technology, a U.S. government agency that develops cybersecurity frameworks, standards, and guidelines widely adopted globally for improving security posture and risk management. The NIST Cybersecurity Framework (CSF) is a voluntary framework of standards, guidelines, and best practices for managing cybersecurity risk, originally organized around five functions: Identify, Protect, Detect, Respond, and Recover; CSF 2.0 (2024) adds Govern as a sixth function. NIST Special Publication 800-53 provides a catalog of security and privacy controls for federal information systems and organizations, and is also used widely outside government.

NIST standards cover cryptography, access control, incident response, risk assessment, and security architecture. Organizations implement NIST frameworks to establish comprehensive security programs, achieve compliance, improve risk management, and align security practices with industry standards.

PCI DSS — Payment Card Industry Data Security Standard, a security standard mandating requirements for organizations that store, process, or transmit payment card data, intended to prevent fraud and data breaches. It is maintained by the PCI Security Standards Council, founded by the major card brands (Visa, Mastercard, American Express, Discover, and JCB). PCI DSS includes 12 requirements across six control objectives: build and maintain a secure network and systems, protect cardholder data, maintain a vulnerability management program, implement strong access control measures, regularly monitor and test networks, and maintain an information security policy.

Merchant and service-provider compliance levels depend on annual transaction volume; validation ranges from a self-assessment questionnaire (SAQ) for lower volumes to an on-site assessment by a Qualified Security Assessor (QSA) producing a Report on Compliance for the highest level. Non-compliance risks fines from the card brands (passed down through the acquiring bank), increased transaction fees, and loss of card processing privileges.

Security audit — a systematic evaluation of an organization's information systems, policies, procedures, and controls to assess security posture, identify weaknesses, and verify compliance with standards and regulations. Security audits examine access controls, encryption implementation, network security, application security, physical security, incident response capabilities, and policy adherence. Audits may be internal (self-assessment), external (independent auditors), or regulatory (compliance verification). The audit process typically includes documentation review, control testing, vulnerability scanning, penetration testing, interviews, and evidence collection.

Organizations conduct regular security audits to maintain compliance, improve security, demonstrate due diligence, and meet customer or regulatory requirements.

SOC 2 — an attestation framework developed by the AICPA for reporting on a service organization's controls against the Trust Services Criteria: security (required in every report), plus availability, processing integrity, confidentiality, and privacy as the organization chooses. SOC 2 reports demonstrate to customers and stakeholders that the organization has implemented appropriate controls protecting customer data. A SOC 2 Type I report assesses control design at a point in time, while a Type II report evaluates operating effectiveness over a review period, typically 6 to 12 months. The criteria do not prescribe specific technologies; in practice they are evidenced through documented policies, access controls, encryption, monitoring, incident response, vendor management, and regular security assessments.

Technology companies, SaaS providers, and cloud services obtain SOC 2 reports (SOC 2 is an attestation by an independent CPA firm, not a certification) to meet customer security requirements, build trust, and demonstrate commitment to data protection.