Compliance

Compliance Frameworks

SOC 2 (Service Organization Control)

Auditing standard for service providers storing customer data, focusing on five Trust Service Criteria: Security, Availability, Processing Integrity, Confidentiality, Privacy. Type I (point-in-time) vs Type II (6-12 months). Required for SaaS companies selling to enterprises. Annual audits by certified CPA firms.

Similar Technologies: ISO 27001, SOC 1, SOC 3, Internal Audits, Self-Assessment

HIPAA (Health Insurance Portability)

US law protecting Protected Health Information (PHI) in healthcare. Requires administrative, physical, and technical safeguards. Business Associate Agreements (BAA) for vendors. Covered entities and business associates must comply. Significant violation penalties. HITECH Act extends requirements to cloud providers.

Similar Technologies: HITRUST, GDPR (for EU), State Privacy Laws, Industry Standards, Healthcare Regulations

PCI DSS (Payment Card Industry)

12 requirements for protecting cardholder data. Includes network security, encryption, access controls, monitoring, security policies. Four levels based on transaction volume. Annual self-assessment or third-party audit. Quarterly network scans by Approved Scanning Vendor (ASV). Non-compliance fines and loss of card processing.

Similar Technologies: PA-DSS, PCI PIN, Tokenization, PCI P2PE, Compliance Programs

GDPR (General Data Protection Regulation)

EU regulation for data protection and privacy. Applies to any organization processing EU residents' data. Data subject rights (access, erasure, portability). Breach notification within 72 hours. Data Protection Officer required for large-scale processing. Significant fines based on global revenue. Privacy by design principles.

Similar Technologies: CCPA, ePrivacy Directive, UK GDPR, LGPD (Brazil), Regional Privacy Laws

ISO 27001

International standard for Information Security Management Systems (ISMS). Risk-based approach with 114 controls across 14 categories. Requires documented policies, procedures, and continuous improvement. Third-party certification audit. Globally recognized for security excellence. Often prerequisite for government and enterprise contracts.

Similar Technologies: ISO 27002, SOC 2, NIST Framework, CIS Controls, Security Frameworks

FedRAMP (Federal Risk Authorization)

US government standardized approach for cloud security assessment, authorization, and continuous monitoring. Three impact levels: Low, Moderate, High. Required for cloud services used by federal agencies. Involves third-party assessment organization (3PAO). Authorization to Operate (ATO) process. Reuse of security packages across agencies.

Similar Technologies: FISMA, StateRAMP, DoD IL Levels, NIST 800-53, Government Cloud Compliance

CCPA (California Consumer Privacy Act)

California privacy law giving consumers rights over their personal information. Right to know, delete, opt-out of sale. Applies to for-profit businesses meeting revenue, consumer count, or data sales thresholds. Private right of action for data breaches. Per-violation penalties apply. Model for other US states.

Similar Technologies: GDPR, CPRA, State Privacy Laws, Privacy Shield, Data Protection Laws

Compliance Requirements

Audit Trails & Logging

Comprehensive logging of access, changes, and security events for compliance and forensics. Who accessed what data when, configuration changes, authentication events. Immutable logs with tamper-proof storage. Centralized log management (SIEM). Retention policies per compliance requirements (typically 1-7 years). Log analysis for anomaly detection.

Similar Technologies: CloudTrail, Azure Monitor, Cloud Audit Logs, SIEM Solutions, Log Management Platforms

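The "immutable, tamper-proof" property above is usually delivered by write-once storage plus tamper evidence on the records themselves. The following is an added example (not code from the page or any vendor) of the tamper-evidence half: an append-only audit trail where every entry carries the SHA-256 of the one before it, so an edited or deleted record breaks the chain on verification. The events, actors and resource names are constructed sample data.

```python
"""Hash-chained, append-only audit trail (added example, not from the page).

Each record stores the SHA-256 of the previous record, so editing or
deleting any entry inside the chain is detectable when the chain is
verified. Hash chaining gives tamper evidence; the chain still needs
write-once (WORM) storage so an attacker cannot simply rewrite all of it.
The records below are constructed sample events, not real logs.
"""
import hashlib
import json
from typing import Iterable

GENESIS = "0" * 64  # previous-hash value for the first entry


def _digest(prev_hash: str, record: dict) -> str:
    # Canonical JSON (sorted keys, no whitespace) so the hash is reproducible.
    payload = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode()).hexdigest()


def append(chain: list, actor: str, action: str, resource: str, ts: str) -> dict:
    """Append one audit event linked to the previous one; returns the new entry."""
    prev = chain[-1]["hash"] if chain else GENESIS
    record = {"ts": ts, "actor": actor, "action": action, "resource": resource}
    entry = {"record": record, "prev": prev, "hash": _digest(prev, record)}
    chain.append(entry)
    return entry


def verify(chain: Iterable[dict]) -> tuple:
    """Return (ok, index): index is the first broken entry, or -1 if the chain is intact."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        if entry["prev"] != prev or entry["hash"] != _digest(prev, entry["record"]):
            return False, i
        prev = entry["hash"]
    return True, -1


def build_sample_chain() -> list:
    """Three constructed events: who accessed what, and when, plus a config change."""
    chain: list = []
    append(chain, "alice", "READ", "s3://constructed-bucket/phi/record-42", "2024-01-01T10:00:00Z")
    append(chain, "bob", "UPDATE_POLICY", "iam/role/admin", "2024-01-01T10:05:00Z")
    append(chain, "alice", "DELETE", "s3://constructed-bucket/phi/record-42", "2024-01-01T10:09:00Z")
    return chain


def tamper_demo() -> tuple:
    """Rewrite the actor of the middle entry: verification flags index 1."""
    chain = build_sample_chain()
    chain[1]["record"]["actor"] = "mallory"
    return verify(chain)


def deletion_demo() -> tuple:
    """Drop the middle entry: the next entry's prev no longer matches, flagged at index 1."""
    chain = build_sample_chain()
    del chain[1]
    return verify(chain)


if __name__ == "__main__":
    print("intact:", verify(build_sample_chain()))
    print("after edit:", tamper_demo())
    print("after deletion:", deletion_demo())
```

In a real deployment the chain head (the latest hash) is periodically anchored somewhere the log writer cannot modify, such as a separate account or a signed timestamp, so that a complete rewrite of the stored chain is also detectable.
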
Encryption Requirements

Encryption at rest (AES-256 for storage) and in transit (TLS 1.2+ for network). Customer-managed encryption keys (BYOK) for sensitive data. Key rotation policies and HSM protection. Database encryption (TDE), application-level encryption for sensitive fields. Requirements vary by framework (HIPAA and PCI DSS both mandate encryption).

Similar Technologies: AWS KMS, Azure Key Vault, Cloud KMS, HSM, Encryption Libraries

Access Controls & Least Privilege

Role-Based Access Control (RBAC) with minimum necessary permissions. Multi-Factor Authentication (MFA) for privileged access. Regular access reviews and certification. Separation of duties for critical functions. Just-in-time access for elevated privileges. Automated de-provisioning when employees leave. PAM solutions for privileged accounts.

Similar Technologies: IAM Policies, Azure AD, Okta, PAM Solutions, Identity Governance

Data Retention & Deletion

Documented policies for data lifecycle per compliance and business requirements. Automated retention enforcement with lifecycle policies. Secure deletion ensuring data unrecoverability (cryptographic erasure, physical destruction). Legal hold capabilities suspending deletion. Backup retention separate from production. GDPR requires ability to delete on request.

Similar Technologies: Lifecycle Policies, Backup Solutions, Data Archival, Secure Deletion Tools, Records Management

Incident Response Procedures

Documented incident response plan with defined roles, procedures, and communication protocols. Detection, containment, eradication, recovery, post-incident review. Breach notification requirements (GDPR 72 hours, state laws vary). Tabletop exercises and testing. Integration with security operations center (SOC). Evidence preservation for forensics.

Similar Technologies: NIST Incident Response, SANS Incident Handling, Playbooks, Runbooks, IR Platforms

Vulnerability Management

Regular vulnerability scanning and penetration testing. Patch management with defined SLAs (critical patches within 30 days). Continuous security monitoring and threat detection. Security updates for OS, applications, and dependencies. Bug bounty programs for external testing. Remediation tracking and verification.

Similar Technologies: Vulnerability Scanners, Patch Management Tools, Security Scanning, Penetration Testing, Bug Bounty Platforms

Cloud Compliance

Shared Responsibility Model

Cloud provider secures infrastructure (hardware, network, facilities), customer secures workloads (data, applications, access). Responsibility varies by service model: IaaS (customer manages more), PaaS (shared), SaaS (provider manages more). Critical to understand division for compliance. Documented in compliance programs and contracts.

Similar Technologies: Full Ownership, Managed Services, Hybrid Responsibility, Third-party Hosting, On-Premises

Data Residency & Sovereignty

Legal requirements for data storage location. GDPR requires EU data in EU. China Cybersecurity Law requires data localization. Russia requires Russian citizen data in Russia. Choose cloud regions matching requirements. Cross-border data transfer mechanisms (Standard Contractual Clauses, Privacy Shield alternatives). Impact on DR and multi-region architectures.

Similar Technologies: Global Storage, Regional Isolation, Data Localization, Hybrid Cloud, Edge Computing

Regional Compliance Certifications

Cloud regions have different compliance certifications. Verify region supports required frameworks (HIPAA, PCI DSS, FedRAMP). AWS Artifact, Azure Compliance Manager, GCP Compliance Reports provide attestations. Not all services available in all compliant regions. Plan architecture considering regional compliance coverage.

Similar Technologies: Global Compliance, Self-Certification, Third-party Audits, Compliance as a Service, Regional Providers

Audit Reports & Attestations

Cloud providers maintain compliance certifications and publish reports. SOC 2 Type II reports, ISO 27001 certificates, PCI AOC available to customers. AWS Artifact, Azure Service Trust Portal, GCP Compliance Resource Center. Use provider attestations to inherit controls. Still responsible for workload-specific compliance.

Similar Technologies: Self-Assessment, Third-party Audits, Compliance Programs, Internal Audits, Attestation Letters

Compliance Automation Tools

Cloud-native services for continuous compliance monitoring. AWS Config Rules, Azure Policy, GCP Security Command Center. Automatically detect non-compliant resources. Enforce policies preventing non-compliant deployments. Compliance-as-code with automated remediation. Integration with governance frameworks and CI/CD pipelines.

Similar Technologies: Manual Audits, Compliance Software, Cloud Security Posture Management, Config Management, Policy Engines

Business Associate Agreements

HIPAA requires BAAs with cloud providers and vendors processing PHI. Specifies responsibilities, permitted uses, breach notification. Standard BAAs available from major cloud providers. Required for HIPAA compliance in cloud. Review contract terms for compliance obligations. Extend to all subprocessors in chain.

Similar Technologies: Data Processing Agreements, SLAs, Master Service Agreements, Privacy Agreements, Vendor Contracts

Data Protection

PII (Personally Identifiable Information)

Information that identifies, or can be used to identify, an individual: name, email, SSN, address, phone, IP address, biometrics. Regulated by GDPR, CCPA, state laws. Requires consent, access controls, encryption, breach notification. Minimize collection (privacy by design). Document processing purposes and legal basis. Enable data subject rights.

Similar Technologies: Anonymized Data, Pseudonymized Data, Aggregated Data, Synthetic Data, De-identified Data

PHI (Protected Health Information)

Health information covered by HIPAA including diagnoses, treatments, insurance, medical records. Identifiable health data requires HIPAA safeguards and BAAs. Minimum necessary principle for access. Breach notification to HHS and individuals. Combine with PII protections. Extra scrutiny for genetic and mental health data.

Similar Technologies: De-identified Data, Limited Data Sets, Anonymized Health Data, Research Data, Aggregated Health Metrics

Data Classification Schemes

Categorize data by sensitivity for appropriate controls. Public (no controls), Internal (basic access control), Confidential (encryption, restricted access), Restricted (highest controls, audit trails). Tag resources with classification. Automate controls based on classification. Employee training on handling. DLP tools enforcing policies.

Similar Technologies: Single Classification, Custom Taxonomies, Sensitivity Labels, Data Tagging, Information Governance

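The Compliance Automation Tools entry above describes compliance-as-code (AWS Config Rules, Azure Policy, GCP Security Command Center) and the Data Classification entry describes deriving controls from a sensitivity tag. The following added example ties the two together in a small policy engine of my own; it is not code from the page or from any of those cloud services. Each resource carries a `classification` tag, the required controls are looked up from that tag, the resource's actual settings are evaluated against them, and a remediation step fixes the controls that are safe to change automatically. The inventory records are constructed sample data, and the control names (`access_restricted`, `encrypted_at_rest`, `audit_logging`, `customer_managed_key`) are this example's own vocabulary.

```python
"""Classification-driven compliance-as-code check (added example, not from the page).

Resources are tagged with a data classification; the controls each class
requires are looked up and compared with the resource's real configuration.
Untagged resources fail closed (treated as Restricted) rather than being
ignored. Inventory below is constructed sample data.
"""
import copy
from dataclasses import dataclass

# Controls required per classification, cumulative from Public upward
# (this example's own control vocabulary, not any provider's rule names).
REQUIRED_CONTROLS = {
    "public": set(),
    "internal": {"access_restricted"},
    "confidential": {"access_restricted", "encrypted_at_rest"},
    "restricted": {"access_restricted", "encrypted_at_rest", "audit_logging", "customer_managed_key"},
}


@dataclass
class Resource:
    name: str
    tags: dict
    public_access: bool = False
    encryption: str = "none"      # "none", "provider_key" or "customer_key"
    audit_logging: bool = False


@dataclass
class Finding:
    resource: str
    classification: str
    missing: list


def controls_present(r: Resource) -> set:
    """Translate the resource's configuration into the controls it actually satisfies."""
    present = set()
    if not r.public_access:
        present.add("access_restricted")
    if r.encryption in ("provider_key", "customer_key"):
        present.add("encrypted_at_rest")
    if r.encryption == "customer_key":
        present.add("customer_managed_key")
    if r.audit_logging:
        present.add("audit_logging")
    return present


def evaluate(inventory: list) -> list:
    """Return one Finding per non-compliant resource, listing the controls it lacks."""
    findings = []
    for r in inventory:
        cls = r.tags.get("classification", "").lower()
        if cls not in REQUIRED_CONTROLS:
            # No (or unknown) tag: fail closed, require the Restricted set plus the tag itself.
            missing = sorted(REQUIRED_CONTROLS["restricted"] - controls_present(r)) + ["classification_tag"]
            findings.append(Finding(r.name, "untagged", missing))
            continue
        missing = sorted(REQUIRED_CONTROLS[cls] - controls_present(r))
        if missing:
            findings.append(Finding(r.name, cls, missing))
    return findings


def remediate(r: Resource, finding: Finding) -> Resource:
    """Fix the controls that are safe to change in place (assumption: these are reversible and cheap).

    customer_managed_key and classification_tag need a human decision (key
    ownership, data owner), so they are left open for a ticket.
    """
    if "access_restricted" in finding.missing:
        r.public_access = False
    if "audit_logging" in finding.missing:
        r.audit_logging = True
    if "encrypted_at_rest" in finding.missing and r.encryption == "none":
        r.encryption = "provider_key"
    return r


# Constructed inventory: one compliant bucket, two misconfigured ones, one untagged.
SAMPLE_INVENTORY = [
    Resource("marketing-site-assets", {"classification": "Public"}, public_access=True),
    Resource("customer-db-backups", {"classification": "Confidential"}),
    Resource("phi-records", {"classification": "Restricted"}, public_access=True, encryption="provider_key"),
    Resource("legacy-export", {}),
]


def run() -> list:
    """Evaluate the constructed inventory without mutating it."""
    return evaluate(SAMPLE_INVENTORY)


def remediation_demo() -> list:
    """Apply automated remediation to a copy of the inventory and re-evaluate."""
    inventory = copy.deepcopy(SAMPLE_INVENTORY)
    by_name = {r.name: r for r in inventory}
    for f in evaluate(inventory):
        remediate(by_name[f.resource], f)
    return evaluate(inventory)


if __name__ == "__main__":
    for f in run():
        print(f"{f.resource} ({f.classification}): missing {', '.join(f.missing)}")
    print("after remediation:", [(f.resource, f.missing) for f in remediation_demo()])
```

Wiring this into a CI/CD pipeline means running `evaluate` against the planned resources before deployment and failing the build on any Finding, which is the "prevent non-compliant deployments" half of the entry above.
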
Tokenization & Data Masking

Replace sensitive data with non-sensitive tokens. Format-preserving tokenization for credit card numbers and SSNs. Data masking for non-production (static for backups, dynamic for queries). Maintains referential integrity and format. Reduces PCI DSS scope. Enables analytics and testing without exposing sensitive data. Token vault for mapping.

Similar Technologies: Encryption, Hashing, Anonymization, Synthetic Data, Data Redaction

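The entry above names four properties a practitioner wants from tokenization and masking: format preservation, referential integrity (the same input always maps to the same token), a vault as the only path back to the real value, and the static vs. dynamic split for masking. The following added example (my own code, not from the page or any tokenization product) shows all four with an in-memory vault; the card and SSN values are constructed, and the role name `fraud_analyst` is an assumption for the dynamic-masking case.

```python
"""Vault-based tokenization plus static/dynamic masking (added example, not from the page).

Tokens keep the input's separators, length and trailing digits and carry no
mathematical relation to the original; the vault is the only mapping back.
Sample values below are constructed, not real card numbers or SSNs.
"""
import secrets


class TokenVault:
    """In-memory stand-in for a token vault (assumption: the real one is a separate,
    access-controlled, audited service, which is what takes it out of PCI DSS scope)."""

    def __init__(self) -> None:
        self._to_token: dict = {}
        self._to_value: dict = {}

    def tokenize(self, value: str, keep_last: int = 4) -> str:
        """Return a format-preserving token; repeat inputs get the same token (referential integrity)."""
        if value in self._to_token:
            return self._to_token[value]
        digit_positions = [i for i, ch in enumerate(value) if ch.isdigit()]
        replace = digit_positions[:-keep_last] if keep_last else digit_positions
        if not replace:
            raise ValueError("value has no digits left to tokenize")
        while True:
            chars = list(value)
            for i in replace:
                chars[i] = secrets.choice("0123456789")  # random, not derived from the input
            token = "".join(chars)
            if token != value and token not in self._to_value:
                break
        self._to_token[value] = token
        self._to_value[token] = value
        return token

    def detokenize(self, token: str) -> str:
        """Only the vault can reverse a token; this call is what must be tightly access-controlled."""
        return self._to_value[token]


def static_mask(value: str, keep_last: int = 4) -> str:
    """Irreversible masking for non-production copies: all but the last keep_last digits become '*'."""
    digit_positions = [i for i, ch in enumerate(value) if ch.isdigit()]
    chars = list(value)
    for i in (digit_positions[:-keep_last] if keep_last else digit_positions):
        chars[i] = "*"
    return "".join(chars)


ROLES_SEEING_FULL_VALUE = {"fraud_analyst"}  # assumption for the demo


def dynamic_mask(value: str, role: str) -> str:
    """Query-time masking: stored data is unchanged, the caller's role decides the view."""
    return value if role in ROLES_SEEING_FULL_VALUE else static_mask(value)


def demo() -> dict:
    """Tokenize a constructed card number twice and mask a constructed SSN for two roles."""
    vault = TokenVault()
    card = "4111-1111-1111-1111"
    token = vault.tokenize(card)
    return {
        "token": token,
        "same_token_on_repeat": vault.tokenize(card) == token,
        "detokenized": vault.detokenize(token),
        "ssn_for_support": dynamic_mask("123-45-6789", "support"),
        "ssn_for_fraud": dynamic_mask("123-45-6789", "fraud_analyst"),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Because the token for a given card is stable, downstream tables can join on it and analytics keep working; because it is random rather than encrypted or hashed, losing the analytics database does not expose the card, and a leaked token cannot be reversed without the vault.
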
Right to be Forgotten (GDPR)

EU data subjects can request deletion of their personal data. Must delete within one month of request. Applies to backups, archives, and third parties. Exceptions for legal obligations or public interest. Requires data discovery capabilities across systems. Automated deletion workflows. Document deletion and provide confirmation.

Similar Technologies: Data Retention Policies, Anonymization, Data Archival, Legal Hold, Data Minimization

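The Data Retention & Deletion entry lists cryptographic erasure as a way to make data unrecoverable, and the Right to be Forgotten entry notes that deletion must reach backups and archives, with legal hold as an exception. The following added example (my own, not the page's or any vendor's code) shows how the two fit together: each data subject's records are encrypted under a per-subject key, backups hold only ciphertext, and erasure destroys the key, so every copy becomes unreadable without touching the backups. The stream cipher is a stdlib-only stand-in built from an HMAC-SHA256 keystream and is an assumption for runnability; production code would use AES-GCM through a KMS or HSM. All subjects and records are constructed.

```python
"""Cryptographic erasure with per-subject keys (added example, not from the page).

Records are sealed under a data-encryption key (DEK) owned by one data
subject. Erasing the subject means destroying that DEK: the ciphertext in
production, backups and archives is untouched but unrecoverable. A legal
hold suspends erasure. The cipher is a stdlib stand-in (HMAC-SHA256
counter keystream), not a production construction; use AES-GCM via a KMS.
"""
import hashlib
import hmac
import secrets
from typing import Optional


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with an HMAC-SHA256 counter keystream (demo construction only)."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hmac.new(key, nonce + offset.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], block))
    return bytes(out)


class SubjectKeyStore:
    """One DEK per data subject. In production this is a KMS/HSM with audit logging."""

    def __init__(self) -> None:
        self._keys: dict = {}
        self.legal_hold: set = set()

    def key_for(self, subject: str) -> bytes:
        """Return the subject's DEK, creating one on first use."""
        return self._keys.setdefault(subject, secrets.token_bytes(32))

    def get(self, subject: str) -> Optional[bytes]:
        return self._keys.get(subject)

    def has_key(self, subject: str) -> bool:
        return subject in self._keys

    def erase(self, subject: str) -> bool:
        """Destroy the subject's DEK unless a legal hold applies. Returns True if erased."""
        if subject in self.legal_hold:
            return False
        return self._keys.pop(subject, None) is not None


def seal(store: SubjectKeyStore, subject: str, record: bytes) -> bytes:
    """Encrypt one record under the subject's DEK; output is nonce || ciphertext."""
    nonce = secrets.token_bytes(16)
    return nonce + _keystream_xor(store.key_for(subject), nonce, record)


def unseal(store: SubjectKeyStore, subject: str, blob: bytes) -> Optional[bytes]:
    """Return the plaintext, or None when the DEK is gone (record effectively erased)."""
    key = store.get(subject)
    if key is None:
        return None
    return _keystream_xor(key, blob[:16], blob[16:])


def erasure_demo() -> dict:
    """Take a backup, honour an erasure request for alice, then read both subjects from the backup."""
    store = SubjectKeyStore()
    live = {
        "alice": seal(store, "alice", b"alice@example.invalid;plan=premium"),  # constructed
        "bob": seal(store, "bob", b"bob@example.invalid;plan=basic"),          # constructed
    }
    backup = dict(live)  # byte-for-byte copy taken before the request; never modified
    erased = store.erase("alice")
    return {
        "erased": erased,
        "alice_from_backup": unseal(store, "alice", backup["alice"]),
        "bob_from_backup": unseal(store, "bob", backup["bob"]),
    }


if __name__ == "__main__":
    print(erasure_demo())
```

The deletion record the entry asks for ("document deletion and provide confirmation") is then the audited key-destruction event, which is far easier to evidence than proving every tape and snapshot was rewritten.
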
Cross-Border Data Transfers

Mechanisms for legally transferring personal data across borders. GDPR requires an adequacy decision or safeguards (Standard Contractual Clauses, Binding Corporate Rules). Privacy Shield has been invalidated; the updated SCCs (v2.0) are the current mechanism. China cross-border data transfer rules. Impact on multi-region architectures and global services.

Similar Technologies: Data Localization, Regional Processing, Privacy Shield, Binding Corporate Rules, Local Data Centers