Compliance frameworks
Aspect | GDPR | HIPAA | PCI-DSS | CCPA (California Consumer Privacy Act) | SOX (Sarbanes-Oxley Act) | FISMA (Federal Information Security Management Act) | NIST (National Institute of Standards and Technology) | ISO/IEC 27001 | FCRA (Fair Credit Reporting Act) | GLBA (Gramm-Leach-Bliley Act) | CMMC (Cybersecurity Maturity Model Certification) | FERPA (Family Educational Rights and Privacy Act) |
---|---|---|---|---|---|---|---|---|---|---|---|---|
Purpose | Protects personal data of EU citizens. | Protects health information of individuals. | Secures payment card information. | Enhances privacy rights of California residents. | Ensures accuracy and integrity of financial reporting. | Establishes a framework for securing federal information systems. | Improves cybersecurity in critical infrastructure. | International standard for information security management. | Regulates the collection and use of consumer credit information. | Requires financial institutions to explain their information-sharing practices. | Establishes cybersecurity standards for DoD contractors. | Protects the privacy of student educational records. |
Scope | EU and EEA; applies to all organizations processing personal data. | Applies to healthcare providers, insurers, and healthcare clearinghouses in the U.S. | Applies to all entities accepting credit cards. | Applies to businesses collecting personal information from California residents. | Applies to publicly traded companies in the U.S. | Applies to federal agencies and entities handling government data. | Applies to organizations managing federal information systems. | Applies globally to any organization seeking cybersecurity certifications. | Applies to consumer reporting agencies and users of consumer reports. | Applies to all financial institutions and their practices. | Applies to all DoD contractors and subcontractors. | Applies to educational institutions that receive federal funding. |
Key Components | Data protection principles; rights of data subjects; accountability requirements; breach notification. | Privacy rules; security rules; breach notification; patient rights. | Data protection; access control; monitoring and testing; security measures. | Consumer rights; data protection obligations; business requirements. | Internal controls; auditing; financial transparency; security of financial data. | Risk management; security controls; continuous monitoring; annual security reviews. | Risk assessment; security controls; privacy considerations; continuous improvement. | Risk management, security controls, continual improvement processes. | Accuracy, fairness, and confidentiality of consumer information. | Safeguards for consumer information; privacy policies and disclosures. | Implementation of security practices, documentation, and assessment. | Student privacy; rights to access and amend educational records. |
Enforcement | Data Protection Authorities; penalties up to €20 million or 4% of global revenue. | Office for Civil Rights (OCR); penalties can reach $1.5 million per violation. | Payment Card Industry Security Standards Council; fines can vary based on the entity. | California Attorney General; penalties can exceed $2,500 per violation. | Securities and Exchange Commission (SEC); penalties can include fines and imprisonment. | Department of Homeland Security (DHS); penalties for non-compliance are typically punitive. | Conducted by agencies and organizations aligned with NIST standards. | Certification bodies evaluate compliance; non-compliance can lead to loss of certification. | Federal Trade Commission (FTC); penalties depend on the nature of the violation. | | DoD and associated regulatory agencies; penalties for non-compliance can include loss of contracts. | Family Policy Compliance Office; institutions face potential loss of federal funding and legal action. |
Breach Notification | Required within 72 hours; notification to individuals if personal risk is high. | Required within 60 days; individuals and OCR must be notified. | No specific requirement, but compromised data must be protected and monitored. | Required within 72 hours for businesses; individuals must be informed. | No specific requirement; implications depend on public disclosures. | Requires notifying affected individuals and conducting risk assessments post-breach. | Recommended best practices include notifying affected parties promptly. | Requires notification to affected individuals as necessary; details provided in the ISMS. | Must notify consumers of unauthorized access to their credit information. | | Must notify affected individuals and possibly the DoD. | Requires notification of students and parents regarding breaches of educational records. |
Consumer Rights | Right to access, rectification, erasure, data portability, and objection. | Right to access medical records; requests can be denied under certain circumstances. | No specific consumer rights; primarily focused on data security. | Right to know, delete, and opt-out of selling personal information. | No specific consumer rights; focused on corporate governance. | Limited consumer rights; focused on protecting government data. | Supports individual privacy and security; specifics vary by application. | Provides rights related to information security; details depend on implementation. | Right to access and request corrections to personal information. | Right to opt-out of having personal information shared; requires consent for certain uses. | | Limited individual rights; focused on the protection of student information. |
Data Subject | Any identifiable individual within the EU/EEA. | Patients and insured individuals. | Credit card holders. | Residents of California. | Shareholders and investors. | Federal agency employees and contractors. | Federal agency data and associated individuals. | Any organization that processes sensitive information. | Individuals whose credit information is collected. | Customers of financial institutions. | Employees and individuals associated with DoD contractors. | Students and parents of students in educational institutions. |
Notes
- This table combines multiple compliance frameworks, highlighting major aspects of each.
- Specific requirements may vary based on organizational context, size, and nature of business, and entities may need to comply with multiple regulations.
- Consultation with compliance experts is recommended to ensure adherence to relevant laws and regulations for specific organizational needs.
For CEH professionals and those engaged in programming or web development, PCI-DSS, NIST, and ISO/IEC 27001 are the most directly relevant compliance frameworks. Understanding GDPR and CCPA also adds significant value when working with user data. The others play important roles in their specific contexts but may not be as directly applicable to general web development and ethical hacking.