Subsection 01.E · Compliance Fundamentals

Compliance Fundamentals

The legal and regulatory frameworks that turn security from "nice idea" into "required practice." Healthcare's HIPAA, payment processing's PCI-DSS, the EU's GDPR, public-company financial reporting's SOX, and student records' FERPA — the five regimes a working US security professional brushes against.

Compliance is not security. It is the *floor*, not the ceiling. A compliant organization meets a minimum bar defined by law or industry; a secure organization meets the actual threat. The two overlap heavily but they are not the same thing, and one of the most common career-limiting moves in security is treating them as identical.

This subsection introduces the five compliance regimes a US-trained security practitioner is most likely to encounter early. HIPAA applies to anyone handling US healthcare data — far more organizations than just hospitals. PCI-DSS applies to anyone touching payment cards, which means nearly every business that takes money online. GDPR applies whenever an EU resident's personal data is processed, which means most US companies of any size by default. SOX applies to US public companies (and the security teams that operate their IT general controls). FERPA applies to nearly every US educational institution and the vendors that serve them.

Each page covers the same axes: who's covered, what the standard requires, who enforces it, what the penalties look like, and what it actually means for a security team day-to-day. The goal is fluency, not legal expertise — enough to talk credibly with auditors, understand why your organization makes certain technical choices, and know when to call counsel.

Reference pages

01.E.01
HIPAA · Health Insurance Portability and Accountability Act
US healthcare data protection. The Privacy Rule, Security Rule, Breach Notification Rule. Covered entities, business associates, PHI. OCR enforcement and the famous "wall of shame" — what gets a hospital fined.
Live
01.E.02
PCI-DSS · Payment Card Industry Data Security Standard
The card brands' contractual standard. The 12 requirements, the four merchant levels, SAQs vs ROCs, the scope-reduction game that drives every modern payment architecture (tokenization, hosted iframes, point-to-point encryption).
Live
01.E.03
GDPR · General Data Protection Regulation
The EU's personal-data law. Data subjects' rights, lawful bases for processing, controllers vs processors, DPIAs, the 72-hour breach notice, and how a regulation written in Brussels ends up shaping how a Lafayette startup builds its login screen.
Live
01.E.04
SOX · Sarbanes-Oxley Act
Financial-reporting integrity for US public companies. The IT General Controls (ITGCs) that security teams actually own — logical access, change management, operations, information security — and how recent enforcement actions (SolarWinds, Wells Fargo) reshaped the security-team relationship to ICFR.
Live
01.E.05
FERPA · Family Educational Rights and Privacy Act
US student education records. Directory information, the "school official" exception, the rare-but-real federal funding leverage. Why every modern ed-tech vendor contract has FERPA-specific clauses and how recent breaches (Blackbaud, Illuminate, PowerSchool, MOVEit) reshaped vendor risk management in higher ed.
Live