Compliance
Common Frameworks
GDPR (General Data Protection Regulation)
EU data protection regulation.
Key Requirements:
-
Lawful basis for processing
-
Data minimization
-
Right to erasure
-
Data portability
-
Breach notification (72 hours)
-
Privacy by design
HIPAA (Health Insurance Portability and Accountability Act)
US healthcare data protection.
Key Requirements:
-
Access controls
-
Audit controls
-
Integrity controls
-
Transmission security
-
Business Associate Agreements
PCI-DSS (Payment Card Industry Data Security Standard)
Payment card data protection.
Key Requirements:
-
Network segmentation
-
Encryption of cardholder data
-
Access restrictions
-
Regular testing
-
Security policies
SOC 2 (Service Organization Control 2)
Trust service criteria.
Principles:
-
Security
-
Availability
-
Processing Integrity
-
Confidentiality
-
Privacy
Common Controls
Access Control
- Unique user IDs
- Strong authentication
- Role-based access
- Regular access reviews
- Termination procedures
Data Protection
- Encryption at rest
- Encryption in transit
- Key management
- Data classification
- Retention policies
Audit & Monitoring
- Audit logging enabled
- Log retention (1+ year)
- Regular log review
- Alerting on anomalies
- Incident response plan
Documentation
- Security policies
- Procedures documented
- Evidence collection
- Regular reviews
- Training records
Compliance Checklist
Control GDPR HIPAA PCI SOC2
Encryption Yes Yes Yes Yes
Access Control Yes Yes Yes Yes
Audit Logging Yes Yes Yes Yes
Breach Notification Yes Yes Yes Yes
Risk Assessment Yes Yes Yes Yes