█
LastWrite
  • > Curriculum
  • > Pricing
  • > For Educators
  • > About
  • > Contact
Log InGet Started

Questions, concerns, bug reports, or suggestions? We read every message, write to us at [email protected].

More ways to reach us →
LastWrite

Structured computer science lessons for aspiring developers and security professionals.

[email protected]

(201) 785-7951

Mon–Fri, 9 AM–5 PM EST

Learn

  • Curriculum
  • Pricing

Company

  • About
  • For Educators & Schools
  • Contact Us

Legal

  • Terms of Service
  • Privacy Policy
© 2026 LastWrite. All rights reserved.
Curriculum/Cybersecurity/Risk Management and Governance/Compliance and Regulatory Frameworks
40 minIntermediate

Compliance and Regulatory Frameworks

After this lesson, you will be able to: Navigate GDPR/HIPAA/PCI-DSS audit processes and the consequences of non-compliance.

Voluntary frameworks (ISO/SOC 2) say 'if you want this badge, do these things'. Regulatory frameworks (GDPR/HIPAA/PCI-DSS) say 'do these things or face fines and lawsuits'. The teeth are different.

Prerequisites:Security Policies and Standards

Three regulatory anchors

GDPR, covered in cs-dlp-06 (privacy, EU residents). HIPAA. US healthcare, PHI. PCI-DSS, anyone processing payment cards. Mandated by the card brands (Visa, Mastercard), not government, but contractually unavoidable.

💡 PCI-DSS levels

Level 1 (>6M cards/yr), full annual onsite audit. Level 2-4 (down to <20K). Self-Assessment Questionnaires (SAQs). Compliance ≠ secure: PCI-DSS is the floor, not the ceiling.

Audit process

  1. 1

    1. Pre-audit gap assessment.

  2. 2

    2. Remediation period.

  3. 3

    3. Audit fieldwork (auditor reviews evidence).

  4. 4

    4. Report drafted.

  5. 5

    5. Annual recurrence (or quarterly for some frameworks).

Consequences of failure

GDPR, fines up to 4% global revenue. HIPAA, fines up to $1.5M/yr per category, criminal charges for willful neglect. PCI, fines $5K-$100K/month, eventual loss of ability to process cards = company death.

Quick Check

Compliance ≠ ?

Fill in.

Sign in and purchase access to unlock this lesson.

Sign in to purchase
←Security Policies and Standards
Back to Risk Management and Governance
Business Continuity and Disaster Recovery→