Why This Topic Matters
CISSP does not expect you to become a compliance lawyer. It does expect you to understand how major regulations and standards change control expectations, contracts, evidence, architecture decisions, and accountability. These are not side topics. They shape what “good security” must look like in real environments.
Exam lens: first identify the type of data or customer involved, then map that to the relevant framework or regulation.
HIPAA — Health Insurance Portability & Accountability Act
HIPAA is a U.S. healthcare privacy and security law focused on protecting Protected Health Information (PHI) in paper, oral, and electronic forms.
Who It Applies To
- Covered entities such as healthcare providers, health plans, and healthcare clearinghouses
- Business associates handling PHI on behalf of covered entities
- Relevant subcontractors in the PHI handling chain
Security Relevance
- Administrative safeguards
- Physical safeguards
- Technical safeguards
- Confidentiality, integrity, and availability of PHI
Business Associate Agreement (BAA)
A BAA is a legally binding agreement that defines how a business associate protects PHI and supports HIPAA obligations across the data handling chain.
Practical example: if a cloud provider hosts a hospital portal, a BAA is not optional. It is a contractual control point.
SOX — Sarbanes-Oxley Act of 2002
SOX is a U.S. law designed to protect investors by improving the accuracy, transparency, and accountability of corporate financial reporting.
Who It Primarily Applies To
- Publicly traded companies
- Certain provisions may also affect private entities and nonprofits in specific contexts
Security-Team Impact
- Internal controls around financial data integrity
- Audit trail retention and protection
- Protection against tampering in financial systems
- Evidence quality for audits and investigations
Practical example: if accounting data can be altered without detection, that is not just a technical failure. It is a SOX exposure.
FedRAMP — Federal Risk and Authorization Management Program
FedRAMP standardizes security assessment, authorization, and continuous monitoring for cloud services used by U.S. federal agencies.
What It Is Built On
- NIST SP 800-53 control baselines
- Cloud-specific authorization and monitoring expectations
- Alignment with federal security requirements
Who Needs It
- Cloud service providers selling to U.S. federal agencies
- Federal agencies consuming cloud services
FedRAMP vs FISMA
- FedRAMP: cloud-specific authorization and monitoring program
- FISMA: broader federal cybersecurity requirements across federal systems
Practical example: building a cloud security dashboard for a U.S. federal customer triggers a very different compliance path from ordinary commercial SaaS.
PCI DSS — Payment Card Industry Data Security Standard
PCI DSS is a global industry standard designed to protect cardholder data during collection, processing, transmission, and storage.
Who It Applies To
- Organizations that handle credit or debit card data
- Merchants, service providers, payment processors, and related parties in the card data flow
Security Relevance
- Protect stored cardholder data appropriately
- Do not retain sensitive authentication data after authorization, except where the standard explicitly permits it
- Use strong access controls
- Apply encryption and secure transmission controls
- Use segmentation and vulnerability management where needed
Practical example: if a SaaS product accepts subscription payments directly, cardholder data handling immediately introduces PCI DSS obligations.
Fast Comparison Logic
- HIPAA: healthcare data, PHI, covered entities, business associates
- SOX: financial reporting integrity, audit controls, public companies
- FedRAMP: cloud services for U.S. federal agencies
- PCI DSS: cardholder data and payment environments
What CISSP Candidates Should Retain
- Map framework first to data type and customer type.
- Know which requirements create contractual obligations, such as BAAs.
- Recognize when auditability and integrity are the real control priorities.
- Understand that cloud for federal use introduces a distinct authorization model.
- Do not confuse industry standards (PCI DSS) with government statutes (HIPAA, SOX) or government programs (FedRAMP).
Brain Ticklers
Q1. A hospital outsources hosting of its patient portal to a third party. What contract becomes critical before PHI is hosted?
Think: the answer is not just “an SLA.”
Q2. A public company wants stronger evidence that accounting records were not tampered with. Which framework is the closest fit?
Think: this is financial reporting integrity and audit accountability.
Q3. A cloud platform wants to sell to U.S. federal agencies. Which program becomes central?
Think: cloud-specific federal authorization.
Q4. An e-commerce platform stores CVV values after transaction completion. Which control area is it colliding with?
Think: this is payment data handling, not privacy law generally.
Q5. Which is broader across federal information systems: FedRAMP or FISMA?
Think: one is cloud-specific, one is broader.