6.1.2. External Considerations
💡 First Principle: Organizations don't operate in isolation. External forces (regulations, laws, industry standards, and contractual obligations) impose security requirements that governance must address. Failing to align with external requirements creates legal, financial, and reputational risk. The challenge is that external requirements often overlap, sometimes conflict, and constantly evolve.
Regulatory requirements: government-mandated compliance, such as HIPAA (healthcare data privacy and security), PCI DSS (payment card data protection), SOX (financial reporting accuracy and controls), GLBA (financial data privacy), and FERPA (educational records privacy). Violations carry fines, sanctions, and legal liability. Each regulation has specific technical requirements: HIPAA mandates encryption of PHI in transit and at rest; PCI DSS requires quarterly vulnerability scanning and annual penetration testing.
Legal requirements: laws governing data handling, breach notification, privacy, and computer fraud. These vary by jurisdiction and may conflict across borders. Breach notification laws in most US states require notification within specific timeframes (typically 30-72 days). Some jurisdictions require notification to specific agencies in addition to affected individuals.
Industry standards: voluntary, but often practically mandatory. The NIST Cybersecurity Framework (CSF) provides a risk-based approach, ISO 27001 certifies information security management systems, the CIS Controls provide prioritized security actions, and SOC 2 attests to service organization controls. Customers and partners may require specific certifications before doing business with you.
Local/regional/national/global considerations: data protection laws vary dramatically. GDPR (EU) imposes strict consent requirements, data subject rights, and sovereignty requirements. CCPA/CPRA (California) provides consumer data rights. Organizations operating across borders must comply with multiple, sometimes conflicting, regulatory frameworks. Data sovereignty laws may require data to be stored and processed within specific geographic boundaries.
⚠️ Exam Trap: GDPR applies to any organization processing EU residents' data, regardless of where the organization is located. A US company selling to European customers must comply with GDPR. Jurisdiction is based on the data subject's location, not the company's.
