Domain 4 of 5 · Chapter 5 of 8

Audits and Compliance

Unlock the complete study guide + 1,040 practice questions across 16 full exams.

Bundled into the existing CompTIA Network+ premium course — no separate purchase.

Included in this chapter:

  • Data locality, residency, and sovereignty
  • PCI DSS and why segmentation shrinks the audit
  • GDPR: the law that follows the person
  • Audit logging, attestation, and the evidence loop
  • Exam-pattern recognition

The three compliance drivers Network+ tests

AspectData locality / sovereigntyPCI DSSGDPR
What it protectsAny data a law ties to a jurisdictionCardholder (payment card) dataPersonal data of people in the EU
Source of authorityNational / regional lawCard-brand contractual standardEU regulation (law)
Core network controlRegion and replication placementSegment and firewall the CDEEncryption, access control, logging
Scope triggerWhere the data physically residesTouching or connected to card dataTargeting people who are in the EU
Signature requirementKeep data inside the borderReduce CDE scope via segmentation72-hour breach notification

Decision tree

What data is involved?match the stem by data typePayment card data?stores / processes / transmitsPersonal data ofpeople in the EU?Must data stay ina jurisdiction?card datapersonal dataresidency rulePCI DSS: isolatethe CDESegment to cutaudit scopenot required, but recommendedreduce scopeGDPR: encrypt, log,control access72-hour breach noticeSovereignty: placedata in-regionblock cross-border copyAlways: retain integrity-protected audit logs to attestcompliance is a floor on the audit date, not proof of security

Cheat sheet

  • Compliance turns law and contract into concrete network controls
  • Data sovereignty ties data to the laws of where it physically sits
  • Satisfy a residency law by controlling region and replication, not just access
  • PCI DSS is a card-brand contract, not a government law
  • The CDE is card-data systems plus anything with unrestricted connectivity to them
  • Segmentation is not required by PCI DSS, but it shrinks the audit
  • Reduce PCI audit cost by segmenting, not by hardening the flat network
  • GDPR protects people in the EU and reaches you wherever you host
  • GDPR splits roles into data subject, controller, and processor
  • GDPR requires breach notification within 72 hours of awareness
  • The GDPR right to erasure is not absolute
  • GDPR's higher fine tier reaches EUR 20M or 4% of global turnover
  • Audit logging is the evidence a compliance audit examines
  • An audit tests controls; attestation is the signed result
  • Internal reporting is candid; external reporting is formal and deadline-bound
  • Compliance is a floor on a date, not proof of security
  • Match the regulation to the data type in the stem
  • GDPR can waive data-subject breach notice when encryption left the data unintelligible
  • Without an adequacy decision, Standard Contractual Clauses make a GDPR transfer lawful
  • PCI DSS sets fixed cadences: quarterly ASV scans, six-month rule review, one-year log retention

Unlock with Premium — includes all practice exams and the complete study guide.

Also tested in

References

  1. CompTIA Security+ certification (data protection, audits and assessments, compliance)
  2. PCI SSC Glossary — Cardholder Data Environment (CDE) and Segmentation Whitepaper
  3. GDPR Article 3 — Territorial scope Whitepaper
  4. GDPR Article 4 — Definitions (data subject, controller, processor) Whitepaper
  5. GDPR Article 33 — Notification of a personal data breach to the supervisory authority Whitepaper
  6. GDPR Article 17 — Right to erasure (right to be forgotten) Whitepaper
  7. GDPR Article 83 — General conditions for imposing administrative fines Whitepaper