Chapter 28 — Further Reading
Annotated resources for going deeper into compliance frameworks, audits, and the gap between compliance and security. Only the primary standards and well-regarded references are listed (Tier 1 verified canonical, Tier 2 attributed). Each entry is tagged with the learning path it most serves: 📋 GRC, 📜 Cert-prep, 🛡️ SOC, 🏗️ Engineer.
Suggested reading order: Start with the primary framework documents you are actually subject to — read the real PCI-DSS or HIPAA Security Rule text before any commentary, because the commentary is only as good as your grasp of the source. Then read the NIST CSF as the organizing lens that ties them together. Save the books and critiques for when you want the practitioner's perspective on why compliant organizations still get breached.
Primary standards and regulatory texts (read the source first)
NIST Cybersecurity Framework (CSF) 2.0 — National Institute of Standards and Technology. (Tier 1.) 📋 📜 The single most useful framework document to read in full, because it is short, readable, and outcome-oriented. CSF 2.0's six Functions (Govern, Identify, Protect, Detect, Respond, Recover) are the common language most security programs organize around. Read it as the scaffolding into which every other obligation in this chapter maps.
NIST SP 800-53 — Security and Privacy Controls for Information Systems and Organizations — NIST. (Tier 1.) 📋 🏗️ The exhaustive control catalog underpinning U.S. federal security and informing many crosswalks. You do not read it cover to cover; you use it as a reference and a source of control language. Its companion mappings (informative references) are a real-world example of published crosswalks — useful as a starting point, never as gospel.
PCI-DSS v4.0 — Payment Card Industry Data Security Standard — PCI Security Standards Council. (Tier 1.) 📋 📜 🏗️ The standard itself, plus its guidance documents. If your organization touches card data, read the real requirements and the scoping and segmentation guidance — especially the material on defining the Cardholder Data Environment and on scope reduction, which is the highest-leverage section for both cost and security. v4.0's shift toward continuous, risk-based security is worth understanding directly.
HIPAA Security Rule — U.S. Department of Health and Human Services. (Tier 1.) 📋 📜 The regulatory text governing electronic protected health information, organized into administrative, physical, and technical safeguards. Pay particular attention to the required vs. addressable distinction — the single most misunderstood feature of the rule. HHS also publishes guidance and enforcement summaries that show, concretely, how compliant-looking organizations still suffered breaches.
The EU General Data Protection Regulation (GDPR), Regulation (EU) 2016/679 — European Union. (Tier 1.) 📋 📜 The full regulation. For a security professional the high-value articles concern lawful basis, data-subject rights, data minimization, "appropriate technical and organizational measures," and breach notification (the ~72-hour expectation). Read the actual articles rather than summaries; the precision of the language matters when you are deciding what your obligations are.
ISO/IEC 27001 and ISO/IEC 27002 — International Organization for Standardization. (Tier 1.) 📋 🏗️ 27001 defines the Information Security Management System (the certifiable management process); 27002 is the control catalog you select from. These are paid standards, but if your organization pursues certification you will live in them. The key mental shift they teach: 27001 certifies that you manage security as a process, not that any single control is perfect.
SOC 2 / Trust Services Criteria — American Institute of CPAs (AICPA). (Tier 1.) 📋 The AICPA's Trust Services Criteria define the Security, Availability, Processing Integrity, Confidentiality, and Privacy criteria a SOC 2 examination reports against. Understanding the criteria — and the Type I vs. Type II distinction — is essential for both producing and reading SOC 2 reports critically (see Case Study 2).
U.S. financial-sector and cross-cutting references
GLBA Safeguards Rule — U.S. Federal Trade Commission / federal banking regulators. (Tier 1.) 📋 The rule requiring financial institutions to protect customer information, central to Meridian's obligations. Read it alongside PCI-DSS to see how two different regimes (one law, one contract) impose overlapping but differently framed controls on the same bank — the exact situation a crosswalk exists to manage.
FFIEC IT Examination Handbook — Federal Financial Institutions Examination Council. (Tier 1.) 📋 The examination guidance U.S. bank regulators use. Useful for understanding what a regulatory exam (as opposed to a voluntary audit) looks like, and how examiners think about evidence and control effectiveness.
CIS Controls v8 and CIS Benchmarks — Center for Internet Security. (Tier 1.) 🏗️ 📋 A prioritized, prescriptive control set that many organizations use as a bridge between high-level frameworks (CSF) and concrete configuration. CIS publishes mappings from its controls to other frameworks — another real, usable crosswalk to study.
Books and practitioner references
CISSP All-in-One Exam Guide — Shon Harris & Fernando Maymí (McGraw-Hill). (Tier 1.) 📜 The security-and-risk-management and security-assessment-and-testing domains cover this chapter's material at exam depth: frameworks, certification vs. attestation, audit types, and the governance context. The clearest single source for the cert-prep reader.
CompTIA Security+ Study Guide — Mike Chapple & David Seidl (Sybex). (Tier 1.) 📜 Covers the governance, risk, and compliance objectives at Security+ depth, including matching regulations to data types and the vocabulary of audits and assessments. Pair with the quiz.md in this chapter.
Security Engineering, 3rd ed. — Ross Anderson (Wiley). (Tier 1.) 🏗️ 📋 Not a compliance book, but its treatment of why systems fail despite controls — and of the economics and incentives that drive security decisions — is the best antidote to floor-as-ceiling thinking. Read the chapters on assurance and on the institutional context of security.
Verizon Data Breach Investigations Report (DBIR), current edition — Verizon. (Tier 1.) 🛡️ 📋 Published annually; its breakdowns of breach causes (stolen credentials, misconfiguration, leaked secrets) repeatedly show that the breaches happening in the real world are exactly the ones compliance checklists do not prevent. The empirical backbone for "compliance is the floor." Cite specific figures only from the edition you are reading.
On the gap between compliance and security (the chapter's thesis)
Public regulatory enforcement actions and breach post-mortems — various supervisory authorities (HHS OCR resolution summaries; EU data-protection-authority decisions; FTC actions). (Tier 2 — read the specific published case before citing details.) 📋 🛡️ The richest source of "compliant but breached" lessons. Reading actual enforcement decisions shows, in detail, how organizations that held the documents and passed the assessments still failed the substance — the NorthLine pattern of Case Study 2, drawn from the general shape of real cases. Treat each as a case study in the structural limits of compliance from §28.6.
CISA advisories and guidance — Cybersecurity and Infrastructure Security Agency. (Tier 1.) 🛡️ 🏗️ CISA's advisories and its guidance on secure configuration and known-exploited vulnerabilities illustrate how fast the threat moves relative to any standard's revision cycle — concrete support for the "frameworks lag the threat" limit. Useful for connecting compliance to live, current attacker behavior.
A closing note on how to read all of this: the standards tell you the floor. The breach reports and enforcement actions tell you why the floor is not the ceiling. Read both, and let the gap between them define where your real work begins.