There are several topics we need to look at when we discuss the Legal domain of CISSP. First, you need some background and a couple of important distinctions:

Civil Law and Common Law — The most significant difference is that, under civil law, judicial precedents and particular case rulings do not carry the same weight as they do under common law.

Civil Law and Criminal Law — The significant difference here is the burden of proof. In criminal law, the standard of proof is “beyond a reasonable doubt.” In civil law, however, all that is needed to prove a case is a preponderance of the evidence in your favor.

In which of the aforementioned can a possible punishment be jail time? Only criminal law.

If you see Australia in the test question, look for common law in the answer set since common law is the legal system used in the United States, Canada, the United Kingdom and most former British colonies (that includes Australia).

To satisfy your curiosity, look up criminal law, civil law, and common law and write down the definitions.  And while you’re there look up statutory, compensatory, and punitive damages. Should you see those terms, you’ll be familiar with their definitions.

There are also some definitions from intellectual property law that you will need to know, such as trademark, copyright, licenses, trade secrets and patents.

The term we come across most often of those is licenses.  How many copies of a particular software package are you licensed to use and what are the penalties if you get caught using pirated software?  You also need to understand import/export restrictions especially as they apply to crypto systems and hardware.

Some of the other topics under this domain include specific laws, investigations and ethics.

First, let’s look at specific laws.  You should have an understanding of the general requirements of these laws and where they might be applicable:

HIPAA – Health Insurance Portability and Accountability Act

Computer Fraud and Abuse Act – Title 18 Section 1030

Electronic Communications Privacy Act

Patriot Act of 2001

Gramm-Leach-Bliley Act (GLBA)

Sarbanes-Oxley Act of 2002

Payment Card Industry Data Security Standards version 2.0

Family Educational Rights and Privacy Act of 1974 (FERPA, aka the Buckley Amendment)

There are also a number of different Breach Laws which, at present, are only at the state level.

Now let’s look at investigations. From an investigative perspective, you will need to know what constitutes acceptable evidence and how to maintain a chain of custody for the evidence you gather; you should also understand forensics and the things that can invalidate evidence in a court of law. Always remember that when gathering forensic evidence, the goal is to be able to present acceptable evidence in a court of law. You will not go to court with every piece of evidence that you gather, but you should be prepared for that eventuality.

From an ethical point of view, we have the following rules written by the Computer Ethics Institute:

  1. Thou shalt not use a computer to harm other people.
  2. Thou shalt not interfere with other people’s computer work.
  3. Thou shalt not snoop around in other people’s computer files.
  4. Thou shalt not use a computer to steal.
  5. Thou shalt not use a computer to bear false witness.
  6. Thou shalt not copy or use proprietary software for which you have not paid.
  7. Thou shalt not use other people’s computer resources without authorization or proper compensation.
  8. Thou shalt not appropriate other people’s intellectual output.
  9. Thou shalt think about the social consequences of the program you are writing or the system you are designing.
  10. Thou shalt always use a computer in ways that ensure consideration and respect for your fellow humans.

Most importantly, for this exam, familiarize yourself with the ISC2 Code of Ethics.

So what else can I say about the Law, other than that it is the Law and we must abide by it or suffer the penalties?

One final parting comment: look up the definitions of, and the differences between, 1) due care, 2) due diligence, 3) due process and 4) due protection.

Want to learn more? The InfoSec Institute CISSP Training course trains and prepares you to pass the premier security certification, the CISSP. Professionals who hold the CISSP have demonstrated deep knowledge of all 10 Common Body of Knowledge domains and have the necessary skills to provide leadership in the creation and operation of enterprise-wide information security programs.

InfoSec Institute's proprietary CISSP certification courseware materials are always up to date and synchronized with the latest ISC2 exam objectives. Our industry-leading course curriculum, combined with our award-winning CISSP training delivered by expert instructors, gives you the platform you need to pass the CISSP exam with flying colors. You will leave the InfoSec Institute CISSP Boot Camp with the knowledge and domain expertise to pass the CISSP exam the first time you take it. Some benefits of the CISSP Boot Camp are:

  • Dual Certification - CISSP and ISSEP/ISSMP/ISSAP
  • We have cultivated a strong reputation for getting at the secrets of the CISSP certification exam
  • Our materials are always updated with the latest information on the exam objectives: this is NOT a Common Body of Knowledge review; it is intense, successful preparation for CISSP certification.
  • We focus on preparing you for the CISSP certification exam through drill sessions, review of the entire Common Body of Knowledge, and practical question and answer scenarios, all following a high-energy seminar approach.

Also, fill out the short form below for pricing information and details regarding our various training options (self-paced, online mentored and instructor-led) for the CISSP.