CISSP for Legal and Investigation Regulatory Compliance
This article will help you answer three main questions:
- What areas of regulatory compliance should I focus on when studying for the Certified Information Systems Security Professional (CISSP) exam? (Systems of Law / Branches of Law)
- What types of laws should I know for the exam? (Intellectual Property / Privacy & Data Protection / Computer Crime & InfoSec Laws)
- Is there something more that I should learn about compliance?
In essence, these questions, along with their accompanying subsections, cover a small portion of one of the CISSP CBK’s domains, namely, the domain entitled Security and Risk Management (Security, Risk, Compliance, Law, Regulations, and Business Continuity), which consists of the following topics:
- Confidentiality, integrity, and availability concepts
- Security governance principles
- Compliance (covered in this article)
- Legal and regulatory issues (covered in this article)
- Professional ethics
- Security policies, standards, procedures, and guidelines
For the most part, this article is based on the 7th edition of CISSP Official Study Guide. You can visit the (ISC)² website if you want to know more about the CISSP exam materials.
1. What areas of regulatory compliance should I focus on when studying for the CISSP?
1.1 Systems of Law
The most common contemporary legal systems in the world are the civil law system and the common law system.
[Map: blue = civil law, red = common law. Credit: “Map of the Legal systems of the world.”]
1.1.1 Civil Law
In this type of legal system, the central sources of law are codifications in a constitution or in statutes passed by a legislature. All civil law systems derive from Roman law, or more specifically, from the Corpus Juris Civilis. During its inception phase, civil law was partly influenced by religious laws such as Canon law and Islamic law.
In theory, and unlike the common law system, the civil law system is based on the interpretation of legislative enactments rather than on legal norms, rules, or principles that come into being through decisions made by judicial bodies in individual cases.
According to the legal origins theory, there are four groups of civil law (with examples):
- French civil law (France, Benelux, Italy, Spain, Romania, former colonies);
- German civil law (Germany, Austria, Switzerland, Portugal, Estonia, Latvia, Greece);
- Scandinavian civil law (Sweden, Norway, Denmark, Finland and Iceland);
- Chinese law (the civil law in China is mixed with the socialist law).
1.1.2 Common Law
Common law is a legal system based on principles or concepts – known as precedents – established by courts of law in landmark cases. The relationship between these precedents and the laws or statutes created by a legislature can be complex. By way of illustration, some jurisdictions’ constitutions allow judicial decisions to lay the foundations of future statutes or statutory provisions, or allow courts to give an authoritative interpretation of the meaning of existing statutory provisions.
The origins of common law can be traced back to Anglo-Saxon law and, to a lesser extent, to legal concepts from Norman law. Common law is in practice today in most of the United Kingdom, Ireland, Australia, New Zealand, most of India, Pakistan, Bangladesh, Hong Kong, South Africa, Canada (excluding Quebec), the United States at the state level (excluding Louisiana), and elsewhere.
1.2 Branches of Law
Pursuant to the CISSP Study Guide (7th edition), three main categories, or branches, of law exist in the U.S. legal system:
1.2.1 Criminal Law
This is the body of laws whose purpose is to preserve the public peace and protect the safety of people. The police and other law enforcement agencies are directly involved in virtually all activities related to upholding the criminal laws. A number of such laws are designed to protect society from cybercrime; these include the Computer Fraud and Abuse Act, the Electronic Communications Privacy Act, and the Identity Theft and Assumption Deterrence Act. What all these laws have in common is that they provide criminal penalties for serious computer crimes.
1.2.2 Civil Law
This is the most all-embracing branch of law, and it also generates the largest number of court cases. Civil law exists to govern matters between citizens and organizations concerning legal disputes that do not arise under criminal law but are nevertheless settled by judicial institutions for the sake of an orderly society. Common examples of cases judged under civil law include contract disputes, real estate transactions, employment matters, and estate/probate procedures. What differentiates civil law from criminal law is who enforces it: under criminal law, law enforcement is entrusted with the duty of upholding the law, whereas under civil law it is incumbent upon the person who believes he has been wronged to initiate legal proceedings before the court.
1.2.3 Administrative Law
Generally speaking, administrative law serves to ensure that administrative policies, procedures, and regulations are being observed. American administrative law is codified in the Code of Federal Regulations, also known as “the CFR.”
2. What types of laws should I know for the exam?
Most of the material covered on the CISSP exam concerns U.S. legislation, and so does this article. The graph below displays the three prominent legal areas covered in this section.
2.1 Intellectual Property
“Intellectual Property” is a term, a collective reference of sorts, which encompasses four main types of intangible assets: copyrights, trademarks, patents, and trade secrets.
[Image credit: derivative of “Copyright, Patent, or Trademark?”]
The Digital Millennium Copyright Act
According to this law, eight broad categories of works qualify for copyright protection:
- Literary works (software falls under this category; however, only its literal expression is protected – i.e., the source code – and not the underlying ideas or processes)
- Musical works
- Dramatic works
- Pantomimes and choreographic works
- Pictorial, graphical, and sculptural works
- Motion pictures and other audiovisual works
- Sound recordings
- Architectural works
[Image: “Definition of Copyright”]
Although there is a formal procedure for obtaining copyright through registration with the U.S. Copyright Office, the copyright itself arises the very moment the work is created. Consequently, if you can prove in court that you are the author of a particular work, then you are protected by copyright. Nevertheless, exceptions do exist; for instance, a work is deemed a “work for hire” when it is created by an employee for an employer during the employee’s working hours, in which case the rights belong to the employer.
The period of copyright protection is 70 years after the death of the last surviving author, provided that the identity of the author(s) is known. Where that is not the case, copyright protection lasts 95 years from the date of first publication or 120 years from the date of creation, whichever is shorter.
In a nutshell, the DMCA envisages:
- copy-prevention of widespread digital media such as DVDs and CDs;
- limitation of ISPs’ liability in events of their network being used by criminals to violate the copyright;
- permission to copy licensed software for the purposes of backup, maintenance, and testing;
- lastly, it explains how the copyright principles are to be applied to the constantly growing sphere of webcasting.
Trademarks
These are words, slogans, or logos used to identify a company or its products or services. As with copyright, trademarks do not need to be registered in order to gain legal protection; nonetheless, official recognition can be given to your mark if you decide to register it with the United States Patent and Trademark Office (USPTO). The acceptance of a trademark hinges on two main criteria:
1) it should not be similar to another trademark, and
2) it should not be descriptive of the goods and services that the applicant offers.
In the United States, trademarks enjoy a 10-year initial period of protection, which can be renewed an unlimited number of times.
Patents
Simply put, patents protect inventions. A patent grants its owner the exclusive rights to an invention for a period of 20 years; after the end of that period, the invention becomes part of the public domain. To be patentable, an invention must meet three requirements:
- It must be new.
- It must be useful.
- It must not be obvious.
In the technology domain, patents covering hardware devices and manufacturing processes have been issued for many years now. There is still uncertainty, however, on how patents for software inventions would hold up to the scrutiny of most courts.
Trade Secrets
Knowledge of the details of a particular piece of intellectual property can be critical for a business, since a great deal of damage would ensue if a competitor learned what makes the product or service of the company in question so unique and successful. Well-known examples are the secret formula for Coca-Cola and KFC’s secret mixture of herbs. In cases like these, the most appropriate way to protect the intellectual property is through the instruments of trade secret law – e.g., not disclosing it, not registering it, and preserving the secret by binding employees with a nondisclosure agreement (NDA). In fact, trade secret protection is the preferred method of intellectual property protection for many software companies, most notably Microsoft.
2.2 Privacy & Data Protection
European Union (EU) Privacy Legislation
Under Art. 7 of the EU Data Protection Directive of 1995, the personal data of EU citizens may be collected and processed only on at least one of the following legal grounds:
1) consent;
2) contract;
3) legal obligation;
4) protection of the vital interests of the individual concerned (the ‘data subject’);
5) a task carried out in the public interest;
6) a reasonable balance between the data controller’s business interests and the privacy of data subjects.
In accordance with the EU “adequacy rule,” even organizations from outside the EU must comply with the EU Data Protection Directive when processing the personal data of EU citizens. As concerns EU-U.S. data transfers, on 12 July 2016 the European Commission adopted the “EU-U.S. Privacy Shield” decision, which, in effect, replaces the Safe Harbor mechanism that was struck down by the European Court of Justice in October 2015 in the wake of the Snowden revelations.
This new framework for Transatlantic exchanges of personal data of EU citizens promises, among other things, “regular reviews,” “effective supervision mechanisms,” “tightened conditions for onward transfers,” and “limitation of data retention.”
U.S. companies need to apply for registration to be on the Privacy Shield list and self-certify that they meet the high data protection standards laid down by the arrangement. This is an annually renewable registration.
It should be noted also that a comprehensive reform of data protection rules in the EU should come into force in May 2018.
U.S. Privacy Legislation
The right to privacy has become a matter of ever-increasing concern in the United States (and all over the world) in the past couple of years. Even though the U.S. Constitution does not explicitly guarantee a right to privacy, a myriad of federal laws has been enacted, most of them in recent years, in order to prevent the government, as well as health-care, financial, and educational institutions, from improperly collecting, using, and retaining the private information of citizens. These laws are as follows:
Fourth Amendment to the U.S. Constitution
The groundwork of the right to privacy is to be found here:
The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no warrants shall issue, but upon probable cause, supported by oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.
In essence, this provision bars government personnel from searching private property unless the search is justified by a warrant or by probable cause. The courts have also ruled that the scope of the Fourth Amendment extends to wiretapping and other invasions of privacy.
Privacy Act of 1974
As far as privacy legislation is concerned, this is probably the most significant law on how the government should process private information about individual citizens. In short, prior consent of the affected individuals is almost always needed when a federal government agency undertakes disclosure of their private information to third parties. Additionally, agencies should retain only relevant records and dispose of them once they are no longer needed for the legitimate purpose for which they are collected. Lastly, individuals are allowed access to the records which the government keeps on them, and they also have the right to request incorrect records to be amended.
Electronic Communications Privacy Act of 1986
The ECPA criminalizes the invasion of the electronic privacy of a person. It forbids the unjustified interception or disclosure of electronic communications, such as email, voicemail, and even mobile telephone conversations.
Communications Assistance for Law Enforcement Act (CALEA) of 1994
With the enactment of this law, proprietary economic information becomes part of the general term ‘property,’ and the theft of such information may be regarded as industrial or corporate espionage.
It also requires all communications carriers to provide universal technical means (thus avoiding technological lock-out) through which law enforcement can perform wiretaps on the legal basis of a court order.
Health Insurance Portability and Accountability Act (HIPAA)
Congress passed this law in 1996 in order to reform, modernize, and introduce changes to the laws regulating health insurance and health maintenance organizations (HMOs). The privacy and security provisions of HIPAA are of utmost importance to entities operating in the healthcare sector (hospitals, physicians, insurance agencies, etc.), which are obliged to maintain robust security measures for the entire time they process and store patients’ medical information. In addition, the above-mentioned entities must clarify and disclose in writing the rights of every individual who is the subject of medical records.
In 2009, Congress passed the Health Information Technology for Economic and Clinical Health Act (HITECH). Implemented through the HIPAA Omnibus Rule in 2013, HITECH’s purpose was to update some of HIPAA’s privacy and security requirements. For example, all dealings between a business associate (an organization that handles protected health information (PHI) on behalf of an entity falling under the scope of HIPAA) and a HIPAA-covered entity must be outlined in a written contract called a business associate agreement (BAA).
Furthermore, under the HITECH Breach Notification Rule, if a data breach affects more than 500 people, the HIPAA-governed entity must notify: a) the affected individuals, b) the Secretary of Health and Human Services, and c) the media.
Data Breach Notification Laws
Outside of the federal HITECH breach notification rule, this group of laws varies considerably from state to state. By way of example, the state of California passed SB 1386 in 2002, which prescribes immediate disclosure to affected individuals of a known or suspected breach of personally identifiable information (PII). (Note: this was the first time an “immediate notification” requirement was enacted.) As of 2016, only Alabama, New Mexico, and South Dakota do not have state data breach notification laws.
2.3 Computer Crime /aka Cybercrime/ & Infosec Laws
At first, criminal acts perpetrated by means of computers were prosecuted under conventional criminal laws. Because of the novel nature of these acts, however, legislators eventually decided to pass statutes specifically designed to define the concept of computer crime clearly and to set out concrete penalties for the different crimes in this category. Although most states have enacted local (state) laws concerning cybersecurity issues, the most appropriate laws are often the federal ones, given that cybercrimes typically transcend state borders.
Computer Fraud and Abuse Act
This law was enacted to cover exclusively those cybercrimes that cross state boundaries. It prohibits:
- unauthorized access to a federal system (any computer in use by the government or a financial institution);
- meddling with medical records in a computer system in a way that impairs, or is likely to impair, the standard health services provided to an individual;
- inflicting considerable malicious damage to a federal computer system (i.e., damage in excess of $1,000);
- the use of a federal computer for fraud.
The Computer Fraud and Abuse Act
It outlaws the engineering of any kind of malware (i.e., a malicious code) that may negatively affect the normal functioning of a computer system, punishes an inadvertent infliction of damage, and provides a legal mechanism to victims of cybercrimes to pursue civil action such as an injunction and compensation for damages.
The Computer Security Act (CSA)
This law concerns itself with the important task to maintain baseline security standards for all federal agencies. It divides those responsibilities between the National Security Agency (NSA) for classified computers and the National Institute of Standards and Technology (NIST) for the remaining federal government systems. In order to satisfy the security requirements embedded in the CSA, this law also prescribes other measures such as security plans, guidelines, and training on how to handle sensitive information.
Federal Sentencing Rules
A set of guidelines whose purpose is to help judges construe cybercrime laws, as the title suggests. One should remember three prominent provisions:
- Prudent man rule – in their line of duty, individuals in charge must exercise the same caution and due care that ordinary, prudent people would.
- Extenuating circumstances – demonstrating due diligence in the conduct of cybersecurity duties may reduce the sentence.
- Three burdens of proof of negligence:
- there was a recognized obligation;
- the accused did not abide by recognized standards;
- there was a causal relationship between the negligent deed and the subsequent damages.
National Information Infrastructure Protection Act of 1996
Amendments to the Computer Fraud and Abuse Act which broadens its scope so as to cover computer systems used in international commerce and other subjects of the national infrastructure (e.g., electric power grids, gas pipelines, telecommunication networks, and railroads). Every act against the critical national infrastructure is considered a felony.
Paperwork Reduction Act of 1995 and Government Information Security Reform Act of 2000 (GISRA)
Companies must obtain Office of Management and Budget (OMB) approval prior to requesting certain types of information from the public via interviews and other similar forms. There are a number of record-keeping requirements as well.
The goals of GISRA:
- Effective control over information resources which facilitate federal assets and operations
- Ensure federal government interoperability and the implementation of impeccable security measures
- Involvement in management and oversight tasks on extant information security risks at a civilian, law enforcement, and national security level
- Provide for a minimum set of controls aimed at protecting federal systems and information
These responsibilities fall within the competence of NIST and the NSA, but also on the shoulders of individual agency personnel.
Moreover, GISRA sets out the notion of “mission critical system”:
- Designated as a national security system
- Protected by procedures specifically created to accommodate classified information
- Any negative interaction with the information in the system would have a detrimental effect on an agency’s mission
Last but not least, GISRA establishes evaluation and auditing authority for mission-critical systems.
Federal Information Security Management Act
This is another law in the sphere of government agencies, which are required to implement an information security program covering their operations. The law furthermore imposes the following obligations on the agencies:
- to perform periodic assessments of risk;
- to perform periodic testing of the effectiveness of information security policies;
- to ensure that information security matters are addressed throughout the entire life cycle of each information system;
- to inform personnel through security awareness training;
- to create procedures for detecting, reporting, and responding to cybersecurity incidents.
Children’s Online Privacy Protection Act of 1998
A law that presents a series of requirements to websites with which they must comply:
A website must display a privacy notice and clearly declare what kind of information it collects and whether this information is disclosed to third parties. Parents must be offered the option to review and revise any information gathered about their children and even to have this information permanently deleted from the website’s records. In addition, parents must give consent to the collection of information about children under the age of 13 before the data collection begins.
Identity Theft and Assumption Deterrence Act
With the rise of the Internet, stealing someone’s identity has become a very common criminal act. This law from 1998 fights such crimes with tough measures, providing severe criminal penalties – up to 15 years in prison plus a $250,000 fine – for anyone found guilty of violating it.
3. Is there something more that I should learn about compliance?
Since the beginning of the new millennium, the compliance environment which pertains to information security has grown more and more complex. Hence, it is not a surprise that so many companies appoint IT compliance officer(s) whose job is to help an organization meet its compliance obligations.
Typical regulatory compliance laws are HIPAA, the Federal Information Security Management Act (FISMA), the Sarbanes-Oxley Act (SOX), and Payment Card Industry Data Security Standard (PCI DSS), to name a few.
With respect to the last one, PCI DSS, all organizations that process, store, or transmit credit card data must comply with it. PCI DSS sets forth 12 main requirements:
- Install and maintain a firewall configuration to protect cardholder data.
- Do not use vendor-supplied defaults for system passwords and other security parameters.
- Protect stored cardholder data.
- Encrypt transmission of cardholder data across open, public networks.
- Use and regularly update antivirus software.
- Develop and maintain secure systems and applications.
- Restrict access to cardholder data by business need-to-know.
- Assign a unique ID to each person with computer access.
- Restrict physical access to cardholder data.
- Track and monitor all access to network resources and cardholder data.
- Regularly test security systems and processes.
- Maintain a policy that addresses information security.
Compliance audits are a very important part of regulatory compliance. They are usually formal in nature, and companies are sometimes (as with PCI DSS) required to engage independent auditors who verify the controls and then send a report directly to the regulators.
References
Dimov, D. (2013). Differences between the privacy laws in the EU and the US. Available on http://resources.infosecinstitute.com/differences-privacy-laws-in-eu-and-us/ (12/10/2016)
European Commission. Protection of personal data. Available on http://ec.europa.eu/justice/data-protection/ (12/10/2016)
ESA. What is Intellectual Property. Available on http://www.esa.int/About_Us/Law_at_ESA/Intellectual_Property_Rights/What_is_intellectual_property (12/10/2016)
Gregory, P (2007). CISSP certification can serve as introduction to regulatory compliance. Available on http://searchsecurity.techtarget.com/tip/CISSP-certification-can-serve-as-introduction-to-regulatory-compliance (12/10/2016)
http://law2.umkc.edu. The Right of Privacy. Available on http://law2.umkc.edu/faculty/projects/ftrials/conlaw/rightofprivacy.html (12/10/2016)
http://searchfinancialsecurity.techtarget.com (2009). PCI DSS (Payment Card Industry Data Security Standard). Available on http://searchfinancialsecurity.techtarget.com/definition/PCI-DSS-Payment-Card-Industry-Data-Security-Standard (12/10/2016)
Ieuan Jolly, Loeb & Loeb LLP. Data protection in United States: overview. Available on http://us.practicallaw.com/6-502-0467 (12/10/2016)
Kelly, A. Cybercrime Laws In The United States. Available on http://www.aaronkellylaw.com/cybercrime-laws-united-states/ (12/10/2016)
Legal systems: common law and civil law. Available on https://www.brightknowledge.org/knowledge-bank/law-and-politics/spotlight-on-law/legal-systems-common-law-and-civil-law (12/10/2016)
List of national legal systems. Available on https://en.wikipedia.org/wiki/List_of_national_legal_systems (12/10/2016)
PCI DSS 12 requirements (2012). Available on http://searchsecurity.techtarget.com/definition/PCI-DSS-12-requirements (12/10/2016)
Stewart, J., Chapple, M., Gibson, D. (2015). Certified Information Systems Security Professional Study Guide (7th Edition).