
Certified Ethical Hacker Domain 6: Information Security Policies, Laws and Acts

July 8, 2019 by Lester Obbayi


In this article, we’ll discuss the differences in information security policies and what goes into designing good ones. We give examples of each, discussing industry-wide accepted security standards and laws that different countries have put in place over time to combat the ever-increasing threat of cyber-crime.

CEH candidates will be required to have a basic understanding of this domain; it is the least weighty of the seven CEH domains, with only 1.9% of the total exam weight and only two test items.

Overview of Information Security Policies

In the information security industry today, organizations will often lay down their security plan as agreed by top management. Accepted plans are then passed to middle management, team leaders and eventually to the executives who carry them out. These security plans are usually contained in documents referred to as policies, which are of different types and applications. The exam will test candidates' ability to correctly identify these policies in given scenarios.

Types of Information Security Policies

Information security policies are high-level documents defining the vision of the organization’s security goals, scope, responsibilities and needs. They can generally be categorized into three main types:

  1. Organizational (master) policy: This can also be considered a general outline (overall strategy) of the entire organization’s security program
  2. System-specific policy: This can be considered as the accepted rules for specific systems or computers in the organization. Accepted rules can be on hardware, software or even hardening requirements
  3. Issue-specific policy: This type of policy concerns itself with functional aspects that may require more attention within the organization

Policies may fall into any of the categories above. Being able to categorize policies effectively is a plus when preparing for the exam. Candidates also need a general understanding of these high-level policies and should know what standards, security baselines and security procedures each entails.

Examples of Security Policies

The CEH exam also examines the basic policies that are required when building a security program within the organization. It should be noted that this list of policies is not exhaustive: the examples below are the most common policies (there are many more online if you are interested in searching further).

  1. Acceptable Use Policy (AUP)
  2. Access Control Policy (ACP)
  3. Change Management Policy
  4. Information Security Policy
  5. Incident Response Policy

Privacy Policies at the Workplace

Candidates will be tested on their ability to assess the areas of security that are important in an organization and how these influence the security policies to be implemented.

During such an assessment, several factors will be of key importance, for instance the company structure, size and budget. Workplace security policies must be regularly revised; legal compliance updates, business changes, and incidents or imminent threats are just a few of the factors driving revision that candidates will be required to understand.

Overview of the Common Laws and Standards

Payment Card Industry Data Security Standard (PCI-DSS)

The PCI DSS standard is an information security standard for organizations that handle branded credit cards for the major card schemes. A "card scheme" is simply a network that is linked to payment cards, such as credit and debit cards. A financial institution may become a member of a scheme, allowing it to issue or acquire cards operating on the network of that card scheme.

Candidates need to have a very basic understanding of how three-party and four-party schemes work. The most important thing to know, though, is that PCI DSS covers payment processing and fines can be incurred by not complying.

ISO/IEC 27001:2013

This standard specifies all the requirements for establishing, implementing, maintaining and continually improving an information security management system within the context of the organization. Candidates will be required to have a very general/basic understanding of the requirements for assessment and treatment of the risks associated with information security. Candidates should also note that the requirements set out in ISO/IEC 27001:2013 are very generic, and thus will apply to all organizations regardless of size, type or nature.

Health Insurance Portability and Accountability Act (HIPAA)

HIPAA is a 1996 United States law that contains data security and privacy provisions intended to safeguard medical information. This legislation has risen to prominence over the years as a result of numerous data breaches (cyber-attacks that have also included ransomware) affecting health providers and insurers. Candidates will be required to have a very general overview of this legislation. There are five sections (titles) in this legislation; however, the one that matters for the exam is Title II: HIPAA Administrative Simplification. This is the section people refer to when they speak of HIPAA compliance.

Candidates must be able to identify information that is protected by HIPAA (what is considered protected health information), who is covered, administrative requirements and the penalties that can be faced in case of violation.

Sarbanes-Oxley Act (SOX)

Due to fraud at Enron, WorldCom and Tyco, the Sarbanes-Oxley Act went into effect back in 2002. The aim of this act was to protect stakeholders and the general public from accounting errors and fraudulent activities within organizations. This act was designed to improve the accuracy and accountability of corporate disclosures.

SOX is very much still relevant today. It applies to accounting firms and third parties that provide financial services to organizations subject to the act. It also applies to all publicly-held American and international organizations that have registered equity and/or debt securities with the U.S. Securities and Exchange Commission (SEC). Candidates will be required to have a general understanding of the SOX act.

Federal Information Security Management Act (FISMA)

FISMA, passed in 2002, is a United States federal law that is part of the larger E-Government Act. It requires federal agencies to develop, document and implement an information security and protection program. The main aim of this act was, and remains, to reduce security risks to federal information and data while at the same time managing spending on information security. Candidates should also be aware of FISMA best practices, the benefits of FISMA compliance and the penalties associated with non-compliance.


Information security continues to evolve, with new and unforeseen attacks emerging almost daily. All this seems to indicate that more laws and restrictions will emerge in the future, with even more nations enforcing seemingly dictatorial laws. Candidates must familiarize themselves with the changing aspects of cyber-laws and future trends. However, candidates should also study smart and not spend too much time on this domain, given the small number of items to be tested. Study smart and good luck!



Lester Obbayi is a Cyber Security Consultant with one of the largest Cyber Security Companies in East and Central Africa. He has a deep interest in Cyber Security and spends most of his free time doing freelance Penetration Tests and Vulnerability Assessments for numerous organizations.
