CISSP Domain – Legal, Regulations, Investigations and Compliance

March 25, 2011 by Kenneth Magee

There are several topics we need to look at when we discuss the Legal domain of CISSP.  First you need some background and a couple of important distinctions:

Civil Law and Common Law — The most significant difference is that, in civil law, judicial precedents and particular case rulings do not carry the same weight as they do under common law.

Civil Law and Criminal Law — The significant difference here is the burden of proof.  In criminal law, the standard of proof is “beyond a reasonable doubt.” However, in civil law all that is needed to prove a case is a preponderance of the evidence in your favor.

In which of the aforementioned can a possible punishment be jail time? Only criminal law.

If you see Australia in the test question, look for common law in the answer set since common law is the legal system used in the United States, Canada, the United Kingdom and most former British colonies (that includes Australia).

To satisfy your curiosity, look up criminal law, civil law, and common law and write down the definitions.  And while you’re there look up statutory, compensatory, and punitive damages. Should you see those terms, you’ll be familiar with their definitions.

There are also some definitions with regard to intellectual property law that you will need to know, such as trademarks, copyrights, licenses, trade secrets and patents.

Of those, the term we come across most often is licenses.  How many copies of a particular software package are you licensed to use, and what are the penalties if you get caught using pirated software?  You also need to understand import/export restrictions, especially as they apply to crypto systems and hardware.

Some of the other topics under this domain include specific laws, investigations and ethics.

First, let’s look at specific laws.  You should have an understanding of the general requirements of these laws and where they might be applicable:

HIPAA – Health Insurance Portability and Accountability Act

Computer Fraud and Abuse Act – Title 18 Section 1030

Electronic Communications Privacy Act

Patriot Act of 2001

Gramm-Leach-Bliley Act (GLBA)

Sarbanes-Oxley Act of 2002

Payment Card Industry Data Security Standards version 2.0

Family Educational Rights and Privacy Act of 1974 (FERPA, also known as the Buckley Amendment)

There are also a number of different Breach Laws which, at present, are only at the state level.

Now let’s look at investigations.  From an investigative perspective, you will need to know what constitutes acceptable evidence, how to maintain a chain of custody for the evidence gathered, and you should also understand forensics and the things that could invalidate evidence in a court of law.  Always remember that when gathering forensic evidence, the goal is to be able to present acceptable evidence in a court of law. You will not go to court with every piece of evidence that you gather, but you should be prepared for that eventuality.

From an ethical point of view, we have the following rules written by the Computer Ethics Institute:

  1. Thou shalt not use a computer to harm other people.
  2. Thou shalt not interfere with other people’s computer work.
  3. Thou shalt not snoop around in other people’s computer files.
  4. Thou shalt not use a computer to steal.
  5. Thou shalt not use a computer to bear false witness.
  6. Thou shalt not copy or use proprietary software for which you have not paid.
  7. Thou shalt not use other people’s computer resources without authorization or proper compensation.
  8. Thou shalt not appropriate other people’s intellectual output.
  9. Thou shalt think about the social consequences of the program you are writing or the system you are designing.
  10. Thou shalt always use a computer in ways that ensure consideration and respect for your fellow humans.

Most importantly, for this exam, familiarize yourself with the (ISC)² Code of Ethics.

So what else can I say about the Law, other than that it is the Law and we must abide by it or suffer the penalties?

One final parting comment: look up the definitions of, and differences between, 1) due care, 2) due diligence, 3) due process and 4) due protection.



J Kenneth (Ken) Magee is president and owner of Data Security Consultation and Training, LLC, which specializes in data security auditing and information security training. He has over 40 years of IT experience in both private industry and the public sector with the last 21 devoted to IT security and Risk Management.

Ken holds degrees from Robert Morris University and Fairleigh Dickinson University. He holds 30 certifications including: CTT+, CEH, CPT, SSCP, CISSP-ISSMP, CAP, CISA, CISM, ISO 27001 PA, GIAC-GWAPT/GSEC/GSNA, CIA-CGAP, Security+, and CDP. He is a Senior Instructor with the InfoSec Institute.