CISSP Laws Regs Handout


What you need for the exam!

CISSP EXAM CRAM: Laws and Regulations

INTRODUCTION: CISSP EXAM DOMAINS

1. Security and Risk Management 15%

2. Asset Security 10%

3. Security Architecture and Engineering 13%

4. Communication and Network Security 13%

5. Identity and Access Management 13%

6. Security Assessment and Testing 12%

7. Security Operations 13%

8. Software Development Security 11%


DOMAIN 1: SECURITY & RISK MANAGEMENT

1.1 Understand, adhere to, and promote professional ethics
1.2 Understand and apply security concepts
1.3 Evaluate and apply security governance principles
1.4 Determine compliance and other requirements
1.5 Understand legal and regulatory issues that pertain to information security in a holistic context
1.6 Understand requirements for investigation types (i.e., admin, criminal, civil, regulatory, industry standards)
DOMAIN 1: LEGAL & REGULATORY

Legal and regulatory issues that pertain to information security in a holistic context:
➢ Cyber crimes and data breaches
➢ Trans-border data flow
➢ Licensing and intellectual property requirements
➢ Privacy
➢ Import/export controls
DOMAIN 1: LEGAL & REGULATORY

Focuses on U.S. law

Criminal Law: jail / prison
  Contains prohibitions against acts such as murder, assault, robbery, and arson.
Civil Law: monetary disputes and penalties
  Includes contract disputes, real estate transactions, employment, estate, and probate.
Administrative Law: government does a lot of this
  Defines standards of performance and conduct for major industries, organizations, and government agencies.

The CISSP exam focuses on security-related generalities of law, regulations, investigations, and compliance.
DOMAIN 1: LEGAL & REGULATORY

The first major piece of US cybercrime-specific legislation

Made it a crime to:
➢ Gain unauthorized access to classified information or financial information in a federal system
➢ Use a federal computer to perpetrate a fraud
➢ Cause malicious damage to a federal computer system in excess of $1,000
➢ Modify medical records in a computer in a way that impairs treatment

Covers unauthorized and malicious activities on federal systems
DOMAIN 1: LEGAL & REGULATORY

Provided punishment guidelines to help federal judges interpret computer crime laws.

Outlined three burdens of proof for negligence:
1. The person accused of negligence must have a legally recognized obligation.
2. The person must have failed to comply with recognized standards.
3. There must be a causal relationship between the act of negligence and the subsequent damages.
DOMAIN 1: LEGAL & REGULATORY

Federal Information Security Management Act (FISMA)

➢ Required formal infosec operations for the federal gov’t
➢ Requires that government agencies include the activities of contractors in their security management programs
➢ Repealed and replaced the Computer Security Act of 1987 and the Government Information Security Reform Act of 2000
➢ NIST is responsible for developing the FISMA implementation guidelines
➢ It is unlikely that the specifics of the NIST guidelines for FISMA are on the exam
DOMAIN 1: LEGAL & REGULATORY

Copyright covers literary, musical, and dramatic works.

➢ There is precedent for copyrighting computer software; it’s done under the scope of literary works.
➢ Copyright law protects only the expression inherent in computer software → the actual source code
➢ Copyright ownership always defaults to the creator of a work EXCEPT in “works for hire”
➢ Copyright protection is 70 years or longer, depending on the situation
➢ The 1st major revision included CD/DVD copy protections
DOMAIN 1: LEGAL & REGULATORY

Trademarks: intended to avoid marketplace confusion
  Cover words, slogans, and logos used to identify a company and its products or services.
Patents: must be 1) new, 2) useful, and 3) not obvious
  Protect the intellectual property rights of inventors.
Trade Secrets
  Intellectual property that is critical to a business and must not be disclosed; avoids the disadvantages of copyrights and patents.
Licensing
  The 4 types you should know are 1) contractual, 2) shrink-wrap, 3) click-through, and 4) cloud services.
DOMAIN 1: LEGAL & REGULATORY

Trademarks: 10 years
  Can potentially last forever, but must be renewed every ten years.
Patents: 20 years
  Generally granted for 20 years from the date the patent application is filed.
Copyright: 70 years
  Lasts for the life of the author plus an additional 70 years.
Trade Secrets: indefinitely (forever)
  Intellectual property that is critical to a business and must not be disclosed.
DOMAIN 1: LEGAL & REGULATORY

Two sets of governing regulations of interest:

International Traffic in Arms Regulations (ITAR)
  Controls the export of items that are specifically designated as military and defense items.
Export Administration Regulations (EAR)
  Cover a broader set of items that are designed for commercial use but may have military applications.

These regulations govern the export of sensitive hardware and software products to other nations.
DOMAIN 1: LEGAL & REGULATORY

Regulation from the Department of Commerce’s Bureau of Industry and Security

➢ It used to be virtually impossible to export even relatively low-grade encryption technology outside the United States
➢ The regulations now designate the categories of retail and mass market security software
➢ They permit firms to submit these products for review for export approval by the Commerce Department
DOMAIN 1: LEGAL & REGULATORY

➢ Made theft of proprietary economic information an act of espionage
➢ Changed the legal definition of theft so that it was no longer restricted by physical constraints
➢ Defines the term "economic espionage" as the theft or misappropriation of a trade secret with the intent or knowledge that the offense will benefit any foreign government, foreign instrumentality, or foreign agent
DOMAIN 1: PRIVACY LAWS IN THE USA

4th Amendment
  The basis for privacy rights is in the Fourth Amendment to the U.S.
Privacy Act of 1974
  Limits the ability of federal government agencies to disclose private information without prior written consent of the affected individuals
Electronic Communications Privacy Act (ECPA) of 1986
  Makes it a crime to invade the electronic privacy of an individual
Communications Assistance for Law Enforcement Act (CALEA) of 1994
  Amended the ECPA to make wiretaps possible for law enforcement with an appropriate court order, regardless of the technology in use.
DOMAIN 1: PRIVACY LAWS IN THE USA

Know PII and PHI!

Health Insurance Portability and Accountability Act (HIPAA)
  Privacy and security regulations requiring strict security measures for hospitals, physicians, and insurance companies
Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH)
  Updated many of HIPAA’s privacy and security requirements
  Applies to organizations that handle protected health information (PHI) on behalf of a HIPAA covered entity

PII = Personally Identifiable Information
PHI = Protected Health Information
DOMAIN 1: PRIVACY LAWS IN THE USA

Gramm-Leach-Bliley Act (GLBA)
  Focused on the services of banks, lenders, and insurance companies
  Severely limited the services they could provide and the information they could share with each other
Children’s Online Privacy Protection Act (COPPA)
  Makes a series of demands on websites that cater to children or knowingly collect information from children
Family Educational Rights and Privacy Act (FERPA)
  Grants certain privacy rights to students older than 18 and to the parents of minor students
DOMAIN 1: PRIVACY LAWS IN THE USA

USA PATRIOT Act of 2001
  Greatly broadened the powers of law enforcement organizations and intelligence agencies
  Covered several areas, including monitoring electronic communications and how the gov’t deals with ISPs
  Made it possible to obtain much broader wiretapping authorizations

Became law a few weeks after the 9/11 attacks in 2001


DOMAIN 1: PRIVACY LAWS IN THE USA

Identity Theft and Assumption Deterrence Act
  Makes identity theft a crime against the person whose identity was stolen
  Provides severe criminal penalties (up to a 15-year prison term and/or a $250,000 fine)

Became law in 1998


DOMAIN 1: PRIVACY LAWS IN THE USA

Payment Card Industry Data Security Standard

A widely accepted set of policies and procedures intended to optimize the security of credit, debit and cash card transactions
Created jointly in 2004 by four major credit-card companies: Visa, MasterCard, Discover and American Express

BASED ON 6 MAJOR OBJECTIVES
> a secure network must be maintained in which transactions can be conducted
> cardholder information must be protected wherever it is stored
> systems should be protected against the activities of malicious hackers
> cardholder data should be protected physically as well as electronically
> networks must be constantly monitored and regularly tested
> a formal information security policy must be defined, maintained, and followed
DOMAIN 1: PRIVACY LAWS

European Union Privacy Law enacted in 1998
  A directive outlining the privacy measures required for protecting personal data processed by information systems
  Organizations based outside Europe must consider the applicability of these rules
Privacy Shield approved by the EU in July 2016
  An agreement between the EU and the US outlining seven requirements for the processing of personal information
  Allows the Department of Commerce and the Federal Trade Commission (FTC) to certify businesses that comply with the regulations
  A compliant business is offered “safe harbor” from prosecution
DOMAIN 1: PRIVACY LAWS

European Union General Data Protection Regulation

A comprehensive law covering the protection of personal information
Applies to all organizations that collect data from EU residents or process that information on behalf of someone who collects it.

KEY PROVISIONS
> a data breach notification requirement that mandates that companies inform authorities of serious data breaches within 24 hours
> creation of centralized data protection authorities in each EU member state
> provisions that individuals will have access to their own data
> data portability provisions that will facilitate the transfer of personal information between service providers at the individual’s request
> the “right to be forgotten” that allows people to require companies to delete their information if it is no longer needed
INSIDE AZURE MANAGEMENT

THANKS FOR WATCHING!