Thursday, October 12, 2017

CISSP Domain 1 - Laws and Regulations


Laws

ITAR, 1976 - International Traffic in Arms Regulations; defense goods, Arms Export Control Act
FERPA - Family Educational Rights and Privacy Act of 1974 - protects the privacy of student education records
GLBA - Gramm-Leach-Bliley Act - Credit-related PII (Personally Identifiable Information)
ECS - Electronic Communication Service (Europe); notice of breaches
Fourth Amendment - Basis for privacy rights is the fourth amendment of the US constitution
1974 US Privacy Act - Protection of PII on federal databases
1980 Organization for Economic Cooperation and Development (OECD) - Provides guidelines on data collection, specifications and safeguards
1986 (amended in 1996) US Computer Fraud and Abuse Act - Trafficking in computer passwords or information that caused a loss of $1000 or more or could impair medical treatment.
1986 Electronic Communications Privacy Act - Prohibits eavesdropping or interception without distinguishing private/public
Communications Assistance for Law Enforcement Act (CALEA) of 1994 - Amended the Electronic Communications Privacy Act of 1986. CALEA requires all communications carriers to make wiretaps possible for law enforcement with an appropriate court order, regardless of the technology in use.
1987 US Computer Security Act - Security training, developing a security plan, and identifying sensitive systems in government agencies.
1991 US Federal Sentencing Guidelines - Places responsibility on senior management, with fines up to $290 million. Invokes the prudent man rule. Addresses both individuals and organizations.
1996 US Economic and Protection of Proprietary Information Act - Industrial and corporate espionage
1996 Health Insurance Portability and Accountability Act (HIPAA) - United States legislation that provides data privacy and security provisions for safeguarding medical information. It applies to health insurance providers, health providers (hospitals) and healthcare clearing houses (where data is stored and analyzed).
1996 US National Information Infrastructure Protection Act - Encourages other countries to adopt similar frameworks
2009 Health Information Technology for Economic and Clinical Health (HITECH) - Congress amended HIPAA by passing this act. It updated many of the privacy and security requirements. HITECH also introduced new data breach notification requirements.


Regulations and Frameworks

SOX - Sarbanes-Oxley, 2002, passed after the ENRON and World Online debacle - requires independent review by external accountants.

Executives are now held liable if the organization they represent is not compliant with the law.

Negligence occurs when there is:
  • failure to implement recommended precautions
  • no contingency/disaster recovery plan
  • failure to conduct appropriate background checks
  • failure to institute appropriate information security measures
  • failure to follow policy or local laws and regulations
  • Section 302 of SOX - CEOs and CFOs can be sent to jail when information they sign is incorrect.
  • Section 404 of SOX - Internal controls assessment, describing logical controls over accounting files, good auditing, and information security.
COSO - Committee of Sponsoring Organizations of the Treadway Commission
Framework to work with Sarbanes-Oxley Section 404 compliance.
Need for information security to protect the individual. Privacy is the keyword here: only use information about individuals for the purpose it was gathered for.
Goals for organizations.

ITSEC is the European version of TCSEC that came from the USA (Orange book):
Differences:
  • Strong in Anti-Spam and legitimate marketing
  • Directs public directories to be subjected to tight controls
  • Takes an OPT-IN approach to unsolicited commercial electronic communications
  • User may refuse cookies to be stored and user must be provided with information
  • Member states in the EU can make their own laws e.g. retention of data
COBIT - Control Objectives for Information and Related Technologies
Examines the effectiveness, efficiency, confidentiality, integrity, availability, compliance, and reliability of high-level control objectives. Focus on having controls, GRC-heavy auditing, metrics and regulated industries. Goals for IT.

ITIL - Information Technology Infrastructure Library - De facto standard/framework for the IT service management industry. The most recent version was released in 2011.

OCTAVE - Self-directed risk management

BS7799 aka ISO 27002 - British Standard absorbed into ISO 17799, which was then renamed ISO 27002
Guidance on improving an information security management system (ISMS) using best practices

ISO 27001 - Formally defines the mandatory requirements for an ISMS.

PDCA:
Part of ISO 27001
Expands to:
  • Plan - Establish ISMS
  • Do - Implement / Operate ISMS
  • Check - Monitor / Review ISMS
  • Act - Maintain / Improve ISMS
PCI DSS - Payment Card Industry Data Security Standard - Compliance enforced by the credit card companies (Visa/Mastercard/American Express).

Types of Laws:

Criminal - Penalties: jail/fine (punishment / deterrent)
Civil - Liability, due care, due diligence
Regulatory - EPA Act, HIPAA, SOX
Intellectual Property - WIPO (World Intellectual Property Organization, run by the UN)

Due Care - Means that a company did all it reasonably could to prevent a security breach / compromise / disaster and took the necessary steps required as countermeasures / controls (safeguards).

Due Diligence - Means that a company properly investigated all of its possible weaknesses and vulnerabilities, i.e. understood the threats.

I will cover intellectual property more in depth below.



Intellectual Property Laws

Patent - Grants ownership of an invention and gives the owner the means to exclude others from practicing the invention. After 20 years the invention is open for anyone to use.

Copyright - Protects the expression of ideas but not necessarily the idea itself
Term of 70 years after the death of the individual or 75 years after the end of the company.
Two caveats - First Use and First Sale

Trade Secret - Something that is proprietary to a company and important for its survival and profitability (i.e. the Coke formula)

Trademarks - Words, names, product shape, symbol, color, or a combination of these used to distinguish products from competitor products - lasts 10 years

Wassenaar Arrangement (WA) - Dual-use goods; previously cryptographic algorithms had been classified as munitions and couldn't be "sold/used" by foreign countries. Concerns export and import restrictions.


Source material: Sunflower CISSP Guide Version 2.0 (2017) by Maarten de Frankrijker

2 comments:

  1. Hi, this is a great article. Loved your efforts on it buddy. Thanks for sharing this with us. CISSP training.

  2. Thanks for giving this helpful information, it is very helpful for me. I have to also join Regulatory Affairs Online Training Courses in USA.

    Checkout - online regulatory compliance training
    FDA Trainings