CISSP All-in-One Exam Guide Chapter 3: Compliance PDF

Summary

This chapter reviews various types of legal investigations, including administrative, criminal, civil, and regulatory investigations, and their importance in cybersecurity. It highlights the differences between these types of investigations and the roles of various parties involved. The chapter also emphasizes the role and responsibilities of cybersecurity professionals and the importance of laws and regulations in their work.

Full Transcript

an administrative investigation, particularly if the violation resulted in some loss or bad press for the organization. In the worst case, someone can get fired. Typically, however, someone is counseled not to do something again and that is that. Either way, you want to keep your human resources (HR) staff involved as you proceed.

Criminal

A seemingly administrative affair, however, can quickly get stickier. Suppose you start investigating someone for a possible policy violation and along the way discover that person was involved in what is likely criminal activity. A criminal investigation is one that is aimed at determining whether there is cause to believe beyond a reasonable doubt that someone committed a crime. The most important thing to consider is that we, as information systems security professionals, are not qualified to determine whether or not someone broke the law; that is the job of law enforcement agencies (LEAs). Our job, once we have reason to believe that a crime may have taken place, is to preserve evidence, ensure the designated people in our organizations contact the appropriate LEA, and assist them in any way that is appropriate.

Civil

Not all statutes are criminal, however, so it is possible for an alleged violation of a law to result in something other than a criminal investigation. The two likeliest ways to encounter this are possible violations of civil law or of government regulations. A civil investigation is typically triggered when a lawsuit is imminent or ongoing. It is similar to a criminal investigation, except that instead of working with an LEA you will probably be working with attorneys from both sides (the plaintiff is the party suing and the defendant is the one being sued). Another key difference in civil (versus criminal) investigations is that the standard of proof is much lower; instead of proving beyond a reasonable doubt, the plaintiff just has to show that the preponderance of the evidence supports the allegation.

Regulatory

Somewhere between the previous three (administrative, criminal, and civil investigations) lies the fourth kind you should know. A regulatory investigation is initiated by a government regulator when there is reason to believe that the organization is not in compliance. These vary significantly in scope and could look like any of the other three types of investigation depending on the severity of the allegations. As with criminal investigations, the key thing to remember is that your job is to preserve evidence and assist the regulator's investigators as appropriate.

Chapter Review

The fact that the Internet is a global medium does not negate the power of governments to establish and enforce laws that govern what can be done by whom on networks within each country. This can create challenges for cybersecurity professionals whose organizations have clients, partners, or activities in multiple jurisdictions. The most important thing you can do as a CISSP is develop a good relationship with your legal team and use that to ensure you are aware of all the legal and regulatory requirements that may pertain to cybersecurity. Then, after you implement the necessary controls, check with your lawyer friends again to ensure you've exercised due diligence. Keep checking, because laws and regulations do change over time, particularly if you are operating in multiple countries.

Quick Review

Law is a system of rules (written or otherwise), created by a government, that apply equally to everyone in the country.
Regulations are written rules issued by an executive body, covering specific issues, and apply only to the specific entities that fall under the authority of the agency that issues them.
Civil law system: Uses prewritten rules and is not based on precedent. Is different from civil (tort) laws, which work under a common law system.
Common law system: Made up of criminal, civil, and administrative laws.
Customary law system: Addresses mainly personal conduct and uses regional traditions and customs as the foundations of the laws. Is usually mixed with another type of listed legal system rather than being the sole legal system used in a region.
Religious law system: Laws are derived from religious beliefs and address an individual's religious responsibilities; commonly used in Muslim countries or regions.
Mixed law system: Uses two or more legal systems.
Criminal law deals with an individual's conduct that violates government laws developed to protect the public.
Civil law deals with wrongs committed against individuals or organizations that result in injury or damages. Civil law does not use prison time as a punishment, but usually requires financial restitution.
Administrative, or regulatory, law covers standards of performance or conduct expected by government agencies from companies, industries, and certain officials.
Many attacks cross international borders, which makes them harder to prosecute because doing so requires deconflicting the laws of the various countries involved; attackers use this to their advantage.
Island-hopping attacks are those in which an attacker compromises an easier target that has a trusted connection to the ultimate target.
An advanced persistent threat (APT) is a sophisticated threat actor that has the means and the will to devote extraordinary resources to compromising a specific target and remaining undetected for extended periods of time.
A data breach is a security event that results in the actual or potential compromise of the confidentiality or integrity of protected information by unauthorized actors.
Personally identifiable information (PII) is data that can be used to uniquely identify, contact, or locate a single person or can be used with other sources to uniquely identify a single individual.
Each country has specific rules that control what can be legally imported and exported. This applies particularly to some cryptographic tools and techniques.
A transborder data flow (TDF) is the movement of machine-readable data across a political boundary such as a country's border.
Data localization laws require that certain types of data be stored and processed in that country, sometimes exclusively.
Intellectual property (IP) is a type of property created by human intellect that consists of ideas, inventions, and expressions that are uniquely created by a person and can be protected from unauthorized use by others.
A license is an agreement between an intellectual property (IP) owner (the licensor) and somebody else (the licensee), granting that party the right to use the IP in very specific ways.
Trade secrets are deemed proprietary to a company and often include information that provides a competitive edge. The information is protected as long as the owner takes the necessary protective actions.
Copyright protects the expression of ideas rather than the ideas themselves.
Trademarks protect words, names, product shapes, symbols, colors, or a combination of these used to identify products or a company. These items are used to distinguish products from the competitors' products.
A patent grants ownership and enables that owner to legally enforce his rights to exclude others from using the invention covered by the patent.
Due diligence can be defined as doing everything within one's power to prevent a bad thing from happening. It is normally associated with leaders, laws, and regulations.
Due care means taking the precautions that a reasonable and competent person would take in the same situation. It is normally applicable to everyone, and its absence could be used to show negligence.
Administrative investigations are focused on policy violations.
Criminal investigations are aimed at determining whether there is cause to believe that someone committed a crime.
A civil investigation is typically triggered when a lawsuit is imminent or ongoing, and is similar to a criminal investigation, except that instead of working with law enforcement agencies you will probably be working with attorneys from both sides.
A regulatory investigation is initiated by a government regulator when there is reason to believe that the organization is not in compliance.

Questions

Please remember that these questions are formatted and asked in a certain way for a reason. Keep in mind that the CISSP exam is asking questions at a conceptual level. Questions may not always have the perfect answer, and the candidate is advised against always looking for the perfect answer. Instead, the candidate should look for the best answer in the list.

1. When can executives be charged with negligence?
A. If they follow the transborder laws
B. If they do not properly report and prosecute attackers
C. If they properly inform users that they may be monitored
D. If they do not practice due care when protecting resources

2. To better deal with computer crime, several legislative bodies have taken what steps in their strategy?
A. Expanded several privacy laws
B. Broadened the definition of property to include data
C. Required corporations to have computer crime insurance
D. Redefined transborder issues

3. Which of the following is true about data breaches?
A. They are exceptionally rare.
B. They always involve personally identifiable information (PII).
C. They may trigger legal or regulatory requirements.
D. The United States has no laws pertaining to data breaches.

Use the following scenario to answer Questions 4–6. Business is good and your company is expanding operations into Europe. Because your company will be dealing with personal information of European Union (EU) citizens, you know that it will be subject to the EU's General Data Protection Regulation (GDPR). You have a mature security program that is certified by the International Organization for Standardization (ISO), so you are confident you can meet any new requirements.
