Software Licensing & Import/Export Law

As a security professional, you should also be familiar with the legal issues surrounding software licensing agreements. There are four main types of license agreement in use today; refer to the mindmap below for details.

Import/export law likewise constrains how a company may move its information, and in particular cryptographic products and encrypted data, across national borders.

Case Study:
The case study below illustrates "why" encryption export control matters to a company or enterprise.

  • Assume a host in South Africa is communicating with a host in India, and the traffic leaves your perimeter router via the Internet.
  • Assume also that the South African host is using an encryption algorithm that is permitted in South Africa and India but "not" in "Singapore." Countries differ in their laws on the transmission of data and on which encryption standards are allowed.
  • Because IP packets are routed hop by hop, the traffic stream may take any of many different routes; assume in this case that it transits Singapore.
  • Your end-to-end host communication is then subject to, and may be in violation of, the law of Singapore.
  • Hence, wherever there is a chance of breaking a foreign country's data laws, the data flow must be controlled to avoid violations, and this must be included in "Risk Management."
  • One solution is a pinned path over a WAN technology such as MPLS, Frame Relay or ATM, so that the traffic never transits Singapore. Ordinary Internet routing gives the sender no reliable control over the transit path, which is why a dedicated WAN circuit is needed.
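The following is an added example, not part of the original case study, showing how the jurisdiction check and the pinned-path selection can be modelled before a circuit is ordered. The WAN topology, node names, country labels and the "observed" Internet route are all constructed for illustration; in practice the path pinning itself is configured on the MPLS/WAN provider side, and this script only checks which of the available paths is compliant. It also handles the failure mode the case study does not mention: when no compliant path exists, the only safe answer is not to send.

```python
"""
Jurisdiction-aware route check and pinned-path selection.

Constructed example: topology, node names and country labels are
invented for illustration (not data from the original page).
"""
from collections import deque

# Constructed topology: each node is a router / point of presence, labelled
# with the ISO country code whose law governs traffic passing through it.
NODE_COUNTRY = {
    "jnb-edge": "ZA",  # Johannesburg, South Africa (origin host's edge)
    "sin-ix":   "SG",  # Singapore transit point
    "dxb-ix":   "AE",  # Dubai transit point
    "lon-ix":   "GB",  # London transit point
    "bom-edge": "IN",  # Mumbai, India (destination host's edge)
}

# Bidirectional links between the nodes above (constructed).
LINKS = [
    ("jnb-edge", "sin-ix"),
    ("jnb-edge", "dxb-ix"),
    ("jnb-edge", "lon-ix"),
    ("sin-ix", "bom-edge"),
    ("dxb-ix", "bom-edge"),
    ("lon-ix", "dxb-ix"),
]

# Constructed "observed" Internet path, e.g. what a traceroute might show
# when the packets happen to be routed via Singapore.
INTERNET_ROUTE = ["jnb-edge", "sin-ix", "bom-edge"]


def build_graph(links):
    """Adjacency sets for an undirected graph."""
    graph = {}
    for a, b in links:
        graph.setdefault(a, set()).add(b)
        graph.setdefault(b, set()).add(a)
    return graph


def violating_hops(path, node_country, prohibited):
    """Hops of `path` located in a jurisdiction where this traffic is not allowed."""
    return [hop for hop in path if node_country[hop] in prohibited]


def pinned_path(graph, node_country, src, dst, prohibited):
    """Shortest (fewest hops) path from src to dst that never enters a
    prohibited jurisdiction, found by breadth-first search.  Returns None
    when no compliant path exists, in which case the traffic must not be
    sent rather than routed anyway.  The endpoints are assumed to be in
    jurisdictions where the algorithm is permitted and are not filtered.
    """
    if src == dst:
        return [src]
    parents = {src: None}
    queue = deque([src])
    while queue:
        node = queue.popleft()
        for nxt in sorted(graph.get(node, ())):  # sorted for determinism
            if nxt in parents:
                continue
            if nxt != dst and node_country[nxt] in prohibited:
                continue  # never transit a prohibited jurisdiction
            parents[nxt] = node
            if nxt == dst:
                path = [dst]
                while parents[path[-1]] is not None:
                    path.append(parents[path[-1]])
                return path[::-1]
            queue.append(nxt)
    return None


if __name__ == "__main__":
    graph = build_graph(LINKS)
    print("violating hops on Internet route:",
          violating_hops(INTERNET_ROUTE, NODE_COUNTRY, {"SG"}))
    print("pinned path avoiding SG:",
          pinned_path(graph, NODE_COUNTRY, "jnb-edge", "bom-edge", {"SG"}))
    print("pinned path avoiding SG and AE:",
          pinned_path(graph, NODE_COUNTRY, "jnb-edge", "bom-edge", {"SG", "AE"}))
```

With the constructed topology, the observed Internet route is flagged on the Singapore hop, the pinned path goes via Dubai instead, and once Dubai is also excluded no compliant path remains (London only connects onward through Dubai), which is the outcome the risk assessment has to record.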

Computer Crimes and respective Laws

Computers are heavily used to commit crime. Organizations want to keep such undesirable events from happening again, and this led to the creation of computer crime laws. The same is true of criminal law in general: laws are created to deter crimes from recurring in the future.

The mindmap below explains the main computer crimes and their objectives. To protect organizations from computer crime, the U.S. has developed a series of computer crime laws over the years; refer to the mindmap below for details.

Laws, Regulations, Compliance

Every country follows some kind of legal system. The figure below shows the different types of legal system.

Since CISSP focuses mainly on U.S. laws and regulations, we will restrict ourselves to the U.S. Note that the U.S. follows the common law system.
As IT and security professionals, we understand that laws and regulations have a significant impact on how we work and behave day to day. The picture below therefore depicts some of the essential laws covered by the CISSP course content.

Over the last decade, the regulatory environment governing information security has grown increasingly complex. Organizations may find themselves subject to a wide variety of laws, including:

  1. Computer Crime Laws
  2. Intellectual Property Law
  3. Software Licensing Law
  4. Import/Export Law
  5. Privacy Law

Other requirements are imposed not by statute but by regulatory agencies or by contractual obligations such as PCI DSS, which applies to any organization that stores, processes or transmits payment card data and can be a precondition for doing business at all. Refer to the screenshot below for more details on PCI DSS.

Compliance also entails ongoing activities such as:
  • Auditing: gathering evidence and finding weaknesses in a system.
  • Reporting: required in the event of a "Breach."
  • Metrics: measuring the effectiveness of your controls and identifying trends.