As a security professional, you should also be familiar with the legal issues surrounding software licensing agreements. There are four main types of license agreement in use today. Refer to the mindmap below for details.
Import/export law also helps a company control the flow of its information across multiple countries.
Case Study: The case study below illustrates why encryption export control is required for a company or enterprise.
Let us assume one of the hosts in South Africa is trying to communicate with one of the hosts in India, and the traffic exits your perimeter router via the Internet.
Also assume this host in South Africa uses an encryption algorithm that is permitted in South Africa and India but not in Singapore, since different countries may have different laws regarding the transmission of data or the encryption standards allowed.
Given the nature of IP packet flow, this traffic stream may take many different routes; let us assume in this case that it transits Singapore.
In this case, your end-to-end host communication is violating the law of Singapore.
Hence, wherever there is a chance of breaking a foreign nation's data laws, we must control the data flow to avoid violations, and this must be included in risk management.
A solution to such a problem could be to use a pinned path (avoiding flow via Singapore) in WAN technologies such as MPLS, Frame Relay, or ATM.
Privacy is becoming more threatened as all of us rely increasingly on computing technology and digital content. Governments have taken several approaches, including laws, to address privacy issues. The figure below illustrates U.S. and European privacy law.
In the cyber world, computers are heavily used to commit cyber crime. Because of these undesirable acts, organizations wanted to keep them from happening again, and this led to the beginning of computer crime law. This is true for all criminal law: law is created to prevent crimes from recurring in the future.
The mindmap below explains computer crimes and their objectives. To protect organizations from computer crimes, the U.S. has developed a series of computer crime laws over the years. Refer to the mindmap below for all required details.
Every country follows some kind of legal system. The figure below shows the different types of legal system.
Since CISSP focuses mostly on U.S. laws and regulations, we will restrict ourselves to the U.S. We can observe that the U.S. follows the common law system. As IT and security professionals, we understand that laws and regulations have a significant impact on how we work and behave day to day. Hence the picture below depicts some of the essential laws covered by the CISSP course content.
Over the last decade, the regulatory environment governing information security has grown increasingly complex. Organizations may find themselves subject to a wide variety of laws, including:
Computer Crime Laws
Intellectual Property Law
Software Licensing Law
There are also regulations imposed by regulatory agencies or contractual obligations, such as PCI-DSS, which can be a mandate for running your business. Refer to the screenshot below for more details about PCI-DSS.
There could be other regulatory compliance requirements, such as:
Auditing – for gathering evidence and finding weaknesses in a system.
Reporting – in case there is a breach.
Metrics – to identify the effectiveness of your controls and to identify trends.