Understand legal issues that pertain to information security in a global context

This course covers the first of 4 modules of Domain 1 of the CISSP, covering security and risk management. It will focus on the CIA Triad, governance principles, compliance, and legal issues.

Learning Objectives

The objectives of this course are to provide you with an understanding of:

  • What confidentiality, integrity, and availability are, how they apply to information security, and how to apply those concepts in the real world
  • How to apply security governance principles
  • Compliance, and how it plays a huge role within security and risk management
  • The legal and regulatory issues that pertain to cybersecurity within a global context

Intended Audience

This course is designed for those looking to take the most in-demand information security professional certification currently available, the CISSP.


Any experience relating to information security would be advantageous, but not essential.  All topics discussed are thoroughly explained and presented in a way allowing the information to be absorbed by everyone, regardless of experience within the security field.


If you have thoughts or suggestions for this course, please contact Cloud Academy at


So moving into section four to understand legal issues. It has to be remembered that CISSP is a global certification. Consequently, we have to talk about laws in the international context. Now one word that I can give you about the exam, this is not like a bar exam for attorneys. You won't be asked detailed questions about these if you're a CISSP say in Canada, about laws that might exist along the same line but in Japan. Having a general understanding of the concepts that each of these laws presents is more along the lines of what you would likely face. Let's move into our section four. 

So here's the listing of the topics we're going to cover in this particular module. We're going to expand on the topic I introduced a moment ago and talking about legal. It is absolutely no secret, in fact, it's front page news that we have an increasing amount of computer crime. But while we may have an increasing amount of computer crime, the question has to be asked, how much more effective is law enforcement in dealing with computer crimes as opposed to the common criminal events, let's say burglary or car theft? What in fact creates a computer crime? What are we looking at? Well, when we look at cyber crime, as it's commonly being called these days, we have to evaluate what is actually going on and try to compare it to what is happening in other laws to try to get an equivalence between them to help to aid or understand it? We're looking at the loss of intellectual property and sensitive data, whatever intellectual property and sensitive data might be in a given case. For us, we have to look at the opportunity costs. This of course is the cost of what we could have done with whatever was stolen or whatever was compromised if the bad event had not happened. What are we spending to resolve that that we could have spent doing something far more positive and productive? 

We very much must concern ourselves with damage to our branding, and image because public perception has a great deal to do with what our stock prices do, how we're valued and what is considered to be a very important function in the way that we conduct our business. We have to worry about penalties and compensatory payments. There may be fault found in our organization and that can exact a very large fine against us. We always have to look at the cost of countermeasures, the cost of the mitigation strategies because these are costs to our bottom line and as important as they are, as necessary as the measures they're paying for are, we must manage those costs to keep them in line. The basic principle is always to protect at a level of cost that is commensurate with the value of the asset that we're protecting. And then the added expense of recovery from these cyber attacks. So we have various forms of intellectual property laws. We have to define what intellectual property means. 

Now strictly defined, this means an invention or product of the mind. And it can take a variety of forms but it must be something that we can put into a form that the law can actually grasp. For example, when someone steals something from someone else, let's say that I have a baseball bat, if someone steals the baseball bat from me, they steal the bat and I no longer have it. Now that may seem a simplistic way of looking at this but it makes for legal landscapes somewhat complicated. If I had information, how can someone steal it? If they take it from me and I no longer have a copy, that one is obvious theft but what about if they simply make a copy and they take the copy away and yet I still have the information? You see this is part of what complicates the legal landscape and can make things difficult to define and enforce. So the way that the law is able to deal with these are through vehicles like patents, copyrights, trademarks and trade secrets, all definable things committed to some specific form that can then be governed by laws because now we've turned them into an actual defined commodity. Sometimes these things move across international boundaries and so regulations are set up to track the movement of various types of objects such as arms, computers, cryptographic systems and we do that through the ITAR, the International Traffic In Arms Regulation, Export Administration Regulations and the Wassenaar Arrangement. 

Now Wassenaar was passed to try to bring some sense, some regulations, some stability to regions and international relationships around the world. What it attempts to do is to promote greater transparency and it's attempting to prevent de-stabilizing accumulations of arms in various places. In this particular area of intellectual property, privacy and the information that is governed by privacy regulations is a very, very popular and very hot topic. The rights and obligations for individuals and organizations with respect to the collection, use, retention and disclosure of personally identifiable information is really what we're talking about within the entire subject of privacy. With that in mind, the Organization For Economic Cooperation and Development or OECD has set up these Guidelines in order to govern the kinds of exchanges, collection, use and disclosure of individually identifiable information. It defines a few parties. 

The Data Controller is the party that is doing the collection or doing the creation of regulated information out of various forms from various sources. These principles are incorporated in virtually all of the privacy regulations you can find around the world. Specifically in the US, in Canada and of course in the EU as embodied in the GDPR, the General Data Protection Regulation. The Data Controller must be plain spoken in its purpose specification. This is its statement about we would like to collect this information from you and this is what we're going to use it for. They must state that they're going to limit what they're collecting to the use that they have described to the data subject which would be any of us from whom they're getting this information. If that use should change in any way or for any reason, the Data Controller is required to come back to us, the subjects, explain that and ask for our cooperation, our authorization to be able to use it in this other way. The Data Controller must outline that they're collecting what they have determined to be the minimum amount of information needed to meet the stated need. The Data Controller is by law going to be held accountable and so, the principle of data quality specifies that once the Data Controller collects it, they will guard it against contamination or unauthorized manipulation or change. As I said, the Data Controller's going to be held accountable for this and therefore they must set up various forms of controls, detection mechanisms and so on to ensure that whatever their data holdings on whatever individuals they have, they have met all the applicable regulatory requirements and that will include putting in place a breach response process. 
That of course means that they have to determine what security safeguards will be needed and given all of this, it means that they will base it on a risk management process to ensure that they have put in place proper controls commensurate with the value of the data that they've got. They must be open, they must be transparent about what their holdings are and what actions have been taken or planned. And they must engage the individuals from whom they've collected this information. They must be forthcoming if the individual wants to know what the entity is holding on it, what they've done with it, providing an accounting of disclosure by some regulations. But this is intended to foster a balance between what the Data Controller intends to do with the information and this assumes of course that the Data Controller is of a commercial nature as opposed to governmental and on balance with the privacy of that individual making sure that the individual is kept informed and engaged in the overall process. 

Now fundamental to this is the idea that breaches will happen and that breaches must be managed, we must try to keep them from happening to the extent possible but that we must have a plan for responding to them when they occur. Now what we have is we have events and events can happen and be anything from something that is purely routine involving no kind of information of any importance, whatever, simply let's say the indication that your system has taken some action. An event is not necessarily positive or negative until it's examined. When it's examined, and it's found out to be of a negative quality, then we regard it as being an incident. Now an incident is typically a negative event but it may not involve the exposure of privacy-covered information in a human readable form. If that happens, now we regard the incident as containing a breach. And a breach is an unwanted, undesired, unauthorized disclosure of individually identifiable information in a human readable form. Now we have data disclosures that are authorized and that are of a character that we do want such as official requests, disclosure of data to ourselves or to those we designate. And a breach is certainly a data disclosure, though an unwanted one. So we need to be sure that as these events occur, we take close examination of them so that we can determine what the nature is so that we will know what then to do to respond to make sure that we've identified the compliance requirements and the appropriate steps to cope with the event, whatever its character. Now these are some examples of relevant laws that we have in the United States, the European Union and the UK just to pick some. As you saw in previous slides, these laws are now springing up all over the world. They share a lot of the similar characteristics that you saw in the OECD Guidelines. 
Now the United States we have the Gramm-Leach-Bliley Act which has to do with individually identifiable information in the financial services or commercial sector. We have the Health Insurance Portability and Accountability Act Of 1996. The famous or if you prefer, infamous HIPAA law. In the European Union, we have the Regulation for Electronic Communication Service and of course in the EU, we have the GDPR, the General Data Protection Directive. In the UK, we have the UK Privacy and Electronic Communications Regulations of 2003. 

These are simply some examples and these three examples share a great many of the characteristics of these laws that require us to look at individually identifiable data and safeguard its privacy from all those who are unauthorized for its possession and that in the event that a breach does occur, that we respond in a proper, timely and effective manner to contain that breach. Well, that concludes our first module. That is the first set of modules within domain one, security and risk management. 

In the next module, we're going to continue security and risk management domain, so I hope you'll join me for the next module. Thank you.

About the Author

Mr. Leo has been in Information System for 38 years, and an Information Security professional for over 36 years.  He has worked internationally as a Systems Analyst/Engineer, and as a Security and Privacy Consultant.  His past employers include IBM, St. Luke’s Episcopal Hospital, Computer Sciences Corporation, and Rockwell International.  A NASA contractor for 22 years, from 1998 to 2002 he was Director of Security Engineering and Chief Security Architect for Mission Control at the Johnson Space Center.  From 2002 to 2006 Mr. Leo was the Director of Information Systems, and Chief Information Security Officer for the Managed Care Division of the University of Texas Medical Branch in Galveston, Texas.


Upon attaining his CISSP license in 1997, Mr. Leo joined ISC2 (a professional role) as Chairman of the Curriculum Development Committee, and served in this role until 2004.   During this time, he formulated and directed the effort that produced what became and remains the standard curriculum used to train CISSP candidates worldwide.  He has maintained his professional standards as a professional educator and has since trained and certified nearly 8500 CISSP candidates since 1998, and nearly 2500 in HIPAA compliance certification since 2004.  Mr. Leo is an ISC2 Certified Instructor.
