CISSP Legal and Regulatory Issues that Pertain to Information Security in a Global Context – Bk2D1T5

CISSP Legal and Regulatory Issues that Pertain to Information Security in a Global Context in this explaining cyber crimes and data breaches, licensing and intellectual property requirements, digital rights management, standard contractual clauses and data privacy laws.

Module Objectives
  1. Recognize the role of digital rights management (DRM) solutions in protecting intellectual property.
  2. Recognize modern international legal restrictions on import/ export of data and IT tools.
  3. Explain how modern legal frameworks affect international data flow and how the information security industry is responsible for many compliance requirements.

Cyber Crimes and Data Breaches

The modern IT landscape affords criminals with a host of options for engaging in nefarious activity, including updated versions of traditional crimes. Criminals may, for instance, conduct age-old activities such as fraud, theft, blackmail, and extortion but use modern appliances to extend their reach, speed, and efficiency. There are also new criminal statutes that have created new classes of crimes the security practitioner should be aware of.

A brief description of some (but certainly not all) possible computer- related crimes:
  • Malware: In many jurisdictions, governments have made the creation and dissemination of malicious software a crime.
  • Unauthorized access: The modern version of trespassing, the simple act of accessing a system/network in an unauthorized manner is against the law in many countries.
  • Ransomware: A new version of the old crime of extortion; the attacker gains access (often illegally) to the victim’s data, encrypts it, and offers to sell the victim the encryption keys to recover the data. Ransomware tools have become so pervasive and effective that, in many cases, even federal law enforcement entities have advised victims to pay the ransom: https://securityledger. com/2015/10/fbis-advice-on-cryptolocker-just-pay-the-ransom/.
  • Theft: Stealing data—or hardware on which data resides—can be a lucrative criminal enterprise.
  • Illegal use of resources: In many situations, attackers conduct unauthorized access not to get anything  directly  from  the victim but to use the victim’s IT assets for the attacker’s benefit. This can take the form of storage (where the attacker is using  the victim’s memory to stash files and data the attacker has acquired elsewhere), or processing (where the attacker is using the victim’s CPU to conduct malicious activity such as staging DDoS attacks).
  • Fraud: By engaging the victim in some way (often through an appeal to the victim’s greed or sympathy), the attacker is able to illegally acquire the victim’s Common tactics include: the attacker posing as someone else (often as someone related to the victim, through social media); the attacker gaining access to the victim’s bank account; the attacker preying on those who are not media-savvy such as the elderly.

Data breach notification is another area of law that has become ubiquitous; many countries (and jurisdictions within countries, such as U.S. states) have created legislation requiring any entity that has personal data within its possession to notify the subjects of that data if the data is disclosed in any unauthorized fashion. Any organization that is not in compliance with these laws (that is, any organization that loses personal data and does not make sufficient notification in a timely manner) faces severe financial penalties in many jurisdictions. The security practitioner should be aware of all such applicable laws for every jurisdiction in which their organization operates.

Related Product : Personal Data Protection & General Data Protection Regulation Training & Certification

Licensing and Intellectual Property Requirements

Intangible assets are called intellectual property. This can include proprietary material such as software owned by the organization.

Proprietary software is usually distributed under an agreement between the owner of the software (the vendor) and customers through the use of a license; an agreement codifying the terms (price, duration, number of copies) that govern the use of that software.

There are many modern forms of licensing. These include but are not limited to the following:
  • Site licensing: An organization purchases a right to use the software for all members of the organization’s staff, usually for a stated duration and with a cap on the number of copies used.
  • Per-seat licensing: An organization purchases the right to use a specific number of copies of the software for its personnel, or to pay a certain price (usually less than the common retail price) for every copy it uses.
  • Shareware: The owner of the software allows anyone to use the software within given constraints. Often, this takes the form of a Creative Commons license, where noncommercial use of the software is free, but any business use of the software requires payment.
  • Public domain: Use of the software is free (as is modification and customization of the application itself), but technical support or extra features come at a premium.

In many organizations, the security office has become the de facto software librarian; the organizational entity that is tasked with maintaining the list of authorized copies of software used by the organization and ensuring the organization is complying with the terms of the license(s).

Digital Rights Management (DRM)

Organizations that seek to enforce and maintain their intellectual property rights commonly implement some sort of digital rights management (DRM) solution. DRM tools often create an additional layer of access control within the organization for those files/data sets that contain proprietary material.

One DRM example many candidates may be familiar with is the encoding used on DVDs and DVD players. The customer buys the DVD from the owner of the intellectual property (the movie). The customer  can play the DVD on a DVD player; the customer can carry that DVD to another DVD player and still play it. The customer owns the DVD and can view the movie whenever the customer wants. However, the encryption built into the DVD (and the encryption-aware application in the DVD players) will not allow the customer to copy the movie (without the use of additional decryption measures). This enforces the intellectual property owner’s rights over the movie; the owner is selling the right to view the movie not to copy and redistribute it. The customer can even sell the DVD to someone else—selling the customer’s right to watch the movie. But the customer can’t sell the movie itself to someone else because the customer doesn’t own the movie.

DRM sometimes offers additional capabilities as well. In the DVD example, the DRM solution is also used to enforce laws in some jurisdictions, pertaining to the content and nature of DVD content. This is a “region” system where different countries are categorized by region, depending on the laws of those countries regarding content. A DVD purchased in a Region 1 country, for instance, will not play on a DVD player purchased in (and encoded for) a Region 2 country, and vice versa.

DRM solutions should have the following traits:
  • Persistency: The access controls follow the protected material wherever the material goes. In the DVD example, the encryption is carried on the DVD no matter where the customer carries the DVD.
  • Dynamic policy control: The DRM solution should be subject to a  centralized administrative function that allows the owner of the intellectual property to update and modify permissions  as This characteristic has less to do with consumer DRM and usually involves enterprise rights management (ERM, which is also referred to as information rights management, IRM) within an organization that creates intellectual or proprietary material.
  • Automatic expiration: The DRM solution should recognize a time limit on permissions for specific data sets/files. When the time limit has been reached, access may be revoked (in the case of a software license expiring) or the material may become public domain (when the private ownership rights expire).
  • Continuous audit trail: The DRM solution should ensure that every protected element (each file or data set) is able to recognize and annotate access events (opening/viewing/ running/copying/etc.) on itself and maintain that record.
  • Interoperability: The DRM solution should function properly within the environment of whoever is running the DRM and work in concert with that organization’s existing access control methodologies and tools. This means the DRM solution can integrate with the organization’s file structure, email, etc.

DRM solutions often involve the use of system agents: elements of the DRM solution application that are installed on all client devices within an organization. Each device used to access DRM-protected material must be DRM-aware (that is, the device must recognize files protected by the DRM solution and how to distinguish permissions for specific files). In some organizations, this may be challenging; the DRM solution agent will need to be added to the baseline configuration of the organization’s environment, and in any organization where personnel are allowed to use personal devices, users will need to allow installation (and maintenance and often external audit) of the DRM agent on their devices.

Import/Export Controls

The security practitioner should be aware that IT hardware and software is often subject to international trade restrictions, mainly for national defense purposes. In particular, encryption tools are seen by many governments as a threat to global stability and rule of law.

One such restriction scheme is the Wassenaar Agreement, a multilateral export control restriction program involving 41 participating countries; these countries agree not to distribute (export) certain technologies (including both weapons and, of more concern to our field, cryptographic tools) to regions where an accumulation of these materials might disturb the local balance of power between nation-states. Security practitioners employed or operating in either a Wassenaar signatory country or in a region where import of these materials is controlled by the Agreement need to be aware of these prohibitions and understand what encryption tools may or may not be used.

Many countries have their own internal laws governing the import/ export of encryption technologies in addition to international treaties. For instance, Russia and some Baltic states, Myanmar, Brunei, and Mongolia have outright bans on the import of cryptographic technologies. Government rationale for these prohibitions is usually twofold: the government is concerned that some citizens may use this technology to prevent the government from intercepting their communications (ostensibly, the government is worried about unmonitored criminal activity, but this prohibition often includes some aspect of government intent to reduce private political action, such as subversion and revolution), and the government is also concerned that imported cryptographic tools may  contain purposeful flaws and defects (specifically, backdoors) allowing the host nation of the vendor to intercept encrypted traffic.

Some countries (notably, the United States) also have their own laws preventing export of some encryption technologies because encryption can be used for both criminal and military purposes.

Trans-Border Data Flow

In the modern data security field, the movement of data across international boundaries is technologically easy and ubiquitous, but legally it is risky and challenging.

The largest such challenge is currently posed by the European Union and its privacy law mandates—specifically, the GDPR. The GDPR (and its statutory predecessors) is expressly intended to prevent the personal data of EU citizens from going to any country (that is, any hardware device located in any country) that does not have a national personal privacy law that is in accordance with EU law in terms of breadth and individual protection.

It’s important for practitioners operating in a global environment to know which countries have laws that comply with the GDPR (and are allowed to receive/process data sets that contain personal information of EU citizens) and which do not. The following is a partial list, current as of the date of publication—the candidate is strongly advised to review current laws/policies before taking the exam (the EU publishes a list on Web: http://ec.europa.eu/justice/data-protection/international-transfers/ adequacy/index_en.htm).

Countries with national laws that adhere to the GDPR:
  • All EU countries
  • Andorra
  • Singapore
  • Switzerland
  • Japan
  • Israel
  • Australia
  • Argentina
  • Uruguay
  • Canada
Countries without national laws that adhere to the GDPR:
  • The United States (unless the entity receiving/processing the data subscribes to the Privacy Shield program or creates standard contractual language/policy compliant with the GDPR)
  • Everywhere else
Privacy Shield

Because of the overarching influence of both the GDPR and American business interests, it is strongly recommended that the candidate understand some basic elements of the Privacy Shield program.

Privacy Shield is a voluntary United States program for American companies that want to do business that involves processing privacy data of EU citizens. U.S. companies that want to take part in the program must apply through the U.S. Department of Commerce website (https://www.privacyshield.gov/welcome), using the form specified for the company’s particular industry.

  • For airlines and shipping companies, the Department of Transportation is the relevant regulator.
  • For all other companies, the Federal Trade Commission (FTC) is the relevant regulator.
Companies applying to take part in the Privacy Shield program agree to the following:
  • Create internal policy/policies that position the company to adhere to and comply with the GDPR.
  • Submit to regulation by the relevant regulator.
  • Self-certify via the Privacy Shield website, and recertify annually.

For the sake of simplicity, the Privacy Shield program can be thought of as a voluntary mechanism for U.S. companies to agree to follow EU data protection law.

Standard Contractual Clauses

If a multinational organization headquartered in a non-approved country wants to process/receive EU citizen personal data, that organization can apply for specific approval by creating contract language that makes a transaction conform to the GDPR. Simply put: if an organization in a non-approved country outside the EU wants to engage in business with parties in the EU and that business involves PII of EU citizens, the organization must stipulate in the contract between the parties that the business activity will comply with the GDPR. This contract wording is referred to as “standard contractual clauses.” These clauses must be included in every contract the organization creates with EU entities.

Standard contractual clauses must be approved by either the EU Commission or by a government entity in an EU country (if the business activity is only occurring in that country). Once the language of a standard contractual clause is approved, it may be used for many different contracts.

Privacy Terms

Many data privacy laws use a common terminology; the candidate should be familiar with the following terms and concepts.

  • Personally identifiable information (PII): PII, as it is referred to in the industry, is any data about a human being that could be used to identify that person. The specific elements of what data constitutes PII differs from jurisdiction to jurisdiction and from law to These are some elements that are considered PII in some jurisdictions and laws:
    • Name
    • Tax identification number/Social Security number
    • Home address
    • Mobile telephone number
    • Specific computer data (MAC address, IP address of the user’s machine)
    • Credit card number
    • Bank account number
    • Facial photograph

Under some laws, PII is referred to by other terms as was mentioned earlier in this domain: for instance, medical data in the United States is referred to as electronic protected health information (ePHI) under HIPAA.

  • Data subject: The individual human being that the PII refers to.
  • Data owner/data controller: An entity that collects or creates The data owner/controller is legally responsible for the protection of the PII in their control and liable for any unauthorized release of PII. Ostensibly, the owner/controller is an organization; the legal entity that legitimately owns the data.In some cases (in certain jurisdictions, under certain laws), the data owner is a named individual, such as an officer of the company, who is the nominal data owner. In actual practice, however, we usually think of the data owner as the managerial person or office that has the most day-to-day use and control of the data; that is, the department or branch that created/collected the data and which puts the data into use for the organization.
  • Data processor: Any entity, working on behalf or at the behest of the data controller, that processes Under most PII-related laws, “processing” can include absolutely anything that can be done with data: creating, storing, sending, computing, compiling, copying, destroying, and so forth. While the data processor does have to comply with applicable PII law, it is the data owner/controller that remains legally liable for any unauthorized disclosure of PII even if the processor is proven to be negligent/malicious.

  • Data custodian: The person/role within the organization who usually manages the data on a day-to-day basis on behalf of the data owner/controller. This is often a database manager or administrator; other roles that might be considered data custodians could be system administrators or anyone with privileged access to the system or data set.

Follow Us
https://www.facebook.com/INF0SAVVY
https://www.linkedin.com/company/14639279/admin/