Regulations and Laws
Regulations and laws form a critical foundation in cybersecurity governance, establishing mandatory requirements that organizations must follow to protect information and systems. Within Domain 1: Security Principles of the ISC2 Certified in Cybersecurity certification, understanding these legal frameworks is essential for any security professional.

**Regulations** are rules issued by government agencies to implement laws. They carry the force of law and often prescribe specific security controls, reporting requirements, and penalties for non-compliance. Examples include HIPAA (Health Insurance Portability and Accountability Act), which governs healthcare data protection, and GDPR (General Data Protection Regulation), which protects personal data of EU citizens.

**Laws** are established by legislative bodies and provide the overarching legal framework for cybersecurity practices. They define what constitutes criminal activity in cyberspace, establish privacy rights, and mandate data protection standards. Examples include the Computer Fraud and Abuse Act (CFAA) in the United States and the Data Protection Act in the United Kingdom.

Key concepts include:

- **Compliance**: Organizations must adhere to applicable regulations and laws relevant to their industry and jurisdiction. Failure to comply can result in fines, legal action, and reputational damage.
- **Due Diligence and Due Care**: Organizations are expected to take reasonable steps to understand and comply with legal requirements (due diligence) and implement appropriate security measures (due care).
- **Jurisdiction**: Laws vary by country, state, or region, making it important for organizations operating globally to understand and comply with multiple legal frameworks.
- **Industry-Specific Regulations**: Certain sectors like finance (PCI DSS, SOX), healthcare (HIPAA), and government have specialized regulatory requirements.

Security professionals must stay informed about evolving regulations and ensure their organizations maintain compliance. This involves regular audits, policy updates, employee training, and collaboration with legal teams. Understanding the regulatory landscape helps organizations avoid penalties, protect sensitive data, and maintain trust with customers and stakeholders. Regulations and laws ultimately serve as the baseline for establishing a robust security posture.
Regulations and Laws – ISC2 CC Security Principles
Why Are Regulations and Laws Important in Information Security?
Regulations and laws form the foundational framework within which organizations must operate when handling data, protecting privacy, and securing information systems. Understanding them is critical because:
• Legal Compliance: Organizations that fail to comply with applicable laws and regulations face fines, sanctions, lawsuits, and reputational damage.
• Protection of Individuals: Many regulations exist specifically to protect the privacy and rights of individuals, such as customers, patients, and employees.
• Organizational Accountability: Laws establish clear expectations for how organizations must behave, creating accountability for security practices.
• Global Operations: In today's interconnected world, organizations often operate across multiple jurisdictions, each with its own set of legal requirements.
• Professional Responsibility: Security professionals have an ethical and professional obligation to understand and support compliance with relevant laws and regulations.
What Are Regulations and Laws in the Context of Security?
In information security, laws are rules enacted by government bodies (legislatures, parliaments, etc.) that are legally binding and enforceable by the judicial system. Regulations are more specific rules or directives issued by government agencies or regulatory bodies that provide detailed requirements for compliance with broader laws.
Key categories include:
1. Privacy Laws
These laws govern how organizations collect, store, use, and share personal information.
• GDPR (General Data Protection Regulation): A European Union regulation that provides strict data protection and privacy requirements for individuals within the EU and EEA. It applies to any organization that processes the data of EU residents, regardless of where the organization is based.
• HIPAA (Health Insurance Portability and Accountability Act): A U.S. law that protects the privacy and security of health information (PHI – Protected Health Information).
• CCPA (California Consumer Privacy Act): A U.S. state law that gives California residents more control over the personal information that businesses collect about them.
2. Computer Crime Laws
• CFAA (Computer Fraud and Abuse Act): A U.S. federal law that criminalizes unauthorized access to computer systems.
• Computer Misuse Act (UK): Addresses unauthorized access to computer material, unauthorized access with intent to commit further offenses, and unauthorized modification of computer material.
3. Industry-Specific Regulations
• PCI DSS (Payment Card Industry Data Security Standard): While technically an industry standard rather than a law, it is contractually enforced and governs how organizations handle credit card data.
• SOX (Sarbanes-Oxley Act): A U.S. law that sets requirements for financial reporting and internal controls for publicly traded companies.
• GLBA (Gramm-Leach-Bliley Act): Requires financial institutions to explain their information-sharing practices and to safeguard sensitive data.
• FERPA (Family Educational Rights and Privacy Act): Protects the privacy of student education records.
4. International and Cross-Border Considerations
• Organizations operating internationally must comply with the laws of each jurisdiction where they operate or where their data subjects reside.
• Data sovereignty refers to the concept that data is subject to the laws of the country in which it is located or collected.
• Transborder data flow regulations may restrict or impose conditions on moving personal data across national boundaries.
How Do Regulations and Laws Work in Practice?
Enforcement Mechanisms:
• Laws are enforced by government agencies (e.g., the FTC in the U.S., the ICO in the UK, or Data Protection Authorities in the EU).
• Violations can result in civil penalties (fines), criminal penalties (imprisonment), or both.
• Regulatory bodies may conduct audits, investigations, and impose corrective actions.
Organizational Compliance:
• Organizations typically establish compliance programs that include policies, procedures, training, and monitoring to ensure they meet legal requirements.
• A Data Protection Officer (DPO) may be required under certain regulations (e.g., GDPR) to oversee compliance.
• Due diligence involves understanding what laws and regulations apply to the organization.
• Due care involves taking reasonable steps to comply with those requirements.
The Relationship Between Laws, Regulations, Standards, and Policies:
• Laws: Enacted by legislative bodies; legally binding.
• Regulations: Created by government agencies to implement and enforce laws; legally binding.
• Standards: Established by industry groups or standards organizations (e.g., ISO, NIST). May be voluntary or required by regulation.
• Policies: Internal organizational documents that define how the organization will meet legal and regulatory requirements.
• Procedures: Step-by-step instructions for implementing policies.
Understanding this hierarchy is essential: laws take precedence over regulations, which take precedence over standards and internal policies.
Key Concepts to Remember:
• Criminal Law vs. Civil Law: Criminal law deals with offenses against society (e.g., hacking), while civil law deals with disputes between parties (e.g., breach of contract, negligence).
• Administrative Law: Regulations created by government agencies that carry the force of law.
• Liability: Organizations and individuals can be held liable for failing to comply with laws and regulations. This can include negligence (failure to exercise due care).
• Jurisdiction: The authority of a legal body to govern, legislate, or enforce law within a defined territory. Jurisdiction is a critical consideration when dealing with cybercrime and data protection across borders.
• Contractual Obligations: Sometimes compliance requirements come from contracts (e.g., PCI DSS compliance may be required by a merchant agreement), not directly from law.
• Intellectual Property (IP): Laws protecting creations of the mind, including copyrights (original works of authorship), trademarks (brand identifiers), patents (inventions), and trade secrets (confidential business information).
Exam Tips: Answering Questions on Regulations and Laws
1. Know the Purpose, Not Just the Name: The ISC2 CC exam is unlikely to ask you to recite specific legal text. Instead, focus on understanding what each law or regulation protects and who it applies to. For example, HIPAA protects health information, GDPR protects EU residents' personal data, and SOX addresses financial reporting integrity.
2. Focus on the Security Professional's Role: Remember that as a security professional, your role is to support and enable compliance, not to provide legal advice. If a question asks what you should do when facing a legal question, the best answer often involves consulting with legal counsel or a compliance team.
3. Understand Due Diligence vs. Due Care: Due diligence is about knowing what is required (research, understanding laws). Due care is about doing what is required (implementing controls, following best practices). Questions may test whether you understand the distinction.
4. Hierarchy Matters: If a question presents a conflict between a law and an organizational policy, the law always takes precedence. Laws and regulations override internal standards, policies, and procedures.
5. Think Globally: The exam takes an international perspective. Be aware that different countries have different laws, and organizations must comply with the laws of every jurisdiction where they operate or where their data subjects reside.
6. Privacy is a Key Theme: Many questions will relate to privacy regulations. Understand core privacy principles: purpose limitation, data minimization, consent, right to access, right to be forgotten (erasure), and breach notification requirements.
7. Distinguish Between Types of Law: Be prepared to identify whether a scenario involves criminal law (prosecution by the state), civil law (lawsuits between parties), or administrative/regulatory law (enforcement by government agencies).
8. Watch for Distractor Answers: Some answer choices may reference real laws but apply them to the wrong context. For example, HIPAA only applies to healthcare-related entities and their business associates – it would not be the correct answer for a question about financial data protection.
9. Breach Notification: Many regulations require organizations to notify affected individuals and/or regulatory authorities within a specific timeframe after a data breach. GDPR, for example, requires notification within 72 hours. Know that breach notification is a common regulatory requirement.
10. Eliminate Absolutes: Be cautious of answer choices that use absolute language like always or never. Legal and regulatory compliance often involves context-dependent decisions. The correct answer typically reflects a balanced, reasonable approach consistent with due care and due diligence.
11. Compliance ≠ Security: Remember that being compliant with laws and regulations does not automatically mean an organization is secure. Compliance establishes a minimum baseline, but true security often requires going beyond minimum legal requirements.
Summary:
Regulations and laws are essential to information security because they define mandatory requirements for protecting data, systems, and privacy. Security professionals must understand the landscape of applicable laws, support their organizations' compliance efforts, and recognize that legal obligations vary by jurisdiction and industry. On the exam, focus on understanding the intent and applicability of major regulations, the role of the security professional in compliance, and the hierarchy of laws over organizational policies.