CCT 030: Understanding Legal and Regulatory Issues (CISSP Domain 1)
Apr 24, 2023. CCT 030 - RCR 127 - CISSP Exam Essentials - Understanding Legal and Regulatory Issues in Cyber Security (Domain 1)
[00:00:00] Welcome to the CISSP Cyber Training exam the first time. Hi, my name is Sean Gerber and I'm your host for this action-packed, informative podcast. Join me each week as I provide the information you need to pass the CISSP exam and grow your cybersecurity.
Alright, let's get started.
Good morning everybody. This is Sean Gerber again with CISSP Cyber Training. I hope you all are having a beautiful day today. It is gorgeous here in Wichita, Kansas, and it is amazing, so I cannot complain at all. Ha. I hope everybody's doing good and you're studying for your CISSP exam.
I know getting ready for the CISSP is a challenge. I remember going through it myself and just thinking, oh my goodness, when is this ever going to end? But it will end and you will pass. Guaranteed. Right now, only you can decide that and [00:01:00] determine the amount of time that you're willing to work on it, but the one thing about CISSP Cyber Training is we wanna provide the information you need to pass the CISSP exam, but also, on top of that, give you the information you need to be a successful person in information security within your organization, wherever you may go. So that is another key factor. So not just giving you how you'd pass the test; give you the background so that, one, you do pass the test, cuz that's the most important part, but two, give you the information to be able to be a successful security professional within your business.
So today we're gonna be talking about legal and regulatory issues around information security. Now you might be going, yawn, this is extremely boring. And guess what? You're probably correct. It is not the most exciting and engaging topic that there is, but I will tell you that it's an important factor in what you do, both for the test and for your career.
So understanding legal and [00:02:00] regulatory issues is paramount, because it has a lot of legs, or it can cause a lot of issues with you and your company that you're working with. Now, one example around this would be Equifax, so we'll use the situation that occurred a few years back when the Equifax credit agency was hacked. And as a result of that, there were some things that they were supposed to have done that they did not do well. And because they didn't do those well, some people were fired. And so as a person who's studying for the security professionals exam, the CISSP, if you don't do this well, it could have a problem or some situations that may occur within your career.
So it's important to pay attention, and it's important to do what it's asking you to do in the CISSP. So the first thing we're gonna talk about, as it relates to regulatory issues in information security, is privacy. Privacy is a big factor. Now, I know you all have heard this probably time and again as it relates to the security [00:03:00] professionals and as it relates to the exam, but privacy, obviously for individuals, is focusing on protecting individuals' personal information from unauthorized access, use, or disclosure. Now, this comes up almost every day. Maybe not every day, probably every other day in my normal job, we're dealing with some privacy. So if I have a tool that is watching data that's leaving the organization, is it affecting people's privacy? Is it watching what they're sending to their family? Is it watching what they're sending home? What is it doing? So if it's watching those things, are people's privacy situations being compromised?
And so that's something you're gonna deal with, and at the end of it is that every country out there has some level of different idea around privacy. And not to say that they're very contrasting and very different. Most of these privacy laws that you'll see around the globe are relatively similar. [00:04:00] However, there are subtle nuances to it. As it relates to, like in China, the PIPL law, which is a privacy information protection law, I think that's what it is. Their law is focused primarily on the individuals, but a large subset of individuals. Obviously they want privacy for all their people, but they're primarily focused on individuals, or on companies that are looking specifically for lots and lots of the Chinese citizens. So it just depends on the country, but privacy is a big factor that you will deal with in the legal and regulatory. Confidentiality. This principle pertains to the protection of sensitive information from unauthorized disclosure. So we talk about the CIA triad, the confidentiality, integrity, and availability, while this principle does pertain to that information.
And you must maintain the confidentiality of this information across multiple segments. Now, it's interesting, as I'm talking with senior leaders within companies that I've worked with in the past, one of the points that they bring up [00:05:00] is, I feel like my job is finally working where it should when I have these senior leaders trained to the point that they're asking about confidentiality. When they're asking about confidentiality, that tells me that they're finally starting to get it. So there's a lot of things that can happen when you, as a security professional, talk about that within your company. Now, one of the possible controls around confidentiality is the encryption of data and data classification.
Also, it's around preventing unauthorized access or disclosure of the sensitive data. So that's just protecting the individual data itself. Now there's another one around data breach notification. Now, this is a concept that involves legal and their requirements for an organization to notify individuals or companies or potential governments around the event of a data breach. Now in the United States, there's multiple data breach requirements that are out there that are now in place, but also that are coming. There's data breach [00:06:00] notifications within the EU. I've noticed that they have some in their new cyber law, and then also in China, there's various data breach notification laws that are in place or coming to be in place.
So what it basically comes down to is if something happens and you have a data breach within your organization, you must. The part where this gets really squishy is in the fact that when these data breaches occur, what constitutes a data breach? Do we really know? So let's just say, for example, you have a piece of malware that gets within your environment and it starts sending data out. Okay, actually, let's don't even say that it got data out. Let's just say that it impacted your systems, maybe caused some ransomware, maybe encrypted a few systems, but there was no breach of data. So is that an incident? Is it a data breach? What is it? And so what ends up happening is that some of these requirements out there, these regulatory bodies, will [00:07:00] say it's a breach, so therefore you must report it.
Other regulatory bodies may not say that's a breach. They may say it's something of an incident. You as an organization, working with your legal team, need to determine what is a breach and what is not. And I would highly recommend you do get with your legal team to work through that process, because the data breach notification is like the CISSP will tell you that you're required to brief up individuals of an event that may occur within your organization, but your organization may not want to say something yet, because you may not have enough information for you to annotate that you actually have a breach. So it's a very squishy concept, and I'm not telling you not to reply to the governments and tell them if and when you had a breach, but what I am saying is that you need to really understand, with your compliance and legal folks, when would you acknowledge that something has occurred? And that's an important factor, and you need to really get clear on that within your company and your organization [00:08:00] because it could be very squishy. And the last time you wanna start working through that is when you actually have an issue, and then you have to talk to your legal team and they're like, I have no idea what you're talking about. Because they will, right? When you do this and you come into them about, hey, we just had a situation occur, they're gonna go, what are you talking about? So get ahead of this now before it becomes an actual. Integrity. So another aspect around this is the principle that ensures information is accurate, complete, and reliable.
So ensuring that your data is complete; there's nothing worse than a situation where you cannot trust your data. And so if the data isn't complete and it isn't accurate, you now basically don't want to use it. You don't think you should use it. So those are important factors to know before you get into this space, and your legal team needs to be aware of what integrity is. Now, this would come down to implementing controls to prevent unauthorized modification, destruction, corruption of data, ensuring data integrity throughout the entire [00:09:00] life cycle, from basically creation to destruction. All of that needs to be in place. So it's an important factor that you bring in your legal teams when you are looking at integrity.
Now, legal regulatory requirements. I've hinted at these a little bit already, but this is a concept that emphasizes the importance of adhering to relevant laws. Now, you will understand that, in the United States, depending on where the jurisdiction of your company is at, you may have different laws in different states that require different aspects. And if that's the case, you now have to determine with your legal team, I keep coming back to your legal team, you need to work with them to determine which of these laws you have to notice. So as an example, California's breach notification laws are very different than Iowa's, and they're a little bit different than what they are in New Hampshire.
So you're gonna need to decide, if my company is based out of Iowa, [00:10:00] do I need to report based on how they would want it in California? Now, it just depends, right? So if you have a small company whose only headquarters is in Iowa, then obviously you would follow the laws that are within Iowa. But if your business is something that basically spans the United States, maybe you have multiple offices, maybe you have customers that are spanning the United States, then you decide, which one do I need to follow? Even if you're based out of Iowa, which one of those do I need to follow? And you may have worked with your legal team, and they may give you guidance to say, because we have customers throughout the United States, you may want to utilize California's or New Hampshire's because it is the most. Now what that means is basically if you have notification of any sort of privacy regulations that are causing your company, then you need to go ahead and let your customers or your [00:11:00] people know. Now, that may be the case within New Hampshire or California, but it may not be the case in Iowa. But if you have lots of customers throughout the country, you know what? You may just default to the fact of we're gonna give the same level of breach notification that you would if you were in California or New Hampshire, because we feel it's the right thing to do.
So those are things you're gonna have to work through with your legal team to understand what is best for you and your company. Due diligence. Now, this is a concept of taking responsible care and diligence in protecting information assets. One of the things that's going to be a factor is you're gonna have to deal with: did I do the proper due diligence in protecting this data? So what exactly does that mean? So let's say, for example, you have some data that's sitting within your company. So let's say it's sitting within an S3 bucket, and you're gonna need to understand some technical pieces around this when you're going for your CISSP, because as the technology changes, they're gonna be asking you different questions [00:12:00] around this technology. But let's just say it's in an Amazon S3 bucket. So if you're not familiar with what that is, let's just say it is a storage location within Amazon that allows you to transfer data in and move data out. So it's just like a Dropbox, if you would say, for example. So now this Amazon S3 bucket is sitting out there. Now you have API connections that are connected to this S3 bucket. So these API connections allow for this data to go in and out of this bucket. So what ends up happening is you are having this S3 bucket that is now broadcast and available to the internet via API connections.

So if that's the case, is that a good thing or a bad thing? If you have done the due diligence to have very specific API keys that are allowed into this bucket, that would be positive. If you know that these keys are only provided to X, Y, and Z, that would be positive. If you know that to gain access to this S3 bucket, using these API keys, you need to have some level of single [00:13:00] sign-on or multi-factor authentication, that would be a positive. So those, right there, I just did due diligence. That bucket is protected. Now, is that enough? That's up to you and your team to determine if that's the case. But at the end of all of this, did you do enough within your due diligence to include risk assessments, implementing appropriate controls, regularly monitoring and auditing information, all of those things? Did you do that to help ensure that data within that S3 bucket is protected? So that's an important factor you need to really think about. Now the next one is accountability. This is a principle that emphasizes the responsibility of the organization and the individuals for their actions and the consequences of those actions as it relates to information security.
So when you're dealing with accountability, what does that mean? I have seven children and, as you guys all know if you've listened to this podcast for any period of time, they are fun. So I have three children from [00:14:00] China and one from Uganda, four that are adopted, and then three biological children. So I have a total of seven, and it is amazing, right? So they are one of those that keep you on your toes. But I talk to my children about accountability. They go, what do you mean? The bottom line is the actions that you do have consequences. So as an example, my daughter, she decided that she was going to be a bit negative and have some challenges in our house. So as a result, there were consequences that came with that. And if any of you have ever dealt with teenage girls, and teenage boys can be this way too, but after four girls, I've learned a little bit that teenage girls, they're interesting. And so as a result, there were consequences for this young teenage girl's activities. And there she has to now pay the piper: losing phone privileges, losing TV privileges, losing some of these other privileges, so that what she does, she tries to get it through her head that what she did has a consequence. So same thing when it comes to [00:15:00] information security: there are consequences for things that may occur, so if individuals do things within your organization that are contrary to your policies, then there are consequences that may have to be instilled and implemented.

One example: I had an individual that was sending data out to his home Gmail account. Had a conversation with the individual first. He thought, I just didn't realize, that's what he told me, I didn't realize what I was doing. But when it was all said and done, he knew exactly what he was doing, and so therefore we had to get a little bit more specific and prescriptive, and that then in turn potentially put him in a situation where he could lose his job if he doesn't stop doing these activities. So there are consequences, and you have to have those consequences documented for employees to ensure that they understand the expectations of what could happen. But again, you need to have clear roles, responsibilities, and ownership around these different topics, because if you don't, it makes things extremely challenging for your [00:16:00] employees that are working within your organization.
So now one of the questions, as we deal with the CISSP exam, is why are there regulatory compliance issues and why is it important to follow them? So when we're looking to follow these pieces, there's risk mitigation that's involved with the aspects of regulatory compliance points, and what are the risk mitigation aspects? If you don't comply with what these entities are asking of you, there can be significant consequences, as we talked about with accountability, that could occur within your organization. Now, as it relates to the new one, it's called CIRCIA, the new Critical Information Regulatory Compliance, something, I don't know. It's CIRCIA. It's here in the United States and it's around reporting for ransomware events. It's in draft regulation, but if you don't follow it, it could have the same level of significant penalties as GDPR. GDPR had, and I'm not totally up on GDPR, some of the [00:17:00] fines, other than when it first got implemented, it was around 4% of your gross profit that you would make, with a gross revenue within your company, that you would have to pay in a fine.
Now, if you're not familiar with what that means, basically, if you own a company, you have gross revenue that comes in, let's just say it's $1 million, and from that gross revenue, after you pay all of your expenses, at the end of all that, your net income, your profit, is X. Now, most companies will make between six, seven, 10% in their gross profit. If you're at 10%, let's just say, of your profit, you made a hundred thousand dollars on that $1 million of gross revenue. So a hundred thousand dollars in profit is what you made, but you're being taxed, basically fined, on the 1 million. So 4% of your 1 million constitutes $40,000. You have to pay that in a fine. If your overall profit is 10% [00:18:00] of your revenue and your fine is 4%, you now only made $60,000 instead of $100,000. So that can dramatically impact how you operate your business, to the point that your whole profit for that year could be almost gone because of this fine. So again, those are the things that you have to keep in mind, and that's if your margin is 10%. If your margins are 6%, you now are really taking a humongous hit as it relates to your overall. So again, you don't wanna mess with that. It's important that you do follow what these regulatory requirements do, because that does help mitigate the risk to your company.
It also affects your reputation and trust. Compliance with these legal requirements does help you become more trustworthy within the business community. And by doing so, people will trust you. They will give you money, they will give you their business. So it's important that you do, from both your customers, your partners, and the stakeholders that help you with your business. So you [00:19:00] want to ensure, that's why you do comply with these legal and compliance aspects. It's also a competitive advantage. If you don't comply to these aspects, you can run into a situation where your competitors do, and if your competitors do, and let's say it's non-compliance that you have to do, but your competitors do follow the regulatory requests and requirements that are out there, now they can use that as marketing fodder and they can potentially take customers away from you. So there's a lot of aspects. One good example of this in the United States is DFARS, and there's a Defense Federal Acquisition Regulation, something like that. If you want to have the ability to do contracts with the US government, you have to follow DFARS. There's a new product out called CMMC, Charlie Mike Mike Charlie, and that is the follow-on to DFARS. For you to be in business, you have to do CMMC. Getting that done ahead of time is an important piece, and so therefore compliance is very important.
Legal and regulatory requirements for information security. These are also aspects that you [00:20:00] must follow as it relates to being called out. I already mentioned GDPR, HIPAA, PCI DSS. All of these aspects are factors that you will need to comply with, and all CISSP candidates, you're looking to go for the test, you really need to understand the legal and regulatory requirements associated with those. You will deal with them. Guaranteed. And so that's what's important about this test. Just because you take the test and you pass it, these things are gonna continually come back. And if you really understand them going into the test, you understand them well, then the test isn't gonna be as difficult. The problem that the test runs into is it's designed to be for CISOs, for somebody that's in management. Unless you're in management, you really don't understand some of these concepts, so that's why the test can be so challenging. The bottom line is if you listen to the podcast, you'll get a good understanding of how CISOs and how senior management within the security space really truly understand. And then lastly, we're gonna deal with professional ethics. What are some aspects [00:21:00] around that? You really need to understand that as you're dealing with professional ethics, it's your professional, it's your integrity, it's your accountability. All of those pieces will highlight the importance of adhering to these legal and compliance requirements.
Okay, so now we're gonna get into some key laws, regulations, and standards that impact information security, such as GDPR, HIPAA, PCI DSS, and so forth, cause we talked about those briefly. What are those? And you have to be aware of them. So when you're dealing with GDPR, this is the General Data Privacy Regulation, and that regulation is provided out there in the EU that you must go ahead and comply with. Now, it first started back, oh, I'm gonna say it was probably like 10 years ago. I can't even remember. It's gone by so fast. But the aspect of it is that you must protect individuals' information. So as an example, if you have someone that's in, I don't, and the EU still falls under it, I think it's a little squishy. But let's say France, for example. [00:22:00] So if you have an employee that's in France and you are monitoring information on that employee, that employee information must stay within the EU or must stay within France. And if it leaves France, then from there it must be anonymized. Now, I'll be honest, I am not an expert in GDPR to the point where, yeah, cuz I'm sure someone's listening to the podcast going, oh, that's not correct. There's probably some nuances to what I'm telling you that are maybe a little bit on the off side of GDPR, but overall the concept is this. And so therefore, what ends up happening is that data has to be protected and stay locally within that environment. Now it can move around, and I think it can go within the EU, the different countries of the EU, and be stored in data centers. But ideally, they would like that data to stay in the country where it resided, where it was created. And so if I want to gain access to that data, then there's some requirements that go out and say that, Sean, if he wants to [00:23:00] see it, there's some things that have to occur. Now, one thing that comes into this is you have to also, with GDPR, anonymize it to the point where IP addresses are considered privacy information. So IP addresses, workstation names, obviously usernames, passwords, all of those can be privacy things, as well as email. So it gets really squishy, and it gets to be challenging pretty quick when you're dealing with GDPR. However, there are processes in place for that data to be used by third parties and by various entities.
So it's not insurmountable, but there are definitely steps that you have to go through. Another one to think about, as I talked about, is CMMC here in the United States. This is one where it's a regulatory requirement for, it's the Cybersecurity Maturity Model Certification, yeah. So if you are here in the United States and you are a government contractor, you have to be certified in CMMC. What [00:24:00] does that mean? In the past, using DFARS, which was the Defense Federal Acquisition Reporting, something like that. Yeah, I can never remember the acronyms. There's too many of 'em. But the DFARS program, if you wanted to be a contractor, then you would have to self-report your security profile within the constructs of that regulation. So if you say, yep, I've got these firewalls, I've got this security in place, I've got this, they would let you do that and you'd self-report saying, yes. Okay, Sean did that. Sean's company X, yes, they have those protections. Unfortunately, they found out too late that many of these folks basically lie, and they would say, yes, we have them. Or they wouldn't really truly understand what they even had or didn't have. And so then they would have issues with that. So the CMMC came down where they were requiring, depending upon the size of your company, that you go in and get certified that your company has these levels of protections. So it's an important [00:25:00] factor if you wanna do business with the US government in the defense industry, because they were finding out that countries that will go unnamed were stealing this information. And as they were stealing this information, what ended up happening is that controls were not sufficient to be able to protect it.
So that's an important factor of why CMMC was put in. PCI DSS. This deals with the Payment Card Industry's Data Security Standards, and it also is implied for people that are using credit cards. Now, this PCI DSS, the Visas of the world, and MasterCards, they worked really hard to create a standard that would then, if you followed the standard based on the size of your organization and how much credit card data you put through their companies, if you followed the standard, you were able to use their credit cards. If you did not follow the standard, then what would end up happening is that they would relinquish the ability for you to use their credit cards. If you're a small business and not being able to use credit [00:26:00] cards, that's a bad thing. So you cannot then do business. So PCI DSS has a set of standards and a framework in which you need to follow that framework. And so it's an important factor that you follow these frameworks, and we'll get into frameworks at other podcasts in the future here, but the bottom line is they're an important factor and you do need to follow those. Now, we talked about breach incident, or incident response, and data breach management. One of the things is if you don't follow these breach response aspects, you can be fined. And we talked about what that fine looks like if it's 4%. These countries do this because they feel that is, in some cases, their only lever to make a company be sufficient or be responsible and report these aspects, so you will deal with that.
Now, the other aspect that can come in is, let's say the data breach response, you follow that, but maybe you didn't follow it to the letter. There are legal aspects where you [00:27:00] could be sued. That's an important factor that you need to be aware of. Now, I will tell you, as a security person, as you come out of getting the CISSP, let's just use some of these backgrounds of where maybe you come from. If you come from a security analyst role, you probably don't deal a lot with legal unless you're maybe in a SOC, security operations center, or you are an analyst that works maybe forensics. You might deal with legal, but maybe you don't deal with legal a lot in your current role. If you're studying for the CISSP, I guarantee you, as you become more within the organization and you move up the ladder with your career, you will deal more and more with legal and with compliance. I deal, probably 70% of my daily work is with them in some form or fashion. But it's important that you do understand that. The other thing that comes into this, when we're talking about legal aspects, that can get kinda squirrely is cloud computing. And I talked a little bit about GDPR, where it can get squirrely in that [00:28:00] you have data that's in a cloud that's in the EU and you are allowing individuals within China to access this data. What does that mean? That can be very squishy. Now, is the data just normal data? Privacy-type data, where it's usernames, passwords, something that's personally identifiable, is that something that you gain access to that can actually cause challenges? So you'd have to work with your legal and compliance team to help you with that.
So that's just something you need to consider as well. Now there's some emerging ones. We recently talked about the emerging technologies that are coming out. Obviously AI, the ChatGPTs of the world. That's a huge factor, and I'll come back to that here in just a second. You have ones with incident reporting, which I mentioned with CIRCIA. There's various governmental entities. I know China just came up with another one, and I guess one of the hot-button ones we'll just come back to is ChatGPT and the regenerative AI, which is your [00:29:00] artificial intelligence, your regenerative AI, which is the chatbots that are picking out what you say and how you say it, basically the content. There's different types of regulations that are coming out. China just came out with one. The United States is mulling, I don't think they actually came out with it. It's in draft, but it's on short final, cause in China, it isn't like the United States, where they debate things for years and years. They actually will put regulations out very quickly. Now there's downsides to that. These quick responses can cause cascading effects through countries when maybe they're not totally thought out and allowed time to think about them. But on the flip side, because they can react so quickly, they can get ahead of some of these challenges before the genie has been let completely outta the bottle, which I would say that at this point with AI, or with your regenerative AI, it's pretty much outta the bottle. So any legal aspects or privacy things that come into play, it's gonna be hard to dial that back in. [00:30:00] But that being said, there's various regulations out there right now that are being drafted or implemented that will help restrict ChatGPT. And one point that comes back to is Italy just came in and is not allowing that product within their entire country, just because, I think, one, it's gonna impact jobs, but also the fact that they're not really convinced on the whole privacy pieces around the ChatGPT application. So there is a lot more to follow. I assume that I'm gonna be having some podcasts where we focus specifically around ChatGPT, as most people talk about it cuz it's the buzzword. And the interesting part: this bot's been around for probably about five or six years total, but when it got released to the public and what people saw it could do, and it being at that time only the third version, GPT-3, it caused a lot of stir. And the new GPT-4, as of recording this podcast, I think it's coming out here in the middle of this summer, is going to be even more [00:31:00] powerful, like 250,000 times more powerful. It's pretty crazy how this is gonna impact everybody's lives. Who knows how this is all gonna play out, so we shall see. But all I can tell you is that if you are in information security, that's a positive thing, because all this technology does is help increase your job security.
All right. That's all I have for today. I hope you all are having a wonderful day. I hope it's amazing for you. Go out to CISSP Cyber Training and check me out there at cisspcybertraining.com. There's some great free things out there. There's the exam questions, there's study guidance, and so forth, so go out over there. You can do it. I know you can. I really do. I know you can do it, and check me out, and we'll catch you on the flip side. Have a wonderful day. See ya.