Page 262 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide
Laws
Throughout these sections, we’ll examine a number of laws that relate
to information technology. By necessity, this discussion is U.S.-centric,
as is the material covered by the CISSP exam. We’ll look briefly at
several high-profile non-U.S. laws, such as the European Union’s
General Data Protection Regulation (GDPR). However, if you operate
in an environment that involves foreign jurisdictions, you should
retain local legal counsel to guide you through the system.
Every information security professional should have a
basic understanding of the law as it relates to information
technology. However, the most important lesson to be learned is
knowing when it’s necessary to call in an attorney. If you think
you’re in a legal “gray area,” it’s best to seek professional advice.
Computer Crime
The first computer security issues addressed by legislators were those
involving computer crime. Early computer crime prosecutions were
attempted under traditional criminal law, and many were dismissed
because judges thought that applying traditional law to this modern
type of crime was too far a stretch. Legislators responded by passing
specific statutes that defined computer crime and laid out specific
penalties for various crimes. In the following sections, we’ll cover
several of those statutes.
The U.S. laws discussed in this chapter are federal laws. But
keep in mind that almost every state in the union has also enacted
some form of legislation regarding computer security issues.
Because of the global reach of the internet, most computer crimes
cross state lines and, therefore, fall under federal jurisdiction and
are prosecuted in the federal court system. However, in some

