Page 297 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide
Summary
Computer security necessarily entails a high degree of involvement
from the legal community. In this chapter, you learned about the laws
that govern security issues such as computer crime, intellectual
property, data privacy, and software licensing.
There are three major categories of law that impact information
security professionals. Criminal law outlines the rules and sanctions
for major violations of the public trust. Civil law provides us with a
framework for conducting business. Government agencies use
administrative law to promulgate the day-to-day regulations that
interpret existing law.
The laws governing information security activities are diverse and
cover all three categories. Some, such as the Electronic
Communications Privacy Act and the Digital Millennium Copyright
Act, are criminal laws where violations may result in criminal fines
and/or prison time. Others, such as trademark and patent law, are
civil laws that govern business transactions. Finally, many government
agencies promulgate administrative law, such as the HIPAA Security
Rule, that affects specific industries and data types.
Information security professionals should be aware of the compliance
requirements specific to their industry and business activities.
Tracking these requirements is a complex task and should be assigned
to one or more compliance specialists who monitor changes in the law,
changes in the business environment, and the intersection of those
two realms.
It’s also not sufficient to simply worry about your own security and
compliance. With increased adoption of cloud computing, many
organizations now share sensitive and personal data with vendors that
act as service providers. Security professionals must take steps to
ensure that vendors treat data with as much care as the organization
itself would and also meet any applicable compliance requirements.