CISSP For Dummies
Our discussion of the major categories and types of laws consists of U.S. and international law, including many key concepts and terms that are important to understand for the CISSP exam.
U.S. common law
Under the common law system of the United States, three major categories of laws are defined at the federal and state levels: criminal, civil (or tort), and administrative (or regulatory) laws.
Criminal law
Criminal law defines those crimes committed against society, even when the actual victim is a business or individual(s). Criminal laws are enacted to protect the general public. As such, in the eyes of the court, the victim is incidental to the greater cause.
Criminal penalties
Penalties under criminal law have two main purposes:
- Punishment: Penalties may include jail/prison sentences, probation, fines, and/or financial restitution to the victim.
- Deterrence: Penalties must be severe enough to dissuade any further criminal activity by the offender or anyone else considering a similar crime.
Burden of proof under criminal law
To be convicted under criminal law, a judge or jury must believe beyond a reasonable doubt that the defendant is guilty. Therefore, the burden of proof in a criminal case rests firmly with the prosecution.
Classifications of criminal law
There are two main classifications of criminal law depending upon severity, such as type of crime/attack or total loss in dollars:
- Felony: More serious crimes, normally resulting in jail/prison terms of more than one year.
- Misdemeanor: Less serious crimes, normally resulting in fines or jail/prison terms of less than one year.
Civil law
Civil (tort) law addresses wrongful acts committed against an individual or business, either willfully or negligently, resulting in damage, loss, injury, or death.
Civil penalties
Unlike criminal penalties, civil penalties don’t include jail or prison terms. Instead, civil penalties provide financial restitution to the victim as follows:
- Compensatory damages: Actual damages to the victim including attorney/legal fees, lost profits, investigative costs, and so on.
- Punitive damages: Determined by a jury and intended to punish the offender.
- Statutory damages: Mandatory damages determined by law and assessed for violating the law.
Burden of proof under civil law
Convictions under civil law are typically easier to obtain than under criminal law because the burden of proof is much less. To be convicted under civil law, a jury must believe based upon the preponderance of the evidence that the defendant is guilty. This simply means that the available evidence leads the judge or jury to a conclusion of guilt.
Liability and due care
The concepts of liability and due care are germane to civil law cases but are also applicable under administrative law, which we discuss in the next section.
The standard criterion for assessing the legal requirement to implement a recommended safeguard is to compare the cost of the safeguard with the estimated loss from the corresponding threat, if realized. If the cost is less than the estimated loss and the organization doesn’t implement the safeguard, then a legal liability may exist. This is based on the principle of proximate causation, in which an action taken or not taken was part of a sequence of events that resulted in negative consequences.
Under the Federal Sentencing Guidelines, senior corporate officers may be personally liable if their organization fails to comply with applicable laws. Such individuals must follow the prudent man rule, which requires them to perform their duties:
- In good faith,
- In the best interests of the enterprise, and
- With the care and diligence that ordinary, prudent persons in a like position would exercise under similar circumstances.
The concepts of due care and due diligence are related but distinctly different:
- Due care: The steps that an organization takes to implement security best practices
- Due diligence: The prudent management and execution of due care
Although the information in this sidebar is not tested on the CISSP examination, when attempting to learn the various laws and regulations in this domain, you’ll find it helpful to know the correct parlance (fancy-speak for jargon) used. For example:
18 U.S.C. § 1030 (1986) (the Computer Fraud and Abuse Act of 1986) refers to Section 1030 in Title 18 of the 1986 edition of the United States Code, not “18 University of Southern California squiggly-thingy 1030 (1986).”
Federal statutes and administrative laws are usually cited in the following format:
- The title number (titles are grouped by subject matter)
- The abbreviation for the code: For example, U.S.C. is United States Code; C.F.R. is Code of Federal Regulations
- The section number (§ means “The Word Formerly Known As Section”)
- The year of publication
Other important abbreviations to understand include:
- Fed. Reg.: Federal Register
- Fed. R. Evid.: Federal Rules of Evidence
- PL: Public Law
- §§: Sections; for example, 18 U.S.C. §§ 2701–11
- v.: versus; such as, United States v. Moore. Note: The rest of the civilized world understands vs. to mean versus and v. to mean version or volume, but remember two important points here: Lawyers are not part of the civilized world, and they apparently charge by the letter (as well as by the minute).
Another important aspect of due care is the principle of culpable negligence. If an organization fails to follow a standard of due care in the protection of its assets, the organization may be held culpably negligent. In such cases, jury awards may be adjusted accordingly, and the organization’s insurance company may be required to pay only a portion of any loss.
Administrative law
Administrative (regulatory) laws define standards of performance and conduct for major industries (including banking, energy, and healthcare), organizations, and officials. These laws are typically enforced by various government agencies, and violations may result in financial penalties and/or imprisonment.
International law
Given the global nature of the Internet, it’s often necessary for many countries to cooperate in order to bring a computer criminal to justice. But because practically every country in the world has its own unique legal system, such cooperation is always difficult and often impossible. As a starting point, many countries disagree on exactly what justice is. Other problems include:
- Lack of universal cooperation: We can’t answer the question, “Why can’t we all just get along?” but we can tell you that it’s highly unlikely that a 14-year-old hacker in some remote corner of the world will commit some dastardly crime that unites us all in our efforts to take him down, bringing about a lasting world peace.
- Different interpretations of laws: What’s illegal in one country (or even in one state in the U.S.) is not necessarily illegal in another.
- Different rules of evidence: This problem can encompass different rules for obtaining and collecting evidence and different rules for admissibility of evidence.
- Low priority: Different nations have different views regarding the seriousness of computer crimes; and in the realm of international relations, computer crimes are usually of minimal concern.
- Outdated laws and technology: This is related to the “low priority” problem. Technology varies greatly throughout the world, and many countries (not only third-world countries) lag far behind others. For this reason and many others, computer crime laws are often a low priority and aren’t kept current. This problem is further exacerbated by the different technical capabilities of the various law enforcement agencies that may be involved in an international case.
- Extradition: Many countries don’t have extradition treaties and won’t extradite suspects to a country with different or controversial practices, such as capital punishment. Although capital punishment for a computer crime may sound extreme, recent events and the threat of cyber-terrorism make this a very real possibility.