Legislative and Regulatory Compliance and the CISSP Exam

By Lawrence C. Miller, Peter H. Gregory

A basic understanding of the major types and classifications of U.S. and international law, including key concepts and terms, is required for the CISSP exam.

Common law

Common law (also known as case law) originated in medieval England, and is derived from the decisions (or precedents) of judges. Common law is based on the doctrine of stare decisis (“let the decision stand”) and is often codified by statutes. Under the common law system of the United States, three major categories of laws are defined at the federal and state levels: criminal, civil (or tort), and administrative (or regulatory) laws.

Criminal law

Criminal law defines those crimes committed against society, even when the actual victim is a business or individual(s). Criminal laws are enacted to protect the general public. As such, in the eyes of the court, the victim is incidental to the greater cause.

Criminal penalties

Penalties under criminal law have two main purposes:

  • Punishment: Penalties may include jail/prison sentences, probation, fines, and/or financial restitution to the victim.
  • Deterrence: Penalties must be severe enough to dissuade any further criminal activity by the offender or anyone else considering a similar crime.

Burden of proof under criminal law

To be convicted under criminal law, a judge or jury must believe beyond a reasonable doubt that the defendant is guilty. Therefore, the burden of proof in a criminal case rests firmly with the prosecution.

Classifications of criminal law

Criminal law has two main classifications, depending on severity, such as type of crime/attack or total loss in dollars:

  • Felony: More serious crimes, normally resulting in jail/prison terms of more than one year.
  • Misdemeanor: Less serious crimes, normally resulting in fines or jail/prison terms of less than one year.

Civil law

Civil (tort) law addresses wrongful acts committed against an individual or business, either willfully or negligently, resulting in damage, loss, injury, or death.

Civil penalties

Unlike criminal penalties, civil penalties don’t include jail or prison terms. Instead, civil penalties provide financial restitution to the victim:

  • Compensatory damages: Actual damages to the victim, including attorney/legal fees, lost profits, investigative costs, and so on.
  • Punitive damages: Determined by a jury and intended to punish the offender.
  • Statutory damages: Mandatory damages determined by law and assessed for violating the law.

Burden of proof under civil law

Convictions under civil law are typically easier to obtain than under criminal law because the burden of proof is much less. To be convicted under civil law, a jury must believe based upon the preponderance of the evidence that the defendant is guilty. This simply means that the available evidence leads the judge or jury to a conclusion of guilt.

Liability and due care

The concepts of liability and due care are germane to civil law cases, but they’re also applicable under administrative law, which we discuss in the next section.

The standard criteria for assessing the legal requirements for implementing recommended safeguards is to evaluate the cost of the safeguard and the estimated loss from the corresponding threat, if realized. If the cost is less than the estimated loss and the organization doesn’t implement a safeguard, then a legal liability may exist. This is based on the principle of proximate causation, in which an action taken or not taken was part of a sequence of events that resulted in negative consequences.

Under the Federal Sentencing Guidelines, senior corporate officers may be personally liable if their organization fails to comply with applicable laws. Such individuals must follow the prudent man (or person) rule, which requires them to perform their duties:

  • In good faith.
  • In the best interests of the enterprise.
  • With the care and diligence that ordinary, prudent people in a similar position would exercise under similar circumstances.

Administrative law

Administrative (regulatory) laws define standards of performance and conduct for major industries (including banking, energy, and healthcare), organizations, and government agencies. These laws are typically enforced by various government agencies, and violations may result in financial penalties and/or imprisonment.

International law

Given the global nature of the Internet, it’s often necessary for countries to cooperate in order to bring a computer criminal to justice. But because practically every country in the world has its own unique legal system, such cooperation is always difficult and often impossible. As a starting point, countries sometimes disagree on exactly what justice is. Other problems include

  • Lack of universal cooperation: We can’t answer the question, “Why can’t we all just get along?” but we can tell you that it’s highly unlikely that a 14-year-old hacker in some remote corner of the world will commit some dastardly crime that unites us all in our efforts to take him down, bringing about a lasting world peace.
  • Differing interpretations of laws: What’s illegal in one country (or even in one state in the U.S.) isn’t necessarily illegal in another.
  • Differing rules of evidence: This problem can encompass different rules for obtaining and collecting evidence, as well as different rules for admissibility of evidence.
  • Low priority: Different nations have different views regarding the seriousness of computer crimes; and in the realm of international relations, computer crimes are usually of minimal concern.
  • Outdated laws and technology: Related to the low-priority problem. Technology varies greatly throughout the world, and many countries (not only the Third World countries) lag far behind others. For this reason and many others, computer crime laws are often a low priority and aren’t kept current. This problem is further exacerbated by the different technical capabilities of the various law enforcement agencies that may be involved in an international case.
  • Extradition: Many countries don’t have extradition treaties and won’t extradite suspects to a country that has different or controversial practices, such as capital punishment. Although capital punishment for a computer crime may sound extreme, recent events and the threat of cyberterrorism make this a very real possibility.

Besides common law systems (which we talk about in the section “Common law,” earlier in this chapter), other countries throughout the world use legal systems including:

  • Civil law systems: Not to be confused with U.S. civil law, which is based on common law. Civil law systems use constitutions and statutes exclusively and aren’t based on precedent. The role of a judge in a civil law system is to interpret the law. Civil law is the most widespread type of law system used throughout the world.
  • Napoleonic code: Originating in France after the French Revolution, the Napoleonic code has spread to many other countries in Europe and elsewhere. In this system, laws are developed by legislative bodies and interpreted by the courts. However, there is often no formal concept of legal precedent.
  • Religious (or customary) law systems: Derived from religious beliefs and values. Common religious law systems include Sharia in Islam, Halakha in Judaism, and Canon law in Christianity.
  • Pluralistic (or mixed) law systems: Combinations of various systems, such as civil and common law, civil and religious law, and common and religious law.