
Laws and Regulations

TheProfezzor (Member, Posts: 204)
I am preparing for CISSP and currently going through the "Laws and Regulations" domain. One thing that bothers me is the laws. I am not an American and I see a whole lot of regulations that are either meant for American institutions or for American states. The laws merely apply to me. My question is, how well do I need to get hold of all these laws, since I heard that CISSP is vendor independent. Since it's already vendor independent, shouldn't it be region independent too? :)
What sort of questions should I expect from this domain?
OSCP: Loading . . .

Comments

  • 62Vette (Member, Posts: 13)
    think this would be kinda hard for anyone to answer. The pool of questions is so large, how can anyone say for sure what, if any, question you will see? You might not even see any questions referencing any specific US laws.
  • TheProfezzor (Member, Posts: 204)
    62Vette wrote: »
    think this would be kinda hard for anyone to answer. The pool of questions is so large, how can anyone say for sure what, if any, question you will see? You might not even see any questions referencing any specific US laws.

    I meant to ask, has anyone ever gotten any questions specifically asking about a particular statement of a US-based law? I understand getting the concepts and the reasons behind the laws, but do they want specifics?
    OSCP: Loading . . .
  • sojourn (Member, Posts: 61)
    I agree with you on this.

    For the Legal domain, I personally concentrated on the proper handling of evidence, the types of evidence, computer forensics etc. This is more relevant to the security professional than the laws themselves.

    Companies have lawyers for a reason. A CISSP is not a lawyer.
  • Grafixx01 (Member, Posts: 109)
    I believe that you find more laws in the domain because the U.S. is the one who creates most of the laws regarding IT security. The U.S. seems to be the one who is at the forefront of the laws for IT and other countries are moving along but it seems that they are a little behind. I think that is why the focus of the laws you see seems to be more towards the U.S.

    Case in point, I'm studying for CWNA and while reading the book, and even when reading the book for the CWTS exam, more mention and detail is given to the FCC and other U.S. regulating bodies over other countries' governing bodies. I don't know if it's because that is where more laws and regulations exist (within the U.S.) or if it is just because the book is being sold in the U.S. so most won't bother or worry much about other countries' laws and regulations unless they truly interact with them.
  • sojourn (Member, Posts: 61)
    It's because the CWNP is a US-based qualification, created by a US-based entity. Same with CISSP - ISC2 are a US entity. The majority of people who have obtained the CISSP qualification are US citizens. It makes sense for the laws referenced to be US laws.
  • TheProfezzor (Member, Posts: 204)
    So, I have to memorize all laws contained in the domain for the CISSP exam, even when I know that I might not ever be able to address them or use them?
    OSCP: Loading . . .
  • Grafixx01 (Member, Posts: 109)
    TheProfezzor wrote: »
    So, I have to memorize all laws contained in the domain for the CISSP exam, even when I know that I might not ever be able to address them or use them?

    Unfortunately, yes.
  • TheProfezzor (Member, Posts: 204)
    Grafixx01 wrote: »
    Unfortunately, yes.

    Well, this sucks :P
    OSCP: Loading . . .
  • JDMurray (Admin, Posts: 13,031)
    When the CISSP was a paper-based exam it had item topics on U.S. laws and regulations that pertained to InfoSec (e.g., PCI, HIPAA, SOX, GLBA, Title 18, CFAA) that were referenced in the Law, Investigation, and Ethics domain of the CISSP CBK. Those items were dropped from the paper exams given in non-US territories, making the CISSP exam shorter by seven items or so.

    Now with the computer-based exams it is possible to automatically adjust the items in the exam for the region that the exam is given. This could mean one day the European CISSP exam might contain items on European laws/regulations, the Japanese CISSP exam might contain items on Japanese laws/regulations, etc. For now it's likely they still drop the items that are US-specific and pad the exam out with more non-scored research items.

    I suppose if you don't like memorizing information about laws and regulation you can take the CISSP exam in another country. I wonder if the English language CISSP exam contains US-specific items when taken in Japan, Europe, or Latin America. I would assume not.
  • LionelTeo (Member, Posts: 526)
    There is a reason to memorize those laws. If you work in a US MNC, even if you are not in the US, you still have to adhere to US laws, as the laws made by the US have territorial effect.

    However, in regard to law, pay more attention to privacy (especially laws from one country to another). Both countries' laws apply for anything that goes from one country to another.

    Another section to pay attention to would be chain of custody and all the types of evidence. And if you see "consult the lawyer", never dismiss it as a possible answer. Remember, we are not experts in these; as such, an answer choice such as consulting a lawyer is actually the best option in some of the scenarios.
  • tprice5 (Member, Posts: 770)
    Pasted directly from Shon Harris AIO...

    "NOTE The CISSP exam does not cover specific laws, as in the Federal
    Information Security Management Act and Sarbanes–Oxley Act, but it does cover
    the security control model frameworks, as in ISO standards, CobiT, and COSO."
    Certification To-Do: CEH [ ], CHFI [ ], NCSA [ ], E10-001 [ ], 70-413 [ ], 70-414 [ ]
    WGU MSISA
    Start Date: 10/01/2014 | Complete Date: ASAP
    All Courses: LOT2, LYT2 , UVC2, ORA1, VUT2, VLT2 , FNV2 , TFT2 , JIT2 , FMV2, FXT2 , LQT2