Laws
However, as can be easily imagined, criminal and civil law can't possibly lay out rules and procedures that should be followed in every possible situation. Therefore, executive branch agencies have some leeway to enact administrative law, in the form of policies, procedures, and regulations that govern the daily operations of the agency. Administrative law covers topics as mundane as the procedures to be used within a federal agency to obtain a desk telephone to more substantial issues such as the immigration policies that will be used to enforce the laws passed by Congress. Administrative law is published in the Code of Federal Regulations, often referred to as the CFR.
Although administrative law does not require an act of the legislative branch to gain the force of law, it must comply with all existing civil and criminal laws. Government agencies may not implement regulations that directly contradict existing laws passed by the legislature. Furthermore, administrative laws (and the actions of government agencies) must also comply with the U.S. Constitution and are subject to judicial review.
To understand compliance requirements and procedures, it is necessary to be fully versed in the complexities of the law. From administrative law to civil law to criminal law (and, in some countries, even religious law), navigating the regulatory environment is a daunting task. The CISSP exam focuses on the generalities of law, regulations, investigations, and compliance as they affect organizational security efforts. However, it is your responsibility to seek out professional help (i.e., an attorney) to guide and support you in your efforts to maintain legal and legally supportable security.
Laws
Throughout these sections, we'll examine a number of laws that relate to information technology. By necessity, this discussion is U.S.-centric, as is the material covered by the CISSP exam. We'll look briefly at several high-profile non-U.S. laws, such as the European Union's General Data Protection Regulation (GDPR). However, if you operate in an environment that involves foreign jurisdictions, you should retain local legal counsel to guide you through the system.
Every information security professional should have a basic understanding of the law as it relates to information technology. However, the most important lesson to be learned is knowing when it's necessary to call in an attorney. If you think you're in a legal "gray area," it's best to seek professional advice.