CCT 306: CISSP Domain 1.5: Understanding Legal, Regulatory, and Compliance Requirements

Dec 08, 2025

Check us out at:  https://www.cisspcybertraining.com/

Get access to 360 FREE CISSP Questions:  https://www.cisspcybertraining.com/offers/dzHKVcDB/checkout

Get access to my FREE CISSP Self-Study Essentials Videos:  https://www.cisspcybertraining.com/offers/KzBKKouv

What happens when cybersecurity meets the engine room of the business? We dig into the partnership between the CISO and COO and show how shared risk, clear language about money, and practical tabletop drills turn security into operational resilience. Ransomware, supply chain delays, and customer impact aren’t just IT issues—they’re revenue issues—so we map exactly how to build alignment before a crisis hits.

We break down CISSP Domain 1.5 with a plain-English tour of law categories and the statutes you actually need to know: CFAA and NIIPA for unauthorized access and critical infrastructure, FISMA and the NIST standards for federal-grade security programs, and the federal modernization that centralized oversight under DHS. Then we go deeper into intellectual property: what copyrights, trademarks, patents, and trade secrets protect; how DMCA and AI complicate ownership; and how licensing and click-through terms can quietly put your data and code at risk if you don’t read them with counsel.

Cross-border data is now daily business, so we unpack export controls on chips and encryption, transborder data flow obligations, and privacy regimes that carry real teeth: GDPR’s 72-hour notification, China’s PIPL and local representation, and state laws like CCPA that mirror EU rights. The practical takeaway is a tighter incident playbook: define “breach” with evidence-based thresholds, pre-wire stakeholder communications, and use tabletop exercises to test both technical recovery and regulatory reporting.

If you’re studying for the CISSP or leading a security program, this is the legal-ops blueprint you can use today. Subscribe, share this with your ops and legal teams, and leave a review to tell us which regulation gives you the biggest headache—we’ll tackle it next.

Gain exclusive access to 360 FREE CISSP Practice Questions at FreeCISSPQuestions.com and have them delivered directly to your inbox! Don’t miss this valuable opportunity to strengthen your CISSP exam preparation and boost your chances of certification success.

Join now and start your journey toward CISSP mastery today!


SPEAKER_01:  

Good morning everybody. It's Sean Griber with CISSP Cyber Training, and I hope you all are having a beautifully blessed day today. Today is Monday, and we are going to be focused on the various aspects related to the CISSP as far as training goes. Today's focus is 1.5, understanding legal and regulatory issues that pertain to information security. Obviously, the ultimate goal is to understand how some of these legal and regulatory issues could impact you: one, from a cybersecurity standpoint, and two, for taking the test, right? Because the ultimate goal is you want to pass the CISSP exam, and we want to give you the tools and skills you need to do such a thing. But true to form, we're going to start just like we always do with some news in the cyber world that we're seeing and some things that you need to be aware of related to that.

Okay, this is from Dark Reading, and this is around the CISO and the COO: a partnership for protecting operational excellence. The reason I try to bring up some of these higher-level kinds of articles is, one, there are a lot of people that talk about all the different vulnerabilities that are out there, but I also want to bridge that gap between the cybersecurity world and the operational world. As you're studying for the CISSP, you know that, guess what? You're going to have to understand all of these various concepts related to management and to the overall cybersecurity posture. So the key idea here around this article is that the CISOs and the COOs must partner proactively because cybersecurity now directly affects all operational continuity and performance. I've seen this personally in my world, where you have to work with the COO. Now, if you're not sure what the COO is, it's the chief operating officer for your company, and they deal with all the operations that go on. When it comes to operations for an organization, that comes down to money.
If your company is making money, the COO is usually in charge of that. So you working directly with the COO as a cybersecurity representative is an important part of almost anything that you do. The reason is that in a lot of these situations, you have shared risks, right? An example would be ransomware. This could disrupt your production, your supply chains, your revenue, and overall your customer service. And that's where the COO lives and dies, in that space. So it's important for you as a CISO, or as a cybersecurity professional, to be able to do that. Now I call out the CISO because that's just the title given to it, but your organization, like we've mentioned many times at CISSP Cyber Training, may be an organization that doesn't have an air-quotes CISO, but you may have someone in a position that's quite similar to it. It could be a vice president of cybersecurity, it could be a vice president of IT, any of those pieces. You might be wearing multiple hats at your organization, but you should have a really strong relationship with your COO because of these operational risks that could happen.

Now, you need to have alignment before the overall crisis occurs. This includes regular dialogue, ensuring that both sides understand the critical processes, and that is a big one. Do you understand both critical processes within your organization? One as a CISO and two as the operations person. Having that partnership between two organizations is a strong, strong way to protect your company. And we talk about adding value to your organization. I did that when I was working with that very large multinational, Koch Industries. We had to understand who our operational person is, and then how do they make money? What are the critical aspects around it? It was an important part of what we did. So, therefore, you have to have these relationships with these folks.
Now, I will say that it depends upon the size of your organization and how connected they are to cyber; that might be a little harder in some cases just because they don't understand it. Therefore, it's up to you to get smart on what they do. If you get smart on what they do and how they do their business, that comes down to learning the language of how they talk about money. What are the different terms that they use, right? So you've got EBITDA, you've got the various aspects around tax structures, you've got income streams, you've got all the pieces that they would typically want to know from a financial standpoint. You need to know what those mean in relation to the cybersecurity space as well.

Now, again, when you're building this with them and you're working through this, you need to really look at some joint crisis planning. This is where the tabletops come into play. Having a good tabletop and having a good plan around that tabletop will do wonders for building those relationships. I would tell you that sometimes these operational folks go, I don't have time for this. But all you have to do is show them a few of these situations where ransomware is a factor. Now I will tell you, if your operational teams don't want to learn this stuff, and they really truly just don't care about what cyber does, they're just trying to do their daily activities, this is a piece of career advice: depending upon the company you're with, you may not want to stay there. The reason I say that is because if you don't have support now, if something bad were to happen, you definitely will not have support. You think they will. They'll support you to get the process and the things fixed, but what will end up happening potentially is they will throw you under the bus once it's all over with. Now, that may be okay with you. That's something you have to choose.
But if you don't have a good relationship with your COO or your senior leadership, you may want to consider looking for new employment at a different place. Again, we've talked about this over and over again. The best time to look for a job is when you have one. So if you're not real sure that's someplace you need to be: I was talking to one of my students earlier this week, and she mentioned the point, she's like, I just don't know if I want to stay here. I don't know if I want to do this. And I basically had a chat with her and said, hey, Margie, you know what? Based on your situation, I would start looking for something else. But I said the best time to look is when you have a job. So no hurry, no pressure, but get yourself in a situation where you can do something different. Now she wants to be a security architect, or she is a security architect, actually at a very prominent financial institution, but she wants to move on. She always wants to have the ultimate job of being the CISO, but she doesn't know if that's what she really wants to do. And I said, hey, you know what? There are architect jobs out there galore. If you wanted to do that and move into a different role and then move up with that company, you can do it, especially if you're still young.

So the point of it comes down to, in a long way around of saying it: build a relationship with your COO and your senior management. If you don't have that relationship with them, then maybe consider something different. The outcome, again: a mature CISO and COO partnership improves your resilience, continuity, and response effectiveness. It most definitely and surely does. So it's an important part for you to understand related to all of that. All right, so that's all we've got for the news today. But real quickly, before we get started on today's topic, we're going to quickly go over CISSP Cyber Training.
Yes, at CISSP Cyber Training, you can get all the content that you need to pass the CISSP exam the first time. I've got gobs of videos, I've got tons of audio, I've got all the questions you could need. There are over 2,000 questions there. I've got a 250-question test that's coming out here real soon. It is packed, and everything's available for you at CISSP Cyber Training. Again, go check it out. And the best part, well, I don't know if it's the best part, but it's an option. It's a differentiator between the other folks that are offering this: you can get direct access to me. I can help you as your personal coach, walking through this. I also can help you in your cybersecurity roles, just like I did with Margie. The ultimate goal is to help you get your CISSP done, but that is step one. We want to help you with your overall career and help you maximize the amount of money you can make or the amount of impact you can have with your company and your life. So again, go out and check out CISSP Cyber Training.

Okay, so let's get into what we're going to talk about today. This is over domain one, 1.5: understand legal and regulatory issues that pertain to information security. So, what are some of these things that you have to deal with? Well, guess what? They continue to grow, but we're going to get into some key topics that you will probably have to deal with at some point in time in the near future, especially if you're a security professional, if you have not already done so.

So there are categories of law. We have different types of law. We have criminal law, we have civil law. We're going to first talk about these and how they play out. Now, criminal law is designed to preserve the peace, keep society safe. That's where you have police, right? That's the ultimate goal.
You have murder, assault, robbery, arson; all those things fall within the criminal law piece that could cause chaos and pandemonium in a civil society. So therefore, if you do those things, you will be fined as a criminal. These include penalties, community service, and it could go as far as the death penalty, depending upon what you do. This includes computer or cybercrime. On the cybercrime, my wife and I were watching a show on TV, and this young lady decided she was going to break into somebody's email just by getting access to the password, downloading all the emails, and then looking at everything. Well, yeah, she's a young lady, wants to be a doctor. Again, this is a TV drama. Oh my goodness. Well, she's going to go to jail and break a lot of big rocks into little rocks at some point in time. Yes, when she gets caught, because yes, she will get caught because it's a show, and they always get caught. But in most cases, everybody gets caught. They do at some point in time. You make a mistake and you get busted.

Civil law, this is the bulk of the body of laws, and these are designed to provide an orderly society, right? So you only have so many murderers, rapists, and bad people out there, right? I mean, most people think badly, but not everybody actually acts on it. So the bulk of the laws are civil laws, and these are designed to provide an orderly society, following the same process, though, as the criminal law. Now, the difference is enforcement. Law enforcement is not used in civil law unless it's used to keep order, i.e., if there's something against you, like you have a restraining order against you, and then the police have to be called in because you're going overboard. Now that can happen, right? But in most cases, law enforcement is not involved. The person who's affected is the one who files the suit.
They come in and will say, hey, you know what, you did something bad to me. This is where the government plays the administrative or arbitrator role. Now, there's also administrative law. This is empowered by the executive branch and the governments and the agencies. This is where you have a wide-ranging ability to enact laws, but they're basic regulatory requirements to enforce such things as immigration, which has been a huge hot topic as of late. Whether you like it or not, they do have the right to enforce that. How they go about it, that is a whole different animal. But at the end of the day, that's what they do. So you need to understand the basic knowledge around these various legal aspects.

One thing I wanted to mention is that in the case that you have a criminal case, say you go and you rob somebody, and they end up finding you not guilty of robbery, but the family knows that you did it, they just didn't have it beyond a reasonable doubt that you actually committed the crime, they can file a civil lawsuit against you and then garnish wages, do all of those pieces that could impact your life. So criminal and civil can work hand in hand together. Administrative laws can also work with criminal law, because if they find something that you're guilty of, let's say, for example, the EPA sees that you're dumping toxins into a river. Okay, well, that's an administrative law set up by the EPA. You can't do that. But if it's criminal and it's negligent and you're doing it on purpose, then they could find you liable in relation to a criminal lawsuit. And then, therefore, administrative or civil lawsuits could follow as well. So they're all tied together. The big thing is that you need to really truly have legal counsel to help you if you're dealing with some of these aspects.
You are not a lawyer, and you may play one on TV, but because you do that, that does not mean you understand law. Again, I'm telling you this as a person that has dealt with it. Never ever go anywhere without your lawyer. You've got to have one. The reason is lawyers aren't superhuman; they just understand the law and how it works, and they know the intricacies much better than you do. So, therefore, that is why they command the high dollars that they get.

Now, cybercrimes and data breaches. Let's get into that just a tad. Computer crime, this is expanding into many areas and facets of life. It is a necessity. It is not something like in the past where it's like, well, this is a great alternative. I can't even think of a big $10 word. It's a great thinking term, right? It's something out there that, yeah, you may think about this stuff all the time, and it may be in academia, but it doesn't affect us real people. That's a bunch of bull, right? Now we know that it affects everybody. And these old laws that are out there right now are being updated as we speak. Now, these laws don't always pertain to the current world. These laws are a bit outdated. So therefore, as they're being updated over time, it's imperative that you stay abreast of any of the changes that may be occurring.

There's the Computer Fraud and Abuse Act, CFAA. This is the first major piece of cybercrime legislation that came out related to cyber and computers. It's originally part of the Comprehensive Crime Control Act, CCCA. And it's designed not to infringe on state rights. Now, if you're not familiar with the United States, we came up as 13 independent states, a little bit of history. In those 13 independent states, they were very against a centralized government, and they wanted independent rights for each of the states.
So, therefore, because of that, they really kind of hold to that. Now, the world has changed, and the central government has taken a much larger role. Some would say not for a good thing, but it's taken a much larger role in the United States. So the states are not nearly like they were back in the early 1700s. That being said, states do want to clamor to have state rights. So when this came out, it was focused on how do I do this without infringing on state rights. States have the right to govern themselves.

Now, the Computer Fraud and Abuse Act, there are some key examples around that. This includes access to classified or financial information, the ability to modify medical records, trafficking in computer passwords, and causing malicious damage to a federal computer system. All of those things are some examples that you can get tagged for with the Computer Fraud and Abuse Act. Now, there have been various amendments to it. These outlawed the creation of malicious code, covered any computer affecting interstate commerce, and allowed victims to pursue civil action against you. Haha, see, there's that civil action aspect. Now, as you know, one of the big things in the United States that people may not understand is interstate commerce. You can kill somebody, and that's terrible, and you should go to jail for a long time. And my belief is that if you did it with malice and you were somebody that was actually targeting that individual, you should be hanging by the nearest tree. But that being said, that is up to the courts to decide. However, if you affect interstate commerce with people, that's different; killing somebody, as nasty as that is, is very localized in one spot. If you affect interstate commerce, that's affecting a lot more people.
Therefore, guess what's a real quick way for the feds to come after you with everything they have? When you're affecting interstate commerce. Because why? It deals with the money. Yep, follow the money, baby. If you affect money, people will listen and people will focus on you.

The National Information Infrastructure Protection Act, the NIIPA. This is an amendment to the CFAA. Again, this is acronym soup. I am so sorry, but I'm not sorry, because that's just the way it is. So you're going to have to know this for the CISSP. You're going to need to understand what each of these does; they will ask you a question on this, I guarantee you, because they always do, because they know people just get their mind upside down on all of it. But the point of it is, try to understand the concepts, right? What does each of these do? It's highly unlikely they're going to throw one at you like, well, it's actually not the CFAA, it's the CFAZ. They're not going to do something like that, something trivial. But they will want you to understand what each of these does and what the importance is around them. So the amendment to the CFAA broadens the international commerce aspects. Again, there's the money. It affects national infrastructure, and then threats of intentional or accidental damage to critical infrastructure, and makes it a felony. So, bottom line is if you attack the United States and you're going against infrastructure, this is where you can get your first felony. One of many, right? So this is not like collecting baseball cards, but you can get many felonies for doing some of these cyber things, because they don't just affect one thing, they affect lots of others.

The Federal Information Management Act, FISMA. You hear a lot about that one.
That's one that you see quite frequently, and this requires government agencies to have a security program. So you might have been hired because of this requirement around having a security program. And NIST is to help provide some guidelines around that. This includes some key points, such as periodic risk assessments, policies and procedures, subordinate plans, and security awareness training. All of these things, again, if you put this in a situation where you just focus on the Cybersecurity Framework, you would probably get about 99% of what you need. But FISMA is requiring a security program for your company, and they require many of these things. Now we'll get into NYDFS, and they require a CISO, but they also will require many of these things as well. So they all kind of build on each other. The ultimate point is they're trying to put enough levers in place that you actually put a security program in your company, and hence that is why they do these things.

The federal cybersecurity laws of 2014, this modernized the federal government cybersecurity piece. It's also confused with the 2002 FISMA. So it relies on centralized federal security with the Department of Homeland Security, and there are some exceptions to this. Defense-related cybersecurity, this is the Secretary of Defense, or now the Secretary of War. And then intelligence-related cybersecurity is the DNI, or the Director of National Intelligence. So if it's dealing with the Secretary of War or anything that's tied to national defense, then it would not fall under the federal cybersecurity law of 2014. But everything else does, right? So it's all under DHS. You'll see a lot of the hacking things that do occur are tied to DHS and their activities in protecting the United States homeland.
Now, if you're listening to this and you're outside of the United States, your country probably has something very similar to this. I've seen the stuff from the Aussies, the Brits, the French; they all have something very common. They all are, and we've made this comment before, copying from each other. They take one from one and they put it in the other. But realistically, they should have something very similar to it. Now, the test will be focused on US-based stuff, most likely. There are some different aspects around the UK that are brought up in this, but the ultimate goal is you need to understand how this is for the United States, and then take it to the country you're from and just rinse and repeat. That's about like one percent of the stuff that you're going to go through that is focused on the United States; the rest of it is all agnostic. It doesn't really matter. So the NIST standards that are published for this, you've got 853, 171, and the NIST Cybersecurity Framework, are all tied to help protect the federal side, or help be part of the federal cybersecurity law of 2014.

Now we're going to get into licensing and intellectual property requirements. This is a big factor. I kind of have a special place in my heart for IP protection. I did that for many years, and so I have a little bit of extra oomph behind that. So licensing and intellectual property, this is the secret sauce that makes your business work. Now this can be very simple. I'll give you an example. I am actually creating a coffee bar for my coffee truck. You're probably going, what does this have to do with cybersecurity? Ah, here's the piece. As I'm doing this coffee bar, I'm actually making it. I designed it, I'm actually going to build it, and it's a prototype of what needs to occur. It's my intellectual property on how to build a coffee bar. Now, did I take ideas from other people? Yes.
I took some concepts from other people, looked at those, and then figured out how that would work for my world. So I'm going to create this coffee bar. Now, could I patent it? Yes. Could I make billions off of it? Heck no. But is it my IP? It is. It's my intellectual property. Now, because I am with the franchise, I have to share any of the proceeds with them; they get 90%, I get 10%, right? So there's a percentage breakout, which is totally fine. The point, though, is that the intellectual property created is part of what I do. It is what I create. That's why it's important for you to understand that IP can be as simple as a concept around a coffee bar, or it could be as complex as the rocket landing system on the Raptor rockets for Musk's SpaceX, right? It could be any of that stuff. It doesn't really matter. It could also even be code or formulas that you use that make your business super successful in what you do.

Now these are collective assets with various rights based on their owners: copyrights, trademarks, patents, and trade secrets. These are all different pieces that are tied to intellectual property. They will vary from country to country on the level of protection and how long they're kept for. As an example, when I was working in the IP space, the United States had IP protections for about 20 years. But these same protections, if you had IP that was based in another country, are not nearly as long. It just depends on the country and what you're actually trying to protect. So I had IP lawyers that would walk me through what each of these was, because some of the code that we would use would be intellectual property, and we had to figure out how to deal with that. Musk has to deal with it with all of his automated driving cars. He has a fleet of IP lawyers that he is working with.

So, copyright and the Digital Millennium Copyright Act. That's a lot of stuff, right? DMCA.
This is basically original works of authorship. You made it, and it protects it from duplication. This was a factor that happened back probably in the early 2000s, where the DMCA really came into its being. It's a large grouping of works that fall into buckets. You've got literary, musical, sound recordings, etc. Now, AI is going to turn this thing on its head because of the fact that you now have recordings, as an example, of podcasts; I could actually do AI recordings of this, which this is not, but you could do AI recordings of this content and it would sound darn near just like me. And this is a large group, because this all falls within intellectual property. So this is a formal process to obtain copyrights. You have to go through this with the U.S. government. All this really says is that yes, you submitted it to the government, and it starts a paperwork trail. Just because you submit your copyright to the U.S. government does not mean you have it protected, but the paperwork trail has begun. You will have to get yourself, like I said, an IP lawyer, or a lawyer that specializes in some sort of copyright protection, if you want to really truly put some level of protection around what you do in your work.

Now, this provides protection up to 70 years after the death of the last author. It was designed in 1998, and it brings everything into the digital world, right? So protection from digital reproductions from CDs and DVDs. You're probably saying, what is that? Those don't exist much anymore, but I'm sure they're out there somewhere. I remember when the VHS tape was like, oh my goodness, this is awesome. And then you have CDs, DVDs, and you're like, oh, those are great. And then those are gone. Back from the 90s, they're gone. It limits liability to ISPs where data is downloaded, and then there are various exceptions to the law for a service provider.
A good example of that is my son, one Christmas a few years back. He decided to try to live on the dark side a little bit. And next thing you know, hey dad, did you know that this movie is out already? I'm like, no, it's not. He goes, yeah. And he starts downloading it, and I'm like, wait, what is that? It hadn't even finished in theaters yet. I go, stop, stop, you can't do that. And not more than about two minutes later, I got an email from my provider saying, you are downloading illegal content. I'm like, stop. So he deleted it and we got rid of it all and it stopped right there. But the point was, I was like, yeah, they know what you're doing. So don't do it. And yeah, you can get around it with Tor and other areas, I know, but when it's all said and done, use your powers for good, not evil.

There are also trademarks. This is another piece of this. This is where you protect creative work, such as logos, slogans, and everything else. And it's very strong, powerful protection that can be added. Now, the logos, we'll use an example: McDonald's. Yep, you see the big M, you know whose that is. Starbucks, from a coffee standpoint, you know who that is. Traveling Tom's Coffee, you will know who that is in the future. I hope so, at least. That's the goal. It's designed to avoid confusion in the market while protecting intellectual property. You can add a TM, that's Tango Mike, when using it in daily activities, such as "making cybersecurity the simplest" TM, right? You can do that. Once it's registered and it has a little R with a circle around it, then it's a registered trademark. You can file a trademark with the U.S. Patent and Trademark Office. It's intent to use, and it's not necessarily using it right now. So if you intend to use it, like "making cybersecurity simple for businesses." I haven't done that yet, but I'm going to do it.
Even if you're not using it, you still can go ahead and submit it to the U.S. Patent and Trademark Office. It must not be confusing with another trademark. So you've got to make sure that you do the due diligence. Say it must be "the simplest for small and medium businesses." Making cybersecurity simplest for small and medium businesses versus making cybersecurity simplest for businesses. Well, that's pretty similar, right? That would not fly. So you have to come up with something that's a little bit different than that. Use ChatGPT or any sort of AI product to help you with deciding what that might be.

Patents, these provide 20 years of exclusive rights. After 20 years, it's available to anyone. It must be new and original. That's basically the ultimate goal: it gives you some level of protection to ensure that you have market penetration before the rest of the people can use this product. Now, after 20 years, if you don't have market penetration, you've done something wrong. Now, there's the obviousness piece, right? Tire chains for snow, this is obvious, but tire chains printed by a 3D printer, not so obvious. So that patent would be an interesting thing. That's why they talk about the obvious rule. So you have to call it out if you're going to be doing it for something specifically. Patent trolls, these are folks that engage in legal action around patents attempting to gain cash. I have dealt with these people directly. They are right up there with the ambulance chasers that are trying to get cash from people getting in accidents. And again, I go back to this. There are real good reasons, I'm sure, that a patent troll should do what they do. And there are real good reasons that an ambulance chaser should do what they do. There are people that are hurt; they need to be protected.
However, the pendulum swings from one extreme to the other, and at times it's on the other extreme, where they're just suing to get money for patents; that's how they make their living, filing lawsuits. So it's a very interesting world.

Trade secrets. These are critical to business operations. For example, the straw-making business: if you have a new way to make a straw with the swirly little red ridges built into your straw, that would be a trade secret. Everybody knows how to make a straw. Straws are very simple, but if you make it in a different way, in a Gucci way, then it could be a trade secret. An example of this is my uncle, who created a product called Flavor Burst. I remember when we were kids he would show us some prototypes; it puts a candy swirl in the ice cream, which is my favorite, right? So he did that, and in the process he had to do what he needed to do around trade secrets on how he officially did that. So, as for an official process to file a trade secret: you don't file with anyone, but you must put preventative controls in place to protect it, and you must have all the documentation on what you did to create this trade secret. If someone comes out and copies it, you then prove with date stamps, "No, no, no, I did this." Again, you've got to hire a bunch of lawyers, and then you can turn around and sue them on that. You can implement non-disclosure agreements with your people to protect the data. So if you hire employees and they are working on this stuff, you may want to have an NDA in place. There are large software companies that focus on trade secrets specifically, because copyright only protects the data of the software, whereas the overall concept is like the pencil machine I engineered. I didn't keep it as a trade secret; I actually gave it to somebody just because, hey, I thought this was pretty cool.
But realistically, I wish I would have kept it. It was a really cool pencil machine I made for schools, and it was my design. I had a prototype built. It was my unique way of doing that, and that would have been a trade secret.

Licensing. This is reselling your technology or your idea. Common types of this would be a contract agreement, such as with a software vendor or customer. You have pre-packaged agreements, which is where you acknowledge and accept by buying. What that means is you go and buy the thing, you click "Yes, I accept your terms," and you buy it. Those are pre-packaged agreements. Your click-through agreements are the ones where you accept the terms on a website. You go to the website and it says, "By accepting these terms, you know that I can have your firstborn child and all subsequent children afterwards." Oh yeah, sure. Click, click, click, click. That is your click-through agreement. And then you have cloud service agreements, which are very similar to your click-through. These may bind an organization to more than you anticipated. And I will say this: it's important that you have legal counsel help you with any of your cloud service agreements. The reason is that you could end up in a bad situation, especially with SaaS products. When you're dealing with Azure and Amazon, those products are pretty much disposable; you spin them up, you spin them down. That's a given. The ones that have teeth, that can end up causing you more trouble than they're potentially worth, are the software-as-a-service kind of expectations that a third party has. Google is another good example. If you sign up with Google and you do data storage, there can be some potential issues with that as well. So you just need to really, truly understand it.
I know of a situation, and I don't know if it's this way now, but it used to be that for anything you uploaded to Google, they had terms in their contract stating that they own it. Whatever you upload to Google, they own it. I'm sure they have taken some of that language out, but realistically, at some point in time that was in their language. So anything you uploaded, your pictures of Aunt Gina, they would own the pictures of Aunt Gina. Why they would want that is hard to say, but they wanted to own it.

All right, import/export controls. Export controls cover high-end computing devices and products, such as computer hardware and encryption. We're seeing this play out today with chips and the Chinese, NVIDIA; all of these aspects are tied into export controls. The Department of Commerce and the Bureau of Industry and Security will limit where you can send things, such as Cuba, Iran, North Korea, Sudan, and Syria. Those are places you cannot send things. And you will really get in trouble if you send things to, let's say, France, and then France in turn sends it to Iran. That can get bad, and you can get sanctioned by the U.S. Department of Commerce. And then, if you're in an international business, you could potentially be shut down. So you've got to play a very careful role with it. I've seen this and I've lived it. I've lived through a situation where buying something in one country affects some of these countries that are "no-no, don't work with" kind of countries. It can be really challenging. As a security professional, you will experience so many things, depending on the size of your organization. Encryption: previously it was very hard to export any level of encryption, and this includes what was in the actual hardware itself. I had to work with this in a specific situation with some products in China.
I had to go through a very lengthy process with the State Department to ensure that all the information being sent was not going to be used by the Chinese in any form or fashion. Again, this has been repealed, and it's reviewed by the Commerce Department, with a 30-day review process. You can deal with this whole process, but it's changed a lot. I would say when I first started, the encryption capabilities that could be sent to foreign countries were very limited. Now, not so much. And I think a lot of it really stems from the fact that they understand quantum and where quantum is going. They're not so concerned about crypto; they figure it's going to be broken at some point. So they're not quite as draconian on it. Technology changes, and again, it will be interesting to see how new technologies are addressed. We talked about quantum computing being a big factor. It will be very interesting to see how this plays out in the future.

Transborder data flows. This is defined as the electronic movement of data between countries. If you have not dealt with this, whether you're an international company or not, this is probably like, "Oh, yawn, don't worry about it." But at some point in time, I'm pretty sure most companies have dealt with some sort of international capability, and then you're dealing with some sort of electronic data flow between countries. So data leaving France for the United States: how is it handled? Data leaving Iran for the United States: how is that handled? Very different, but at the same time, the same concept applies to both. Now, there's growing international awareness of data moving between countries, and we've become much more seamless as it relates to transporting data. It kind of just goes, and people think, "Oh yeah, it's no big deal." But there are laws around this, and you need to be cognizant of them.
Even if you don't really want to say, "Okay, I'm not really worried about that," that's totally fine; that's totally on you. But you need to make sure your legal teams understand this, because here's the part they don't get. It depends: big companies get it, small companies don't, because they don't really deal with it. But you need to talk to your lawyers and make sure they understand that if you're transferring data from one country to our country, or vice versa, what are the rules around it? And if they don't know, tell them to get smart on it, because it is an important factor. Not to say they're going to find you; they probably will never ever deal with you on this. But if something bad does happen, one of the things they're going to ask is, "Okay, how are you protecting this data? Tell me a little bit more about this data." And quickly this will unravel and turn into an absolute nightmare for you, and you'll be going, "What the heck just happened?" So again, you need to understand it. I can't express this enough. It will bite you. There are various regulatory requirements that require knowledge, such as Chinese cyber law, EU directives, and so forth. I've dealt with both of those, Chinese and the European Union, on this. And there are bureaucrats sitting in various places in both countries going, "You did not do this correctly." I think I'm a little bit passionate about it because, yeah, it caused me to lose about a month of my life. It affects various types of data. This includes personal data, business data, and governmental data. You need to know where your data resides. You need to know where it's transported. You've got to know it. It's really important that you understand where your data is. It's not just, air quotes, "in the cloud." "Hey, where's your data?" "It's in a cloud." "What cloud?" "I don't know, but it's in a cloud." "Where's your cloud at?" "I don't know, it's just in a cloud." So it's like air, right?
It just floats. Yeah, you need to know more than that.

United States privacy. This is the Fourth Amendment of the U.S. Constitution. Again, this is where you're dealing with privacy in terms of unreasonable search and seizure, and they must have probable cause. Protections have increased to cover other invasions of privacy as well. Now, if you're not in the United States, you'll be going, "Well, I don't have any privacy in my country." That could be very true, but this is how it's taken in the United States. I would say "unreasonable search and seizure," well, define unreasonable, right? That's where the lawyers and the judges come in, because what's reasonable and unreasonable to you are two different things from what they are to the government. The privacy bandwagon: there are other countries that are requesting privacy protections for their citizens, including countries not known to be proponents of privacy, such as China, Vietnam, et cetera. They're looking for, air quotes, "privacy." But realistically, they're putting up a veil of privacy and using it in a way to, how do you say it, protect their citizens? Yeah, that's it. It's protecting them. The way we understand privacy in the United States and the way these other countries understand privacy are very different. Now, I say that it's becoming very Orwellian, in the fact that when I was in China, you have cameras everywhere and they watch everything you do. I mean, you can't even fart without them knowing about it. But the United States is the same concept, so I'm seeing cameras everywhere here as well. So we're becoming much more like the Chinese in that big-brother-government-looking-at-you kind of thing. The difference is that in the United States we typically don't put up with it. I say that. Whereas in those countries, they've just been cowed into it; they will follow that, and they have a big strong arm against them if they don't.
So again, it's very different cultures, a very different world. You need to understand the culture you're working with. If you have business in Vietnam, understand some of the challenges they're working through, because that will make you a much better cybersecurity professional, and it also makes you a good human.

Privacy regulations. There's the Privacy Act of 1974, which limits federal government agencies. There's the Electronic Communications Privacy Act of 1986, which deals with illegal interception of electronic communications. And then you have the Communications Assistance for Law Enforcement Act of 1994, which allows wire carriers to wiretap for law enforcement. Not wiretap law enforcement; they get to wiretap you. And then the Economic Espionage Act of '96, where data theft falls under industrial or corporate espionage. So privacy, you can see, is a big factor here in the United States. Lots of acts and laws were put in place to help mitigate some of the privacy challenges they were running into. Or, in the case of wiretapping, they want law enforcement to be able to tap you if they want to, and how are they protected in doing so? Other laws that have privacy regulations baked into them in some way include the Health Insurance Portability and Accountability Act of '96 (yeah, it's a mouthful), otherwise known as HIPAA. That defines the rights of individuals. That thing has all kinds of teeth in it, and it's nasty. You have HITECH, which I'm not going to go through again because it's another alphabet soup, but it's basically the Health Information Technology for Economic and Clinical Health Act of 2009. Data breach notification requirements are put in there for any sort of issue you may have. You have COPPA, which you should be very aware of, and this is the Children's Online Privacy Protection Act of '98.
That one will bite you hard, and you'd better make sure you are protecting it. This is designed to protect information on sites catering to children. Now, if the site doesn't necessarily cater to children, like, I'll say, CISSP Cyber Training: do children go to my site? Yeah, I'm sure they do. Is it good for them? I highly recommend it; it'll help make them smarter. But is it catering to children? No, it's not. So therefore I don't fall under COPPA, because I'm not catering to my five-year-old granddaughter. But if I had Bluey on my site and I was trying to get kids to bring their parents to my site using Bluey, for example, then I would be catering to children, and therefore I would fall under COPPA. COPPA is good. I mean, it's good for the kids, it's good to protect them, but you'd better have a good plan when you're dealing with sites that cater specifically to children. The Gramm-Leach-Bliley Act of 1999: you'll see this especially in the financial industry; I deal with this a lot. This requires written privacy policies to be provided to customers. They have to have that. And there are many, many others, but these are some of the big ones you might deal with as it relates to the CISSP.

European Union Privacy Law. This was enacted in '95. It has very strict requirements around processing personal data, and it was a lead-in to GDPR. It comes down to: how do you manage people's data? Do you have the right to be anonymous? Do you have the right to be forgotten? All of those pieces fall into GDPR, but all of them stemmed from the European Union Privacy Law of 1995. And again, you must have consent to use any of their data. The EU General Data Privacy Regulation was enacted in 2018. This applies to organizations or companies not in the EU.
So these are the people who are collecting data on EU citizens but are not EU people or EU organizations. If you have a data breach, within 24 hours you must let them know. If it deals with the privacy of EU citizens, this is serious. They will fine you and it will be bad. So you need to let them know. Now, you need to define as an organization what is a data breach, air quotes. You may have lots of incidents and lots of events, but you don't necessarily have a data breach. Once you apply the data-breach label, boom, baby, your clock is ticking, so you'd better get going. Access to their own data, the ability to be forgotten, data removed, all of those pieces, right? "I want to be forgotten, and my data is not to be used by you." That is all part of this General Data Privacy Regulation of 2018. There are data protection personnel within each of the member states. So again, it's synonymous, kind of like our states in the United States. Take data protection if you go from California to Maryland. Each state has its own privacy laws in place. Some may be a little more loosey-goosey, some may be more draconian. Maryland and California are typically a little more draconian. You come to Kansas, they're probably a little more loosey-goosey. So it just depends. However, if data goes from Kansas to Maryland, I fall under the Maryland privacy laws. So it's best to just focus on the most draconian and make sure you meet those. Data protection personnel within each of the members, we talked about that, and there are lots of other details tied to it. But at the end of all that, you need to give them access to their own data, the ability to be forgotten, and data removed upon their request. That is key when you're dealing with the data privacy regulation of 2018.

The China Personal Information Protection Law, PIPL. Yeah, I've dealt with this one a lot.
This protects the rights and interests of individuals. Wink, wink. Yeah, that's the individuals, all right. It regulates personal information processing activities and resembles the GDPR very closely. Now, anonymized information is not considered personal information. So if you have it out there, you anonymize it, and it's not available for personal gain. This deals with processing of data outside of China. So for any Chinese citizens whose data you're using and processing outside of China, you have to follow the PIPL law. And you must have a dedicated office or representative in country to process data. Very similar to GDPR; they have data processors, but it's very similar to that. Now, I say that the thing is, I try to use the concept that the EU is about protecting the citizen. Theirs are designed to protect the citizen. China's is designed to protect the state, not the citizen. It may come across as though they're trying to protect the citizen, but they're not. It's the state. And the United States is in the middle, right? We're not all about protecting the person, but we're also not all about protecting the state. And because all the different states in the United States have different rules, it gets a little more convoluted and confusing. But when you're dealing with the PIPL law, you do not want to mess that up. You want to make sure you are handling it in the most correct manner, especially as a business in China, because the Chinese government can come in. Say, for example, you had a facility that made $1.5 billion per year, and it's making gobs of money, right? Well, if you screw this up, they can come in and go, "You can shut that down now. Thank you very much." And then you shut it down, and now you just lost $1.5 billion a year. Yeah, that will hurt the pocketbooks. You aren't getting a bonus this year, whether you like it or not.
So yes, that's an important part. The PIPL law is something you want to make sure you are following.

In the vein of privacy, we have state privacy laws. You need to be aware of all the laws passed by the states, the provinces, and other jurisdictions. The CCPA, the California Consumer Privacy Act: you need to be aware of that as well. This was passed in 2018, modeled after the EU's GDPR. The provisions went into effect in 2020, and some key points you need to know are: what information a business is collecting, that you have the right to be forgotten, that you have the right to opt out of the sale of personal information, and the right to exercise privacy without persecution. All of this falls under CCPA. So it looks very close to GDPR, but it's just for California. I mean, California's economy is in the top five of the globe, somewhere right around there. So you know, this is something they wanted to be able to do. Now, you'll notice that if you work with any businesses in California, they will have this checkbox. You can be forgotten. You can uncheck that and say, "No, I don't want you to collect my information." Actually, on CISSP Cyber Training, you can opt out of marketing emails if you sign up. All of that stuff is designed to help protect you as a consumer. But when you do that, you also limit what you can actually get and what kind of information you may be able to get. So you've got to weigh that and determine what is most important and most valuable to you.

Data breaches. There are various data breach notification requirements out there, and these are incorporated into various privacy laws. We talked about HITECH, right? You have a federal law you have to deal with for individuals. You have GDPR. HITECH, I think, is 72 hours. GDPR is 72 hours. They all have different ranges, anywhere from 24 to 72 hours after a data breach.
You must let them know. Now, at first it was like, "Oh my gosh, this is crazy. This is foolishness." And it is, in some respects, because as we all know, you're not going to know anything in 24 hours; you're not going to know anything in 72 hours. So you have to be very clear on what a data breach is. You have to be very clear, and you need to define what you consider a data breach. Now, it's up to you to consider what that is. There is guidance out there on what a data breach is. If you say, "I'm only going to call it a data breach if the IP address, along with the person's information, plus their date of birth, plus their child's name, plus their dog's name is leaked; if those things are not met, I will not call it a data breach," okay, if you go with that thought process, which you could (I wouldn't recommend it, but you could), then people will come back and look at you and say, "No, that's a foul," and you'll have all kinds of legal issues. On the flip side, if you say, "Hey, if I have a log come in that says this computer is acting funny, I'm going to call it a data breach," that is really bad. That's the wrong side of the pendulum as well. So you're going to have to figure out what's in between. What's in there that makes you go, "You know what, I feel pretty confident that something bad has just happened. Let's go ahead and let the hounds know. Release the hounds." You have the ability to do that. But you need to define that working with your COO, your CIO, and your CEO. That's a lot of C's. But yes, you need to work with all of those folks to define what a data breach is. And your lawyers too; make sure your lawyers are in there, because it will come up. And if you don't figure that out now, when it does come up, there will be lots of people pointing fingers and head scratching going on. So it's very important for you to figure that out.
I spent a little bit of time on that because I wanted you to be aware that this isn't something you can take lightly. You cannot pass it off and think, "Oh, I will worry about that later." No, it's a thing you need to worry about today. California SB 1386: this was the first U.S. state law to require data breach notification. Again, this deals with any personally identifiable information, which is an old term that's not really used anymore, but it's anything that identifies back to you: Social Security number, driver's license, all those kinds of things, and they vary from state to state. Again, most require a documented process to address any sort of breach.

Okay, that's all I have for you today. That was a lot. There's a ton of stuff there. Go to CISSP Cyber Training and check it out. All of this is available to you at CISSP Cyber Training. The videos are there, all the content is there. I've got training that's broken into actual segments. I've got a blueprint, and you're going to have questions. All of that is available to you at CISSP Cyber Training as part of my paid products. My free products: I've got a lot of content, including this, that is available to you on my blog, or will be available probably in the next couple of weeks. So all my free content will help you get going and get started on the CISSP. If you really want to finish up strong and you want that concierge-type activity, go to CISSP Cyber Training and get the paid products. You will not regret it. If you're focused on trying to make extra money and trying to get the CISSP done, I mean, seriously, let's look at it this way. You're going to invest $700 to $1,100 on a test, and you're not going to invest a little bit of money in getting the training that you need? I'm sure you're cutting off your nose to spite your face. Can you do it? Sure. Did I do it? Sure. But I also failed the first time.
And we don't want you to fail the first time. We want you to pass the first time. You can go to any podcast app where you're listening to this and see some of the testimonials. The training is there. It's for you. It's good. It will help you pass the exam. It'll help you get this done. And the best part is it'll give you some real-world experience to start you off right and get you going down the right path. All right, hope you guys enjoyed this. Have a great day, and we will catch you all on the flip side. See ya.

Thanks so much for joining me today on my podcast. If you like what you heard, please leave a review on iTunes, because I would greatly appreciate your feedback. Also, check out my videos on YouTube; just head to my channel at CISSP Cyber Training, and you will find a lot of content to help you pass the CISSP exam the first time. Lastly, head to CISSP Cyber Training and sign up for 363 CISSP questions to help you in your CISSP journey. Thanks again for listening.

 

CISSP Cyber Training Academy Program!

Are you an ambitious Cybersecurity or IT professional who wants to take your career to a whole new level by achieving the CISSP Certification?

Let CISSP Cyber Training help you pass the CISSP Test the first time!