Hello Guys,
I recently started my CISSP studies, and after reading through the first domain (Security and Risk Management), I have to ask: how much is the CISSP influenced by US laws, rules and regulations? I am using Eric Conrad's study guide, and the chapter covering the first domain is full of information on the US system. Fourth Amendment, Rule 1001, evidence and court procedures, HIPAA, SOX, Patriot Act, to name just a few. Is this something that is a trend throughout the exam, or is it mostly for examples and broader-picture stuff? Do I need to be familiar with all these US rules, regulations, common practices, etc. to be able to pass the exam, even though they are completely irrelevant to a Scandinavian like me?
Thanks
Hi,
I understand your concern. However, please note that security concepts in general originate from the US, and especially, mostly, from the US military. Most of the basic security concepts are derived from there, and even though right now they might seem a bit transformed, the core is still there; it all comes from the USA. CISSP is a holistic course and aims to educate you not only about the principles themselves but also provides a bit of knowledge on "where the whole thing starts", which in my opinion gives a good awareness of the security realm in general. Exam-wise, I would not say you need to know all the US law/military stuff; however, be aware that the security principles you would learn throughout the course are closely related to them, as this is where they originate from. All the info you can get about security, no matter from where, would help you for this exam.
I'd think that you might get fewer questions specifically on the US laws and standards than you might think, or maybe more, but it's very subjective. Now for some rambling thoughts...
I sat it after lapsing earlier in the year, and wasn't perturbed by any of the US Qs, and as a British person, I can tell you our main concerns these days are being sniffy about Europe while complaining about how poor we are all of a sudden... so I think everyone has enough head space.
In addition, a lot of the US sectoral regulations exist specifically because of threats, events etc. that came along and had to be dealt with; SOX, for example, came out of (or at least was triggered by) the Enron debacle. Why did the Patriot Act happen, and what does it mean for privacy? Etc., etc. Most of the Qs are not so deep, and as long as you know the domain covered and what something means at a high level you can normally infer the answer.
There's more than enough ISO 27001 and ITIL etc. to keep everyone busy. TCSEC, ITSEC through to the Common Criteria (ISO/IEC 15408 for you trainspotters): it all blurs into one thing in the end. Just wait till the requirement for the Chinese Cyber Security Law is added. And if you felt that the CBK could do with more emphasis, say, on ISO 22313:2012, or even the e-Privacy Directive, then you could easily lobby for it. Much easier to assimilate it, and you'll almost certainly use the knowledge at some stage.
Lastly, a lot of these are not just laws, standards and such but really important histories of our profession. For example, why was Phil Z 'dobbed in' for alleged ITAR violation over RSA, by RSA? Why was Peter Gutmann also questioned, and just what was the 'Gutmann Method' for? What was the late, great Hal Finney doing working on crypto when he should have been making video games? Some of these things are just plain cool/interesting to know.
It's been a while (13 years) since I took the exam; for questions about the exam, I will defer to someone with more recent experience. In terms of figuring out the relevance of certain laws, let's take a specific U.S. example, the New York cybersecurity rules for financial institutions. It may just be a state law, but it covers financial institutions and insurers licensed to do business in NY. Given NY's linchpin status in the global market, it has the effect of being not just a U.S. law but also an international one.
Something to be aware of is that in the U.S., our 50 state legislatures tend to act quicker than Congress. So when it comes to navigating legal compliance in the U.S., when you factor in the individual states, there are probably a good 85 different laws which deal significantly with information security. If we pile on top of that any number of international laws, the most significant of which is probably GDPR right now, I think you encounter an uncertainty principle: by the time you achieve mastery of these regulations, they have already changed or expanded. It is also quite difficult to filter which laws are relevant because in this day and age, it is hard to categorically say we don't or never will do business with (fill in the blank). This doesn't even broach the subject of how you address having to comply with multiple laws that might conflict with each other.
I think the point that really needs to be emphasized is that legal compliance is at best very difficult to guarantee. It instead needs to be factored into a broader risk management program, likely seeking to insure against a fine (again, that is where GDPR is sounding alarms) more than seeking 100 percent compliance at all times.
I used to contribute to Test Development for CISSP and other credentials.
1. You're using study material that's not developed by (ISC)2, and the author has no insight into the exam content outline if they are including US-specific content in their study material. My recommendation is first of all to download the exam content outline:
https://cert.isc2.org/cissp-exam-outline-form/
You won't get any question on the exam that isn't directly related to a specification on the outline, i.e., you won't find anything on the outline that mentions a particular jurisdiction, industry, product/vendor, etc. Understand the outline; be comfortable that you have good knowledge of all of the sub-domains.
2. The exam outline follows the CBK (the Common Body of Knowledge). The two key words are underlined here. The knowledge has to be common, i.e., it has to be general to security professionals regardless of geography, industry, or security role within an organisation (as long as the candidate is operating in a professional capacity).
The test is not about whether the candidate has retained what they've learnt in a week's training, but rather the knowledge that they possess that allows them to function at a high level (with at least five years' experience) as a security professional within their organisation.
Best of luck with the exam.