Domain 1 of 8 · Chapter 4 of 12

Legal & Compliance

Unlock the complete study guide + 1,040 practice questions across 16 full exams.

Bundled into the existing Certified Information Systems Security Professional premium course — no separate purchase.

Included in this chapter:

  • Legal systems and intellectual property
  • Privacy, transborder flow, and export controls
  • Exam-pattern recognition

The four intellectual-property protections at a glance

AspectPatentTrademarkCopyrightTrade secret
ProtectsNovel, useful inventionsBrand identifiers (name, logo)Original works of authorship (expression)Confidential business information
Term~20 years from filingIndefinite (10-yr renewals)Author's life + 70 yearsIndefinite while kept secret
RegistrationRequired, public disclosureRegistration strengthens itAutomatic on fixationNone: secrecy only
WeaknessExpires, then publicMust be defended/usedProtects expression, not the ideaNo protection vs. independent discovery / reverse engineering

Decision tree

Brand identifier(name, logo)?YesTrademarkNoOriginal work of authorship(software, writing)?YesCopyrightNo (invention / secret)Can you acceptpublic disclosure?YesPatent~20 yrs from filing, then publicNoTrade secretindefinite, but no defense vs. reverse engineeringAlways: classify the asset by what it is and whether secrecyor disclosure protects its value before choosing.

Cheat sheet

  • Compliance is a floor, not proof of security
  • Criminal law is the state's case proved beyond a reasonable doubt
  • Civil law settles private disputes on a preponderance of the evidence
  • Administrative law is a regulator's rules enforced over its sector
  • Patent protects an invention for ~20 years in exchange for disclosure
  • Trademark protects a brand identifier and renews indefinitely
  • Copyright protects expression, not the idea, for life plus 70 years
  • Trade secret lasts forever while secret but dies on lawful discovery
  • Patent versus trade secret turns on whether you accept disclosure
  • GDPR reaches you by the data subject's location, not your address
  • GDPR gives data subjects enforceable rights over their data
  • The controller decides why and how; the processor just follows instructions
  • GDPR breach: 72 hours to the regulator, high-risk triggers subject notice
  • GDPR top-tier fines reach 20 million euros or 4% of global turnover
  • A DPO is mandatory for public bodies and large-scale monitoring
  • CCPA/CPRA gives Californians opt-out rights and created the CPPA
  • PIPL and POPIA follow the GDPR model with local edges
  • Cross-border personal data needs a lawful transfer mechanism first
  • Data residency can force regulated data to stay in-country
  • PCI DSS is a binding contract, not a law
  • Classify each obligation by its source: statute, regulation, or contract
  • Export controls split by what is controlled: EAR, ITAR, Wassenaar
  • A deemed export is releasing controlled tech to a foreign national at home

Unlock with Premium — includes all practice exams and the complete study guide.

Also tested in