CISSP Domain 1 — Security and Risk Management
Section A — Governance and Legal Review (10 Questions)

This section integrates:

  • Professional Ethics and Security Concepts
  • Security Governance Principles
  • Compliance Frameworks and Legal Requirements
  • Investigation Types and Evidence Handling
  • Security Policy, Standards, Procedures, and Guidelines

CISSP evaluates whether you can think across these topics simultaneously — applying the right governance principle, legal framework, or policy mechanism to a given scenario.


1. Ethics and Governance Set the Foundation

The (ISC)² Code of Ethics is not just a formality. When a scenario presents a conflict between employer interests and public safety, the code resolves it:

Protect society, the common good, necessary public trust and confidence, and the infrastructure.

This canon takes priority over all others. Governance structures — alignment with business objectives, due care, due diligence — build on this ethical foundation.

When unsure:

  • Public safety overrides employer loyalty
  • Legal compliance overrides business convenience
  • Governance alignment precedes technical implementation

2. Legal Frameworks Determine Your Obligations

Jurisdiction, data type, and obligation source define what you must do:

  • EU residents trigger GDPR — regardless of your company's location
  • Patient health records in the US trigger HIPAA
  • Criminal activity requires law enforcement involvement
  • Contractual obligations (PCI DSS, SLAs) are not laws but carry real consequences

CISSP expects you to match scenarios to frameworks quickly, not recite statutes from memory.


3. Policy Hierarchy Determines Enforceability

The hierarchy governs what you can enforce and what you can only recommend:

  • Policies — mandatory, set by management, define what
  • Standards — mandatory, define to what level
  • Procedures — mandatory, define how (step by step)
  • Baselines — mandatory, define minimum configuration
  • Guidelines — recommended, not enforceable

If you cannot discipline someone for ignoring it, it is a guideline. If it lacks management approval, it lacks authority. If exceptions are undocumented, governance is broken.


Section A Decision Pattern

When unsure in Domain 1 Section A:

  1. Check the ethical obligation first — does public safety apply?
  2. Identify the legal framework — which jurisdiction and which law?
  3. Classify the investigation type — who leads and what burden of proof?
  4. Verify the governance document — is it a policy, standard, or guideline?
  5. Confirm the lifecycle stage — was it approved, communicated, and enforced?

Section A – Practice Questions


Question 1

A CISSP discovers that their employer is knowingly storing unencrypted customer health records in violation of HIPAA. Management instructs the CISSP to remain silent to avoid regulatory attention.

What should the CISSP do?

A. Follow management instructions to preserve the employment relationship
B. Encrypt the records quietly without informing management
C. Report the violation through appropriate channels, prioritizing public trust and legal compliance
D. Resign immediately to avoid personal liability

Answer & reasoning

Correct: C

The first canon of the (ISC)² Code of Ethics requires protecting society and the public trust. HIPAA violations involving unencrypted PHI directly endanger patients. The CISSP must report through appropriate channels — this may mean internal escalation, compliance officers, or if necessary, regulatory notification.

Following management instructions (A) violates the code of ethics. Quietly encrypting (B) does not address the underlying governance failure. Resignation (D) abandons the responsibility to act.


Question 2

A multinational company headquartered in the US processes payroll data for employees in Germany, Brazil, and Japan. Each country has different data protection laws.

What is the BEST approach to compliance?

A. Apply US data protection standards globally since the company is US-based
B. Implement the strictest applicable regulation across all jurisdictions
C. Identify each jurisdiction's requirements and implement controls that satisfy all applicable regulations
D. Outsource payroll processing to avoid direct regulatory obligations

Answer & reasoning

Correct: C

Each jurisdiction has distinct requirements. Germany falls under GDPR, Brazil under LGPD, and Japan under APPI. The organization must identify the specific obligations in each and implement controls that meet all of them. Simply applying the strictest (B) may miss jurisdiction-specific requirements that are not about strictness but about specific rights or processes.

US standards alone (A) will not satisfy EU or Brazilian requirements. Outsourcing (D) does not eliminate the organization's obligations as the data controller.


Question 3

During a routine access review, the security team discovers that a system administrator has been accessing financial records outside their job responsibilities for three months.

What type of investigation should be initiated FIRST?

A. Criminal investigation with immediate law enforcement contact
B. Administrative investigation to determine the scope and intent of the access
C. Civil investigation to calculate financial damages
D. Regulatory investigation reported to the SEC

Answer & reasoning

Correct: B

The facts establish unauthorized access, but the intent is unknown. An administrative investigation determines whether this was curiosity, a process gap, or something more serious. If the investigation reveals criminal intent (fraud, theft), the matter can be escalated to law enforcement.

Jumping to criminal investigation (A) is premature without evidence of criminal intent. Civil and regulatory actions are not warranted at this stage.


Question 4

A security manager creates a document that states: "All mobile devices should use full-disk encryption and a minimum 6-digit PIN." The document is published on the intranet.

An employee's unencrypted phone is stolen, exposing customer data. Can the organization hold the employee accountable?

A. Yes, the document was published and accessible to all employees
B. Yes, because full-disk encryption is an industry standard practice
C. No, the word "should" makes this a guideline, which is not enforceable
D. No, because mobile device policies require board approval

Answer & reasoning

Correct: C

The word "should" indicates a recommendation, not a requirement. This makes the document a guideline. Guidelines cannot be enforced with disciplinary consequences. To hold employees accountable, the organization needs a mandatory policy or standard using "must" or "shall" language, approved by management.


Question 5

An organization's incident response team captures RAM from a compromised server, creates a disk image with verified hash values, and documents every transfer in a chain-of-custody log. However, the team did not use write blockers when imaging the disk.

What is the PRIMARY risk?

A. The RAM capture may be incomplete
B. The disk image may have been altered during acquisition, compromising its admissibility
C. The chain-of-custody documentation is invalid without write blockers
D. Hash values are unreliable for verifying digital evidence

Answer & reasoning

Correct: B

Write blockers prevent any modification to the source media during imaging. Without a write blocker, the imaging process itself may alter the disk (updating access timestamps, for example). Even though hash values were taken, opposing counsel can argue the disk was modified before the hash was computed, undermining the evidence's reliability and admissibility.

The chain of custody is not invalidated by the lack of write blockers (C) — it is the evidence integrity that is compromised. Hash values are reliable tools (D), but only if the source was not modified before hashing.
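The argument in this answer, that a hash computed after imaging verifies the image against the source as it is now but not against the source as it was seized, can be shown with a small simulation. The following is an added example, not part of the original review material or of any forensic tool; the "disk" is a constructed byte string whose first eight bytes stand in for filesystem metadata such as an access timestamp, and the write-blocker flag is a hypothetical switch that simulates whether the operating system touches that metadata when the media is attached.

```python
import hashlib


def sha256_hex(data: bytes) -> str:
    """Hex digest used for evidence verification."""
    return hashlib.sha256(data).hexdigest()


def make_sample_disk() -> bytearray:
    """Constructed sample media: 8 bytes of 'metadata' (a fake last-access
    timestamp) followed by file content. Values are illustrative only."""
    metadata = (1700000000).to_bytes(8, "big")
    content = b"customer_ledger.csv: id,amount\n1,42.00\n2,17.50\n"
    return bytearray(metadata + content)


def acquire(source: bytearray, write_blocked: bool) -> bytes:
    """Bit-for-bit copy of the source media.

    Without a write blocker we simulate the side effect described in the
    answer: attaching the media read/write lets the OS update metadata
    (here the access timestamp) before the copy is taken. With a write
    blocker the source cannot change, so the copy is taken as-is."""
    if not write_blocked:
        ts = int.from_bytes(source[:8], "big") + 1
        source[:8] = ts.to_bytes(8, "big")
    return bytes(source)


def acquisition_report(write_blocked: bool) -> dict:
    """Run one simulated acquisition and compare three hashes:
    the hash recorded at seizure, the hash of the image, and the hash of
    the source media after imaging."""
    disk = make_sample_disk()
    seizure_hash = sha256_hex(bytes(disk))      # recorded when media was seized
    image = acquire(disk, write_blocked)
    image_hash = sha256_hex(image)              # hash of the acquired image
    post_hash = sha256_hex(bytes(disk))         # hash of source after imaging
    return {
        # What a hash taken only after imaging proves: image == source now.
        "image_matches_source_now": image_hash == post_hash,
        # What admissibility actually needs: image == media as seized.
        "image_matches_seizure_hash": image_hash == seizure_hash,
        # Whether the acquisition itself altered the evidence.
        "source_unchanged": post_hash == seizure_hash,
    }


if __name__ == "__main__":
    for blocked in (True, False):
        print("write blocker" if blocked else "no write blocker", acquisition_report(blocked))
```

With the write blocker, all three comparisons hold. Without it, the image still matches the source as it exists after imaging, so a hash taken at that point "verifies", but it no longer matches the seizure hash and the source itself has changed, which is exactly the gap opposing counsel would point to.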


Question 6

A company's CISO presents a security strategy to the board that aligns with business objectives, references industry frameworks, and includes measurable risk metrics. The board approves the strategy but does not formally approve the supporting security policies.

What governance gap exists?

A. The strategy should not reference industry frameworks
B. Risk metrics are not appropriate for board-level reporting
C. Policies lack formal authority without explicit management or board approval
D. The CISO should not present directly to the board

Answer & reasoning

Correct: C

Strategy approval and policy approval are separate governance actions. Approving a strategy does not automatically authorize the policies that implement it. Each policy requires its own formal approval from the appropriate authority to carry organizational weight and be enforceable.


Question 7

A forensic analyst is called to testify about log analysis they performed on a compromised database server. The analyst did not personally observe the attack — they reconstructed events from server logs after the fact.

What type of evidence is the analyst providing?

A. Real evidence
B. Testimonial evidence as an expert witness
C. Demonstrative evidence
D. Direct testimonial evidence as a lay witness

Answer & reasoning

Correct: B

The analyst is providing expert testimony — opinion based on specialized knowledge applied to evidence they examined after the fact. They did not directly observe the attack (which would make them a lay witness providing direct testimony). Their value is in interpreting technical evidence, which is the role of an expert witness.

Real evidence is tangible physical evidence. Demonstrative evidence consists of visual aids used to explain other evidence.


Question 8

An organization discovers that a third-party vendor storing customer data has suffered a breach. The vendor contract includes a right-to-audit clause but no specific breach notification requirements.

What is the organization's MOST important first action?

A. Terminate the vendor contract immediately
B. Assess the organization's own notification obligations to affected customers under applicable privacy laws
C. Wait for the vendor to provide a full incident report before taking action
D. File a civil lawsuit against the vendor for negligence

Answer & reasoning

Correct: B

The organization remains responsible for customer data regardless of where it is stored. Privacy laws (GDPR, state breach notification statutes) impose notification obligations on the data controller, not just the processor. The organization must first determine its own legal obligations to affected individuals.

Contract termination (A) and lawsuits (D) are premature. Waiting passively (C) risks violating statutory notification timelines.


Question 9

A security team discovers that 40% of active policy exceptions were approved more than two years ago with no documented review since approval. Several of them reference systems that have since been decommissioned.

What governance control has failed?

A. Change management
B. Periodic review and expiration of policy exceptions
C. Data classification
D. Incident response procedures

Answer & reasoning

Correct: B

Policy exceptions must have expiration dates and be subject to periodic review. Exceptions referencing decommissioned systems are clearly stale. The failure is in the exception management lifecycle — approvals were granted but never revisited. This creates undocumented risk exposure and governance drift.


Question 10

A company operating in the EU wants to transfer employee data to a subsidiary in a country that the EU Commission has not recognized as providing adequate data protection.

Which mechanism would BEST enable lawful transfer?

A. Obtaining individual consent from each employee for the transfer
B. Implementing Binding Corporate Rules approved by the relevant supervisory authority
C. Encrypting the data before transfer to ensure confidentiality
D. Establishing a Data Processing Agreement without additional safeguards

Answer & reasoning

Correct: B

Binding Corporate Rules (BCRs) are designed specifically for intra-group international data transfers. Once approved by a supervisory authority, they provide a lawful mechanism for transferring personal data to countries without adequacy decisions. BCRs require the group to commit to binding data protection standards across all entities.

Employee consent (A) is problematic under GDPR because of the power imbalance in employment relationships — consent may not be freely given. Encryption (C) addresses confidentiality but is not a recognized transfer mechanism. A DPA alone (D) is insufficient without Standard Contractual Clauses or another approved mechanism.
