Скачать книгу

you do requires you to understand the needs of your employers or clients. You listen, observe, gather data, and ask questions; you think about what you've learned, and you come to conclusions. You make recommendations, offer advice, or take action within the scope of your job and responsibilities. Sometimes you take action outside of that scope, going above and beyond the call of those duties. You do this because you are a professional. You would not even think of making those conclusions or taking those actions if they violently conflicted with what known technical standards or recognized best technical practice said was required. You would not knowingly recommend or act to violate the law. Your professional ethics are no different. They are a set of standards that are both constraints and freedoms that you use to inform, shape, and then test your conclusions and decisions with before you act.

      (ISC)2 Code of Ethics

      (ISC)2 provides a Code of Ethics, and to be an SSCP, you agree to abide by it. It is short and simple. It starts with a preamble, which is quoted here in its entirety:

      The safety and welfare of society and the common good, duty to our principals, and to each other, requires that we adhere, and be seen to adhere, to the highest ethical standards of behavior.

      Therefore, strict adherence to this Code is a condition of certification.

      Let's operationalize that preamble—take it apart, step-by-step, and see what it really asks of us.

       Safety and welfare of society: Allowing information systems to come to harm because of the failure of their security systems or controls can lead to damage to property or injury or death of people who were depending upon those systems operating correctly.

       The common good: All of us benefit when our critical infrastructures, providing common services that we all depend upon, work correctly and reliably.

       Duty to our principals: Our duties to those we regard as leaders, rulers, or our supervisors in any capacity.

       Our duty to each other: To our fellow SSCPs, others in our profession, and to others in our neighborhood and society at large.

       Adhere and be seen to adhere to: Behave correctly and set the example for others to follow. Be visible in performing your job ethically (in adherence with this code) so that others can have confidence in us as a profession and learn from our example.

      The code is equally short, containing just four canons or principles to abide by.

      Protect society, the common good, necessary public trust and confidence, and the infrastructure.

      Act honorably, honestly, justly, responsibly, and legally.

      Provide diligent and competent service to principals.

      Advance and protect the profession.

      The canons do more than just restate the preamble's two points. They show you how to adhere to the preamble. You must take action to protect what you value; that action should be done with honor, honesty, and with justice as your guide. Due care and due diligence are what you owe to those you work for (including the customers of the businesses that employ us!).

      In ancient history, there were only three professions—those of medicine, the military, and the clergy. Each had in its own way the power of life and death of individuals or societies in its hands. Each as a result had a significant burden to be the best at fulfilling the duties of that profession. Individuals felt the calling to fulfill a sense of duty and service, to something larger than themselves, and responded to that calling by becoming a member of a profession.

      This, too, is part of being an SSCP. Visit https://www.isc2.org for more information.

      Organizational Code of Ethics

      Most businesses and nonprofit or other types of organizations have a code of ethics that they use to shape their policies and guide them in making decisions, setting goals, and taking actions. They also use these codes of ethics to guide the efforts of their employees, team members, and associates; in many cases, these codes can be the basis of decisions to admonish, discipline, or terminate their relationship with an employee. In most cases, organizational codes of ethics are also extended to the partners, customers, or clients that the organization chooses to do business with. Sometimes expressed as values or statements of principles, these codes of ethics may be in written form, established as policy directives upon all who work there; sometimes, they are implicitly or tacitly understood as part of the organizational culture or shaped and driven by key personalities in the organization. But just because they aren't written down doesn't mean that an ethical code or framework for that organization doesn't exist.

      Fundamentally, these codes of ethics have the capacity to balance the conflicting needs of law and regulation with the bottom-line pressure to survive and flourish as an organization. This is the real purpose of an organizational ethical code. Unfortunately, many organizations let the balance go too far toward the bottom-line set of values and take shortcuts; they compromise their ethics, often end up compromising their legal or regulatory responsibilities, and end up applying their codes of ethics loosely if at all. As a case in point, consider that risk management must include the dilemma that sometimes there are more laws and regulations than any business can possibly afford to comply with and they all conflict with each other in some way, shape, or form. What's a chief executive or a board of directors to do in such a circumstance?

      As the on-scene information security professional, you'll be the one who most likely has the first clear opportunity to look at an IT security posture, policy, control, or action, and challenge any aspects of it that you think might conflict with the organization's code of ethics, the (ISC)2 Code of Ethics, or your own personal and professional ethics.

      What does it mean to “keep information secure?” What is a good or adequate “security posture?” Let's take questions like these and operationalize them by looking for characteristics

Скачать книгу