Educause Security Discussion mailing list archives
Re: CISSP Ethics Education
From: Keith Hartranft <kkh288 () LEHIGH EDU>
Date: Tue, 10 Mar 2015 14:35:04 -0400
Ed,

The idea of understanding the Code of Ethics for the ISC CISSP is understanding the posting above and how it relates to a CISSP's actions. An inclusive program in studying for the CISSP usually gives some examples of do's and don'ts that fit the Code ... but it's really only tailored for the ISC2 Codes of Ethics and the Exam really.

In classes I teach I take students down a greater sampling of Ethics "codes" if you will ...

- The Computer Ethics Institute (CEI) - Ten Commandments of Computer Ethics: http://computerethicsinstitute.org/publications/tencommandments.html
- The Internet Architecture Board (IAB) and RFC1087: https://tools.ietf.org/html/rfc1087
- The ISACA Code of Ethics: http://www.isaca.org/Certification/Code-of-Professional-Ethics/Pages/default.aspx
- The ISSA: (They have a rather nice PPT) http://www.issa.org/?page=codeofethics
- SANS: https://www.sans.org/security-resources/ethics.php

Others? ... WIPO has a bunch as well and as a PCI ISA or QSA you sign an "Agreement" to act in specific matters ... they are all published on the PCI-DSS website.

All (or most) of these are covered in CISSP training materials (like Shon Harris) in the Legal, Regulations, Investigations and Compliance Domain.

Additionally, I'd also say it's great for self-study or training to include a Law & Ethics dedicated focused course. I've used Sari Greene's text "Security Program and Policies Principles and Practices" and revisit the idea of Ethical behaviors as we progress through Laws and Regulations and Industry Guidance and the building of Information Security Policies.

In both classes ... I run an activity where I ask the students to write down adjectives that would describe "ethical" and "unethical" behavior. After we've assembled and "approved" our own words I ask them to write down activities as an IT or Security professional that would violate those terms ... our own created "ethics". I've found it to be a most powerful tool in "training" to many of these codes and making it somewhat more personal perhaps.

I am also fond of the Kroll interview from a Hackers video where he states the difference between a hacker (ok attacker) and a good security practitioner is someone with their moral compass stuck on GOOD! I don't know if that's perfect but we look at statements from groups and corporations like that to reinforce the words we've chosen like this:

*We are a multicultural team of leading experts from the fields of investigations, intelligence, risk analysis, cyber security, data breach response, and e-discovery. We are committed to conducting business ethically and serving clients with independence and integrity.*

Which is from: http://www.kroll.com/who-we-are

Not sure if this is what you are looking for exactly but would be happy to discuss.

Keith

On Tue, Mar 10, 2015 at 1:15 PM, Hudson, Edward <ehudson () calstate edu> wrote:
Thanks Bradley, found this piece but was hoping for something more specific. I am not a CISSP so I have only the high level knowledge.

Ed Hudson
Director, Information Security
401 Golden Shore
Long Beach, CA 90802
562-951-8431
ehudson () calstate edu

From: <Bradley>, Stephen <bradlesw () MIAMIOH EDU>
Reply-To: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU>
Date: Tuesday, March 10, 2015 at 9:54 AM
To: "SECURITY () LISTSERV EDUCAUSE EDU" <SECURITY () LISTSERV EDUCAUSE EDU>
Subject: Re: [SECURITY] CISSP Ethics Education

Like their website? Legally should cover it.

Code

All information security professionals who are certified by (ISC)² recognize that such certification is a privilege that must be both earned and maintained. In support of this principle, all (ISC)² members are required to commit to fully support this Code of Ethics (the "Code"). (ISC)² members who intentionally or knowingly violate any provision of the Code will be subject to action by a peer review panel, which may result in the revocation of certification. (ISC)² members are obligated to follow the ethics complaint procedure upon observing any action by an (ISC)² member that breach the Code. Failure to do so may be considered a breach of the Code pursuant to Canon IV.

There are only four mandatory canons in the Code. By necessity, such high-level guidance is not intended to be a substitute for the ethical judgment of the professional.

Code of Ethics Preamble:
- The safety and welfare of society and the common good, duty to our principals, and to each other, requires that we adhere, and be seen to adhere, to the highest ethical standards of behavior.
- Therefore, strict adherence to this Code is a condition of certification.

Code of Ethics Canons:
- Protect society, the common good, necessary public trust and confidence, and the infrastructure.
- Act honorably, honestly, justly, responsibly, and legally.
- Provide diligent and competent service to principals.
- Advance and protect the profession.

On Tue, Mar 10, 2015 at 12:41 PM, Hudson, Edward <ehudson () calstate edu> wrote:

All,

Is there a specific section of training for the CISSP regarding ethics? Specifically, does it state the obvious somewhere that it's not ok to compromise/hack or encourage others to hack organizational systems. I am trying to determine what training/education a CISSP holder would have had in this area as part of an internal investigation.

Feel free to DM me.

TIA

Ed Hudson
Director, Information Security
401 Golden Shore
Long Beach, CA 90802
562-951-8431
ehudson () calstate edu

--
Stephen W. Bradley
CISSP GCFA GCIH GWAPT SSCP
Senior Security Engineer
Miami University IT Services
bradlesw () miamioh edu
513-529-1809
--
*Keith K Hartranft, CISSP, PCI-DSS ISA & PCIP*
*Lehigh University*
*Information Security & Policy Officer*
*610-758-3994*