Educause Security Discussion mailing list archives

Re: CISSP Ethics Education


From: Keith Hartranft <kkh288 () LEHIGH EDU>
Date: Tue, 10 Mar 2015 14:35:04 -0400

Ed,

The idea of understanding the Code of Ethics for the (ISC)² CISSP is
understanding the posting above and how it relates to a CISSP's actions. An
inclusive program in studying for the CISSP usually gives some examples of
dos and don'ts that fit the Code, but it's really only tailored to the
ISC2 Code of Ethics and the Exam.

In classes I teach I take students through a greater sampling of Ethics
"codes", if you will:

The Computer Ethics Institute (CEI) - Ten Commandments of Computer Ethics:

http://computerethicsinstitute.org/publications/tencommandments.html

The Internet Architecture Board (IAB) and RFC1087:

https://tools.ietf.org/html/rfc1087

The ISACA Code of Ethics:

http://www.isaca.org/Certification/Code-of-Professional-Ethics/Pages/default.aspx

The ISSA: (They have a rather nice PPT)

http://www.issa.org/?page=codeofethics

SANS:

https://www.sans.org/security-resources/ethics.php

Others? WIPO has a bunch as well, and as a PCI ISA or QSA you sign an
"Agreement" to act in specific matters; they are all published on the
PCI-DSS website.

All (or most) of these are covered in CISSP training materials (like Shon
Harris) in the Legal, Regulations, Investigations and Compliance Domain.

Additionally, I'd also say it's great for self-study or training to include
a dedicated Law & Ethics course. I've used Sari Greene's text
"Security Program and Policies: Principles and Practices" and revisit the
idea of ethical behaviors as we progress through Laws and Regulations,
Industry Guidance, and the building of Information Security Policies.

In both classes I run an activity where I ask the students to write down
adjectives that would describe "ethical" and "unethical" behavior. After
we've assembled and "approved" our own words, I ask them to write down
activities as an IT or Security professional that would violate those
terms: our own created "ethics".

I've found it to be a most powerful tool in "training" to many of these
codes and making it somewhat more personal, perhaps.

I am also fond of the Kroll interview from a Hackers video where he states
that the difference between a hacker (OK, attacker) and a good security
practitioner is someone with their moral compass stuck on GOOD! I don't
know if that's perfect, but we look at statements from groups and
corporations like that to reinforce the words we've chosen, like this:

*We are a multicultural team of leading experts from the fields of
investigations, intelligence, risk analysis, cyber security, data breach
response, and e-discovery. We are committed to conducting business
ethically and serving clients with independence and integrity.*

Which is from: http://www.kroll.com/who-we-are

Not sure if this is what you are looking for exactly but would be happy to
discuss.

Keith

On Tue, Mar 10, 2015 at 1:15 PM, Hudson, Edward <ehudson () calstate edu>
wrote:

Thanks Bradley, found this piece but was hoping for something more
specific. I am not a CISSP so I have only the high level knowledge.

Ed Hudson
Director, Information Security
401 Golden Shore
Long Beach, CA 90802
562-951-8431
ehudson () calstate edu

From: Bradley, Stephen <bradlesw () MIAMIOH EDU>
Reply-To: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU>
Date: Tuesday, March 10, 2015 at 9:54 AM
To: "SECURITY () LISTSERV EDUCAUSE EDU" <SECURITY () LISTSERV EDUCAUSE EDU>
Subject: Re: [SECURITY] CISSP Ethics Education

Like their website? Legally should cover it.

Code

All information security professionals who are certified by (ISC)²
recognize that such certification is a privilege that must be both earned
and maintained. In support of this principle, all (ISC)² members are
required to commit to fully support this Code of Ethics (the "Code").
(ISC)² members who intentionally or knowingly violate any provision of the
Code will be subject to action by a peer review panel, which may result in
the revocation of certification. (ISC)² members are obligated to follow the
ethics complaint procedure upon observing any action by an (ISC)² member
that breaches the Code. Failure to do so may be considered a breach of the
Code pursuant to Canon IV.

There are only four mandatory canons in the Code. By necessity, such
high-level guidance is not intended to be a substitute for the ethical
judgment of the professional.
Code of Ethics Preamble:

   - The safety and welfare of society and the common good, duty to our
   principals, and to each other, requires that we adhere, and be seen to
   adhere, to the highest ethical standards of behavior.
   - Therefore, strict adherence to this Code is a condition of
   certification.

Code of Ethics Canons:

   - Protect society, the common good, necessary public trust and
   confidence, and the infrastructure.
   - Act honorably, honestly, justly, responsibly, and legally.
   - Provide diligent and competent service to principals.
   - Advance and protect the profession.

On Tue, Mar 10, 2015 at 12:41 PM, Hudson, Edward <ehudson () calstate edu>
wrote:

All,
Is there a specific section of training for the CISSP regarding ethics?
Specifically, does it state the obvious somewhere that it's not OK to
compromise/hack or encourage others to hack organizational systems?
I am trying to determine what training/education a CISSP holder would
have had in this area as part of an internal investigation.
Feel free to DM me.
TIA


Ed Hudson
Director, Information Security
401 Golden Shore
Long Beach, CA 90802
562-951-8431
ehudson () calstate edu

--
Stephen W. Bradley CISSP GCFA GCIH GWAPT SSCP
Senior Security Engineer
Miami University
IT Services
bradlesw () miamioh edu
513-529-1809

-- 

*Keith K Hartranft, CISSP, PCI-DSS ISA & PCIP*

*Lehigh University*

*Information Security & Policy Officer*
*610-758-3994*
