The Official (ISC)2 SSCP CBK Reference. Mike Wills
COMPLY WITH CODES OF ETHICS
Your day-to-day journey along the roadmap of security operations and administration must keep one central ideal clearly in focus. Every day that you serve as an information security professional, you make or influence decisions. Every one of those decision moments is an opportunity or a vulnerability; it is a moment in which you can choose to do the technically and ethically correct thing or the expedient thing. Each of those decision moments is a test for you.
Those decisions must be ethically sound; yes, they must be technically correct, cost-effective, and compliant with legal and regulatory requirements, but at their heart they must be ethical. Failure to do so puts your professional and personal integrity at risk, as much as it puts your employer's or your clients' reputation and integrity at risk.
Being a security professional requires you to work, act, and think in ways that comply with and support the codes of ethics that are fundamental parts of your workplace, your profession, and your society and culture at large. Those codes of ethics should harmonize with, if not be identical to, the fundamental ethical values and principles you live your life by—if they do not, that internal conflict in values may make it difficult if not impossible to achieve a sense of personal and professional integrity! Professional and personal integrity should be wonderfully, mutually self-reinforcing.
Let's first focus on what ethical decision-making means. This provides a context for how you, as an SSCP, comply with and support the (ISC)2 Code of Ethics in your daily work and life. We'll see that this is critical to being able to live up to and fulfill the “three dues” of your responsibilities: due care, due diligence, and due process.
Understand, Adhere to, and Promote Professional Ethics
Let's start with what it means to be a professional: It means that society has placed great trust and confidence in you, because you have been willing to take on the responsibility to get things done right. Society trusts in you to know your practice, know its practical limits, and work to make sure that the services you perform meet or exceed the best practices of the profession. This is a legal and an ethical responsibility.
Everything you do requires you to understand the needs of your employers or clients. You listen, observe, gather data, and ask questions; you think about what you've learned, and you come to conclusions. You make recommendations, offer advice, or take action within the scope of your job and responsibilities. Sometimes you take action outside of that scope, going above and beyond the call of those duties. You do this because you are a professional. You would not even think of making those conclusions or taking those actions if they violently conflicted with what known technical standards or recognized best technical practice said was required. You would not knowingly recommend or act to violate the law. Your professional ethics are no different. They are a set of standards that are both constraints and freedoms that you use to inform, shape, and then test your conclusions and decisions with before you act.
As a professional—in any profession—you learned what that profession requires of you through education, training, and on-the-job experience. You learned from teachers, mentors, trainers, and the people working alongside you. They shared their hard-earned insight and knowledge with you, as their part of promoting the profession you had in common. In doing so they strengthened the practice of the ethics of the profession, as well as the practice of its technical disciplines.
(ISC)2 Code of Ethics
(ISC)2 provides a Code of Ethics, and to be an SSCP, you agree to abide by it. It is short and simple. It starts with a preamble, which is quoted here in its entirety:
The safety and welfare of society and the common good, duty to our principals, and to each other, requires that we adhere, and be seen to adhere, to the highest ethical standards of behavior.
Therefore, strict adherence to this Code is a condition of certification.
Let's operationalize that preamble—take it apart, step-by-step, and see what it really asks of us.
Safety and welfare of society: Allowing information systems to come to harm because of the failure of their security systems or controls can lead to damage to property or injury or death of people who were depending upon those systems operating correctly.
The common good: All of us benefit when our critical infrastructures, providing common services that we all depend upon, work correctly and reliably.
Duty to our principals: Our duties to those we regard as leaders, rulers, or our supervisors in any capacity.
Our duty to each other: To our fellow SSCPs, others in our profession, and to others in our neighborhood and society at large.
Adhere and be seen to adhere to: Behave correctly and set the example for others to follow. Be visible in performing your job ethically (in adherence with this code) so that others can have confidence in us as a profession and learn from our example.
The code is equally short, containing just four canons or principles to abide by.
Protect society, the common good, necessary public trust and confidence, and the infrastructure.
Act honorably, honestly, justly, responsibly, and legally.
Provide diligent and competent service to principals.
Advance and protect the profession.
The canons do more than just restate the preamble's two points. They show you how to adhere to the preamble. You must take action to protect what you value; that action should be done with honor, honesty, and with justice as your guide. Due care and due diligence are what you owe to those you work for (including the customers of the businesses that employ us!).
The final canon talks to your continued responsibility to grow as a professional. You are on a never-ending journey of learning and discovery; each day brings an opportunity to make the profession of information security stronger and more effective. You as an SSCP are a member of a worldwide community of practice—the informal grouping of people concerned with the safety, security, and reliability of information systems and the information infrastructures of the modern world.
In ancient history, there were only three professions—those of medicine, the military, and the clergy. Each had in its own way the power of life and death of individuals or societies in its hands. Each as a result had a significant burden to be the best at fulfilling the duties of that profession. Individuals felt the calling to fulfill a sense of duty and service, to something larger than themselves, and responded to that calling by becoming a member of a profession.
This, too, is part of being an SSCP. Visit https://www.isc2.org for more information.
Organizational Code of Ethics
Most businesses and nonprofit or other types of organizations have a code of ethics that they use to shape their policies and guide them in making decisions, setting goals, and