Ethics

Ethics is a critical component of the Certified Information Systems Security Professional (CISSP) exam. In fact, the (ISC)² Code of Ethics is a key part of the CISSP certification and professional conduct for certified individuals. Understanding ethical behavior is not only essential for passing the CISSP exam but also for maintaining the certification and ensuring that information security professionals act responsibly in their roles.

(ISC)² Code of Ethics Overview

The (ISC)² Code of Ethics provides the foundation for ethical behavior expected of all CISSP professionals. It is composed of two primary parts:

  1. (ISC)² Code of Ethics Preamble
  2. (ISC)² Code of Ethics Canons

1. (ISC)² Code of Ethics Preamble

The preamble of the (ISC)² Code of Ethics states that security professionals must exhibit a high level of ethical behavior and make decisions that benefit society, the common good, and the protection of the infrastructure and information systems.

Ethical behavior is critical because CISSP professionals have access to sensitive data, security configurations, and systems that are essential to an organization’s operations and security. A failure to behave ethically can lead to catastrophic breaches, exploitation of vulnerabilities, and a loss of public trust.

2. (ISC)² Code of Ethics Canons

The four canons of the (ISC)² Code of Ethics guide the ethical behavior of all CISSP professionals. They provide the framework for ensuring that CISSP holders prioritize ethical decision-making in their daily work. These canons are:

The Four Canons of the (ISC)² Code of Ethics:

1. Protect society, the common good, necessary public trust, and confidence in the infrastructure.

  • Explanation: This canon emphasizes that information security professionals should act in ways that benefit society at large. This includes ensuring the protection of public trust in critical infrastructure and preventing harm to society.
  • Example: A security professional should not exploit vulnerabilities in public systems for personal gain. They should also ensure that critical infrastructure systems (like power grids, water systems, and healthcare systems) are protected from cyberattacks.

2. Act honorably, honestly, justly, responsibly, and legally.

  • Explanation: This canon focuses on personal integrity. CISSP holders must be truthful in their actions, follow legal and regulatory requirements, and act with honor in all professional activities.
  • Example: If a security professional discovers a breach or data loss, they should report it honestly and transparently to the proper authorities and follow legal obligations for breach notifications, even if doing so may reflect poorly on their organization.

3. Provide diligent and competent service to principals.

  • Explanation: “Principals” in this context refers to the organizations or clients that employ or contract the security professional. This canon emphasizes providing the highest level of service to these entities, acting with diligence, competence, and professionalism.
  • Example: A security consultant should deliver accurate risk assessments and realistic recommendations for improving security, even if the client prefers a less expensive or simpler solution that would compromise security.

4. Advance and protect the profession.

  • Explanation: CISSP professionals are expected to contribute to the advancement of the information security profession. This includes mentoring others, promoting ethical behavior, and fostering a culture of continuous learning.
  • Example: An experienced CISSP professional might mentor junior colleagues, contribute to industry publications, or provide guidance on ethical dilemmas, promoting a higher standard of ethics in the profession.

Practical Applications of Ethics in the CISSP Exam

In the CISSP exam, ethics can be tested in various ways, such as in scenario-based questions where you are required to identify the best course of action in an ethical dilemma. These questions will often be based on the four canons of the (ISC)² Code of Ethics.

Ethical Dilemmas in Exam Scenarios

  1. Scenario-based Questions: A common exam scenario may describe a situation where a security professional finds a vulnerability in their company’s system. You may be asked what the professional should do next, with options ranging from notifying the employer to exploiting the vulnerability. The ethical response, aligned with the (ISC)² Code of Ethics, would be to report the vulnerability responsibly to prevent harm to the organization and the public.
  2. Conflicts of Interest: CISSP exam questions may also present situations where a conflict of interest arises. For example, if you are consulting for a company that asks you to overlook a certain security vulnerability due to cost constraints, the ethical choice would be to insist on fixing the issue or escalating it, following the second canon (act honorably, honestly, justly, responsibly, and legally).
  3. Legal Compliance vs. Moral Responsibility: Some exam questions may focus on legal compliance. However, legal compliance alone may not always satisfy ethical responsibilities. You may be asked to balance legal obligations with a broader sense of public trust and societal responsibility, as per the first canon (protect society and the common good).

Ethics in Information Security

  • Privacy vs. Security: Information security professionals often face ethical dilemmas around privacy. Balancing the need for robust security measures with individuals’ right to privacy can create conflicts. Ethical CISSP holders must ensure that security measures are proportional and respect privacy laws (e.g., GDPR, HIPAA).
  • Handling of Sensitive Data: CISSP professionals often have access to sensitive data. Ethical handling of this data involves ensuring it is stored securely, accessed only by authorized individuals, and never used for personal gain.

Professional Conduct and Certification Maintenance

CISSP Code of Ethics Enforcement

Once certified, CISSP professionals are expected to adhere to the (ISC)² Code of Ethics. Violations of these ethical standards can lead to disciplinary actions, including revocation of the CISSP certification. The (ISC)² has established an Ethics Complaint and Resolution Process, which investigates complaints of unethical behavior.

CPE Requirements and Professional Development

To maintain the CISSP certification, professionals must earn Continuing Professional Education (CPE) credits and adhere to ethical standards throughout their career. Engaging in unethical behavior or failing to meet professional development requirements can jeopardize certification.

Summary

Ethics is an integral part of the CISSP exam and the practice of information security. By adhering to the four canons of the (ISC)² Code of Ethics, CISSP professionals help protect society, act responsibly, and advance the profession. As you prepare for the CISSP exam, make sure to not only study technical knowledge but also understand how to approach security challenges from an ethical perspective.