CISSP Established Standards of Ethical Conduct – Bk1D1T5St2

Established Standards of Ethical Conduct
Statements of ethical conduct have been developed by a large number of international organizations, industries, and regulatory bodies. While these standards generally cover the appropriate collection and protection of sensitive information, they nevertheless represent unique industry viewpoints. The following is a sampling of some of these different standards.

International Standards
A number of organizations have struggled with establishing ethical standards, with varying degrees of success and influence. New technologies have required organizations to reevaluate the meaning of ethical conduct.

Internet Activities Board
The Internet Architecture Board is an Internet Engineering Task Force (IETF) committee charged with providing technical oversight to the RFC process and managing the protocol registries. In 1989, this organization, then known as the Internet Activities Board (IAB), published RFC 1087, “Ethics and the Internet” (https://www.ietf.org/rfc/rfc1087.txt). While the IAB’s ethics statement reflects that the Internet was then substantially a research tool funded by the U.S. government, the ethical expectations have continued to shape the development of ethical computing practice. Among other things, the IAB’s “Ethics and the Internet” states the following:

The IAB strongly endorses the view of the Division Advisory Panel of the National Science Foundation Division of Network, Communications Research and Infrastructure which, in paraphrase, characterized as unethical and unacceptable any activity which purposely:
(a) seeks to gain unauthorized access to the resources of the Internet,
(b) disrupts the intended use of the Internet,
(c) wastes resources (people, capacity, computer) through such actions,
(d) destroys the integrity of computer-based information, and/or
(e) compromises the privacy of users.

Subsequent RFCs addressed the ethical standards and security practices in detail. For example, RFC 1359, “Connecting to the Internet,” was one of the first to reference the development of an acceptable use policy, leveraging previous work by the National Science Foundation.


Computer Ethics Institute
The Computer Ethics Institute discussion framework for ethical computing practice has been widely used in the development of acceptable use policies and in the education of users about the appropriate use of computing resources. The Computer Ethics Institute’s “The Ten Commandments of Computer Ethics” states the following:

  1. Thou shalt not use a computer to harm other people.
  2. Thou shalt not interfere with other people’s computer work.
  3. Thou shalt not snoop around in other people’s computer files.
  4. Thou shalt not use a computer to steal.
  5. Thou shalt not use a computer to bear false witness.
  6. Thou shalt not copy or use proprietary software for which you have not paid.
  7. Thou shalt not use other people’s computer resources without authorization or proper compensation.
  8. Thou shalt not appropriate other people’s intellectual output.
  9. Thou shalt think about the social consequences of the program you are writing or the system you are designing.
  10. Thou shalt always use a computer in ways that ensure consideration and respect for your fellow humans.

National Laws and Ethical Behavior

Many countries place specific, legally enforceable expectations on certain industries to codify their ethical practices. In many cases, these industry expectations have significant implications for the information security professional, who must protect personally identifiable information (PII), protected health information (PHI), or financial information.

U.S. Sarbanes-Oxley Act (SOX)
Following several high-profile corporate and accounting scandals, the Sarbanes–Oxley Act of 2002 (Public Law 107–204) required companies to implement a wide range of controls intended to minimize conflicts of interest, provide investors with appropriate risk information, place civil and criminal penalties on executives for providing false financial disclosures, and provide protections for whistleblowers who report inappropriate actions to regulators. The subsequent rules also require companies to disclose their internal Code of Ethics and put controls in place to ensure the organization acts according to those ethical principles.

U.S. Health Insurance Portability and Accountability Act (HIPAA)
In developing HIPAA, regulators incorporated the longstanding ethical practice of doctor-patient confidentiality. The Privacy Rule provides specific guidance on the handling of sensitive patient information, breach and notification responsibilities, and the organization’s responsibility to ensure the information is accurate. Further, in such areas as biomedical research, it provides specific expectations for patient notification, handling of information, and putting protocols in place to ensure the ethical conduct of the research.

China Cyber Security Law
In 2017, China enacted legislation that will compel companies doing business in China to maintain the information they have on individuals in such a way that it is both accessible on demand by the Chinese government and physically located in China. As a direct result of this law, Apple has begun to eliminate security capabilities from its products, like virtual private networks and other applications that allow individuals to communicate anonymously, while continuing to provide those same capabilities in other countries. In 2010, Google pulled out of China rather than accede to demands to censor content and capabilities, while Tim Cook, Apple’s CEO, “believe[s] in engaging with governments even when we disagree.”

Industry Efforts
Many industry organizations recognize the ethical challenges that face the information security industry. To address ethical decision-making by their members, these organizations provide a set of ethical guidelines applicable to their particular industry.

The IEEE Computer Society
The Institute of Electrical and Electronics Engineers Computer Society (IEEE-CS) is one of a number of professional societies that constitute the IEEE. Central to its mission is to support the education and professional development of its members. In conjunction with the Association for Computing Machinery (ACM), it has developed a detailed, comprehensive ethical standard for software engineering. Recognizing the professional’s “commitment to the health, safety and welfare of the public,” the IEEE-CS/ACM expects that “software engineers shall commit themselves to making the analysis, specification, design, development, testing, and maintenance of software a beneficial and respected profession.”

American Health Information Management Association (AHIMA)
Founded in 1928 to improve health record quality, AHIMA continues to play a leadership role in the effective management of health information to support the delivery of quality healthcare to the public. Active in advancing informatics, data analytics, and information governance for healthcare, the AHIMA Code of Ethics addresses in detail the privacy and security responsibilities that AHIMA’s members must address in their professional roles.
The AHIMA Code of Ethics consists of 11 principles, including support for privacy and confidentiality, a commitment to service before self-interest, efforts to protect health information, and ethical requirements for practice. Like other codes, it also seeks to advance the profession and to ensure that practitioners represent the profession well throughout their work. The full text of the AHIMA Code of Ethics can be found at http://bok.ahima.org/doc?oid=105098.

Cyber Security Credentials Collaborative
The mission of the Cyber Security Credentials Collaborative (C3) is to provide awareness of, and advocacy for, vendor-neutral credentials in information security, privacy, and related IT disciplines. Members, including (ISC)2, the Information Systems Audit and Control Association (ISACA), CompTIA, the EC-Council, and others, have put forth a set of security principles that encourage their members to monitor and enforce ethical practices. “A Unified Principles of Professional Ethics in Cyber Security” recognizes four high-level objectives in the ethics framework, but each participating organization in the C3 has integrated these principles into its own ethical expectations for its members. The four principles are as follows:

  • Integrity, including the obligation to perform one’s duties in line with existing legal, ethical, and moral structures, in the interest of stakeholders. This also includes avoiding conflicts of interest and reporting any ethical violations or conflicts to an appropriate oversight body.
  • Objectivity, which requires practitioners to remain unbiased and fair in the exercise of their profession. This includes noting opinions as opinions when they are provided, rather than allowing them to be seen as fact.
  • Confidentiality, including due care and safeguarding of confidential and proprietary information that practitioners may encounter in the course of their work. The confidentiality principle specifically carves out an exclusion for disclosure of information-related criminal acts, setting the expectation that practitioners will disclose such information appropriately.
  • Professional competence, which requires practitioners to do their jobs well, to perform only the tasks they are qualified and competent for, and to otherwise behave in a professional manner. This includes continued development, recognizing the work of others, and avoiding misconduct.

Cultural Differences in Ethical Practice
Individuals learn their personal ethical standards from their religion, their family, and their personal study. These are also powerful influences on how a person makes decisions. One of the reasons organizations conduct background investigations is to determine how individuals have made decisions in the past, because they are likely to react in predictable ways to similar challenges.
It is well documented that different societies set different ethical standards. For example, it is generally accepted that accessing computer systems without the owner’s permission is unethical. However, when governmental organizations secretly access another nation’s information assets in support of national security objectives, the same ethical standard may not apply.
Similarly, intellectual property is treated differently depending on cultural and social expectations and norms. In the People’s Republic of China, shanzhai—the imitation and piracy of name brands—is a well-respected business model. Not only is it legally tolerated, it is often encouraged to support the development of local industry and technical capability. Consequently, the information security practitioner must be cognizant of the laws of the jurisdiction, the corporate or organizational ethics standards, and the cultural expectations for ethical behavior.
