This topic explains the (ISC)2 Code of Professional Ethics and how an organization applies ethical standards to its personnel, including those who develop secure code.
Module Objectives
- Explain the ethical standards that a professional security practitioner is expected to uphold, as well as the standards of behavior and performance expected of (ISC)2 members.
The (ISC)2 Code of Ethics
After you pass the exam and are certified, you will be expected to behave professionally and personally in accordance with the high standards set by (ISC)2. These are set out in the Code of Ethics, which can be found on the (ISC)2 Ethics website: https://www.isc2.org/Ethics. They are included here because the material they contain is testable and may appear in exam questions.
First, the Preamble:
- The safety and welfare of society and the common good, duty to our principals, and to each other, requires that we adhere, and be seen to adhere, to the highest ethical standards of behavior.
- Therefore, strict adherence to this Code is a condition of certification.
For our clientele, and the public at large, to see the value in (ISC)2 certifications, they must be able to trust our members; this trust must come from a belief that (ISC)2 members act in a manner that is correct and professional and offer benefit.
Then, the Code:
The (ISC)2 member is expected to do the following:
- Protect society, the common good, necessary public trust and confidence, and the infrastructure.
- Act honorably, honestly, justly, responsibly, and legally.
- Provide diligent and competent service to principals.
- Advance and protect the profession.
We provide security; to offer security services, we need to be perceived as worthy of trust. A person who tends toward unethical behavior may not secure the client and the client’s assets, but may instead act out of short-term self-interest and add risk rather than benefit to the client.
There is a formal process (ISC)2 uses to determine whether a member is failing to act in accordance with the Code. This process can begin with a complaint made to (ISC)2 (the complaint process and form are included on the same web page as the Code) and includes a finding of facts, the opportunity for the accused member to offer rebuttal, and a review by the (ISC)2 Ethics Committee. The Ethics Committee will also allow the accused member to review any findings and recommendations before the Ethics Committee presents them to the (ISC)2 board for final disposition; the accused member can also make comments and responses on the findings and recommendations for the board to consider. The board will then make a ruling as to whether the member acted in a manner consistent with the Code and whether the accused should have membership revoked.
Organizational Code of Ethics
In addition to industry codes for guilds of professionals (such as (ISC)2), individual organizations can create their own codes of ethics and require their personnel to comply. This is done at the policy level, with senior management dictating modes of acceptable behavior, and is often combined with the overall organizational personnel policies.
For instance, the organization may require that personnel not engage in discriminatory and unproductive behavior, such as racial, religious, or sexual harassment. The organization may also disallow activity that constitutes unfair trade practices, such as nepotism, bribery, and awarding contracts based on favors (cash or otherwise).
These practices, which distort the market and create hostility in the workplace, are also often proscribed by law, and the organization is best served by enacting and enforcing codes and policies that ensure compliance.
Consider a situation where questionable behavior has ethical implications:
You are the organization’s security manager. A network administrator comes to you with a report about an employee; the administrator has noticed the employee using the organization’s resources, during work hours, to browse the internet. The employee’s activity is not illegal, but it is against the organization’s policy.
When you ask the administrator how the administrator came to learn this information about the employee’s behavior, the administrator will not reply. Your office conducts an initial investigation about the situation, and you determine that the administrator and the employee in question have had a personal conflict that was recognized by other personnel in the organization.
You are also able to determine that the administrator did have sufficient permissions within the IT environment to monitor the employee’s behavior but was not given explicit authorization or tasking to do so.
Your conclusions:
- Is the administrator’s report acceptable and valid?
- What should you recommend be done to the employee?
- Would you recommend the administrator be rewarded or punished?
Case: The End of Enron and the Development of SOX
In the late 1990s and early 2000s, a series of accounting scandals involving large, publicly traded corporations including WorldCom, Adelphia, and Enron led to their bankruptcies and investigations into business practices in use throughout the audit and consulting industries.
The Enron debacle, in particular, garnered a lot of attention from regulators and the public due to its scope and scale and the egregious nature of some of the activities that transpired. Enron’s external auditor at the time was a firm called Arthur Andersen, one of the largest auditing companies then in existence. In the investigation that ensued after Enron’s demise, several practices were uncovered that called into question Arthur Andersen’s commitment to ethical behavior and industry standards in general:
- Arthur Andersen was providing Enron with both business consulting and audit services. This is usually perceived as an inherent conflict of interest because the roles are adversarial (business consulting looks to maximize profit for the customer, while auditors ensure compliance and proper reporting). Arthur Andersen avowed that the two lines of operation (consulting and audit) were compartmentalized by policy and management, so the two services could not share information or influence each other.
- When Enron officially ended its contract with Arthur Andersen, in the midst of an investigation by regulators, Arthur Andersen executives ordered Arthur Andersen employees to shred thousands of pages of documents and delete volumes of electronic data detailing its audit services to Enron. When questioned by regulators, Arthur Andersen executives explained that Arthur Andersen internal policy was to destroy all customer data at the end of an engagement to protect the customer’s privacy.
- The hubris of Enron’s executives in their financial conspiracies was rampant and readily apparent: they named subsidiary companies such things as “JEDI” and “CHEWCO,” using those other companies to hide investment losses of the parent corporation; Arthur Andersen dutifully performed audits on those entities as well.
Arthur Andersen, as a company, was prosecuted under federal charges of obstruction of justice and convicted. This conviction was eventually overturned on appeal to the Supreme Court on the grounds that jury instructions in the initial trial were inappropriate. However, negative public attention and the company’s surrender of its certified public accounting (CPA) licenses ended Arthur Andersen’s viability as a business, and it ceased auditing operations. The business consulting practice of Arthur Andersen has since rebranded as Accenture and is still functioning.
Eventually, it was determined that what Arthur Andersen did in the wake of the Enron scandal (namely, the destruction of information) was not illegal at the time; there was no legal requirement for Arthur Andersen to retain the data in its care, and Arthur Andersen’s data destruction policy did, in fact, require the firm to conduct sanitization procedures.
In response to this and other similar activity, Congress created the Sarbanes–Oxley Act (SOX) and amended the Federal Rules of Evidence—the laws governing how and which data can be presented to a court for consideration. SOX requires a greater level of transparency in financial reporting by publicly traded corporations. The modification to the Rules of Evidence was just as important and influential: it is now federal law in the United States that any data owner cannot delete or destroy any information (physical or electronic) once the data owner receives notice of a pending legal action or investigation. This law specifically takes precedence over any other state law, federal law, or internal policy (many privacy laws and policies involve retention durations and requirements for destruction).
SOX requires a great deal of transparency in financial reporting and codifies accounting practices for publicly traded corporations. In response to SOX, the AICPA replaced its old audit standard, the SAS 70, with the current standard, SSAE 16. While the majority of SOX and the SSAE standard does not relate to security, SOX does include a requirement for corporations to report on how they manage internal controls and control structures that are usually under the purview of the security department/officer. The SSAE standard also spawned the SOC (System and Organization Controls) reporting method used ubiquitously throughout the United States audit industry.
Links:
SOX, the law:
https://www.gpo.gov/fdsys/pkg/PLAW-107publ204/html/PLAW-107publ204.htm
The Federal Rules of Evidence (U.S.):
https://www.law.cornell.edu/rules/fre
The AICPA’s description of SOC reports: http://www.aicpa.org/InterestAreas/FRC/AssuranceAdvisoryServices/Pages/SORHome.aspx
A summation of the Enron/Arthur Andersen scandal:
https://www.hg.org/article.asp?id=31277
A magazine article about the Enron/Arthur Andersen scandal that came out while it was unfolding, prior to Congress enacting SOX: https://www.forbes.com/2002/01/18/0118topnews.html
A journal article about the eventual outcome of the situation:
http://www.aabri.com/manuscripts/11899.pdf
Kurt Eichenwald’s comprehensive book on the Enron debacle: https://www.amazon.com/Conspiracy-Fools-Story-Kurt-Eichenwald-ebook/dp/B000FCK1SO
Domain Summary
Many of the concepts introduced in this domain will serve as the foundation for discussion throughout the rest of this guide; be sure you have an understanding of the ideas so you can grasp the rest of the material.