1.1 Professional Ethics

ISC2 developed a code of professional ethics that guides how cybersecurity professionals should behave in various situations, especially when facing decisions that affect others. It is a simple code with the following four canons:

1- Protect society, the common good, necessary public trust and confidence, and the infrastructure.
2- Act honorably, honestly, justly, responsibly, and legally.
3- Provide diligent and competent service to principals.
4- Advance and protect the profession.

Let’s walk through the following situations and see how you should act in each, and which canon applies.

Situation 1:

You discovered that your organization unknowingly hosts a child exploitation website on one of its servers.

In this situation, you should adhere to canon 1, which requires you to prioritize protecting society, even if this might lead to negative publicity for your organization.

The correct action here is to report this to law enforcement agencies.

Situation 2:

You’re a security consultant working with two competing companies. One of them offers you extra money under the table to share confidential security practices or findings from the other client.

In this situation, you should adhere to canon 2, which requires you to act honorably, honestly, justly, responsibly, and legally.

To act honorably, you should refuse the offer.

Situation 3:

You are responsible for maintaining the security of your organization’s network. One day, you notice strange outbound traffic that could be a sign of data exfiltration. It is outside regular hours, and you are not on call.

In this situation, you should adhere to canon 3, which requires you to act diligently.

To act diligently, you should stay to investigate the issue thoroughly and begin containment steps to limit the potential breach.

Situation 4:

You notice a junior team member misconfiguring firewall rules, which could expose the network.

In this situation, you should adhere to canon 4, which calls on you to help develop others’ skills and improve the profession, rather than criticizing or reporting them immediately.

To act accordingly, take the time to coach the junior engineer and explain the correct configuration.

Violation:

An important question remains: if you encounter a violation of one of the canons by an ISC2 member, how should you react? The general answer is to bring an ethics complaint to ISC2 for investigation. In practice, though, who is entitled to file the complaint depends on which canon was violated, as summarized below.

Canon 1: Anyone encountering a violation of canon 1 by an ISC2 member may file a complaint.

Canon 2: Anyone encountering a violation of canon 2 by an ISC2 member may file a complaint.

Canon 3: Only an employer, or someone with a contracting relationship with the ISC2 member, who encounters a violation of canon 3 by that member may file a complaint.

Canon 4: Only an ISC2 member who encounters a violation of canon 4 by another ISC2 member may file a complaint.
