ISC² Code of Ethics Flashcards
Code of Ethics Preamble:
The safety and welfare of society and the common good, duty to our principals, and to each other, requires that we adhere, and be seen to adhere, to the highest ethical standards of behavior.
Therefore, strict adherence to this code is a condition of certification.
Code of Ethics Canons:
Protect society, the common good, necessary public trust and confidence, and the infrastructure.
Act honorably, honestly, justly, responsibly, and legally.
Provide diligent and competent service to principals.
Advance and protect the profession.
Ten Commandments of Computer Ethics:
Thou shalt not use a computer to harm other people.
Thou shalt not interfere with other people’s computer work.
Thou shalt not snoop around in other people’s computer files.
Thou shalt not use a computer to steal.
Thou shalt not use a computer to bear false witness.
Thou shalt not copy or use proprietary software for which you have not paid.
Thou shalt not use other people’s computer resources without authorization or proper compensation.
Thou shalt not appropriate other people’s intellectual output.
Thou shalt think about the social consequences of the program you are writing or the system you are designing.
Thou shalt always use a computer in ways that ensure consideration and respect for your fellow humans.
Security governance principles.
- Values:
* What are our values? Ethics, principles, beliefs.
- Vision:
* What do we aspire to be? Hope and ambition.
- Mission:
* Who do we do it for? Motivation and purpose.
- Strategic Objectives:
* How are we going to progress? Plans, goals, and sequencing.
Policies – Mandatory.
High level, non-specific.
They can require things like “patches, updates, strong encryption” in general terms.
They will not name a specific OS, encryption type, or vendor technology; that detail belongs in standards and procedures.
Standards – Mandatory.
Describes a specific use of technology (e.g. all laptops run Windows 10 64-bit with 8 GB of memory).
Guidelines – non-Mandatory.
Recommendations, discretionary: suggestions on how you would do it.
Procedures – Mandatory
Low level step-by-step guides, specific.
They will contain “OS, encryption type, vendor Technology”
Baselines (Benchmarks) - Mandatory.
Benchmarks for hardening servers, applications, and networks. A baseline is the minimum required configuration; we can implement stronger controls if needed.
Awareness
Aims to change user behavior. This is what we actually want: users who behave differently, not just users who know more.
Training
Provides users with a skill set. This is useful, but if they ignore what they learned, it does nothing.
Hiring Practices
We do background checks covering references, degrees, employment history, criminal history and, less commonly because it is more costly, credit history. New staff sign an NDA (Non-Disclosure Agreement).
Employee Termination Practices
We want to coach and train employees before firing them; they get warnings first.
When terminating employees, we coordinate with HR so that access is shut off at the right time: not before the termination meeting (which tips off the employee) and not after it (which leaves a window for misuse).
Vendors, Consultants and Contractor Security.
When we use outside people in our environments, we need to ensure they are trained on how to handle our data, and their systems must be secure enough to meet our policies and standards.
Outsourcing and Offshoring
Having someone else do part of your work (IT work, in our case).
This can lower cost, but a thorough and accurate risk analysis must be performed first. Offshoring can also pose problems, because the provider may not be required to comply with the same data protection standards that apply to us.