Codes of Ethics


Most, if not all, professional associations have a code of ethics. They are all about the same in substance: do what is right and report what is wrong. As an ISSO professional, you must behave in a professional manner at all times and therefore comply with the applicable professional codes of ethics.

It is quite possible that members of associations with a code of ethics have never actually read it, even though, as an ISSO professional and a member of one or more security-related associations, you are required to comply with those associations' codes of ethics. In fact, it can be considered unethical never to have read the codes of ethics of the associations to which you, as an ISSO professional, belong.

What does that say about you and your professionalism? One may counter that he or she always acts ethically and therefore has no need to read any code of ethics. This "know-it-all" attitude is possibly a symptom of a more serious matter: the belief that one has nothing more to learn about an InfoSec-related topic. That belief is not only mistaken but will end up costing the corporation in effectiveness and efficiency, because the ISSO who is not continuously learning and applying new and better techniques does not take advantage of new (and possibly better and cheaper) ways of protecting assets.

Now is a good time to read some codes of ethics from security-related professional associations. Please take the time to read, understand, and apply the codes of ethics that follow.

American Society for Industrial Security [5]

Aware that the quality of professional security activity ultimately depends upon the willingness of practitioners to observe special standards of conduct and to manifest good faith in professional relationships, the American Society for Industrial Security adopts the following Code of Ethics and mandates its conscientious observance as a binding condition of membership in or affiliation with the Society:

Code of Ethics

  1. A member shall perform professional duties in accordance with the law and the highest moral principles.

  2. A member shall observe the precepts of truthfulness, honesty, and integrity.

  3. A member shall be faithful and diligent in discharging professional responsibilities.

  4. A member shall be competent in discharging professional responsibilities.

  5. A member shall safeguard confidential information and exercise due care to prevent its improper disclosure.

  6. A member shall not maliciously injure the professional reputation or practice of colleagues, clients, or employers.

Article I

A member shall perform professional duties in accordance with the law and the highest moral principles.

Ethical Considerations

I-1 A member shall abide by the law of the land in which the services are rendered and perform all duties in an honorable manner.

I-2 A member shall not knowingly become associated in responsibility for work with colleagues who do not conform to the law and these ethical standards.

I-3 A member shall be just and respect the rights of others in performing professional responsibilities.

Article II

A member shall observe the precepts of truthfulness, honesty, and integrity.

Ethical Considerations

II-1 A member shall disclose all relevant information to those having the right to know.

II-2 A right to know is a legally enforceable claim or demand by a person for disclosure of information by a member. Such a right does not depend upon prior knowledge by the person of the existence of the information to be disclosed.

II-3 A member shall not knowingly release misleading information nor encourage or otherwise participate in the release of such information.

Article III

A member shall be faithful and diligent in discharging professional responsibilities.

Ethical Considerations

III-1 A member is faithful when fair and steadfast in adherence to promises and commitments.

III-2 A member is diligent when employing best efforts in an assignment.

III-3 A member shall not act in matters involving conflicts of interest without appropriate disclosure and approval.

III-4 A member shall represent services or products fairly and truthfully.

Article IV

A member shall be competent in discharging professional responsibilities.

Ethical Considerations

IV-1 A member is competent who possesses and applies the skills and knowledge required for the task.

IV-2 A member shall not accept a task beyond the member's competence nor shall competence be claimed when not possessed.

Article V

A member shall safeguard confidential information and exercise due care to prevent its improper disclosure.

Ethical Considerations

V-1 Confidential information is nonpublic information, the disclosure of which is restricted.

V-2 Due care requires that the professional must not knowingly reveal confidential information, or use a confidence to the disadvantage of the principal or to the advantage of the member or a third person, unless the principal consents after full disclosure of all the facts. This confidentiality continues after the business relationship between the member and his principal has terminated.

V-3 A member who receives information and has not agreed to be bound by confidentiality is not bound from disclosing it. A member is not bound by confidential disclosures made of acts or omissions which constitute a violation of the law.

V-4 Confidential disclosures made by a principal to a member are not recognized by law as privileged in a legal proceeding. The member may be required to testify in a legal proceeding to the information received in confidence from his principal over the objection of his principal's counsel.

V-5 A member shall not disclose confidential information for personal gain without appropriate authorization.

Article VI

A member shall not maliciously injure the professional reputation or practice of colleagues, clients, or employers.

Ethical Considerations

VI-1 A member shall not comment falsely and with malice concerning a colleague's competence, performance, or professional capabilities.

VI-2 A member who knows, or has reasonable grounds to believe, that another member has failed to conform to the Society's Code of Ethics shall present such information to the Ethical Standards Committee in accordance with Article VIII of the Society's bylaws.

Information Systems Security Association [6]

The primary goal of the Information Systems Security Association, Inc. (ISSA) is to promote management practices that will ensure the confidentiality, integrity, and availability of organizational information resources. To achieve this goal, members of the Association must reflect the highest standards of ethical conduct and technical competence. Therefore, ISSA has established the following Code of Ethics and requires its observance as a prerequisite and continuation of membership and affiliation with the Association.

As an applicant for membership and as a member of ISSA, I have in the past and will in the future:

  • Perform all professional activities and duties in accordance with the law and the highest ethical principles;

  • Promote good information security concepts and practices;

  • Maintain the confidentiality of all proprietary or otherwise sensitive information encountered in the course of professional activities;

  • Discharge professional responsibilities with diligence and honesty;

  • Refrain from any activities which might constitute a conflict of interest or otherwise damage the reputation of employers, the information security profession, or the Association; and

  • Not intentionally injure or impugn the professional reputation or practice of colleagues, clients, or employers.

High Technology Crime Investigation Association [7]

I will support the objectives and purposes of the HTCIA, as stated in Article II of the Association Bylaws. I agree to respect the confidential nature of any sensitive information, procedures, or techniques that I become aware of because of my involvement with the HTCIA. I will not disclose such confidential material to anyone who is not a member in good standing of the HTCIA without the written permission from the HTCIA Board of Directors.

Association of Certified Fraud Examiners [8]

All Certified Fraud Examiners must meet the rigorous criteria for admission to the Association of Certified Fraud Examiners. Thereafter, they must exemplify the highest moral and ethical standards and must agree to abide by the bylaws of the Association and the Certified Fraud Examiner Code of Professional Ethics. . . .

  • A Certified Fraud Examiner shall, at all times, demonstrate a commitment to professionalism and diligence in the performance of his or her duties.

  • A Certified Fraud Examiner shall not engage in any illegal or unethical conduct, or any activity which would constitute a conflict of interest.

  • A Certified Fraud Examiner shall, at all times, exhibit the highest level of integrity in the performance of all professional assignments and will accept only assignments for which there is reasonable expectation that the assignment will be completed with professional competence.

  • A Certified Fraud Examiner will comply with lawful orders of the courts and will testify to matters truthfully and without bias or prejudice.

  • A Certified Fraud Examiner, in conducting examinations, will obtain evidence or other documentation to establish a reasonable basis for any opinion rendered. No opinion shall be expressed regarding the guilt or innocence of any person or party.

  • A Certified Fraud Examiner shall not reveal any confidential information obtained during a professional engagement without proper authorization.

  • A Certified Fraud Examiner will reveal all material matters discovered during the course of an examination which, if omitted, could cause a distortion of the facts.

  • A Certified Fraud Examiner shall continually strive to increase the competence and effectiveness of professional services performed under his or her direction.

[5] See http://www.asisonline.org/codeofethics.html

[6] See http://www.issa-intl.org/codefethics.html

[7] See http://www.htcia.org/searchframeset.htm

[8] See http://www.cfenet.com/about/codeethics.asp




The Information Systems Security Officer's Guide: Establishing and Managing an Information Protection Program
ISBN: 0750698969
Year: 2002
Pages: 204