Ethics
This section reviews some of the ethical standards and codes that a CISSP should be aware of. Ethics are a set of principles of right conduct. Ethical standards are sometimes different than legal standards: Laws define what we must do, whereas ethics define what we should do. CISSPs should uphold high ethical standards and promote these ethical standards in others. Some of the ways CISSPs can help promote proper ethical behavior include making sure that organizations have guides to computer ethics, ensuring that ethical issues are included in employee handbooks, promoting computer ethics training, and helping to develop ethical policies on issues such as email and other privacy-related topics. With that being said, you must also remember that not everyone will always act ethically.
Some of the reasons you might hear include the following common ethical fallacies:
- Computer game If they don't protect it, it's fair game to attack.
- Law-abiding citizen It's not physical theft, so it's not illegal.
- Shatterproof If I don't do damage or it can be repaired, what's the problem?
- Candy-from-a-baby If it is that easy, how could it be wrong?
- Hackers If I learn from this, it will benefit society and me.
- Free information All information should be free.
ISC2 Code of Ethics
It's a requirement for CISSP candidates to subscribe to and support the ISC2 Code of Ethics, which states that a CISSP should
- Protect society, the commonwealth, and the infrastructure
- Act honorably, honestly, justly, responsibly, and legally
- Provide diligent and competent service to principals
- Advance and protect the profession
 |
Exam candidates must read the full Code of Ethics because the exam always includes one or two questions related to the code. It is located at www.isc2.org/cgi/content.cgi?category=12. |
Computer Ethics Institute
The Computer Ethics Institute is a group that focuses specifically on ethics in the technology industry. Its website, www.cosr.org, lists the following Ten Commandments of Computer Ethics:
- Thou shalt not use a computer to harm other people.
- Thou shalt not interfere with other people's computer work.
- Thou shalt not snoop around in other people's computer files.
- Thou shalt not use a computer to steal.
- Thou shalt not use a computer to bear false witness.
- Thou shalt not copy or use proprietary software for which you have not paid.
- Thou shalt not use other people's computer resources without authorization or proper compensation.
- Thou shalt not appropriate other people's intellectual output.
- Thou shalt think about the social consequences of the program you are writing or the system you are designing.
- Thou shalt always use a computer in ways that ensure consideration and respect for your fellow humans.
|
Exam candidates are advised to read the Ten Commandments of Computer Ethics and be able to differentiate it from the ISC2 Code of Ethics. |
Internet Activities Board
RFC 1087 was published by the Internet Activities Board (IAB) in January 1987. Its goal is to characterize unethical and unacceptable behavior. It states that the following activities are unethical:
- Seeking to gain unauthorized access to the resources of the Internet
- Disrupting the intended use of the Internet
- Wasting resources (people, capacity, computer) through such actions
- Destroying the integrity of computer-based information
- Compromising the privacy of users
|
Print and review RFC 1087 before you attempt the CISSP exam. It is available at www.faqs.org/rfcs/rfc1087.html. |
The CISSP Cram Sheet
- PHYSICAL SECURITY
- SECURITY-MANAGEMENT PRACTICES
- ACCESS-CONTROL SYSTEMS AND METHODOLOGY
- SECURITY MODELS AND ARCHITECTURES
- TELECOMMUNICATIONS AND NETWORK SECURITY
- APPLICATION AND SYSTEMS-DEVELOPMENT SECURITY
- OPERATIONS SECURITY
- BUSINESS CONTINUITY PLANNING
- LAW, INVESTIGATIONS, AND ETHICS
- CRYPTOGRAPHY
A Note from Series Editor Ed Tittel
About the Author
Acknowledgments
We Want to Hear from You!
Introduction
- Introduction
- How to Prepare for the Exam
- Taking a Certification Exam
- Tracking Your CISSP Status
- About This Book
Self-Assessment
- Self-Assessment
- CISSPs in the Real World
- The Ideal CISSP Candidate
- Put Yourself to the Test
- After the Exam
The CISSP Certification Exam
- The CISSP Certification Exam
- Assessing Exam Readiness
- Taking the Exam
- Multiple-Choice Question Format
- Exam Strategy
- Question-Handling Strategies
- Mastering the Inner Game
Physical Security
- Physical Security
- Physical Security Risks
- Requirements for New Site Locations
- Building Defense in Depth
- Environmental Controls
- Electrical Power
- Equipment Life Cycle
- Fire Prevention, Detection, and Suppression
- Exam Prep Questions
- Answers to Exam Prep Questions
Security-Management Practices
- Security-Management Practices
- The Risk of Poor Security Management
- The Role of CIA
- Risk Assessment
- Policies, Procedures, Standards, Baselines, and Guidelines
- Implementation
- Training and Education
- Auditing Your Security Infrastructure
- Exam Prep Questions
- Answers to Exam Prep Questions
Access-Control Systems and Methodology
- Access-Control Systems and Methodology
- Threats Against Access Control
- Access-Control Types
- Identification, Authentication, and Authorization
- Single Sign-On
- Data Access Controls
- Intrusion-Detection Systems (IDS)
- Penetration Testing
- Honeypots
- Exam Prep Questions
- Answers to Exam Prep Questions
System Architecture and Models
- System Architecture and Models
- Common Flaws in the Security Architecture
- Computer System Architecture
- Security Mechanisms
- Security Models of Control
- Documents and Guidelines
- System Validation
- Exam Prep Questions
- Answers to Exam Prep Questions
Telecommunications and Network Security
- Telecommunications and Network Security
- Threats to Network Security
- LANs and Their Components
- WANS and Their Components
- Network Models and Standards
- Network Equipment
- Access Methods and Remote Connectivity
- Message Privacy
- Network Access Controls
- Exam Prep Questions
- Answers to Exam Prep Questions
Applications and Systems-Development Security
- Applications and Systems-Development Security
- Malicious Code
- Failure States
- The System Development Life Cycle
- Software-Development Methods
- Change Management
- Programming Languages
- Database Management
- Exam Prep Questions
- Answers to Exam Prep Questions
Operations Security
- Operations Security
- Hack Attacks
- Operational Security
- Auditing and Monitoring
- Categories of Control
- Fax Control
- Ethical Hacking
- Contingency Planning, Backup, and Recovery
- Exam Prep Questions
- Answers to Exam Prep Questions
Business Continuity Planning
- Business Continuity Planning
- The Risks of Poor Business Planning
- Business Continuity Management
- Business Continuity Plan (BCP)
- Disaster Recovery Planning (DRP)
- Exam Prep Questions
- Answers to Exam Prep Questions
Law, Investigations, and Ethics
- Law, Investigations, and Ethics
- Computer Crimes
- Common Attacks
- Ethics
- International Property Laws
- Parameters of Investigation
- Forensics
- Major Legal Systems
- Exam Prep Questions
- Answers to Exam Prep Questions
Cryptography
- Cryptography
- Cryptographic Basics
- History of Encryption
- Symmetric Encryption
- Asymmetric Encryption
- Integrity and Authentication
- Steganography
- Public Key Infrastructure (PKI)
- Cryptographic Services
- Cryptographic Attacks
- Exam Prep Questions
- Answers to Exam Prep Questions
Practice Exam 1
Answers to Practice Exam 1
Practice Exam 2
Answers to Practice Exam 2
