information security books
isecbooks.com

codes of ethics

(ISC)² Code of Ethics

Code

All information systems security professionals who are certified by (ISC)² recognize that such certification is a privilege that must be both earned and maintained. In support of this principle, all (ISC)² members are required to commit to fully support this Code of Ethics (the "Code"). (ISC)² members who intentionally or knowingly violate any provision of the Code will be subject to action by a peer review panel, which may result in the revocation of certification.

There are only four mandatory canons in the code. By necessity, such high-level guidance is not intended to be a substitute for the ethical judgment of the professional.

Additional guidance is provided for each of the canons. While this guidance may be considered by the board of directors in judging behavior, it is advisory rather than mandatory. It is intended to help professionals identify and resolve the inevitable ethical dilemmas that they will confront during the course of their information security career.

Code of Ethics Preamble:

  • Safety of the commonwealth, duty to our principals, and to each other requires that we adhere, and be seen to adhere, to the highest ethical standards of behavior.
  • Therefore, strict adherence to this Code is a condition of certification.

Code of Ethics Canons:

  • Protect society, the commonwealth, and the infrastructure.
  • Act honorably, honestly, justly, responsibly, and legally.
  • Provide diligent and competent service to principals.
  • Advance and protect the profession.

The following additional guidance is given regarding pursuit of these goals.

Objectives for Guidance

In arriving at the following guidance, the committee is mindful of its responsibility to:

• Give guidance for resolving good versus good and bad versus bad dilemmas.

• To encourage right behavior such as:

  • Research
  • Teaching
  • Identifying, mentoring, and sponsoring candidates for the profession
  • Valuing the certificate

• To discourage such behavior as:

  • Raising unnecessary alarm, fear, uncertainty, or doubt
  • Giving unwarranted comfort or reassurance
  • Consenting to bad practice
  • Attaching weak systems to the public network
  • Professional association with non-professionals
  • Professional recognition of or association with amateurs
  • Associating or appearing to associate with criminals or criminal behavior

These objectives are provided for information only; the professional is not required or expected to agree with them.

In resolving the choices that confront him or her, the professional should keep in mind that the following guidance is advisory only. Compliance with the guidance is neither necessary nor sufficient for ethical conduct.

Compliance with the preamble and canons is mandatory. Conflicts between the canons should be resolved in the order of the canons. The canons are not equal and conflicts between them are not intended to create ethical binds.

Protect society, the commonwealth, and the infrastructure

  • Promote and preserve public trust and confidence in information and systems.
  • Promote the understanding and acceptance of prudent information security measures.
  • Preserve and strengthen the integrity of the public infrastructure.
  • Discourage unsafe practice.

Act honorably, honestly, justly, responsibly, and legally

  • Tell the truth; make all stakeholders aware of your actions on a timely basis.
  • Observe all contracts and agreements, express or implied.
  • Treat all members fairly. In resolving conflicts, consider public safety and duties to principals, individuals, and the profession in that order.
  • Give prudent advice; avoid raising unnecessary alarm or giving unwarranted comfort. Take care to be truthful, objective, cautious, and within your competence.
  • When resolving differing laws in different jurisdictions, give preference to the laws of the jurisdiction in which you render your service.

Provide diligent and competent service to principals

  • Preserve the value of their systems, applications, and information.
  • Respect their trust and the privileges that they grant you.
  • Avoid conflicts of interest or the appearance thereof.
  • Render only those services for which you are fully competent and qualified.

Advance and protect the profession

  • Sponsor for professional advancement those best qualified. All other things equal, prefer those who are certified and who adhere to these canons. Avoid professional association with those whose practices or reputation might diminish the profession.
  • Take care not to injure the reputation of other professionals through malice or indifference.
  • Maintain your competence; keep your skills and knowledge current. Give generously of your time and knowledge in training others.

ISACA Code of Professional Ethics

ISACA®, Inc. (ISACA) sets forth this Code of Professional Ethics to guide the professional and personal conduct of members of the association and/or its certification holders.

Members and ISACA certification holders shall:

1. Support the implementation of, and encourage compliance with, appropriate standards, procedures and controls for information systems.
2. Perform their duties with objectivity, due diligence and professional care, in accordance with professional standards and best practices.
3. Serve in the interest of stakeholders in a lawful and honest manner, while maintaining high standards of conduct and character, and not engage in acts discreditable to the profession.
4. Maintain the privacy and confidentiality of information obtained in the course of their duties unless disclosure is required by legal authority. Such information shall not be used for personal benefit or released to inappropriate parties.
5. Maintain competency in their respective fields and agree to undertake only those activities which they can reasonably expect to complete with professional competence.
6. Inform appropriate parties of the results of work performed, revealing all significant facts known to them.
7. Support the professional education of stakeholders in enhancing their understanding of information systems security and control.

Failure to comply with this Code of Professional Ethics can result in an investigation into a member's, and/or certification holder's conduct and, ultimately, in disciplinary measures.

GIAC Code of Ethics

The scope and responsibilities of an information security professional are diverse. The services provided by an information security professional are critical to the success of an organization and to the overall security posture of the information technology community. Such responsibilities place a significant expectation on certified professionals to uphold a standard of ethics to guide the application and practice of the information security discipline.

A professional certified by GIAC acknowledges that such a certification is a privilege that must be earned and upheld. GIAC certified professionals pledge to advocate, adhere to, and support the Code of Ethics.

GIAC certified professionals who willfully violate any principle of the Code may be subject to disciplinary action by GIAC.

Respect for the Public

I will accept responsibility in making decisions with consideration for the security and welfare of the community.

I will not engage in or be a party to unethical or unlawful acts that negatively affect the community, my professional reputation, or the information security discipline.

Respect for the Certification

I will not share, disseminate, or otherwise distribute confidential or proprietary information pertaining to the GIAC certification process.

I will not use my certification, or objects or information associated with my certification (such as certificates or logos) to represent any individual or entity other than myself as being certified by GIAC.

Respect for my Employer

I will deliver capable service that is consistent with the expectations of my certification and position.

I will protect confidential and proprietary information with which I come into contact.

I will minimize risks to the confidentiality, integrity, or availability of an information technology solution, consistent with risk management practice.

Respect for Myself

I will avoid conflicts of interest.

I will not misuse any information or privileges I am afforded as part of my responsibilities.

I will not misrepresent my abilities or my work to the community, my employer, or my peers.

Copyright © 2004-2006 Peter H. Gregory. All rights reserved.

Notice: Images, royalties, rights, copyrights, and trademarks displayed on this site are the property of their respective owners.