Code of Ethics. Any (ISC)2 member who knowingly violates the (ISC)2 Code of Ethics will be subject to peer review and potential penalties, which may include revocation of the member's (ISC)2 certification(s).
(ISC)2 Code of Professional Ethics
The (ISC)2 Code of Ethics Preamble is as follows:
The safety and welfare of society and the common good, duty to our principals, and to each other, requires that we adhere, and be seen to adhere, to the highest ethical standards of behavior.
Therefore, strict adherence to this Code of Ethics is a condition of certification.
In short, the Code of Ethics Preamble states that it is required that every CISSP certified member not only follows the Code of Ethics but must be visibly seen as following the Code of Ethics. Even the perception of impropriety or ethical deviation may bring into question a member's standing. As such, CISSP certified members must serve as visible ethical leaders within their organizations and industry, at all times.
The (ISC)2 Code of Ethics includes four canons that are intended to serve as high-level guidelines to augment, not replace, members' professional judgment. The (ISC)2 Code of Ethics Canons are as follows:
Canon I: Protect society, the common good, necessary public trust and confidence, and the infrastructure.
Canon II: Act honorably, honestly, justly, responsibly, and legally.
Canon III: Provide diligent and competent service to principals.
Canon IV: Advance and protect the profession.
Adhering to and promoting the (ISC)2 Code of Ethics not only includes being mindful of your own professional behaviors, but also being aware of your peers' behaviors. (ISC)2 requires that any member who observes another member breaching the Code of Ethics follow the published ethics complaint procedure. Failure to do so may be considered breach of Canon IV. Additional information on the (ISC)2 Code of Ethics and the ethics complaint procedures can be found at www.isc2.org/Ethics.
Organizational Code of Ethics
In addition to the (ISC)2 Code of Ethics, as an information security professional, you must be aware of any code of ethics that you are required to uphold by your employer or industry. Similar to the (ISC)2 Code of Ethics, these other organizational codes of ethics should not be considered replacements for sound judgment and moral behavior. As a CISSP, you are a leader within your organization. As such, you should lead by example in adhering to your organization's Code of Ethics.
In January 1989, right around the dawn of the internet, the Internet Activities Board (IAB) released a memo titled “Ethics and the Internet” (RFC 1087) as a statement of policy concerning ethical use of the internet. Although the memo is ancient by technology standards, the principles within it are still relevant today; as a CISSP, you should understand and adhere to these principles.
RFC 1087 characterizes as unethical and unacceptable any activity that purposely
“seeks to gain unauthorized access to the resources of the Internet”
“disrupts the intended use of the Internet”
“wastes resources (people, capacity, computer) through such actions
“destroys the integrity of computer-based information
“compromises the privacy of users”
Interestingly enough, this memo that debuted in the very early days of the internet — even before there was structured thought around information security — aligns directly with the CIA Triad and privacy principles that guide information security professionals in the 21st century.
UNDERSTAND AND APPLY SECURITY CONCEPTS
Information security refers to the processes and methodologies involved in safeguarding information and underlying systems from inappropriate access, use, modification, or disturbance. This is most often described by three critical security concepts: confidentiality, integrity, and availability. Together, these three principles form the pillars of information security known as the CIA Triad (see Figure 1.1).
FIGURE 1.1 CIA Triad
Although different types of systems and data may prioritize one principle over the others, all three security concepts work together and depend on each other to successfully maintain information security. Confidentiality, integrity, and availability are the most critical characteristics that information security provides, and understanding each of these principles is a basic requirement for all information security professionals. As such, a common understanding of the meaning of each of the elements in the CIA Triad allows security professionals to communicate effectively.
Confidentiality
The first principle of the CIA Triad is confidentiality. Confidentiality is the concept of limiting access to data to authorized users and systems and restricting access from unauthorized parties. In other words, confidentiality guarantees that only intended people are able to access information and resources. In short, the goal of confidentiality is to prevent unauthorized access to data, as it pertains to viewing, copying, or moving the data. Organizations that fail to protect data confidentiality run the risk of violating contractual and regulatory obligations around data protection. In addition, companies with known breaches of confidentiality commonly experience reputational damage that benefits their competitors and potentially impacts their bottom line.
The concept of confidentiality is closely related to the security best practice of least privilege, which asserts that access to information should be granted only on a need-to-know basis. Under least privilege, users are only given enough access to do their jobs — no more and no less.
Privacy is a field that is closely related to security and is focused on the confidentiality of personal data specifically. Information that can be used to uniquely identify a person, such as names, birthdates, and Social Security numbers, are considered personally identifiable information (PII), which is usually required by law to be kept highly confidential. Privacy requirements are introduced later in this chapter, in the section “Determine Compliance and Other Requirements.”
Numerous malicious acts target data confidentiality, including phishing and other forms of social engineering, credential (e.g., password) theft, network sniffing, and others. In addition to malicious acts, confidentiality may be compromised by human error, oversight, or mere negligence. Such examples include failure to encrypt sensitive data, misrouted emails, or displaying sensitive information on your computer monitor while unauthorized viewers are in the vicinity.
Confidentiality is often the security concept that data owners care about the most, and there are many security controls available to assist with this. Encryption, multifactor authentication, and role-based access controls are a few measures that can help ensure data confidentiality. Extensive personnel training is a hugely important measure for reducing risk associated with human error and negligence. We address data confidentiality and discuss relevant controls throughout the remainder of this book.
Integrity
The second