Security Musings

Security Musings

Musings: Ethics

Collected musings on ethics, in information security as well as in general.

Other Related Articles in Musings: Ethics


Ethics in Information Security


By Stephen Northcutt

This is a response to an article by David Mortman that was posted on Search Security. Before, I go any further, I want to state that I agree with David more than I disagree with him, however, Seach Security needs to do more fact checking. I felt his earlier article also suffered from opinion over fact and contacted him to try to share information. Normally, I will comment directly at a blog, but did not see a comment function; however, I run NoScript to protect my browser from the Internet so I may have missed it. The article is quoted in italics, my comments are not. Everything written herein is personal opinion and probably not the position of any organization listed in the rebuttal.

Second, I learned that (ISC)2, GIAC, ISACA and ASIS decided--after a panel discussion about ethics at last year's RSA Conference--that a uniform code of ethics for all the organizations was a really good idea.

Actually, the five organizations that had senior members on the ethics panel also included ISSA. Of the five, three, (ISC)2, ISSA and GIAC have ratified the common Framework to date. The URL of the Ethics Working Group is here and you can see the Framework here.

So they formed a cross-organizational committee to create exactly that. This certainly addresses my concerns last year about significant inconsistencies between the organizations' policies. I was also informed by a member of the committee that although the different groups would separately handle ethics violations, there was an effort to standardize their processes so they would be as similar as possible.

This is evolving. Dorsey Morrow, legal council for (ISC)2 once put it this way. He is on the bar of more than one state. Should he ever have an ethics issue, he might be publically reprimanded in one state and privately in another. Even though the legal profession has a basic general code, they have to allow for differences in the different states, because each state has its own court system that might pass laws that affect the ethics code slightly.

While this is a nice step forward, more than a year later nothing has been published publicly about it other than a website, which was still under construction as of this summer.

Thank you very much for saying this is a nice step forward, and the web site is up and running:

http://ethics-wg.org/

If one jumps the gun and announces early, it makes all the organizations angry (ask me how I know). However, there are links that mention this, here and also here, though the first one was written after your article. Also, there is an article on ethics and professionalism mentioning the Framework from The Academy here (it was also posted after your article). I am sure that (ISC)2 and ISSA also have links. In addition, I am told the Storage Networking Industry Alliance is, at least provisionally, considering the Framework.

It also was quite disappointing to hear that the new ethics policies and procedures would not be available for comment by members of the organizations prior to their adoption by the various boards. This disregard for the members' thoughts and opinions on such a contentious topic is offensive.

This is an unfair statement. The ethics procedures are not changing, it remains the same for each organization. For instance, GIAC has and still does use an ethics council and follows their procedures. What is changing is that three leading organizations in security are adopting the same general philosophy or core values.

It's standard practice in most organizations to at least solicit feedback, if not hold a full member vote, before implementing changes of this magnitude. The working group also declined my repeated offers of feedback on their efforts.

I cannot comment on this, you haven't contacted me that I know of. As before, I am willing to share information with you as I know it, though it can't always be for immediate publication; all of the parties that ratify the Framework should be involved in information about the Framework that is released. The current focus is procedural. Now that we have a "what" defined, we need to work on "how".

All in all, the insular attitude about this project continues to reinforce my belief that the certification groups don't really care about their constituencies, but rather are still acting to protect their reputations. It makes their motivations behind creating the working group questionable.

You are welcome to your beliefs, but you have a responsibility as a journalist to check your facts.

Really what we have is lipstick on a pig.

Somehow I seem to be visualizing a soccer mom more than a pig! (That was my link on the lipstick on a pig quote)

e.php?term=lipstick%20on%20a%20pig">lipstick on a pig quote)

We have a situation where nothing has changed, and a group of organizations that purports to speak for the industry but refuses to engage with its members. When dealing with ethics, transparency is key, and it is a bad sign when our representatives won't give us details on their plans for dealing with such an important issue. As I said in my last column on this issue, if we want to be viewed as trusted professionals, we need to demonstrate that we are worthy of trust, and a true ethics program is one of the ways we can do so. Color me disappointed and disillusioned.

To say "nothing has changed" is incorrect. That said, I agree with you more than I disagree. In terms of transparency, I am trying to get the word out, hopefully the article on ethics and professionalism posted on The Academy will be read by someone. That said, I wish more had been done to date. I certainly agree that we want to be viewed as trusted professionals. If you, or anyone else, wants to advance the cause of professionalism (and ethics is one piece of that), in the IT/ITSEC/Audit community, please drop me a note, stephen@sans.edu.