A Little More about Ethics in Information Security
Ethics in information security is such an important topic that I feel the need to cover just a little more about it. As I said in my last blog entry, different professional organizations have different ethics standards. Consider, for example, the Information Systems Audit and Control Association (ISACA)’s code of ethics. Some of the provisions include:
- Perform their duties with objectivity, due diligence and professional care, in accordance with professional standards and best practices.
- Serve in the interest of stakeholders in a lawful and honest manner, while maintaining high standards of conduct and character, and not engage in acts discreditable to the profession.
- Maintain the privacy and confidentiality of information obtained in the course of their duties unless disclosure is required by legal authority. Such information shall not be used for personal benefit or released to inappropriate parties.
- Maintain competency in their respective fields and agree to undertake only those activities, which they can reasonably expect to complete with professional competence.
- Inform appropriate parties of the results of work performed; revealing all significant facts known to them.
- Support the professional education of stakeholders in enhancing their understanding of information systems security and control.
These provisions are only part of the complete set of ISACA’s code of ethics, but anyone who reads these provisions and seriously thinks about what each actually entails will almost certainly feel a bit overwhelmed. Consider, for example, the fourth provision above. An information security professional or auditor must agree to undertake only those activities which one can reasonably expect to complete with professional competence. Does this mean that if an information security professional is undertaking an activity for the first time without suitable training or guidance from another professional, the person should seriously consider not undertaking the activity? I worry that this provision does not seem to make allowances for the “learning curve” in professional work. The next provision requires that appropriate parties be informed of the results of work performed, revealing all significant facts known to them. Does this provision require someone who has, for instance, had an external penetration test conducted to inform users within an organization of the testing outcomes and recommendations? Users’ online security might, after all, be adversely affected if vulnerabilities found as the result of the penetration test were exploited by an external attacker.
The point that I am trying to make is that I suspect that those of us (myself very much included) who must abide by certain ethical standards to be certified by various professional organizations almost without exception take the time to read these standards, but we probably do not adequately think about what abiding by them genuinely entails. Acting in accordance with certain provisions is likely to be far more complicated than one would imagine, and in some cases I fear that on-the-job political considerations might dictate deliberately failing to comply. Distributing certain security-related information (such as performance metrics that reveal a number of deficiencies in the information security function) to a function within an organization that has a bona fide need to know, but that has proven itself adversarial to the information security function could, for example, be tantamount to political suicide.
Ethics should be one of the most important motivators of on-the-job behavior of information security professionals. It thus seems ironic that we spend so much time and resources teaching users that they should choose better passwords and system administrators that they should configure systems in accordance with certain security standards, but do so little to educate information security professionals concerning ethics. An appropriate start would be for certification-granting organizations such as ISACA and (ISC)2 to expend considerably more effort in helping security professionals learn much more about the meaning and implications of relevant ethical standards and to train these individuals in applying ethical provisions to real-life on-the-job situations.