Professional Ethics

Ethics (or moral values) help to describe what you should do in a given situation based on a set of principles or values. Ethical behavior is important to maintaining credibility as an information security professional and is a requirement for maintaining your CISSP certification. An organization often defines its core values (along with its mission statement) to help ensure that its employees understand what is acceptable and expected as they work to achieve the organization’s mission, goals, and objectives.

Ethics are not easily discerned, and a fine line often hovers between ethical and unethical activity. Unethical activity doesn’t necessarily equate to illegal activity. And what may be acceptable in some organizations, cultures, or societies may be unacceptable or even illegal in others.

Ethical standards can be based on a common or national interest, individual rights, laws, tradition, culture, or religion. One helpful distinction between laws and ethics is that laws define what we must do and ethics define what we should do.

Many common fallacies abound about computers and the Internet, which contribute to this gray area:

• The Computer Game Fallacy: Any system or network that’s not properly protected is fair game.

• The Law-Abiding Citizen Fallacy: If no physical theft is involved, an activity really isn’t stealing.

• The Shatterproof Fallacy: Any damage done will have a limited effect.

• The Candy-from-a-Baby Fallacy: It’s so easy, it can’t be wrong.

• The Hacker’s Fallacy: Computers provide a valuable means of learning that will, in turn, benefit society.

Remember: The problem here lies in the distinction between hackers and crackers. Although both may have a genuine desire to learn, crackers do it at the expense of others.

• The Free Information Fallacy: Any and all information should be free and thus can be obtained through any means.

Almost every recognized group of professionals defines a code of conduct or standards of ethical behavior by which its members must abide. For the CISSP, it is the (ISC)2 Code of Ethics. The CISSP candidate must be familiar with the (ISC)2 Code of Ethics and Request for Comments (RFC) 1087 “Ethics and the Internet” for professional guidance on ethics (and information that you need to know for the exam).

(ISC)2 Code of Ethics

As a requirement for (ISC)2 certification, all CISSP candidates must subscribe to and fully support the (ISC)2 Code of Ethics. Intentionally or knowingly violating any provision of the (ISC)2 Code of Ethics may subject you to a peer review panel and revocation of your hard-earned CISSP certification.

The (ISC)2 Code of Ethics consists of a mandatory preamble and four mandatory canons. The canons are listed in order of precedence, thus any conflicts should be resolved in the order presented below:

1. Protect society, the commonwealth, and the infrastructure.

2. Act honorably, honestly, justly, responsibly, and legally.

3. Provide diligent and competent service to principals.

4. Advance and protect the profession.

Additional prescriptive guidance is provided for each of the canons on the (ISC)2 website at www.isc2.org. You should carefully review the (ISC)2 Code of Ethics and the prescriptive guidance provided on the (ISC)2 website prior to taking the CISSP exam.

Internet Architecture Board (IAB) — Ethics and the Internet (RFC 1087)

Published by the Internet Architecture Board (IAB) (www.iab.org) in January 1989, RFC 1087 characterizes as unethical and unacceptable any activity that purposely

• “Seeks to gain unauthorized access to the resources of the Internet.”

• “Disrupts the intended use of the Internet.”

• “Wastes resources (people, capacity, computer) through such actions.”

• “Destroys the integrity of computer-based information.”

• “Compromises the privacy of users.”

Other important tenets of RFC 1087 include

• “Access to and use of the Internet is a privilege and should be treated as such by all users of [the] system.”

• “Many of the Internet resources are provided by the U.S. Government. Abuse of the system thus becomes a Federal matter above and beyond simple professional ethics.”

• “Negligence in the conduct of Internet-wide experiments is both irresponsible and unacceptable.”

• “In the final analysis, the health and well-being of the Internet is the responsibility of its users who must, uniformly, guard against abuses which disrupt the system and threaten its long-term viability.”

Computer Ethics Institute (CEI)

The Computer Ethics Institute (CEI; http://computerethicsinstitute.org) is a nonprofit research, education, and public policy organization originally founded in 1985 by the Brookings Institution, IBM, the Washington Consulting Group, and the Washington Theological Consortium. CEI members include computer science and information technology professionals, corporate representatives, professional industry associations, public policy groups, and academia.

CEI’s mission is “to provide a moral compass for cyberspace.” It accomplishes this mission through computer-ethics educational activities that include publications, national conferences, membership and certificate programs, a case study repository, the Ask an Ethicist online forum, consultation, and (most famously) its “Ten Commandments of Computer Ethics,” which has been published in 23 languages (presented here in English):

1. Thou shalt not use a computer to harm other people.

2. Thou shalt not interfere with other people’s computer work.

3. Thou shalt not snoop around in other people’s files.

4. Thou shalt not use a computer to steal.

5. Thou shalt not use a computer to bear false witness.

6. Thou shalt not use or copy software for which you have not paid.

7. Thou shalt not use other people’s computer resources without authorization.

8. Thou shalt not appropriate other people’s intellectual output.

9. Thou shalt think about the social consequences of the program you write.

10. Thou shalt use a computer in ways that show consideration and respect.

Prep Test

1. Penalties for conviction in a civil case can include

A. Imprisonment

B. Probation

C. Fines

D. Community service

2. Possible damages in a civil case are classified as all the following except

A. Compensatory

B. Punitive

C. Statutory

D. Financial

3. Computer attacks motivated by curiosity or excitement describe

A. “Fun” attacks

B. Grudge attacks

C. Business attacks

D. Financial attacks

4. Intellectual property includes all the following except

A. Patents and trademarks

B. Trade secrets

C. Copyrights

D. Computers

5. Under the Computer Fraud and Abuse Act of 1986 (as amended), which of the following is not considered a crime?

A. Unauthorized access

B. Altering, damaging, or destroying information

C. Trafficking child pornography

D. Trafficking computer passwords

6. Which of the following is not considered one of the four major categories of evidence?

A. Circumstantial evidence

B. Direct evidence

C. Demonstrative evidence

D. Real evidence

7. In order to be admissible in a court of law, evidence must be

A. Conclusive

B. Relevant

C. Incontrovertible

D. Immaterial

8. What term describes the evidence-gathering technique of luring an individual toward certain evidence after that individual has already committed a crime, and is this considered legal or illegal?

A. Enticement/Legal

B. Coercion/Illegal

C. Entrapment/Illegal

D. Enticement/Illegal

9. In a civil case, the court may issue an order allowing a law enforcement official to seize specific evidence. This order is known as a(n)

A. Subpoena

B. Exigent circumstances doctrine

C. Writ of Possession

D. Search warrant

10. When should management be notified of a computer crime?

A. After the investigation has been completed

B. After the preliminary investigation

C. Prior to detection

D. As soon as it has been detected

Answers

1. C. Fines. Fines are the only penalty a jury can award in a civil case. The purpose of a fine is financial restitution to the victim. Review “Civil penalties.”

2. D. Financial. Although damages in a civil case are of a financial nature, they are classified as compensatory, punitive, and statutory. Review “Civil penalties.”

3. A. “Fun” attacks. Grudge attacks are motivated by revenge. Business attacks may be motivated by a number of factors, including competitive intelligence. Financial attacks are motivated by greed. Review “Major Categories of Computer Crime.”

4. D. Computers. Patents and trademarks, trade secrets, and copyrights are all considered intellectual property and are protected by intellectual property rights. Computers are considered physical property. Review “Intellectual property.”

5. C. Trafficking child pornography. The Child Pornography Prevention Act (CPPA) of 1996 addresses child pornography. Review “U.S. Child Pornography Prevention Act of 1996.”

6. A. Circumstantial evidence. Circumstantial evidence is a type of evidence, but it’s not considered one of the four main categories of evidence. In fact, circumstantial evidence may include circumstantial, direct, or demonstrative evidence. Review “Types of evidence.”

7. B. Relevant. The tests for admissibility of evidence include relevance, reliability, and legal permissibility. Review “Admissibility of evidence.”

8. A. Enticement/Legal. Entrapment is the act of encouraging someone to commit a crime that the individual may have had no intention of committing. Coercion involves forcing or intimidating someone to testify or confess. Enticement does raise certain ethical arguments but isn’t normally illegal. Review “Admissibility of evidence.”

9. C. Writ of Possession. A subpoena requires the owner to deliver evidence to the court. The exigent circumstances doctrine provides an exception to search-and-seizure rules for law enforcement officials in emergency or dangerous situations. A search warrant is issued in criminal cases. Review “Collection and identification.”

10. D. As soon as it has been detected. Management should be informed of a computer crime as soon as it has been detected. Management needs to be aware of, and support, investigations and other activities that follow the detection of the crime.
