Ethics at RSA
One of the sessions that I attended during the RSA conference covered ethics within the certification organizations. The session was titled “Professional Ethics in the Security Disciplines” and the participants were:
Howard Schmidt, President & CEO, R & H Security Consulting LLC; Former White House Cyber Security Advisor
Stephen Northcutt, President, SANS Technology Institute
Ed Zeitler, Executive Director, (ISC)²
Jeff Spivey, President, ASIS
Everett Johnson, International President, ISACA
The questions from the audience were lively and seemed to focus on the maturity of ethics within these organizations. All the panel participants agreed that it has been a challenge to develop an ethics program that is specific yet addresses memberships that span the globe.
I asked whether these organizations intended to share information among themselves about persons who have been found in violation of their ethics policies. They all decided to refer the question to their lawyers. But an interesting question that came up later was whether the crowd felt that there should be a consolidated code of ethics across the organizations. The consensus was yes.
Another interesting situation occurred when somebody asked a question about responsible disclosure. Stephen Northcutt fielded this question and made the point of its necessity within our field. However, the moderator, Howard Schmidt, asked him, “If you have a neighbor who does not lock their doors and they leave for vacation, do you disclose it to the public?” Although Stephen danced a little with his answer, I think that Mr. Schmidt was really just after making a good point. I initially thought that this was a good question, but now that I have had a chance to think about it a little, it doesn’t necessarily fit the situation. He is asking about a situation that affects one person or family. Responsible disclosure relates to companies whose vulnerabilities have a larger community impact.
Now that the conference is over and I have returned to having time to read my regular email, I can tell you that these organizations have already started working together to achieve a common code of ethics. I believe that they are going to base it on the one published by IEEE. I have checked through the IEEE Standards documents and did not find anything specifically referring to an ethics standard, but you can read the IEEE Code of Ethics, which may be what the consolidated version will be modeled after. If it turns out to be different I will update this post.
If you have an opinion about this consolidation, for or against, please leave a comment with your reasoning.
Go forth and do good things,
Cutaway
Help support my training and travel to security conferences. Get your SANS Training and GIAC Certifications through the Security Ripcord.