Security Ripcord


Change ISC^2 Ballot Petition System

First of all I would like to say good luck to Seth Hardy on his efforts to get on the ISC^2 ballot.  If you feel like supporting Seth please go to http://sethforisc2board.org/

However, I don’t think that the current method of gathering information for ballot petitions sufficiently protects the members of ISC^2.  Therefore I have written to ISC^2, using their “Contact Us” web form, with the following “Suggestion.”

Seth Hardy is currently on a campaign to be added to the ISC^2 election ballot.  He is gathering signatures through his site at: http://sethforisc2board.org.  Apparently, he is required to gather a significant amount of information from individuals signing his petition: “For it to count, you’ll need to be In Good Standing with (ISC)2, use your email address on record with (ISC)2, include your member number, and state that you’re signing my petition.”

I would like to request that ISC^2 members not be forced to personally gather this information for use in an ISC^2 sponsored event.  This website provides a perfectly good resource to authenticate certified members of ISC^2 and determine if they are authorized to sign Seth’s petition (“In Good Standing”).  Conducting petition signing via this resource would limit the exposure of information associated with the members of this organization.

Please understand that I do not have a problem with Seth gathering signatures and I hope he reaches his goal.  I only want to help ensure that we are protecting the information associated with the membership and also providing the persons with the interest of getting on the ballot a fair means of doing so.

Thank you,
Don C. Weber

There are just a few threats associated with the information obtained through this petition.

  • Password Reset – a reset request needs only the primary email address on record; it merely triggers a confirmation email to that address.
  • Social Engineering Activities – calling into ISC^2 with a member’s details, or impersonating an Information Security Professional to another organization.
  • Ethics Violations – a consequence of the social engineering above; imagine the time and the number of people it would take to get such an incident straightened out.

I know that these are minor threats, but I really do not feel like jeopardizing my CISSP certification when it could be better protected with just a little bit of effort and foresight on the behalf of ISC^2 and their web developers.

If you have similar concerns, please consider using the ISC^2 website to contact them and submit a similar “Suggestion” or “Complaint” email.  I thought about doing this after Seth’s petition was complete.  However, by then the topic will have passed and nobody will really be interested.  So, I’m driving on while also wishing Seth the best of luck.

Go forth and do good things,

Don C. Weber
