iluom
Contributor II

Ethical dilemma

 

Consider the scenario

 

If executive management chooses to pay fines instead of bringing the organization into compliance with the laws and regulations, because the fines cost them less than the actual implementation of the controls.

 

What would be the stance of a security manager/professional? 2 & 3 are in conflict; though you want to follow 2, you can't in this situation. What is the best possible solution?

 

Code of Ethics Canons

1. Protect society, the common good, necessary public trust and confidence, and the infrastructure.
2. Act honorably, honestly, justly, responsibly, and legally.
3. Provide diligent and competent service to principals.
4. Advance and protect the profession.

 

Cheers

Chandra Mouli, CISSP, CCSP, CSSLP
15 Replies
CISOScott
Community Champion


@iluom wrote:

 

Consider the scenario

 

If executive management chooses to pay fines instead of bringing the organization into compliance with the laws and regulations, because the fines cost them less than the actual implementation of the controls.

 

What would be the stance of a security manager/professional? 2 & 3 are in conflict; though you want to follow 2, you can't in this situation. What is the best possible solution?

 

Code of Ethics Canons

1. Protect society, the common good, necessary public trust and confidence, and the infrastructure.
2. Act honorably, honestly, justly, responsibly, and legally.
3. Provide diligent and competent service to principals.
4. Advance and protect the profession.

 

Cheers


At the end of the day it is management's decision if they want to accept the risk (paying fines) of not getting into compliance. You really didn't provide enough details to show how it is an ethical dilemma.

 

In number 3 you provide management with the risk of not getting into compliance (paying fines) and the cost of getting into compliance. It is up to them to do what they think is best for the business. You are not violating number 2 (the "legally" part) by not being in compliance. The law/regulations clearly state that if you are not in compliance, you will be fined. They are complying with the part of the law that says they will be fined for not being in compliance.

 

Remember what being a CISSP is all about. You would not fight really hard to convince management to spend a million dollars to protect a thousand dollar asset. It is your job as a CISSP/InfoSec professional to point out the costs of compliance, the costs of not meeting compliance, what not protecting the assets causes (risks, bad reputation, etc.), if there are any mitigating factors, other options, etc. so that MANAGEMENT can make the best decision as they see it.

ro83
Newcomer III

A brief and concise summary of risk management - https://www.youtube.com/watch?v=9IG3zqvUqJY 🙂

rslade
Influencer II

> iluom (Newcomer II) posted a new topic in Tech Talk on 01-10-2019 06:55 AM in

>     If executive management choose to pay fines instead
> of bringing the organization into compliance with the laws and regulations
> because the fines cost them lesser than the actual implementation of the
> controls   What would be the stance of a security manager/professional? 2 & 3
> are in conflict

Easy answer. Canon 1 says to protect society, and paying fines rather than fixing
the problem definitely doesn't.

> though you want to follow 2 you can't  in this situation..what
> is the best possible solution?

If you can't follow 1 and 2, then quitting is the best solution. (Yes, I know you're
going to say that's easy to say. I've actually had to do it ...)

====================== (quote inserted randomly by Pegasus Mailer)
rslade@vcn.bc.ca slade@victoria.tc.ca rslade@computercrime.org
I lost interest in `blade servers' when I found they didn't throw
knives at people who weren't supposed to be in your machine room.
- Anthony de Boer
victoria.tc.ca/techrev/rms.htm http://twitter.com/rslade
http://blogs.securiteam.com/index.php/archives/author/p1/
https://is.gd/RotlWB

............

Other posts: https://community.isc2.org/t5/forums/recentpostspage/user-id/1324864413

This message may or may not be governed by the terms of
http://www.noticebored.com/html/cisspforumfaq.html#Friday or
https://blogs.securiteam.com/index.php/archives/1468
dreastans
Newcomer III

There are two differing answers here, both with valid points. Without enough information it's hard to say. How does the lack of fixing things violate ethics? It's enough to violate your own sensibility and what you hold to be true, so there's something to be said about that. If it's enough to warrant it, find a new job.


---
Andrea Stansbury- CISSP
SteveHardwick
Viewer II

If the management team believes that fines are the only financial exposure of noncompliance, I would suggest that you have an incomplete risk analysis. I would suggest listing the risks that have been accepted in this approach, for example a loss of customer confidence leading to lost sales, civil litigation, etc. I would also suggest you keep a record of the risks and of the fact that the management team has accepted them.

iluom
Contributor II

 

I believe it's definitely an ethical dilemma.

 

If the professional code of conduct requires them to obey the law, then security professionals may feel that they are in an ethical dilemma; that was the situation in this case.

 

Ethics is motivation based on ideas of right and wrong, the moral values and rules: the principles of right and wrong that are accepted by an individual or a social group.

 

If the organization is not following the rules and regulations, they are violating the law. The security manager is also part of the organization and equally responsible for what his organization is doing.

 

If there is a law, regulation, or act, it is definitely there for the benefit and welfare of society, not to collect fines. Most often, laws are based on ethics and are put in place to ensure that others act in an ethical way.

However, laws do not apply to everything; that is when ethics should kick in. Some things may not be illegal, but that does not necessarily mean they are ethical.

 

The fines are there to enforce law and order. Breaking the law and paying the fine is ethically incorrect, even if it may be right from a business point of view. Therefore it's a dilemma for professionals who want to stick to the code of ethics.

 

Canon 2 precedes canon 3.

Canon 2 says:

Integrity is essential to the conduct of our duties. We cannot carry out our duties effectively if others within our organization, the security community, or the general public have doubts about the accuracy of the guidance we provide or the motives behind our actions.

 

Then it seems quitting is the best solution based on the code of conduct in this situation.

Chandra Mouli, CISSP, CCSP, CSSLP
Caute_cautim
Community Champion

There are organisations who actively keep "slush" funds for such situations: they would rather take the penalty and pay the fine than do anything about it. This is a decision they have taken, especially when the size of the penalty is not sufficient for them to believe they have to take action. They just weather it by ensuring they have contingency put aside, i.e. the "slush" fund. Often this happens within Small to Medium Businesses, or SMBs.

 

Regards

 

Caute_cautim

CISOScott
Community Champion

Consider speeding laws. If you go 1 MPH or KPH over the posted speed limit, should you immediately drive yourself to the police station to turn yourself in and demand that you be arrested because you broke the law? No, most people do not, and in fact many people have a built-in cushion of speed that they are OK with exceeding. In fact most police departments will not pursue the law breaker until they exceed a certain limit above the posted limit. Why? Because it is not worth their effort to track down and try to argue about whose equipment is more correct, the law breaker's speedometer or their radar equipment. What is the penalty for exceeding the speed limit? Usually a fine, unless the speed was considerably over the limit. Most people are not going to hurt anyone by exceeding the speed limits a little. However, people who exceed the speed limit excessively do pose a risk to the other motorists (what the law was intended to protect), so the penalties should be stiffer.

 

Now there are other violations of driving laws, such as driving while intoxicated, that are much more dangerous. If your company was doing the "exceed the speed limit and pay the fines" kind of law breaking, I would not be so worried; however, if they were doing more of the "driving while intoxicated" kind, then I would be much more concerned. If their non-compliance with the laws would place the finger of blame on the security person, then I would clearly document (requiring management's signature) that you had apprised them of the risks of non-compliance in continuing operations in the current manner. If they refuse to sign, then document it by emailing them, and ensure you keep backup copies of your emails for your records.

 

Of course if you are ever at a work place that is blatantly disregarding the laws and are asking you to violate your own morals and ethics, then yes, you prepare your exit plan and you leave.

 

Is it an ethical or moral dilemma because they "broke" the law? Remember, it is not you that is breaking the law, it is them. Your duty is to inform them, provide competent advice backed up with documentation, and then they can make their business decision. If their business decision doesn't sit well with you, then you make your career decision based on that.

 

I also look at 2 things: 1) the letter of the law vs. 2) the intent of the law. With the speeding example above, the intent of the law is to reduce deaths due to excessive speeding. The letter of the law says that the speed limit is X, so anything over X is a violation of the letter of the law. If you hold people to the letter of the law 100% of the time, it can have undesired consequences. If the law is "Killing a person is illegal", and you hold everyone to the letter of the law, then you eliminate self-defense, accidental deaths, justified shootings (i.e. police killing someone to prevent that person from killing others), etc. from being valid reasons why a person "broke" the law. This is the reason we have court systems: to bridge the gap between the intent of the law and the letter of the law.

 

So is the situation you are facing a clear intent to harm others, or just the fact that the penalty is not stiff enough to warrant compliance? (If you would rather not say, I understand.)

rslade
Influencer II

Since we are discussing ethics, I should mention that Patrick and I will be doing
"Ethics of Active Defence" next month (Feb 8, 2-4 pm PST) at the Vancouver
Chapter ( http://www.infosecbc.org/ ). The presentation will be live-streamed
(Internet permitting) and archived.

====================== (quote inserted randomly by Pegasus Mailer)
rslade@vcn.bc.ca slade@victoria.tc.ca rslade@computercrime.org
Originality is the fine art of remembering what you hear but
forgetting where you heard it. - Laurence J. Peter