Showing results for 
Show  only  | Search instead for 
Did you mean: 
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Influencer II

Ethical principals

Over on the CISSPforum, we are having a little discussion about codes of ethics.


Somebody noticed that:


> Yes, that's the writing on the site, but shouldn't it be "competent
> service to principals"?

And, good grief, he's absolutely right.

code of ethics oops.PNG

In a sense, the Website is correct: we should competently serve the moral principles of our profession.  (Even if it sometimes means we disappoint our principal employers, since the society and ethics canons come first  🙂


Other posts:

This message may or may not be governed by the terms of or
18 Replies
Community Champion

Excellent points, DAlexander. I think you're right about the study and development of Ethics or Moral Philosophy.


Our understanding of how to be in society, our laws (criminal, civil, administrative), our business interactions are all founded on ethical principles.


As I am reading this fascinating discussion, I am pleased that it is ironically in the Welcome section! Ethical behavior is fundamental to a well functioning society.


I am also reminded of the discussion Crito had with Socrates before his execution. Crito is concerned about what people will think of him if he lets his friend perish. Socrates is concerned only about the laws and the ethics of breaking out of jail and fleeing Athens. He has made his peace with himself and has chosen to accept his fate and not to offend or disrespect the Laws.


So you're also right when you talk about "complexifying" matters.


On the other hand, there have been clearly unjust laws in the past that have caused people to revolt, remember why the American Revolution started? It was, among other factors, caused by "No Taxation with Representation" and other issues that were enacted by the British Parliament against those who lived in the 13 colonies. So many taxes, so little representation.


These are great issues to ponder and to discuss and to apply to our lives as Information Security professionals.


They are at the base of maintaining the Integrity of the profession.

Advocate I

Its late on a Friday afternoon so forgive me.


Though I agree with the thrust of the post, I do have to ask if this is policy statement? Perhaps should consider this to be a working standard, possibly a procedure or simply guidance on behalf of the ISC(2)?


Please advise,


BEads (Brent)

Community Champion

A fascinating discussion, and an important one to be sure. Best.

Newcomer III

@rslade, a common tactic of Internet and media trolls is to selectively quote parts of a discussion and attempt to counter with seemingly prophetic one-liners that lack substance.  Rather than trying to be clever, could you enlighten us with your understanding of ethics?  I am also especially curious to know what you suggest would be a better system to replace nations of laws (or as you put it, tyrannies of the majority).


Finally, I recommend that you do a little background research on things before you cut and paste from your favorite book-o-quotes.  Besides the H.L Mencken gem you selected when responding to my post, he has others that I wonder if you agree with.  For example, he once wrote, "It is impossible to talk anything resembling discretion or judgement into a colored woman" when talking about his black maid.  He followed that with, "They are all essentially child-like, and even hard experience does not teach them anything."  There are several other examples of his racist and anti-Semitic writing as well but I trust you can google that as well as anyone.

Community Champion

In reading the comments regarding our responsibilities both toward principals and principles, I am reminded of the Organisation for Economic Co-operation and Development 's (OECD) 2002 document : OECD Guidelines for the Security of Information Systems and Networks: Towards a Culture of Security:


Guidelines 4) Ethics and 5) Democracy ring particularly important today, in view of the actions of adversaries who wish to subvert nations' commercial and political institutions.


Regarding Ethics (4), here is what OECD had to say:


Participants should respect the legitimate interests of others.

Given the pervasiveness of information systems and networks in our
societies, participants need to recognise that their action or inaction may
harm others. Ethical conduct is therefore crucial and participants should
strive to develop and adopt best practices and to promote conduct that
recognises security needs and respects the legitimate interests of others.


Regarding Democracy (5), here is the OECD guideline:


The security of information systems and networks should be compatible with
essential values of a democratic society.

Security should be implemented in a manner consistent with the values
recognised by democratic societies including the freedom to exchange
thoughts and ideas, the free flow of information, the confidentiality of
information and communication, the appropriate protection of personal
information, openness and transparency.


As information security professionals it may also be well to take into consideration some of these principles as well and to understand that not everyone has the same desire for harmony as we do.

Contributor I

I find it extremely ironic that you have effectively called Rob a troll for pointing out to you that you have seemingly conflated what is "Right" and what is "Legal" into being the same general idea, an idea that often has, and still does, lead to average people acting horribly towards others under the auspices of "it was legal". 


I fail to see how dropping a relevant, if pithy quote is trolling, as it quite effectively points out the issue with what you put forth, not to mention that, with a little research, brings one around to other writings of the author in question which clearly illustrate deeper issues with confusing RIGHT and LEGAL.


I think its especially ironic that your point regarding H.L Mencken's other writing ties back (tangentially at least) to a history (in the US) of LEGAL discrimination against various groups, which I'm fairly comfortable in saying was not RIGHT, tho it was certainly LEGAL. 



Newcomer III

     @Dain, I see no irony at all because he didn’t point anything out…that was the point of my message evidenced by the words “lack substance.” Since you’ve raised your concerns however, let’s examine the Code of Ethics Canons that this very discussion was initiated on and maybe we can clear up your confusion. I want to highlight the first two in particular:


  • Protect society, the common good, necessary public trust and confidence, and the infrastructure.
  • Act honorably, honestly, justly, responsibly, and legally.

     I believe it is appropriate to expect one to know the difference between right and wrong when protecting the common good. I will concede that there are instances when the line between right and wrong is a little less defined however, societal norms should help to guide our decisions. Societal norms are essentially the agreed-upon sets of rules that members of that society live by. They are not set in stone and commonly change from generation to generation. Acting legally is not so nebulous. In most developed, functioning societies, laws are documented and specific enough to define a clear line not to cross. When that is not sufficient, laws can be challenged either in court or through another legislative process to actually change them to better meet the needs of the common good. I want to emphasize that I am in no way implying that there are not exceptions to this and that some nations’ legal systems are woefully corrupt and ineffective.


     I ask you to consider two terms, constraint and restraint. A constraint is something you cannot do such as commit bank fraud, steal from a retailer, slap your neighbor, conduct vigilante-style cyber attacks, etc. Laws are therefore, constraints. A restraint is something you must (or must not) do that is imposed upon you by either yourself, your boss, your God, or whoever you answer to. This is what I would categorize as ethics.  In the context of being an information security professional, constraints should take precedence over restraints.  We have responsibility to question and refuse to do anything that is illegal, period.


     You raise the notion that people often act horribly towards each other because they believe it is legal to do so. Believe me, I am well aware of terrible human rights issues that happen in many regions of the world. I have been to several of them and witnessed the aftermath first-hand. I wonder though, are these atrocities happening because the law prevents the members of that society from treating each other with dignity and respect…or is it the lack of laws or enforcement of the laws that is allowing this? I’d argue it is the latter and that particular society is acting neither ethically nor legally…and that is wrong.


     As for the quote, I am actually not surprised you’d be the one to defend it based on some of your previous posts ( No matter how clever something copied from the Internet may seem to some contributors, we should never glorify any individual that has a documented history of racism, sexism, or any other –ism.

Contributor I

I'm not really sure where the Risk discussion comes in, in terms of defending the quote (other than to say that yes, i firmly believe that thinking for oneself - regardless of what the law, religion, or society as a majority provides as moral guidelines is important - and that none of those things necessarily provides an objective measure of good/bad - not do I believe it is a binary analysis in most any but the simplest of intellectual exercises.


I thought the quote was remarkably apt, for a number of reasons, not least of which was the that it came from a closeted bigot, who lived in a time when such beliefs were accepted, if not outright encouraged, by society, and the laws of the US.  So to us he is some what abhorrent, and yet at the time he fit the guidelines of morality and legality (at least as far as the bigotry goes, some of his political views were pretty obnoxious anyway you look at it)


the point - I believe - was that allowing oneself to subscribe to such guidelines without carefully evaluating the baselines those constraints and restraints originated with (historical, religious, legal, racial, whatever) leaves one open to the belief that they are acting morally, ethically, honorably as measured against a very flawed stick.  Not to mention an easy way to defend immoral, unethical, and less than honorable behavior.


And yes, i had to look up the quote, and the author, and it made me think about what i think Rob was trying to say.  Would I have learned as much if I didn't have to look it up?  hard to say

Community Champion



Hi Derek,


As noted by other respondents ISC2 really doesn’t have such sharp business practices.


I can attest to this as my college and I signed up to attend congress this year. He couldn’t attend so tried to cancel, but had gone outside the cancelation timeframe for the conference. ISC2 did not have to refund his attendance fee but did, he is neither certified by nor an accossiate of ISC2 and no one interceded on his behalf.


Well done for passing the HCISSP exam, however ISC2 will have to verify your stated experience, if they can’t do that to satisfaction, then it’s not going to be possible to certify you.


My advice would be to delete your posts that are defamatory to ISC2 and surely counterproductive to your cause, calm down and then reach out to the folks you have already been talking to apologise and see how to move forward. 


ISC2 really doesn’t want your proprietary information, but it rests upon the candidate to meet the requiments for certification, they would try to help as much as is permissible, but you’ll either meet the experience requirement or not. It may be that accosiate of ISC2 is going to work out better until such time as you can reliably prove your experience.


Best regards,