mencik
Contributor III

Why does ISC2 insist on secrecy of its operations?

All,

If you read through the various parts of the Community, you will find posts where I have asked for things like:

  • How many votes did each candidate receive in the most recent Board election?
  • How many people voted in the most recent Board election?

I've been told that ISC2 has a policy not to release this information.

 

I've asked for a copy of the policy as it was adopted by the Board, to include the adoption date, and the staff has refused to provide me with that policy. Apparently, we are to take them at their word.

In the past, other members have asked for the Minutes of the Board meetings to be posted. To date they have not. According to past Board member Diana Contesti, during her term, the Board voted on a resolution and passed it, that required the posting of the minutes. Yet, they still remain unposted.

The By-Laws are posted at https://www.isc2.org/-/media/Files/2017-Amended-and-Restated-Bylaws.ashx, but I have not found a copy of the Articles of Organization of the Corporation.

There is a Policies and Procedures section of the ISC2 website, https://www.isc2.org/Policies-Procedures, but the policies referenced above are not posted. 

My question is why the Board of Directors and the Staff of ISC2 are so insistent upon secrecy of the operations of the Corporation that they will not even release copies of the policies that are referred to when declining to provide other information? This just does not make any sense to me, and I feel the Membership deserves better. 

Stephen M. Mencik
CISSP, ISSAP, ISSEP #10288

Note: Originally posted to Member Talk, but folks were having difficulty accessing it there.

30 Replies
dwinner
Newcomer I

This is a good test for this "Community". Does this Community mean anything? Is it genuinely intended to create effective dialog? If so, we will see a response to this simple and very reasonable request. If not, then we can regress to the petition (500 letters) process. 

rslade
Influencer II

> dwinner (Newcomer I) posted a new reply in Welcome on 12-15-2020 03:07 AM in the (ISC)² Community :

> This is a good test for this "Community". Does this Community mean anything?
> Is it genuinely intended to create effective dialog? If so, we will see a
> response to this simple and very reasonable request.

Hear, hear! Well said! Absolutely spot on!

(Nice to see you've finally gotten active.)

(Kuwait?)

====================== (quote inserted randomly by Pegasus Mailer)
rslade@gmail.com rmslade@outlook.com rslade@computercrime.org
The only reason an organization has dead wood is that management
either hired dead wood or it hired live wood and killed it.
- Walter Deming
victoria.tc.ca/techrev/rms.htm http://twitter.com/rslade
http://blogs.securiteam.com/index.php/archives/author/p1/
https://community.isc2.org/t5/forums/recentpostspage/user-id/1324864413

............

Other posts: https://community.isc2.org/t5/forums/recentpostspage/user-id/1324864413

This message may or may not be governed by the terms of
http://www.noticebored.com/html/cisspforumfaq.html#Friday or
https://blogs.securiteam.com/index.php/archives/1468
GJackson
Community Manager

Dear Steve,

 

I have shared all of your feedback internally, but wanted to provide an update on the additional steps the organization is taking.  

 

Regarding policies, including those related to the election, we are working on enhancing our FAQs, as well as looking to create additional content for our members to better understand how these activities are managed. We want to ensure that members who wish to learn more have this information available to them. 

 

On the question of organizational updates, we are looking at ways to better communicate to the members, and hope that moving into 2021 you will see some additional content about the organization on a more frequent basis. While we are still trying to validate any motion regarding minutes, we think these more frequent updates will help lessen the concerns on organizational activities.

 

Finally, we already discussed why we cannot release the individual vote totals. However, to better gauge the interest of the membership, we are happy to provide some additional detail around our most recent election. The following link should take you to the Member Talk page where we have updated this communication with the vote totals. 

 

https://community.isc2.org/t5/Member-Talk/Why-does-ISC2-insist-on-secrecy-of-its-operations/m-p/4170...

 

We are happy to report that this year was one of our most successful years for voting, and based on similar organizations we are above the average for participation.  That is a testament to the interest of our members. 

 

Moving forward, we recognize your desire to see more communication from the organization on its activity. It is our hope that moving into 2021 we can improve our standing with you.  Thanks again for your time and feedback.

 

Kind regards,

 

Graham

mencik
Contributor III

 

Graham,

This is a good start, and I hope it continues. I will note that updating a FAQ, while a good thing, is not the same as publishing policies. If the ISC2 Staff or Board cite policy as the reason not to release some kind of information, then the person citing the policy better be able to produce a copy of that policy and show who adopted it and when. Failure to produce said policy is indicative of the fact that no such policy really exists.

It is for that main reason that I want the Members only section of the ISC2.org website to have a spot for all such policies to be posted, along with the minutes of the Board and Membership meetings. The minutes should clearly indicate when a particular policy was voted on and adopted.

Thank you for your help in this matter. I'm only replying to this post, and not the other two places where you posted the same message.

 

Steve Mencik
CISSP, ISSAP, ISSEP #10288

dwinner
Newcomer I

Good start Graham. Thanks for showing an interest in what at least a few members are interested to know. Engaging the members is a good idea. You have shown us that there is some value in contributing to this community.
mencik
Contributor III


@dwinner wrote:
You have shown us that there is some value in contributing to this community.

Too bad there was very little follow-up to this thread.

wimremes
Contributor III

Interestingly, a few months ago the organization announced that they would move the corporate HQ to the general DC area. This is also reflected on the website which now mentions the following address as its corporate HQ:

1650 King Street, Suite 200
Alexandria, VA 22314
United States

 

However, a PDF can be found on this link that states the following:

---

Identification Number: 043064434 I, GRAHAM JACKSON X Clerk Assistant Clerk , of INTERNATIONAL INFORMATION SYSTEM SECURITY CERTIFICATION CONSORTIUM, INC. having a principal office at: 311 PARK PLACE BLVD. SUITE 400 CLEARWATER , FL 33759 USA certify that pursuant to General Laws, Chapter 180, Section 10C, the directors of said corporation have changed the location of the principal office of the corporation to: No. and Street: 225 CEDAR HILL STREET #200 City or Town: MARLBOROUGH State: MA Zip: 01752 Country: USA SIGNED UNDER THE PENALTIES OF PERJURY, this 4 Day of March, 2022, GRAHAM JACKSON , Clerk / Assistant Clerk.

---

 

I've checked previous documents in order to rule out that it would be an administrative change but they have always used the Tampa address previous to the "address change". It should be logical that the address change is to the Virginia location. The Marlborough address is not listed anywhere on the ISC2 website ...



Sic semper tyrannis.
mencik
Contributor III


@dwinner wrote:

This is a good test for this "Community". Does this Community mean anything? Is it genuinely intended to create effective dialog? If so, we will see a response to this simple and very reasonable request. If not, then we can regress to the petition (500 letters) process. 


I must say, the "test" was a failure.

CISO-Italiano
Newcomer III

Is this thread getting any traction? Has anybody from the Board given explanations - which you could maybe share? Just to know 🙂

mencik
Contributor III


@CISO-Italiano wrote:

Is this thread getting any traction? Has anybody from the Board given explanations - which you could maybe share? Just to know 🙂


I sent you a Private Message rather than air my thoughts publicly here.