Law and Ethics

Ethics are the principles and values used by an individual to govern his or her actions and decisions.

In information security, ethics guide professionals to act responsibly and make decisions that protect individuals, organizations, and society.

Relationship Between Law and Ethics

There is an important relationship between laws and ethics, although they are not the same. Ethics are based on socially accepted moral values and principles, while laws are formal rules and regulations established by authorities.

In many cases, laws are derived from ethical standards and are designed to enforce acceptable behavior. However, ethics go beyond legal requirements and help guide behavior in situations where laws may not apply.

Differences Between Law and Ethics

The key differences between law and ethics include:

  • Ethics are moral values and principles adopted socially
  • Laws are rules and regulations set by authorities
  • Laws are often based on ethics
  • Not all unethical actions are illegal

This means that something can be legal but still unethical.

Many actions that are considered unethical are not prohibited by law. For example, lying or betraying the confidence of a friend may not be illegal, but they are clearly unethical.

This highlights the importance of personal integrity and ethical responsibility beyond just following the law.

Professional Ethics

Professional ethics refers to the standards of behavior expected from individuals within a profession. It includes both personal conduct and organizational expectations.

Upholding professional ethics means being committed to following established guidelines and best practices in all professional activities.

Key Principles of Professional Ethics

Professional ethics is built on several important principles:

  • Acting in accordance with professional guidelines and best practices
  • Prioritizing the greater good over personal interest
  • Maintaining integrity, trust, and accountability
  • Ensuring responsible and ethical decision-making

Codes of Conduct and Enforcement

Most professions establish internal codes of conduct that define acceptable behavior. These codes ensure consistency and professionalism across the field.

To maintain these standards, disciplinary mechanisms are used. These allow professional bodies to:

  • Define standards of conduct
  • Ensure members follow these standards
  • Take disciplinary action when necessary

This helps maintain the integrity and trustworthiness of the profession.

ISC2 Code of Ethics

CISSP candidates are required to subscribe to and support the ISC2 Code of Ethics.

This code defines the ethical responsibilities of information security professionals and ensures that they act with integrity, responsibility, and professionalism.

The code emphasizes that security professionals must adhere to the highest ethical standards in all their actions. This includes not only behaving ethically but also being seen to behave ethically, as trust and credibility are essential in the field of information security.

Adherence to this code is not optional; it is a mandatory condition for obtaining and maintaining CISSP certification.

Purpose of the Code of Ethics

The ISC2 Code of Ethics is designed to ensure that professionals:

  • Protect the safety and welfare of society
  • Maintain public trust and confidence
  • Act in alignment with professional principles
  • Support ethical behavior within the profession

The Four Mandatory Canons

The ISC2 Code of Ethics is based on four mandatory canons that all certified professionals must follow:

  • Protect society, the common good, public trust, and infrastructure
  • Act honorably, honestly, justly, responsibly, and legally
  • Provide diligent and competent service to principals
  • Advance and protect the profession

These canons form the foundation for ethical decision-making in the field of cybersecurity.

Ethical Obligations and Enforcement

ISC2 members are obligated to take action when they observe unethical behavior. This includes following the formal ethics complaint procedure if another member violates the code.

Failure to report such violations may itself be considered a breach of the code, particularly under the responsibility to advance and protect the profession.

Certification as a Privilege

All information security professionals certified by ISC2 must recognize that certification is a privilege, not a right. It must be earned through knowledge and maintained through continuous adherence to ethical standards.

Members are expected to fully commit to the Code of Ethics and uphold its principles throughout their professional careers.

Organizational Code of Ethics

An organizational code of ethics is a set of overarching principles and ideals that guide an organization’s decisions and actions during its operations and service delivery.

It provides a foundation for ethical behavior across all levels of the organization.

This code defines the moral and ethical responsibilities that must be followed by the governing body, employees, and even volunteers while representing the organization.

Purpose and Authority

An organizational code of ethics is typically a formal policy document that is approved and supported by senior management. This ensures that ethical standards are not optional but are enforced and integrated into the organization’s culture.

The code establishes clear expectations for behavior and helps ensure consistency in decision-making across the organization.

Defining Acceptable Behavior

A key function of the code of ethics is to clearly define acceptable and unacceptable behavior within the organization. It helps prevent misconduct by setting boundaries and expectations.

Examples of unacceptable behavior may include:

  • Racial discrimination
  • Religious discrimination
  • Sexual harassment
  • Any form of unethical or inappropriate conduct

By defining these clearly, organizations create a safer and more respectful working environment.

Ethical Organizational Culture

An ethical organizational culture is built when both leaders and employees consistently follow the code of ethics. Leadership plays a crucial role in setting the tone and demonstrating ethical behavior.

Organizations that invest in developing and enforcing ethical policies and procedures foster a positive and trustworthy workplace environment.

Benefits of a Code of Ethics

A well-defined code of ethics provides several important benefits:

  • Helps define clear standards of behavior in the workplace
  • Guides decision-making in difficult or controversial situations
  • Encourages ethical actions through structured policies and procedures
  • Builds a positive corporate culture
  • Increases consumer confidence and trust
  • Enhances customer loyalty through ethical practices

Conclusion

An organizational code of ethics is essential for maintaining integrity, accountability, and trust within an organization. By promoting ethical behavior and providing clear guidelines, it supports both internal culture and external reputation.