This article can also be found in the Premium Editorial Download "Information Security magazine: Lessons learned from good and bad NAC implementations."
A little more than a year ago, I wrote a Perspectives column about the role of ethics in information security certifications offered by ISACA, GIAC, (ISC)2 and ASIS. My main point was that the ethics requirements in these certification programs were in place purely as a mechanism for protecting the certification's reputation and not out of any actual concerns about the daily behavior of its constituency.
The essence of this argument was that none of the certification organizations train their members about ethical issues or even bother to have certification holders review a code of ethics and reaffirm their adherence to the code. Additionally, I took issue with the fact that the various organizations have different systems for handling ethics violations with different levels of transparency.
My column last summer prompted several interesting responses that taught me two things. First, I learned that SANS--which provides training for GIAC certifications--does in fact have a class that specifically covers ethics (MGMT 418). It's good to hear SANS has a class on ethics so that people who are particularly concerned about ethics have available training. But this does not resolve my general concerns that the organizations don't have ethics as a pervasive part of the curriculum, nor do they make ethics in any way part of the certification maintenance
Second, I learned that (ISC)2, GIAC, ISACA and ASIS decided--after a panel discussion about ethics at last year's RSA Conference--that a uniform code of ethics for all the organizations was a really good idea. So they formed a cross-organizational committee to create exactly that. This certainly addresses my concerns last year about significant inconsistencies between the organizations' policies. I was also informed by a member of the committee that although the different groups would separately handle ethics violations, there was an effort to standardize their processes so they would be as similar as possible.
While this is a nice step forward, more than a year later nothing has been published publicly about it other than a website, which was still under construction as of this summer. It also was quite disappointing to hear that the new ethics policies and procedures would not be available for comment by members of the organizations prior to their adoption by the various boards. This disregard for the members' thoughts and opinions on such a contentious topic is offensive.
It's standard practice in most organizations to at least solicit feedback, if not hold a full member vote, before implementing changes of this magnitude. The working group also declined my repeated offers of feedback on their efforts.
All in all, the insular attitude about this project continues to reinforce my belief that the certification groups don't really care about their constituencies, but rather are still acting to protect their reputations. It makes their motivations behind creating the working group questionable.
Really what we have is lipstick on a pig. We have a situation where nothing has changed, and a group of organizations that purports to speak for the industry but refuses to engage with its members. When dealing with ethics, transparency is key, and it is a bad sign when our representatives won't give us details on their plans for dealing with such an important issue. As I said in my last column on this issue, if we want to be viewed as trusted professionals, we need to demonstrate that we are worthy of trust, and a true ethics program is one of the ways we can do so. Color me disappointed and disillusioned.
This was first published in September 2008