Tuesday, November 07, 2006

Who Needs CISSP for Ethics?

Last year I discussed the value of the CISSP with respect to its code of ethics. Today while renewing my ISSA membership, I was presented with the following:

The primary goal of the Information Systems Security Association, Inc. (ISSA) is to promote practices that will ensure the confidentiality, integrity, and availability of organizational information resources. To achieve this goal, members of the Association must reflect the highest standards of ethical conduct. Therefore, ISSA has established the following Code of Ethics and requires its observance as a prerequisite for continued membership and affiliation with the Association.

As an applicant for membership and as a member of ISSA, I have in the past and will in the future:

* Perform all professional activities and duties in accordance with all applicable laws and the highest ethical principles;
* Promote generally accepted information security current best practices and standards;
* Maintain appropriate confidentiality of proprietary or otherwise sensitive information encountered in the course of professional activities;
* Discharge professional responsibilities with diligence and honesty;
* Refrain from any activities which might constitute a conflict of interest or otherwise damage the reputation of employers, the information security profession, or the Association; and
* Not intentionally injure or impugn the professional reputation or practice of colleagues, clients, or employers.

Please check the box indicating you have read the above statement and agree to its principles:

It looks to me like ISSA has the ethics bases covered. If I agree to that statement, I get as much value as being a CISSP as far as ethics goes.

Unfortunately, misdirected efforts like DoD 8570.1 attach significance to the CISSP out of all proportion to its worth.


Tim B said...

The CISSP Code of Ethics has much greater depth and breadth. Not defending the cert, per se, just pointing out its Code of Ethics is still pretty good. But most people who have CISSP creds probably aren't even aware of it.

As far as Certs go, they are a necessary evil in the business. Like you said earlier, it's just a way to get past the HR screening process.

Chris_B said...

Until this year I shared your lack of enthusiasm for certs in general. Now I have my CISSP. I started thinking about certs like this: most system specific certs are like a high school diploma, some things like ITIL service delivery foundation are like a trade school diploma, the CISSP is like a BS/BA. Of course this is very loosely mapped, of course you could think of certs in the same way that trade guilds had various rankings for their practitioners: apprentice, journeyman, craftsman, master craftsman, etc. The thing is that it is up to us as practitioners of a trade to create these differentiations of skill levels in a way which is persuasive to those outside the trade.

Anonymous said...

If I weren't ethical, would I have any qualms about checking the box claiming to follow a certain set of ethical rules?

Codes of ethics for professional bodies are good, but unless that body has some disciplinary authority beyond merely revoking membership, the ethics codes have about the same validity as the good old loyalty oaths of the 1950s.

Anonymous said...

I would have to remark that a code of ethics is not just what is described on paper. It is a mannerism and attitude that shines on those who endorse it. If someone mocks it ... well then maybe they have chosen the wrong career.

Anonymous said...

Having a CISSP did not give me ethics. The way I learned and was taught, military service, and 17 years in the information security field have given me ethics. What the CISSP and their code of ethics gives me is something others can see as an ethical professional who has been around for a while. It is a good point that a CISSP certification does not mean that you can write firewall rules and secure a network infrastructure. However, to get an acceptable score on that exam you better have created a rule or two on a firewall, used PGP, or set up an IDS network. The test does not give you specific design questions but you have to have at least worked in the trenches a little to understand all of the concepts necessary to pass.

Anonymous said...

I'm sitting for the CISSP test at the end of November. I think of the certification as more of a single college course than a BA. When I do get the cert, I won't put it in my email signature. I don't list my SANS certs, or any of my college degrees, so it seems silly to list the CISSP. However, I will be happy to have it on my resume to get through the screening process.

Raemius said...

I recently wrote and passed my CISSP examination. Unfortunately, I will have to agree with most of what you have written; it does not reflect a level of technical understanding of IT security. I do think, however, that it does make a more technical person 'think outside the box' so to speak, and forces them to learn about things outside their domain. For example, I spent little time learning about processes around disaster recovery and physical security, but while preparing for the exam, I read books, articles and papers specific to these subjects. So while the CISSP cert may not be golden, what one is forced to learn while preparing for it can be invaluable. In my case, only a fraction of what I studied in preparation was actually covered during the test.

The issue I see is the 'CISSP Boot Camps' or 'examination review' classes. Two weeks before the exam, I called ISC^2 to confirm the location, and I was asked if I had taken their exam review courses. When I indicated I had not, the individual on the phone suggested I would have a much better chance of passing through the course rather than self study. I believe this contradicts the spirit of the certification as an 'experience based' cert.

If ISC^2 wants to maintain the credibility of the CISSP designation, boot camps and exam review classes have to go.