Who Needs CISSP for Ethics?

Last year I discussed the value of the CISSP with respect to its code of ethics. Today while renewing my ISSA membership, I was presented with the following:

The primary goal of the Information Systems Security Association, Inc. (ISSA) is to promote practices that will ensure the confidentiality, integrity, and availability of organizational information resources. To achieve this goal, members of the Association must reflect the highest standards of ethical conduct. Therefore, ISSA has established the following Code of Ethics and requires its observance as a prerequisite for continued membership and affiliation with the Association.

As an applicant for membership and as a member of ISSA, I have in the past and will in the future:

* Perform all professional activities and duties in accordance with all applicable laws and the highest ethical principles;
* Promote generally accepted information security current best practices and standards;
* Maintain appropriate confidentiality of proprietary or otherwise sensitive information encountered in the course of professional activities;
* Discharge professional responsibilities with diligence and honesty;
* Refrain from any activities which might constitute a conflict of interest or otherwise damage the reputation of employers, the information security profession, or the Association; and
* Not intentionally injure or impugn the professional reputation of practice of colleagues, clients, or employers.

Please check the box indicating you have read the above statement and agree to its principles:

It looks to me like ISSA has the ethics bases covered. If I agree to that statement, I get as much value as being a CISSP as far as ethics goes.

Unfortunately, misdirected efforts like DoD 8570.1 attach significance to the CISSP out of all proportion to its worth.

Comments

Anonymous said…
The CISSP Code of Ethics has much greater depth and breadth. Not defending the cert, per se, just pointing out its Code of Ethics is still pretty good. But most people, who have CISSP creds probably aren't even aware of it.

As far as Certs go, they are a necessary evil in the business. Like you said earlier, it's just a way to get past the HR screening process.
4:43 PM
Anonymous said…
Until this year I shared your lack of enthusiasm for certs in general. Now I have my CISSP. I started thinking about certs like this: most system specific certs are like a high school diploma, some things like ITIL service deliver foundation are like a trade school diploma, the CISSP is like a BS/BA. Of course this is very loosely mapped, of course you could think of certs in the same way that trade guilds had various rankings for their practitioners: apprentice, journeyman, craftsman, master craftsman, etc. The thing being is that it is up to us as practitioners of a trade to create these differentiations of skill levels in a way which is persuasive to those outside the trade.
8:40 PM
Anonymous said…
If I weren't ethical, would I have any qualms about checking the box claiming to follow a certain set of ethical rules?

Code of ethics for professional bodies are good, but unless that body has some disciplinary authority beyond merely revoking membership, the ethics codes have about the same validity as the good old loyalty oaths of the 1950's.
3:59 PM
Anonymous said…
I would have to remark that a code of ethics is not just what is described on paper. It is a mannerism and attitude that shines on those who endorse it. If someone mocks it ... well then maybe they have chosen the wrong career.
10:41 AM
Anonymous said…
Having a CISSP did not give me ethics. The way I learned and was taught, military service, and 17 years in the information security field has given me ethics. What the CISSP and their code of ethics gives me is something others can see as an ethical professional who has been around for a while. It is a good point that a CISSP certification does not mean that you can write firewall rules and secure a network infrastructure. However to get an acceptable score on that exam you better have created a rule or two on a firewall, used PGP, or set up an IDS network. The test does not give you specific design questions but you have to have at least worked in the trenches a little to understand all of the concepts necessary to pass.
11:13 AM
Anonymous said…
I'm sitting for the CISSP test at the end of November. I think of the certification as more of a single college course than a BA. When I do get the cert, I won't put it in my email signature. I don't list my SANS certs, or any of my college degrees, so it seems silly to list the cissp. However, I will be happy to have it on my resume to get through the screening process.
5:05 PM
Raemius said…
I recently wrote and passed my CISSP examination. Unfortunately, I will have to agree with most of what you have written, it does not reflect a level of technical understanding of IT security. I do think however, that it does make a more technical person 'think outside the box' so to speak, and forces them to learn about things outside their domain. For example, I spent little time leaning about processes around disaster recovery and physical security, but while preparing for the exam, I read books, articles and papers specific to these subject. So while the CISSP cert may not be golden, what one is forced to learn while preparing for it can be invaluable. In my case, only a fraction of what I studied in preparation was actually covered during the test.

The issue I see is the 'CISSP Boot Camps' or 'examination review' classes. Two weeks before the exam, I called ISC^2 to confirm the location, and I was asked if I had taken their exam review courses. When I indicated I had not, the individual on the phone suggested I would have a much better chance of passing through the course rather than self study. I believe this contradicts the spirit of the certification as an 'experience based' cert.

If ISC^2 wants to maintain the credibility of the CISSP designation, boot camps and exam review classes have to go.
4:25 PM
Post a Comment

Popular posts from this blog

Zeek in Action Videos

Image
This is a quick note to point blog readers to my Zeek in Action YouTube video series for the Zeek network security monitoring project .  Each video addresses a topic that I think might be of interest to people trying to understand their network using Zeek and adjacent tools and approaches, like Suricata, Wireshark, and so on.  I am especially pleased with Video 6 on monitoring wireless networks . It took me several weeks to research material for this video. I had to buy new hardware and experiment with a Linux distro that I had not used before -- Parrot .  Please like and subscribe, and let me know if there is a topic you think might make a good video.
Read more

MITRE ATT&CK Tactics Are Not Tactics

Image
Just what are "tactics"? Introduction MITRE ATT&CK  is a great resource, but something about it has bothered me since I first heard about it several years ago. It's a minor point, but I wanted to document it in case it confuses anyone else. The MITRE ATT&CK Design and Philosophy document from March 2020 says the following: At a high-level, ATT&CK is a behavioral model that consists of the following core components: • Tactics, denoting short-term, tactical adversary goals during an attack; • Techniques, describing the means by which adversaries achieve tactical goals; • Sub-techniques, describing more specific means by which adversaries achieve tactical goals at a lower level than techniques; and • Documented adversary usage of techniques, their procedures, and other metadata. My concern is with MITRE's definition of "tactics" as "short-term, tactical adversary goals during an attack," which is oddly recursive. The key word in the tacti
Read more

New Book! The Best of TaoSecurity Blog, Volume 4

Image
  I've completed the TaoSecurity Blog book series . The new book is  The Best of TaoSecurity Blog, Volume 4: Beyond the Blog with Articles, Testimony, and Scholarship .  It's available now for Kindle , and I'm working on the print edition.  I'm running a 50% off promo on Volumes 1-3 on Kindle through midnight 20 April. Take advantage before the prices go back up. I described the new title thus: Go beyond TaoSecurity Blog with this new volume from author Richard Bejtlich. In the first three volumes of the series, Mr. Bejtlich selected and republished the very best entries from 18 years of writing and over 18 million blog views, along with commentaries and additional material.  In this title, Mr. Bejtlich collects material that has not been published elsewhere, including articles that are no longer available or are stored in assorted digital or physical archives. Volume 4 offers early white papers that Mr. Bejtlich wrote as a network defender, either for technical or pol
Read more