Introduction
• None of us agree easily on risks, issues, the scale of the threat, the seriousness of vulnerabilities, speed to market, the need for connectivity (in the context of IoT), recommended solutions, implementation of standards, best/good practice, or evidence of compliance for audit or legislative purposes.
• We seem to spend a lot of time admiring the problem, collectively, and yet in reality "we" are failing. More breaches are continually being reported, and experienced, so we cannot hold our heads up high and claim that we are succeeding.
• If we always do what we've always done, we'll always get what we've always got... We clearly need to consider working differently.
First came Emotional Intelligence
Emotional intelligence (EI) or emotional quotient (EQ) is the capacity of individuals to recognize their own, and other people's emotions, to discriminate between different feelings and label them appropriately, and to use emotional information to guide thinking and behavior.
https://en.wikipedia.org/wiki/Emotional_intelligence
Then came Human Factors
• Human factors and ergonomics (HF&E), also known as comfort design, functional design, and systems, is the practice of designing products, systems, or processes to take proper account of the interaction between them and the people who use them.
• https://en.wikipedia.org/wiki/Human_factors_and_ergonomics
• We’ve been seeking to address this for more than 16 years – from our “security” viewpoint
• We have insufficient evidence of success
Growing Pains
• But what about:
– Passion
– Drive
– Petulance - the quality of being childishly sulky or bad-tempered
– Ego
– Histrionics - melodramatic behaviour designed to attract attention
– Trust
– Belief
– Management Hubris
– Dumbing Down – read this – it's spreading! http://www.sott.net/article/313177-The-cult-of-ignorance-in-the-United-States-Anti-intellectualism-and-the-dumbing-down-of-America
• Find the time to learn rather than know
The Grant of Royal Charter
First Royal Charters were granted in the 13th Century – to the Universities of Cambridge and Oxford
Thereafter, trade guilds, academic institutions and charities
First chartered body – recognised as a traditional profession – the Royal College of Physicians (established in 1518)
Only 3 or 4 more in the next 300 years
19th Century – Industrial Revolution
Next 300 Royal Charters granted in just 80 years, including solicitors, accountants, engineers, architects and surveyors (and in 1890, even journalists)
Change is a constant
• Concerns now exist – suspicions remain
• From the outside in: professions seek protectionism and restraint of trade
• From the inside out: slow to change, and obstruct the development of new and better ways of working and collaborating
• Loss of public trust
• Tectonic shift in professions
• Professions perform a valuable role and are adaptable
• Change can be both inexorable and an existential threat
• Requires imagination, innovation and information to maintain forward-looking solutions
Characteristics of a Profession
• Control by a governing body which directs the behaviours of its members, sets adequate standards of entry-level education and continuing competence, and sets ethical rules and professional standards
• Rules and standards are higher than those established by the general law and are designed for the benefit of the public and not for private advantage
• A membership which is independent in thought and outlook, but subordinates its private interests in favour of support for the governing body and observes its rules and standards
• Disciplinary action if rules and standards are not observed or in the event of bad work
• Providing leadership:
– At an institutional level - an obligation to develop and disseminate a genuine body of knowledge
– At an individual level - the requirement to exercise judgement
Source: Lord (Henry) Benson, 1992 House of Lords debate, in Morrell, P. (2016), Professions pulled from their pedestal, Management Today, February, p.44
Features of Professions
• Forward-looking educational standards
• Benchmarking the expertise of members
• Transparent and enforced code of ethics
• Moving from a tendency to exclusivity (centred on members’ interests) to one of inclusivity (centred on a defined duty to serve the public interest)
• Development and dissemination of a relevant body of knowledge
• Demonstration of leadership on some of the great issues of the day
• Thus, represents a vocation
Source: Morrell, P. (2016), Professions pulled from their pedestal, Management Today, February, p.46
ISC2 Code of Ethics
• All information systems security professionals who are certified by (ISC)² recognize that such certification is a privilege that must be both earned and maintained. In support of this principle, all (ISC)² members are required to commit to fully support this Code of Ethics (the "Code"). (ISC)² members who intentionally or knowingly violate any provision of the Code will be subject to action by a peer review panel, which may result in the revocation of certification. (ISC)² members are obligated to follow the ethics complaint procedure upon observing any action by an (ISC)² member that breach the Code. Failure to do so may be considered a breach of the Code pursuant to Canon IV.
Code of Ethics Preamble:
• Safety of the commonwealth, duty to our principals, and to each other requires that we adhere, and be seen to adhere, to the highest ethical standards of behavior. Therefore, strict adherence to this Code is a condition of certification.
Code of Ethics Canons:
1. Protect society, the commonwealth, and the infrastructure
2. Act honorably, honestly, justly, responsibly, and legally
3. Provide diligent and competent service to principals
4. Advance and protect the profession
https://isc2chapter-phoenix.org/index.php/membership/isc-2-code-of-ethics
BCS Code of Conduct
• BCS, The Chartered Institute for IT, champions the global IT profession and the interests of individuals engaged in that profession for the benefit of all.
• Applies to all members, irrespective of their membership grade, the role they fulfil, or the jurisdiction where they are employed or discharge their contractual obligations.
• Professional Competence and Integrity
You shall:
a) only undertake to do work or provide a service that is within your professional competence.
b) NOT claim any level of competence that you do not possess.
c) develop your professional knowledge, skills and competence on a continuing basis, maintaining awareness of technological developments, procedures, and standards that are relevant to your field.
d) ensure that you have the knowledge and understanding of Legislation* and that you comply with such Legislation, in carrying out your professional responsibilities.
e) respect and value alternative viewpoints and seek, accept and offer honest criticisms of work.
f) avoid injuring others, their property, reputation, or employment by false or malicious or negligent action or inaction.
g) reject and will not make any offer of bribery or unethical inducement.
http://www.bcs.org/category/6030
ISSA Code of Ethics
• The primary goal of the Information Systems Security Association, Inc. (ISSA) is to promote practices that will ensure the confidentiality, integrity, and availability of organizational information resources. To achieve this goal, members of the Association must reflect the highest standards of ethical conduct. Therefore, ISSA has established the following Code of Ethics and requires its observance as a prerequisite for continued membership and affiliation with the Association.
• As an ISSA member, guest and/or applicant for membership, I have in the past and will in the future:
• Perform all professional activities and duties in accordance with all applicable laws and the highest ethical principles;
• Promote generally accepted information security current best practices and standards;
• Maintain appropriate confidentiality of proprietary or otherwise sensitive information encountered in the course of professional activities;
• Discharge professional responsibilities with diligence and honesty;
• Refrain from any activities which might constitute a conflict of interest or otherwise damage the reputation of or is detrimental to employers, the information security profession, or the Association; and
• Not intentionally injure or impugn the professional reputation or practice of colleagues, clients, or employers.
http://www.issa.org/?page=codeofethics
ISACA Code of Ethics
• ISACA sets forth this Code of Professional Ethics to guide the professional and personal conduct of members of the association and/or its certification holders. Members and ISACA certification holders shall:
• Support the implementation of, and encourage compliance with, appropriate standards and procedures for the effective governance and management of enterprise information systems and technology, including: audit, control, security and risk management.
• Perform their duties with objectivity, due diligence and professional care, in accordance with professional standards.
• Serve in the interest of stakeholders in a lawful manner, while maintaining high standards of conduct and character, and not discrediting their profession or the Association.
• Maintain the privacy and confidentiality of information obtained in the course of their activities unless disclosure is required by legal authority. Such information shall not be used for personal benefit or released to inappropriate parties.
• Maintain competency in their respective fields and agree to undertake only those activities they can reasonably expect to complete with the necessary skills, knowledge and competence.
• Inform appropriate parties of the results of work performed including the disclosure of all significant facts known to them that, if not disclosed, may distort the reporting of the results.
• Support the professional education of stakeholders in enhancing their understanding of the governance and management of enterprise information systems and technology, including: audit, control, security and risk management.
• Failure to comply with this Code of Professional Ethics can result in an investigation into a member's or certification holder's conduct and, ultimately, in disciplinary measures.
http://www.isaca.org/Certification/Code-of-Professional-Ethics/Pages/default.aspx
IISP Code of Ethics
• A profession is distinguished by certain characteristics, including:
• mastery of a particular intellectual skill, acquired by training, education and experience;
• adherence by its members to a common set of values and code of conduct; and
• acceptance of a duty to society as a whole.
Objectives
• This code of ethics recognises that the objectives of the information security profession are that its members should work to the highest standards of professionalism and that their work should fully satisfy the needs of all stakeholders and those of society as a whole. These objectives require that three basic needs are satisfied, namely:
• Trust - for employers, clients, regulators, other interested parties and for society as a whole there is a need for trust in information and information systems and in the practitioners working in those fields
• Quality - there is a need for assurance that all services obtained from an information security professional are carried out to the highest levels of performance
• Standards - users of the services of information security professionals should be confident that a framework of professional ethics and technical standards exists, which governs the provision of those services.
https://www.iisp.org/imis15/iisp/Member/IISP_Code_of_Ethics.aspx