Josh Hogan

Chapter 3 - Legal, Ethical, and Professional Issues in Information Security


1)      What does CISSP stand for? Use the Internet to identify the ethical rules CISSP holders have agreed to follow.

-        CISSP, or Certified Information Systems Security Professional, is an independent security certification from the International Information Systems Security Certification Consortium. There are a few ethical rules that the holders of these certs have to follow. First, they have agreed to “protect society, the commonwealth, and the infrastructure,” meaning they must understand proper information security measures while also discouraging unsafe security practices and strengthening the integrity of the public infrastructure. Second, they also must “act honorably, honestly, justly, responsibly, and legally.” They have to be honest, tell the truth, and honor commitments and arrangements. They must be objective and fair with those they deal with. The next ethical standard is to “provide diligent and competent service to principals,” which means that they should avoid conflicts of interest while maintaining trust. And lastly, they must “advance and protect the profession,” meaning they should keep their skills sharp and always be ahead of the trend.

2)      For what kind of information security jobs does the NSA recruit? Use the internet to visit its Web page and find out.

-        The NSA security job environment is focused heavily on computer science. They need workers who can analyze and dissect huge amounts of data at a fast speed. This computer science field is time consuming, and that time is spent solving many problems and researching solutions. Working here, you will be able to maximize your knowledge, skills, initiative, and creativity as you learn. The jobs that are available at the NSA are Computer Network Operations, Information Systems Security, Vulnerability Discovery, Information Assurance, Project Management, Database Management, Telecommunications, Information Resource Management, Object-oriented Programming, and Graphics and Web Design.

Case Exercises

Discussion Questions

1)      Should Iris have approached Henry directly, or was the hotline the most effective way to take action? Why do you think so?

-        I think that the hotline was the most effective way that she could have taken this action. It was anonymous, which makes it a good option, so she could report any weird or suspicious activity or any breaks in policy at her organization. She won’t face any problems even though she did happen to identify herself.

2)      Should Gladys call the legal authorities? Which agency should she call?

-        Yes, in this case, I think that the authorities should be called. I think the information security team should be notified first; then I think the appropriate agency to notify after this would be the FTC (Federal Trade Commission).

3)      Do you think this matter needs to be communicated elsewhere inside the company? Who should be informed and how? How about outside the company?

-        Inside the company, you should report this activity to any and all of your higher management. It is highly important that you run this up the chain of command as quickly as possible. You should also be notifying your information security team so they know about this as well. Outside the company, you should notify the FTC, but if this didn’t affect any outside networks or sources, nobody else should find out, and it should be kept as quiet as possible to avoid public scrutiny.

Ethical Decision Making

It seems obvious that Henry is doing something wrong. Do you think Henry acted in an ethical manner? Did Iris act in an ethical manner by determining the owner of the flash drive? Assuming that this incident took place in the United States, what law or laws has Henry violated? Suppose Iris had placed the flash drive back at the coffee station and forgotten the whole thing. Explain why her action would have been ethical or unethical.

-        What Henry did was not ethical in the slightest. He used the flash drive without permission from the company; he knew he shouldn’t have, but he did it anyway. Iris acted in a completely ethical way. If Iris had left this at the coffee station and forgotten about it, then it would have been unethical behavior, because she knew about it but didn’t blow the whistle. There are security laws that get violated in this issue, which is why it is unethical and troublesome.