Integrity and intellectual property

On some of my mailing lists I have seen messages recently that suggest that persons are willing to send and receive copyright materials.

Exercise extreme caution when offering or accepting study materials that are not in their *original* form. If you transmit or receive electronic (or paper) copies of copyright materials such as study guides or study questions, there is a good chance that both the sender and receiver are breaking international copyright laws, which is both a crime as well as a violation of the ISACA Code of Ethics.

Sending or accepting such materials also compromises your personal and professional integrity. This will make you ineffective as IT audit professionals and leaders. See these two articles for more information:

Personal integrity: the keystone in an infosec career

A call for character and integrity

The road of higher integrity is not always the easy road. Taking the path of high integrity requires sacrifice and it is often difficult. You will, however, be a better person for it, both personally and professionally. And your conscience will allow you to sleep at night!

What security professionals can learn from Eliot Spitzer

Eliot Spitzer, the [soon-to-be-former] governor of New York State has resigned due to his being involved in a highly publicized sex scandal.

Corporate security professionals, time to sit up and take notice. I’m talking to CISSPs, CISAs, CISMs, and those in positions of ISO, ISSO, CISO, as well as Manager / Director / VP of IT Security.

As I have opined before, we are obliged to lead our organizations by example, in terms of prescribing and demonstrating desired behavior of employees on the protection of all corporate assets, including information. Leading by example means working transparently, of working every hour as though others are watching.

Eliot Spitzer gave in to his carnal desires and indulged in prostitution because he thought that he could keep it hidden. But behavior is like pouring water onto a sponge: for a time the sponge will soak up the water, keeping its presence hidden; eventually, however, the water – like the illicit behavior – will overflow and be impossible to hide. But like a frog in boiling water, Gov. Spitzer probably indulged in small ways at first, but proceeded slowly until he was no longer in control of his behavior / addiction.

Security professionals, there are steps that you can take to avoid falling into a trap of undesired behavior:

1. Be accountable. Pick two or more peers with whom you can meet every week to discuss your activities. These individuals must be trustworthy and themselves above reproach.

2. When you feel the tug of undesired behavior, confide in these accountability partners. Then, listen to their advice; if it is sound, heed it.

3. When you partake in undesired behavior, confess it to your accountability partners. Listen to their counsel; if they are loyal and have personal integrity, they will not chastise you for your behavior but instead help you to get back onto the right track.

4. Keep no secrets. Tell your accountability partners everything that you do. Keep nothing back. Share even the deep recesses of your “thought life” – which is the kernel of future behavior.

While it will be convenient to select accountability partners from the workplace, you should not choose your superiors or your staff. Instead I recommend that you choose individuals in your organization who you do not work with routinely or, better yet, choose individuals who do not work in your organization.

You can only be accountable to others when you allow yourself to be accountable to you.

Some principles of behavior:

A. If you were an outsider and would judge or criticize your own behavior, spend more time seriously considering what you are doing, and get yourself onto a path of change.

B. Do not be afraid to ask for help.

C. Learn to forgive yourself for your mistakes.

D. Do not give up.

There is an old saying: “There is no such thing as a complete failure; they can always be used as a bad example.” Gov. Spitzer may be a bad example today, but his example should help others to be introspective and re-examine their own behavior.

Remember the security professional codes of ethics:

(ISC)²
ISACA
ASIS
CTIN
ISSA
GIAC
InfraGard
SANS
NCISS

Other postings:

CIA Triad also the basis for our ethical behavior

A call for character and integrity

Principles that guide the Christian security professional

Personal integrity the keystone in an information security career

Integrity begins within: security pros lead by example (Computerworld)

CIA Triad also the basis for our ethical behavior

The CIA Triad forms the core principles of information security: confidentiality, integrity, and availability. These principles govern how information and systems should be designed and managed.

The CIA Triad also applies to our professional behavior as information security professionals.

Confidentiality

We are obligated to keep many secrets – corporate secrets, staff secrets, and personal secrets. We must keep this confidential information under wraps and earn the trust of employers, colleagues, and regulators every day.

Integrity

We must act with integrity. We must develop sound policies and uphold them without bias. We must point out errors and misdeeds, dispassionately and objectively, in order to uphold the common good. We must seek out and defend the truth in all situations we find ourselves in.

Availability

Even when we may feel too weary to do so, we should be available for consultation to our employers and our colleagues. There are too few data security professional, and our counsel is needed often, especially when the advice that is sought has high-value outcomes.

Being available means we must manage our time well, to ensure that we are working on the truly important tasks and not merely the urgent ones. Risk professionals are influencers, and we must be sure to influence outcomes in situations that really matter.