The CISSP exam (and any other (ISC)² exam) asks a few ethical questions. This question isn’t quite clear-cut enough for the test, I don’t think. But if you’re wondering what the test is like, this actually isn’t a bad thing to work through. My ethical questions on the test were more clear-cut than this, but the security questions weren’t.
I found myself in a situation lately that reminded me of a question that was on my test. I don’t remember the specifics, but it went something like this: Consider that you’re a consultant working for a firm, working on a project for a client. You see something in the recommendation you’re making that won’t work. You point it out to management, and management tells you not to fix it. What line of the (ISC)² code of ethics are you violating?
The answer I chose, and am 99.999% sure was correct, was, “Provide diligent and competent service to principals.” The idea being that you, as a CISSP, owe the client your diligence and your competence, not just the company that directly writes your paycheck.
I was recently assigned to write a business proposal. I was highly, highly qualified to write portions of it. One of the sections spoke to processes that I developed personally. Since nobody knows those processes better than me, of course it made sense for me to write it.
But there were some sections of the proposal that I have no background in. They spoke of management models, and applying management models to contractual requirements. All I knew about those particular management models was that they were industry-recognized management models. Did I understand the words I was stringing together? Actually, no. As far as I knew, I was writing set-ups for punch lines in Dilbert cartoons.
I wrote them. I wrote them under duress, but I wrote them.
The question is, did I do something unethical?
The two parts of the (ISC)² code of ethics that come to mind are “provide diligent and competent service to principals,” and “only take jobs you are qualified for.”
I’m in the gray area here, but I think I’m OK. Here’s why.
Regarding diligent and competent service to principals, it’s a business proposal. All I was doing was trying to sell a service. If my sales pitch revealed me as an incompetent manager, all I’ve done is make the company look bad. If what I wrote actually made sense and the sales pitch worked, that’s fine too–I was never going to be the manager in charge of the project. They probably wouldn’t have offered it to me, and I wouldn’t have taken it if they had.
So what about only taking jobs you’re qualified for?
Writing the proposal was a secondary responsibility, and not necessarily even official. I’m qualified for my day job and do it well. I took an assignment I wasn’t qualified for because the guy who was qualified to write those portions wouldn’t do it.
If someone dropped a ring down the drain in the bathroom, wouldn’t I unscrew the trap and see if I could retrieve it? I’m not a licensed plumber. But I would do it, as long as the company is willing to risk having to call in a real plumber to put it back together if I get in over my head.
Had the company won the contract and then offered me the management position, I would be obligated by my code of ethics to decline it. But we weren’t there yet.
So I think I’m OK here.
The project is in the gray area. There are times when a computer professional–CISSP or otherwise–has to go into the gray area. Sometimes there’s just no other way to learn. But if I’m going to go into a gray area, I want it to be my decision. And since it might be my certification on the line if I do something wrong, I want to be the one who decides under what conditions, and what precautions to take to make sure I don’t cross a line.
Now, like I said, I think the ethical questions you’ll see on the real exam will be much more clear-cut than this one. All of the ethical questions on my exam very clearly violated one tenet of either the (ISC)² code of ethics or the Internet Architecture Board RFC 1087. They probably were the easiest questions on the test.
The questions of more technical nature, though, tend not to be as straightforward. They’ll tend to be tangled and gray, like this question was. There’s a reason for that. The questions of compliance that I get on a day-to-day basis often are gray, not black and white. And, for that matter, the information I have to work with it isn’t always true, either. I have some stories I’m dying to tell, but I think it’ll be 2037 before I can.
David Farquhar is a computer security professional, entrepreneur, and author. He started his career as a part-time computer technician in 1994, worked his way up to system administrator by 1997, and has specialized in vulnerability management since 2013. He invests in real estate on the side and his hobbies include O gauge trains, baseball cards, and retro computers and video games. A University of Missouri graduate, he holds CISSP and Security+ certifications. He lives in St. Louis with his family.