Security and 3rd Parties
Service Provider Contractual Security
- Service Level Agreements (SLA) – Identify the key expectations that the vendor is contractually required to meet, such as performance, security and availability expectations.
- Attestation – Larger providers look to attestation to assure customers that they have gone through 3rd-party scrutiny and review. Examples are SAS70 and ISO27001; PCI-DSS uses a PCI Qualified Security Assessor (QSA) for attestation. For PCI, a Report of Compliance (ROC) and an Attestation of Compliance (AOC) may be issued to the organization.
- Right to penetration test/right to audit – Written approval for an organization to perform its own penetration testing, or to have a trusted provider perform the assessment on its behalf.
- Procurement – The security department should be involved before a solution or service is procured, so that informed, risk-based decisions can be made.
- Vendor governance or vendor management – The goal is to ensure that strategic partnerships between organizations continually provide the expected value.
- Acquisitions – Due diligence requires thorough risk assessment of any acquired company’s information security program. It requires vulnerability assessment and penetration testing of the acquired company before any merger of networks.
- Divestiture (de-mergers and de-acquisitions) – Management of the risks to sensitive data that arise when formerly unified companies are separated, e.g. shared passwords and accounts, credentials, etc.
ISC2 code of ethics – http://www.isc2.org/ethics/default.aspx
- The safety and welfare of society and the common good, duty to our principals, and to each other, requires that we adhere, and be seen to adhere, to the highest ethical standards of behavior.
- Therefore, strict adherence to this Code is a condition of certification.
Protect society, the common good, necessary public trust and confidence, and the infrastructure.
Security professionals are charged with promoting safe security practices and bettering the security of systems and infrastructure for the public good.
Act honorably, honestly, justly, responsibly, and legally.
- Due to varying laws in different jurisdictions, priority should be given to the jurisdiction in which services are being provided.
- Provide prudent advice, and refrain from promoting unnecessary fear, uncertainty and doubt.
Provide diligent and competent service to principals.
- Provide competent service that maintains the value and confidentiality of information and associated systems.
- Ensure there is no conflict of interest in providing quality services.
Advance and protect the profession.
Maintain your skills and advance the skills and knowledge of others. Do not associate in a professional capacity with those who might harm the profession.
Computer Ethics Institute
Ten commandments of Computer Ethics
- Thou shalt not use a computer to harm other people
- Thou shalt not interfere with other people’s computer work
- Thou shalt not snoop around in other people’s computer files.
- Thou shalt not use a computer to steal
- Thou shalt not use a computer to bear false witness.
- Thou shalt not copy or use proprietary software for which you have not paid.
- Thou shalt not use other people’s computer resources without authorization or proper compensation
- Thou shalt not appropriate other people’s intellectual output
- Thou shalt think about the social consequences of the program you are writing or the system you are designing
- Thou shalt always use a computer in ways that ensure consideration and respect for your fellow humans
IAB’s Ethics and the Internet
RFC 1087, the Internet Activities Board statement on ethics. The following practices are considered unethical:
- Seeks to gain unauthorized access to the resources of the Internet;
- Disrupts the intended use of the Internet;
- Wastes resources (people, capacity, computer) through such actions;
- Destroys the integrity of computer-based information;
- Compromises the privacy of users.