CCT 029: Understanding and Adhering to Ethics (CISSP Domain 1)

Apr 20, 2023
CISSP Cyber Training

CCT 029 - RCR 126 - Adhere to and Promote Professional Ethics (1-4) - CISSP Domain 1.1

[00:00:00] Welcome to the CISSP Cyber Training Podcast, where we provide you the training and tools you need to pass the CISSP exam the first time. Hi, my name is Sean Gerber and I'm your host for this action-packed, informative podcast. Join me each week as I provide the information you need to pass the CISSP exam and grow your cybersecurity knowledge.

Alright, let's get started. Let's go. All right, so this is domain 1.1. We're gonna be talking about understanding and adhering to and promoting professional ethics. So these are some of the questions that you can expect to see in the CISSP exam. And so we're gonna kind of roll through all of these, uh, but I'm gonna probably chop 'em up into smaller bites that you'll have access to.

But, uh, we'll just go ahead and get started. So, question number one: what is the primary purpose of a professional code of ethics for information security professionals? A, to outline legal requirements for information security professionals. B, to provide guidelines [00:01:00] for ethical decision making in information security.

C, to ensure job security for information security professionals, or D, to establish industry standards for information security practices. So you notice all these questions are very similar. Uh, C stands out pretty quickly, about job security. You can throw that one out. But from an explanation standpoint:

The primary purpose of a professional code of ethics for information security professionals is to provide guidelines for ethical decision making. It helps professionals navigate ethical dilemmas and make informed decisions that are consistent with ethical principles and values. So the explanation is B, so the answer is B.

To provide guidelines for ethical decision making in information security. So, again, legal requirements will change. Established industry standards, that's usually not under ethics. And C is pretty easy to throw out because it's job security. Let's move on to the next question. [00:02:00]

An information security professional comes across a vulnerability in a system that they are responsible for. However, they decide not to disclose it to their organization or the system owner. What ethical principle is being violated in this scenario? You can look at, I think it was Uber or one of those, like I had that situation kind of occur.

A is confidentiality, B is integrity, C is availability, and D is accountability. Mm. Which one is it? So the information security professional comes across a vulnerability in a system they're responsible for securing; however, they decide not to disclose it to the organization or to the system owner. What ethical principle is being violated in this potential scenario?

A, confidentiality. B, integrity. C, availability. Or D, accountability. The explanation, or answer, is D. The ethical principle being violated in this scenario is accountability. Information security professionals [00:03:00] have their due responsibility to be transparent and accountable for their actions. This will bite you if you don't, including promptly disclosing vulnerabilities to the appropriate parties for resolution.

Again, that accountability is key.

Okay. Question three. What is the role of an information security professional in promoting security awareness among employees? So what is the role of an information security professional in promoting security awareness among employees? A, to develop and implement security policies and procedures. B, to conduct security audits and risk assessments.

C, to provide training and education on security best practices. Or D, to monitor and respond to security incidents. So let's answer this. Let's ask the question one more time. What is the role of an information security professional in promoting security awareness among employees? So the role of the professional in promoting security awareness: to develop and implement security [00:04:00] policies, to conduct security audits and risk assessments, to provide training and education on security best practices, and to monitor and respond to security incidents.

So if you look at all three of those, all four of those options, there's only one that ties into security awareness, and that answer is C. The role of an information security professional in promoting security awareness among employees includes providing training and education on security best practices.

Now, I will tell you that doing that is a bit of a challenge at times. Sometimes you have to build it into your schedule, because it can be very, very challenging. This helps employees understand the importance of security, their responsibilities in safeguarding information, and how to identify and report security incidents.

All right. Let's move on to the next question.

Question four: which of the following actions by an information security professional would likely be considered a violation of professional ethics? A, conducting regular security audits and risk assessments. That [00:05:00] doesn't sound like something that would be ethical, or that would be against ethics. B, disclosing a security vulnerability to an appropriate party.

C, sharing confidential information with unauthorized individuals. Mm-hmm. D, implementing security controls to protect sensitive data. So the question again: which of the following actions by an information security professional would likely be considered a violation of professional ethics? So if you listen to all three of those: conducting regular security audits, not it.

B, disclosing a security vulnerability to the appropriate parties, not it. C, sharing confidential information with unauthorized individuals. Probably. And D, implementing security controls to protect sensitive data. That's not it. So the answer would be C: sharing confidential information with unauthorized individuals would likely be considered a violation of professional ethics.

Hence, the young man in, uh, Massachusetts, who just shared secrets to the United States; that will not go well for him. He was going to be going and breaking big rocks into little [00:06:00] rocks. Unfortunately, uh, information security professionals have a responsibility to protect confidential information and maintain the confidentiality, integrity, and availability.
