CISSP: Domain 1 - Security and Risk Management - Module 2
Understand Professional Ethics

This course is the 2nd of four modules of Domain 1 of the CISSP, covering security and risk management. 

Learning Objectives

The objectives of this course are to provide you with an understanding of:

  • Professional Ethics
  • How to develop and implement documented security policies, standards, procedures, and guidelines and the differences between them
  • The fundamentals of business continuity requirements
  • How to contribute to personnel security policies

Intended Audience

This course is designed for those looking to take the most in-demand information security professional certification currently available, the CISSP.


Any experience relating to information security would be advantageous, but not essential.  All topics discussed are thoroughly explained and presented in a way allowing the information to be absorbed by everyone, regardless of experience within the security field.


If you have thoughts or suggestions for this course, please contact Cloud Academy at


Welcome back. Today's module is going to begin on slide 40, continuing on with the domain one CISSP Review Seminar, presented by Cloud Academy. We're going to start off today with understanding of professional ethics. 

So in this particular area we're going to discuss the topics of exercising the (ISC)² Code of Professional Ethics and how we can, in our roles, support the organization's Code of Ethics. So, what are we talking about when we talk about ethics? Well, here's what Merriam-Webster's has to say about ethics. First it defines it as the discipline dealing with what is good and bad and with moral duty and obligation. Pretty clear what it means there. Another definition is a set of moral principles or a theory or system of moral values, such as the present-day materialistic ethic or an old-fashioned work ethic, and we often find that the word ethic is used in its plural form, ethics, when it's actually employed in conversation or in writing. Another definition: the principles of conduct governing an individual or a group, such as professional ethics, or a guiding philosophy. What seems to be clear in all of these definitions is that this entire notion surrounding ethics, quote, unquote, relates to an interpretation of what is right and wrong, and implied in that, of course, is the obligation to do what is perceived as being the right thing. 

So let's examine a situation. Something has happened in the workplace and a network administrator is presenting some form of information to outline to management what has happened and make some conjecture about what sort of incident we have before us. So a question. Is the evidence the network administrator presents acceptable or valid? In view of what they are presenting, one of the questions that we have to ask in addition to this is: what is the evidence? Where does it come from? What is the authenticity of its source? Second question. What should be done to the employee who was reported on? And third, how should the network administrator be rewarded or disciplined? In such a case as this, questions have to be asked that support conclusions to these three. What is the network administrator's motivation? Is it simple reporting, simple duty execution? Or is there something else, possibly more sinister, at work here? Are they trying to set someone up to fail, to get someone in trouble? That may seem juvenile, but the fact is we have to ask those questions just to be sure that what we're dealing with is authentic information from an authentic source, objectively reflecting the action that's being presented. 

Depending upon the findings and the interpretation of the evidence, the question of what should be done to the employee who was reported on will of course depend on what that evidence indicates. This obviously involves speaking to the employee who was implicated in whatever picture the evidence paints. As for the third question, how should the network administrator be rewarded or disciplined? That's going to depend on what the outcomes from the previous questions are. If the network administrator is simply doing their job and reporting to management, "hey guys, I found this. This looks irregular, this looks inappropriate. I need management direction on what to do next," then certainly the idea of reward or discipline is something in management's purview, not the network administrator's. But the question has to be answered: is what is being presented a fair representation? Is there something that the network administrator isn't aware of or doesn't understand, some project perhaps that this employee was involved with that the network administrator may not know about? 

We should never presume that they have perfect knowledge about everything. In the end, the question has to be answered: is this truly an incident? Does it require further action? And has it been presented fairly and plainly from an authentic source? Obviously, if we can answer all of those in the affirmative, then it will simply depend on what the evidence is and what the action is that has been presented. When it comes to ethical standards, we have all different kinds of sources. We have global responsibilities, we have national, we have organizational, and then we have personal. All of these different levels of ethical standards would most likely be driven by what a person's ethics are. 

From that we would get an organizational mission statement, an organizational ethics policy. The national policy, of course, should reflect doing the right thing, whatever that might be in the given circumstances, but not a sliding scale where "right" is whatever benefits you and "wrong" is, by definition, whatever doesn't benefit someone else. These are meant to direct us towards right behavior. And the Code of Ethics that (ISC)² currently has, which as a CISSP candidate you'll be expected to read, understand, and sign your name to, is this. 

The current Code of Ethics reads like this, beginning with a preamble: "Safety of the commonwealth, duty to our principals, and to each other, requires that we adhere, and be seen to adhere, to the highest ethical standards of behavior." So the code itself is to protect society, the commonwealth, and the infrastructure; act honorably, honestly, justly, responsibly, and legally; provide diligent and competent service to principals; and advance and protect the profession. Now it's clear from the preamble that it's not enough just to hold these, we have to be seen to uphold them as well, echoing that old statement, actions speak louder than words. (ISC)², for your information, does take this Code of Ethics quite seriously, and there is a committee that oversees the ethical behaviors of its members, its certificate holders. There are cases, I have no idea how many, but there have been cases of people whose professional ethics have been brought to the attention of this committee, and some of these have had their CISSPs revoked due to failures to uphold the ethical standards that you see now. So, be aware that (ISC)² does indeed hold this to be very important, and it is a requirement of getting your CISSP and continuing to hold it.

About the Author

Mr. Leo has been in Information Systems for 38 years, and an Information Security professional for over 36 years.  He has worked internationally as a Systems Analyst/Engineer, and as a Security and Privacy Consultant.  His past employers include IBM, St. Luke's Episcopal Hospital, Computer Sciences Corporation, and Rockwell International.  A NASA contractor for 22 years, from 1998 to 2002 he was Director of Security Engineering and Chief Security Architect for Mission Control at the Johnson Space Center.  From 2002 to 2006 Mr. Leo was the Director of Information Systems, and Chief Information Security Officer for the Managed Care Division of the University of Texas Medical Branch in Galveston, Texas.


Upon attaining his CISSP license in 1997, Mr. Leo joined ISC2 (a professional role) as Chairman of the Curriculum Development Committee, and served in this role until 2004.   During this time, he formulated and directed the effort that produced what became and remains the standard curriculum used to train CISSP candidates worldwide.  He has maintained his professional standards as a professional educator and has trained and certified nearly 8500 CISSP candidates since 1998, and nearly 2500 in HIPAA compliance certification since 2004.  Mr. Leo is an ISC2 Certified Instructor.
