Let’s get this out of the way first, ISC2 wants you to know their code of ethics, which you’ll be required to adhere to as a CISSP, so here it is:
- **P**rotect society, the common good, necessary public trust and confidence, and the infrastructure.
- **A**ct honorably, honestly, justly, responsibly, and legally.
- **P**rovide diligent and competent service to principals.
- **A**dvance and protect the profession.
Notice the bolded letters above. You can remember this by using the acronym “PAPA”: Protect, Act, Provide, and Advance.
You should read the full code of ethics on the ISC2 website. We won’t paste it here because it may change from time to time, but if you read it once and become familiar with the four tenets, you’re probably good for the exam.
CIA of Information Security
Now let’s talk about the CIA triad. There are five pillars of information security that include the CIA triad, and everything in the CBK can fall under these:
- Confidentiality means: only authorized entities have access.
- Integrity means: the data hasn’t been changed (by accident or by an unauthorized party).
- Availability means: authorized users can reach the data and systems when they need them.
- Authenticity means: the information is authentic and trustworthy.
- Non-repudiation means: the inability to deny what you created, sent, modified, accessed, or touched… basically the inability to deny any actions performed by you. Accountability plays a key part in enforcement (within non-repudiation), as does auditing of logs.
As an example, encryption provides confidentiality. Mirror sites provide availability. Digital signatures and hashes help provide integrity. Identity assurances and data validation provide authenticity. Digital signatures can provide non-repudiation (note there is a difference between providing something and enforcing something).
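To make the integrity and non-repudiation examples concrete, here is a small added demonstration (not from the original study guide) that computes a SHA-256 digest for integrity and then signs a constructed sample message with a Lamport one-time signature built only from SHA-256, so it runs on the Python standard library. Lamport is a real hash-based scheme, but the implementation below is a simplified, one-message-per-key illustration, and the message text, function names and key sizes are my own choices. The point it shows: a hash alone tells you the bytes changed, while a signature made with a private key only the signer holds is what lets a verifier attribute the message to that signer (the property behind non-repudiation). A shared-key MAC such as HMAC would give authenticity but not non-repudiation, because the verifier holds the same key and could have produced the tag.

```python
"""Added example: integrity via a hash, non-repudiation via a digital signature.

Integrity       : a SHA-256 digest detects any change to the bytes.
Authenticity /  : a Lamport one-time signature binds the message to a private
non-repudiation   key only the signer holds; anyone with the public key verifies.

Illustration only: a Lamport key pair must sign exactly ONE message.
"""
import hashlib
import hmac
import secrets

HASH = hashlib.sha256
DIGEST_BITS = 256  # SHA-256 output length; one secret pair per bit


def integrity_digest(message: bytes) -> str:
    """Integrity: a fixed-length fingerprint of the exact bytes."""
    return HASH(message).hexdigest()


def lamport_keygen(rng=secrets.token_bytes):
    """Private key: 256 pairs of random 32-byte secrets.
    Public key: the SHA-256 hash of each secret, in the same layout."""
    private = [(rng(32), rng(32)) for _ in range(DIGEST_BITS)]
    public = [(HASH(a).digest(), HASH(b).digest()) for a, b in private]
    return private, public


def _message_bits(message: bytes):
    """The 256 bits of SHA-256(message), most significant bit first."""
    digest = int.from_bytes(HASH(message).digest(), "big")
    return [(digest >> (DIGEST_BITS - 1 - i)) & 1 for i in range(DIGEST_BITS)]


def lamport_sign(private, message: bytes) -> list:
    """For each digest bit, reveal the secret that matches the bit's value."""
    return [private[i][bit] for i, bit in enumerate(_message_bits(message))]


def lamport_verify(public, message: bytes, signature: list) -> bool:
    """Hash each revealed secret and compare to the published commitment.
    Any change to the message flips digest bits, so the revealed secrets
    no longer match the commitments for those positions."""
    if len(signature) != DIGEST_BITS:
        return False
    ok = True
    for i, bit in enumerate(_message_bits(message)):
        ok &= hmac.compare_digest(HASH(signature[i]).digest(), public[i][bit])
    return ok


def demo() -> dict:
    """Constructed sample: one signed message and one tampered copy."""
    message = b"Transfer 100 to account 42"   # constructed sample message
    tampered = b"Transfer 900 to account 42"  # one byte altered in transit
    private, public = lamport_keygen()
    signature = lamport_sign(private, message)
    _other_private, other_public = lamport_keygen()  # a different signer
    return {
        # Integrity: the digest alone already exposes the change.
        "integrity_detects_change": integrity_digest(message) != integrity_digest(tampered),
        # Non-repudiation: only the holder of `private` could have produced this.
        "signature_verifies": lamport_verify(public, message, signature),
        # Altered content no longer matches the signature.
        "tampered_rejected": not lamport_verify(public, tampered, signature),
        # The same signature does not verify under someone else's public key.
        "wrong_signer_rejected": not lamport_verify(other_public, message, signature),
    }


if __name__ == "__main__":
    for check, passed in demo().items():
        print(f"{check}: {'ok' if passed else 'FAIL'}")
```

Running the block prints four checks, all of which should pass. The fourth check is the heart of non-repudiation: the verifier never learns the private key, so the only party who could have produced a signature that verifies under a given public key is that key's holder, which is why the text says a digital signature can provide non-repudiation while enforcing it still depends on accountability and audit logs.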