You are at the practice for your child's sports team. You strike up a conversation with the manager of the sports organization. He is complaining that his company's PCs are on the fritz: running slower and slower, some programs don't work anymore, one crashed altogether. You say that this may be due to a virus or malware, and that you can take a look. He refuses politely, saying his PCs are managed under a contract with a vendor; they are the only one who can do maintenance under the agreement. You push back, saying it might be a security problem, and mention that you are actually a certified IT security professional. His hands are tied, he replies.
There are two points that may obligate you, as a holder of an ISC2 certification, to insist and perhaps escalate the issue:
- Your own information is in the organization's computer systems, because your child is on one of the teams
- You have agreed to the ISC2 Code of Ethics
The four canons of the ISC2 Code of Ethics are:
- Protect society, the commonwealth, and the infrastructure.
- Act honorably, honestly, justly, responsibly, and legally.
- Provide diligent and competent service to principals.
- Advance and protect the profession.
There are at least two canons this situation falls under. So how much do you push? How seriously do you take the Code of Ethics? If the organization's information were hijacked by malware (and yours along with it), how much guilt would you feel for not doing more to prevent it? It's something to think about the next time you come across a similar situation.