Code of Professional Conduct
Codes of conduct support accountability by clearly outlining the ethical and professional standards expected of individuals within a profession. Codes set specific guidelines and principles that professionals must follow, which helps ensure that their actions align with the established norms of the field. By defining acceptable behavior and responsibilities, a code of conduct provides a benchmark against which professional actions can be measured.
The Professional Association of CISOs’ Code of Professional Conduct is structured around Principles and Fundamental Canons that define behavior consistent with, and expected by, those Principles. Fundamental Canons may be accompanied by practical Rules of Practice, which provide additional explanatory, educational, and advisory material on how the Fundamental Canons can be interpreted and applied.
Structure of the Code
Principles
The Code of Professional Conduct at its core is defined around six areas of basic, underlying rules and concepts that guide the actions and decisions of the cybersecurity professional:
- Professional Integrity
- Standards of Practice
- Confidentiality
- Communications
- Conflict of Interest
- Enforcement of the Code
Members are expected to ensure that their professional behavior is aligned with these Principles.
Fundamental Canons
The Fundamental Canons (“Canons”) of the Code define the professional and ethical standards that support the Code’s Principles. Compliance with these Canons will help the Member to fulfill their responsibility to the public and maintain the core Principles of the Cybersecurity Profession.
Rules of Practice
Rules of Practice are annotations to the Fundamental Canons intended to provide additional explanatory, educational, and advisory material on how the Fundamental Canons are to be interpreted and applied. Not all Canons have been refined with Rules of Practice; these Canons may not need additional explanation or guidance. Rules of Practice may be added over time to provide guidance on the reasonable interpretation of the Canons as required.
By following the Rules of Practice, a member is provided with additional guidance in how to comply with the Code, including demonstrating reasonableness of behavior. That is, the Rules of Practice offer valuable insights and examples that can support a member’s understanding and reasoning behind their actions.
Application of the Code
This Code of Professional Conduct should be applied in a context-sensitive manner, considering both specific organizational settings and circumstances and the potential of adverse consequences.
Note that a member’s employer (including clients) may have policies that are intended to protect their business. While it is not reasonable for the PAC to expect a member to violate an employer’s policies in support of this Code, a member may use this Code to provide guidance for those situations that are not covered by those policies.
Laws may also impose obligations upon a Member. Where requirements of Law conflict with the Code, the requirements of Law shall take precedence.
In the event of an alleged violation of the Code of Professional Conduct, a member might refer to rules of practice to demonstrate their intent to comply with the spirit of the Code and to show that their actions were consistent with the guidance provided. This can provide a clearer picture of the decision-making process and potentially mitigate perceptions of misconduct by illustrating a logical and informed approach to applying the Code’s principles in complex or ambiguous situations.
Governance of the Code
Following the publication of the initial Code of Professional Conduct v1.01, the Code is now subject to governance by the Committee on Professional Conduct. Future revisions and updates to the Code will be based on experience in the application of the Code.
As required, and at least every two years (or as instructed by the PAC Bylaws), the Committee on Professional Conduct will create a sub-committee with an explicit charter to review feedback and recommend clarifications to the Code as necessary. The sub-committee will publish a timeline for review, feedback, comment and approval prior to the commencement of any review activities.
Proposed changes will be based on general feedback from the community as well as the findings from disciplinary and counseling proceedings resulting from the enforcement of the Code and other input as necessary. Clarifications may be made to the Code itself or may be provided through additional use cases that provide a scenario-based understanding of the application of the Code in practice.
Development of the Code of Professional Conduct
The initial release of the Professional Association of CISOs Code of Professional Conduct (the “Code”) was the result of extensive research, drafting, and feedback and comments from members and friends of the cybersecurity community.
During development of the Code, multiple codes of conduct, ethics, and professional conduct, as well as profession- and association-specific codes, were consulted, including:
- CISSP Code of Ethics (note invalid certificate, proceed with caution)
- ISC2 Code of Ethics
- ISACA Code of Professional Ethics
- EthicsfIRST: Ethics for Incident Response and Security Teams
- ABA Professional Certifications’ Code of Ethics
- ACM Code of Ethics
- AMA Code of Medical Ethics
- AMA Principles of Medical Ethics
- IEEE Code of Ethics
- National Society of Professional Engineers Code of Ethics
- Society of Actuaries Code of Professional Conduct
For reference, we have leaned most heavily on the CISSP Code of Ethics and the Society of Actuaries Code of Professional Conduct, combining the best of each into a Code of Professional Conduct that is intended to address the needs of cybersecurity professionals, including cybersecurity leaders and CISOs.
Contributors to the Code
The initial Code of Professional Conduct was drafted, reviewed, and approved by the Core Members of the PAC’s Committee on Professional Conduct, including:

| Contributor | Area of Expertise |
|---|---|
| Charles Blauner | Chair of the Committee on Professional Conduct; Former CISO / Advisor |
| Heather Hinton | Former CISO / Advisor |
| Tyson Kopczynski | Former CISO / Advisor |
| Steve Zalewski | Former CISO / Advisor |
| Gadi Evron | Former CISO In Residence, Founder |
| Valmiki Mukherjee | Professional Association of CISOs, President – Board of Directors; Security Professional, Consultant |
Many individuals, including members of the Cyber Future Foundation, the broader cybersecurity community and individuals who support the overall cybersecurity profession, provided additional feedback and improvements to the Code, including (in alphabetical order):
| Reviewer | Area of Expertise |
|---|---|
| Amit Ashkenazi | Legal Counsel |
| John Averill | Cyber Insurance Partner |
| Bob Blakely | Security Expert, Analyst, Founder |
| Tim Brown | CISO |
| Charisse Castignoli | Former CISO, Corporate Counsel |
| David B. Cross | CISO, Advisor |
| Steve Crocker | Internet Pioneer |
| Kevin Dorse | Cyber Insurance Partner |
| Gerhard Eschelbeck | Former CISO / Advisor |
| Janice Fischer | Expert, Council Countering Hybrid Warfare |
| Daniel B. Garrie | Legal / Expert Witness |
| Renee Guttman | Former CISO / Advisor |
| Bil Harmer | Operating Partner & CISO |
| Fernando Maymi | CISO |
| Kevin Moos | Data Privacy Expert |
| Michael Piacente | Security Specialist, Executive Recruiter |
| Corey Scott | Former CISO / Advisor |
| Susanne Senoff | CISO |
| Doron Shikmoni | Security & Network Architect; Founder |
| Melonie Story | Cyber Insurance Partner |
| Paul Vogel | Legal Counsel |
| Yabing Wang | CISO |
| Jason Woloz | CISO |
| Sounil Yu | Former CISO / Founder |