Counterattacks are generally disapproved of or illegal, so the security field instead relies on frameworks and controls, such as the confidentiality, integrity, and availability (CIA) triad and the others discussed earlier in the program, to address confidentiality, privacy protection, and legal obligations.
To understand how these concerns relate to the ethical obligations of cybersecurity professionals, review the following key concepts as they apply to using ethics to protect organizations and the people they serve.
Confidentiality means that only authorized users can access specific assets or data. In the context of professional ethics, confidentiality means maintaining a high level of respect for privacy in order to safeguard private assets and data.
Privacy protection means safeguarding personal information from unauthorized use.
Two categories of personal data can cause people harm if they are stolen:
- [[Personally identifiable information]] (PII) is any information that can be used to infer an individual's identity, such as their name and phone number.
- [[Sensitive personally identifiable information]] (SPII) is a specific type of PII that falls under stricter handling guidelines; examples include Social Security numbers and credit card numbers.
To effectively safeguard PII and SPII data, security professionals hold an ethical obligation to secure private information, identify security vulnerabilities, manage organizational risks, and align security with business goals.
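One practical consequence of the "stricter handling" that SPII requires is that values such as Social Security numbers and card numbers should never land in plain text in application logs. The following Python filter is an added example written for this page, not code from the original material: it scans constructed sample log lines, masks anything that looks like a card number or an SSN, and uses a Luhn checksum and the Social Security Administration's never-issued ranges (area 000, 666 and 900 to 999, group 00, serial 0000) to avoid masking order IDs and ticket references that merely look like SPII. The log lines, field names and masking format are all assumptions made for the example.

```python
import re

# Constructed sample log lines for the example (not real data). The card
# number is a well-known test value; the SSN is the SSA's own example number.
SAMPLE_LOG_LINES = [
    "2024-05-01 10:02:11 INFO checkout user=jdoe card=4111 1111 1111 1111 amount=42.10",
    "2024-05-01 10:02:12 INFO kyc user=jdoe ssn=123-45-6789 status=verified",
    "2024-05-01 10:02:13 INFO order id=1234 5678 9012 3456 shipped",   # 16 digits, fails Luhn
    "2024-05-01 10:02:14 INFO support ticket ref=000-12-3456",         # SSN-shaped, area 000 is never issued
]

# 13 to 19 digits, optionally separated by single spaces or hyphens.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# Classic AAA-GG-SSSS layout; the groups are checked for plausibility below.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Reject values the SSA has never issued: area 000/666/900-999, group 00, serial 0000."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return int(group) != 0 and int(serial) != 0


def redact_spii(line: str) -> str:
    """Mask card numbers and SSNs in one log line, keeping only the last four digits."""

    def mask_card(m: re.Match) -> str:
        digits = re.sub(r"\D", "", m.group(0))
        if not luhn_valid(digits):
            return m.group(0)           # leave non-card digit runs untouched
        return "[CARD ****" + digits[-4:] + "]"

    def mask_ssn(m: re.Match) -> str:
        if not plausible_ssn(*m.groups()):
            return m.group(0)           # SSN-shaped but not a valid SSN
        return "***-**-" + m.group(3)

    return SSN_RE.sub(mask_ssn, CARD_RE.sub(mask_card, line))


def redact_all(lines):
    """Apply redact_spii to every line and return the cleaned list."""
    return [redact_spii(line) for line in lines]


if __name__ == "__main__":
    for original, cleaned in zip(SAMPLE_LOG_LINES, redact_all(SAMPLE_LOG_LINES)):
        marker = "REDACTED" if cleaned != original else "kept    "
        print(marker, cleaned)
```

Keeping the last four digits preserves enough for support staff to correlate a record with a customer while removing what an attacker would need; the checksum and range checks matter because a filter that masks every 16-digit run also destroys order IDs, which in practice leads teams to disable the filter altogether.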
Laws are rules that are recognized by a community and enforced by a governing entity. As a security professional, you will have an ethical obligation to protect your organization, its internal infrastructure, and the people involved with the organization.
To do this:
- Remain unbiased and conduct your work honestly, responsibly, and with the highest respect for the law.
- Be transparent and just, and rely on evidence.
- Stay consistently invested in the work you are doing, so you can appropriately and ethically address issues that arise.
- Stay informed and strive to advance your skills, so you can contribute to the betterment of the cyber landscape.
As an example, consider the [[Health Insurance Portability and Accountability Act]] (HIPAA), a U.S. federal law established to protect patients' health information, known as protected health information (PHI).
HIPAA generally prohibits sharing patient information without the patient's consent, and its Breach Notification Rule requires covered organizations to notify affected patients when their health data is exposed. As a security professional, you might help ensure that the organization you work for meets both its legal and its ethical obligation to inform patients of such a breach.