A Certified Information Systems Security Professional (CISSP) with identity and access management (IAM) responsibilities is asked by the Chief Information Security Officer (CISO) to4 perform a vulnerability assessment on a web application to pass a Payment Card Industry (PCI) audit. The CISSP has never performed this before. According to the (ISC)? Code of Professional Ethics, which of the following should the CISSP do?
Correct Answer: C
According to the (ISC)2 Code of Professional Ethics, the CISSP should inform the CISO that they are unable to perform the task because they should render only those services for which they are fully competent and qualified. The (ISC)2 Code of Professional Ethics is a set of principles and rules that guide the professional and ethical conduct of the (ISC)2 members and certificate holders, such as the CISSP. The (ISC)2 Code of Professional Ethics consists of four canons, which are:
* Protect society, the common good, necessary public trust and confidence, and the infrastructure.
* Act honorably, honestly, justly, responsibly, and legally.
* Provide diligent and competent service to principals.
* Advance and protect the profession. One of the rules under the second canon states that the (ISC)2 members and certificate holders shall not provide any professional services or advice unless they are competent and qualified in those areas. This means that the CISSP should not perform a vulnerability assessment on a web application if they have never done it before, and if they do not have the necessary knowledge, skills, and experience to do it properly and effectively. Performing a vulnerability assessment without the proper competence and qualification could result in inaccurate, incomplete, or misleading results, and could cause harm or damage to the web application, the organization, or the customers. Therefore, the CISSP should inform the CISO that they are unable to perform the task, and should seek the assistance or guidance of someone who is competent and qualified in performing a vulnerability assessment. The other options are not what the CISSP should do according to the (ISC)2 Code of Professional Ethics, as they either do not comply with the rule of rendering only those services for which they are fully competent and qualified, or do not address the issue of performing a vulnerability assessment. References: CISSP - Certified Information Systems Security Professional, Domain 1. Security and Risk Management, 1.6 Understand legal and regulatory issues that pertain to
* information security in a global context, 1.6.3 Understand, adhere to, and promote professional ethics,
1.6.3.1 (ISC)2 Code of Professional Ethics; CISSP Exam Outline, Domain 1. Security and Risk Management, 1.6 Understand legal and regulatory issues that pertain to information security in a global context, 1.6.3 Understand, adhere to, and promote professional ethics, 1.6.3.1 (ISC)2 Code of Professional Ethics