For the first time, and with input from Jisc, a code of ethics has been created for all professionals working in product/computer security incident response teams (PSIRTs and CSIRTs) in all sectors, including education and research.
Cyber security and the important work of security incident response teams in keeping the internet safe has never been more important. As the security landscape changes, more is expected of experts working in this field.
The new, internationally-applicable code could supersede the historical position, whereby different sectors and certification bodies have developed their own guidelines or rules that, if not followed, could lead to removal of membership. For example, the (ISC)2 Code of Ethics that applies to those undertaking the CISSP exam or the CSIRT Code of Practice adopted by TF-CSIRT/TI Accredited Teams.
Created by the Forum of Incident Response and Security Teams (FIRST) with the help of the head of Jisc’s security operations centre, Dr John Chapman, the new guidelines have now been issued for consultation – a process which completes at the end of this month.
Almost two years in the making, EthicsfIRST - Ethics for Incident Response and Security Teams - aims to provide practical advice and support to the CSIRT community, including those among European NRENs. The code is designed to inspire and guide the ethical conduct of all team members, including current and potential practitioners, instructors, students, inﬂuencers, and anyone who uses cyber security in an impactful way.
The framework, which includes statements of responsibility, based on the understanding that the public good is always the primary consideration, seeks to reinforce the duties of trustworthiness, coordinated vulnerability disclosure, authorisation, team health, and recognition of jurisdictional boundaries, among others.
Dr Chapman, who was involved in developing the new code as part of his role on FIRST's ethics special interest group, said:
“As security professionals rise to the challenge of technology changes and evolving threats, the way they make decisions about handling incidents can raise ethical questions.
“The EthicsfIRST guidelines gives security professionals and teams the confidence to better handle difficult ethical situations in a methodical manner. It’s a big step forward in further professionalising security practitioners.
“Individual professional bodies, such as ISACA or BCS have their own codes for members, but FIRST’s code of ethics is an all-encompassing, cross-sector document that’s relevant for all. EthicsfIRST code will be freely available to any organisation and I’ll certainly be encouraging Jisc’s members running their own CSIRTs to adopt it. Jisc’s Janet Network CSIRT has been a member of FIRST for some years and will also be adhering to the code.
“I hope that, by putting EthicsfIRST into practice, it will help strengthen the trust between teams and between teams and their communities.”
The document is now available on the FIRST.org Ethics SIG page for public consultation.