Message-ID: <Pine.LNX.4.63.0508190802260.2468@forced.attrition.org>
Date: Fri Aug 19 13:22:34 2005
From: jericho at attrition.org (security curmudgeon)
Subject: Re: MS not telling enough - ethics
: Well done, anyone else who knows of people committing fraud against isc2
: should report them. Unfortunately I don't think it's feasible for isc2 to
: check everybody.
Oh, how coincidental..
: They do random credential checking and I should know, since I was
: audited after I passed the exam.
Ethics Complaint Procedures [0]
The board and its agents undertake to keep the identity of the complainant
and respondent in any complaint confidential from the general public.
[..]
The board will consider only complaints that specify the canon of our code
that has been violated.
[..]
Complaints will be accepted only from those who claim to be injured by the
alleged behavior. While any member of the public may complain about a
breach of Canon I, only principals may complain about violations of Canons
II and III, and only other professionals may complain about violations of
Canon IV.
[..]
All complaints must be in writing. The board is not an investigative body
and does not have investigative resources. Only information submitted in
writing will be considered.
[..]
Complaints and supporting evidence must be in the form of sworn
affidavits. The board will not consider other allegations.
[..]
Where there is disagreement between the parties over the facts alleged,
the ethics committee, at its sole discretion, may invite additional
corroboration, exculpation, rebuttals and sur-rebuttals in an attempt to
resolve such dispute. The committee is not under any obligation to make a
finding where the facts remain in dispute between the parties. Where the
committee is not able to reach a conclusion on the facts, the benefit of
all doubt goes to the respondent.
[..]
Discipline of certificate holders is at the sole discretion of the board.
Decisions of the board are final.
--
Ok, let me translate this for you:
Keep it private, for your own good, we swear! This way the complaint is
kept out of public scrutiny. You have to clearly define what canon was
violated, even though they are general and vague. You must personally be
injured to complain, even though breaking any of the four canons may not
directly harm one individual! You must submit said complaint in writing,
and the board does not have time to investigate your complaint at all.
Such complaints must be in the form of sworn affidavits [1], signed by a
notary as witness to your signature etc. If there is any dispute of
facts, which is entirely up to the (ISC)2 board, it is entirely
their discretion whether to act on or continue the process. The board
may arbitrarily decide not to pursue or consider additional evidence,
will make no effort to research the matter themselves, and drop the
matter without further consideration. Even if the board finds someone
guilty of breaking one of the canons, the board will decide what
punishment, if any, is appropriate, including 'none'.
How many hoops does one have to jump through to file a complaint that will
actually be considered?! Should I slice my wrists and bleed all over the
signed and notarized document in case they need a blood sample or DNA?
Does the complaint need to be shouted out from town square right after
slaughtering a chicken while juggling hedgehogs? I mean really, how many
ways can they make this process counter-productive and full of backdoors
so the 'board' can simply ignore your complaint?
: Ivan Coric, CISSP
You are so proud of our certification, you won't even list yourself in
the (ISC)2 directory so that we can verify you even hold the
certification! [2]
: The CISSP cert is the best security cert around, without a doubt.
Best for who?! Oh yes, for you since you hold it. And best for those
issuing it, since they profit directly from the certification and the
yearly 'renewal' fee. The fact is, (ISC)2 and the CISSP certification is a
marketing ploy and money maker. It is *not* in their best interest to
allow the credibility of their certification to be tarnished for any
reason, even when criminals are 'earning' it.
security curmudgeon
[0] https://www.isc2.org/cgi-bin/content.cgi?page=176
[1] http://en.wikipedia.org/wiki/Affidavit
[2] https://www.isc2.org/cgi-bin/directory.cgi?displaycategory=503