Unit-4 Cs

4.1.1 Information Security Management Systems (ISMS)


What is ISMS?
An information security management system (ISMS) is a set of policies and procedures for
systematically managing an organization's sensitive data. The goal of an ISMS is to minimize
risk and ensure business continuity by proactively limiting the impact of a security breach.
An ISMS typically addresses employee behavior and processes as well as data and technology. It
can be targeted toward a particular type of data, such as customer data, or it can be implemented
in a comprehensive way that becomes part of the company's culture.

How does an ISMS work?


An ISMS provides a systematic approach for managing the information security of an
organization. Information security encompasses certain broad policies that control and manage
security risk levels across an organization.
ISO/IEC 27001 is the international standard for information security and for creating an ISMS.
Jointly published by the International Organization for Standardization and the International
Electrotechnical Commission, the standard doesn't mandate specific actions but includes
suggestions for documentation, internal audits, continual improvement, and corrective and
preventive action. To become ISO 27001 certified, an organization requires an ISMS that
identifies the organizational assets and provides the following assessment:
• the risks the information assets face;
• the steps taken to protect the information assets;
• a plan of action in case a security breach happens; and
• identification of individuals responsible for each step of the information security process.

Benefits of ISMS
An ISMS provides a holistic approach to managing the information systems within an organization.
This offers numerous benefits, some of which are highlighted below.
• Protects sensitive data. An ISMS protects all types of proprietary information assets,
whether they're paper-based, preserved digitally or reside in the cloud. These assets can
include personal data, intellectual property, financial data, customer data and data
entrusted to companies through third parties.
• Meets regulatory compliance. An ISMS helps organizations meet all regulatory
compliance and contractual requirements and provides a better grasp of the legalities
surrounding information systems. Since violation of legal regulations comes with hefty
fines, having an ISMS can be especially beneficial for highly regulated industries with
critical infrastructure, such as finance or healthcare.
• Provides business continuity. When organizations invest in an ISMS, they automatically
increase their level of defense against threats. This reduces the number of security
incidents, such as cyber attacks, resulting in fewer disruptions and less downtime, which
are important factors for maintaining business continuity.
• Reduces costs. An ISMS offers a thorough risk assessment of all assets. This enables
organizations to prioritize the highest-risk assets, preventing indiscriminate spending on
unneeded defenses and providing a focused approach toward securing them. This structured
approach, along with less downtime due to a reduction in security incidents, significantly
cuts an organization's total spending.
• Enhances company culture. An ISMS provides an all-inclusive approach to security
and asset management throughout the organization that isn't limited to IT security. This
encourages all employees to understand the risks tied to information assets and adopt
security best practices as part of their daily routines.
• Adapts to emerging threats. Security threats are constantly evolving. An ISMS helps
organizations prepare for and adapt to newer threats and the continuously changing demands
of the security landscape.

Implementing ISMS
There are various ways to set up an ISMS. Most organizations either follow a plan-do-check-act
process or study the ISO 27001 international security standard, which effectively details the
requirements for an ISMS.
The following steps illustrate how an ISMS should be implemented:
1. Define the scope and objectives. Determine which assets need protection and the
reasons behind protecting them. Consider what clients, stakeholders and trustees want to
be protected. Company management should also define clear-cut objectives for the areas of
application and limitations of the ISMS.
2. Identify assets. Identify the assets that are going to be protected. This can be achieved by
creating an inventory of business-critical assets including hardware, software, services,
information, databases and physical locations by using a business process map.
3. Recognize the risks. Once the assets are identified, their risk factors should be analyzed
and scored, taking into account the legal requirements or compliance guidelines. Organizations
should also weigh the effects of the identified risks. For example, they could ask how much
impact a breach of the confidentiality, availability or integrity of an information asset would
have, and how probable such a breach is. The end goal should be to arrive at a conclusion
outlining which risks are acceptable and which must be tackled at all costs due to the
potential amount of harm involved.
4. Identify mitigation measures. An effective ISMS not only identifies risk factors but also
provides satisfactory measures to effectively mitigate and combat them. The mitigation
measures should lay out a clear treatment plan to avoid the risk altogether. For example, a
company trying to avoid the risk of losing a laptop with sensitive customer data should
prevent that data from being stored on that laptop in the first place. An effective
mitigation measure would be to set up a policy or rule that doesn't permit employees to
store customer data on their laptops.
5. Make improvements. All the previous measures should be monitored, audited and
checked repeatedly for effectiveness. If the monitoring reveals any deficiencies or new
risk management factors, then restart the ISMS process from scratch. This enables the
ISMS to rapidly adapt to changing conditions and offers an effective approach to
mitigating the information security risks for an organization.
4.1.2 Risk management and assessment
What is risk assessment?
Risk assessment refers to the evaluation of all the potential risks associated with a certain activity
or your organization’s way of doing business. It includes different types of risks such as
operational risks, project-related risks, process-related risks, and much more.

Every risk assessment process consists of two critical procedures, namely:

• Risk Identification
Risk consists of two parts: the probability of something going wrong, and the consequences if
it does. Considering the probability of things going wrong at different phases or processes
comes under risk identification. For example, if you are manufacturing a spare part, the things
that can go wrong are its measurements, such as its height or weight dimensions. Having listed
these, you have identified the risks involved.
• Risk Analysis
On the other hand, risk analysis covers the other part, where the possible consequences of a
risk are considered. For example, if the spare part is manufactured with the wrong dimensions,
what could be the consequences? Will it lead to product failure? How will it affect the
functionality of the product?

What are the different types of risk assessments?


The types of risk assessment activities in any organization depend on the operational activities
conducted on a regular basis. Many industries have specific environmental or legislative
requirements to take care of. Some of the most common types of risk assessment activities
include:
• Fire-Safety Related Risk Assessments
To prevent fire incidents in the organization.
• Health and Safety Related Risk Assessments
To prevent any disease or injury to the workforce.
• Equipment Usage Related Risk Assessments
To prevent risks of overusing the equipment.

Why are risk assessments important?


As already discussed above, risk assessments are the primary step for effective risk management.
It is recommended that every industry or organization document its risk assessment strategy.
After all, it ensures the well-being of employees and employers.

The main objectives of performing risk assessments are:

• Identification of the health and safety-related hazards by evaluating the risks identified
within the workplace.
• Evaluation of the effectiveness of existing risk control measures and recognizing the need
for new controls.
• Ensuring that all the controls are correctly implemented, leaving no room for loopholes.
• Prioritizing the other resources to ensure adequate controls and risk management.
Without sufficient risk management controls, risks can turn into expensive lessons for a
business about prioritizing risk when making business decisions. The loss is not only
financial: companies will also see the impact on productivity, equipment efficiency,
employee engagement and, most importantly, brand reputation and market share.
When and how to conduct the risk assessments?
Another critical question that businesses often face is when to conduct risk assessments.
The best time to perform a risk assessment is before the designated task or activity begins.
It will help eliminate and prevent numerous issues beforehand that may have severe
consequences if left unattended.
You must take into consideration that risk assessment is not a one-time activity. You need to
review it regularly to make the necessary changes and upgrades to manage risk more proactively
and efficiently.
Now that you know that risk assessment must be planned and reviewed regularly, you must
create a suitable strategy for conducting the risk assessments.
For any type of risk, the typical risk assessment plan includes the following steps:
• Identifying the critical assets or data that are vulnerable to the risks.
• Creating different risk profiles for different assets.
• Mapping the processes connected with those assets.
• Prioritizing the risks to be addressed on an urgent basis.
• Developing a corrective action plan for sudden failures.
• Developing a preventive plan to minimize attacks and vulnerabilities.
• Monitoring and reviewing risks on a continuous basis.
Industries generally prioritize their process- or product-related risks as:
• Moderate
• Severe
• High
• Low

What is risk management?


Risk management refers to the process of identifying, assessing, and eliminating risks that can
cost businesses more than monetary loss. Through risk management strategies, companies can
stay prepared for unexpected events and surprises. You have different ways of managing risks,
such as:
• Avoiding the risks that are of no advantage to your business.
• Sharing the risks with the team, stakeholders, and third parties to lower their burden.
• Accepting the risks that have no possible solution at the particular time or may require a
contingency plan in a later phase.
• Controlling the risks through suitable CAPA (corrective and preventive action) management
plans. You can also rely on PDCA, i.e., the Plan-Do-Check-Act methodology, to manage risks
efficiently and effectively.
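As an added example that is not part of the original notes, the following Python risk register implements the "recognize the risks" scoring from the ISMS section (probability of a breach times its worst impact on confidentiality, integrity or availability), the Low/Moderate/High/Severe prioritization and the acceptable-versus-must-treat decision from this section, and the four treatment options just listed. The 1..5 scales, the score bands, the risk appetite value and the sample assets are assumptions, not taken from the notes.

```python
"""Risk register: the 'recognize the risks' scoring, the Low/Moderate/High/
Severe levels and the four treatment options from these notes, as code.

Assumptions not given in the notes: 1..5 scales for likelihood and for the
impact of a breach of confidentiality, integrity or availability; score =
likelihood x worst CIA impact; the score bands for the four levels; the
risk appetite; and the sample assets, which are constructed.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Inclusive upper score bound for each level, lowest first (assumed bands).
LEVEL_BANDS = ((4, "Low"), (9, "Moderate"), (15, "High"), (25, "Severe"))
# The four treatment options named in the notes.
TREATMENTS = ("avoid", "share", "accept", "control")


@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str
    likelihood: int        # 1 = rare .. 5 = almost certain
    confidentiality: int   # 1 = negligible .. 5 = severe, if confidentiality is breached
    integrity: int         # same scale, for a breach of integrity
    availability: int      # same scale, for a breach of availability
    treatment: Optional[str] = None   # recorded by treat()

    def __post_init__(self) -> None:
        for name in ("likelihood", "confidentiality", "integrity", "availability"):
            value = getattr(self, name)
            if not 1 <= value <= 5:
                raise ValueError(f"{name} must be 1..5, got {value!r}")

    @property
    def impact(self) -> int:
        # The worst of the three CIA impacts drives the rating.
        return max(self.confidentiality, self.integrity, self.availability)

    @property
    def score(self) -> int:
        return self.likelihood * self.impact

    @property
    def level(self) -> str:
        return next(name for upper, name in LEVEL_BANDS if self.score <= upper)


def prioritize(register: Iterable[Risk], appetite: int) -> List[Tuple[Risk, bool]]:
    """Rank risks highest score first.  The flag is True when the risk is
    acceptable (score within the appetite) and False when it must be treated."""
    ranked = sorted(register, key=lambda r: (-r.score, r.asset))
    return [(r, r.score <= appetite) for r in ranked]


def treat(risk: Risk, option: str, likelihood: Optional[int] = None,
          impact_cap: Optional[int] = None) -> Risk:
    """Return the residual risk after recording a treatment.

    control: lower the likelihood and/or cap each CIA impact at impact_cap.
    avoid:   remove the exposure (modelled as likelihood 1, impacts 1), like
             the notes' policy of never storing customer data on laptops.
    share / accept: rating unchanged, but the decision is recorded.
    """
    if option not in TREATMENTS:
        raise ValueError(f"unknown treatment {option!r}")
    if option == "control":
        if likelihood is None and impact_cap is None:
            raise ValueError("'control' needs a new likelihood and/or impact_cap")
        cap = 5 if impact_cap is None else impact_cap
        return Risk(risk.asset, risk.threat,
                    risk.likelihood if likelihood is None else likelihood,
                    min(risk.confidentiality, cap), min(risk.integrity, cap),
                    min(risk.availability, cap), option)
    if option == "avoid":
        return Risk(risk.asset, risk.threat, 1, 1, 1, 1, option)
    return Risk(risk.asset, risk.threat, risk.likelihood, risk.confidentiality,
                risk.integrity, risk.availability, option)


def sample_register() -> List[Risk]:
    """Constructed sample entries, not real data."""
    return [
        Risk("Intranet wiki", "Outdated content misleads staff", 2, 1, 2, 1),
        Risk("Sales laptops", "Device holding customer data lost or stolen", 4, 5, 2, 2),
        Risk("Public website", "Denial-of-service outage", 3, 1, 1, 4),
        Risk("Customer database", "Unpatched server exploited", 3, 5, 4, 3),
    ]


if __name__ == "__main__":
    for risk, acceptable in prioritize(sample_register(), appetite=6):
        verdict = "acceptable" if acceptable else "must treat"
        print(f"{risk.score:>2} {risk.level:<8} {verdict:<10} {risk.asset}: {risk.threat}")
    laptops = sample_register()[1]
    print("laptops after 'avoid':", treat(laptops, "avoid").level)
```

Running the file prints the prioritized register; treat() returns the residual risk, so the effect of "avoid" (the notes' laptop policy) or of a "control" can be compared with the original rating.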

Benefits of Risk Management


• Creating a safer and more secure work environment for your workforce and manufacturing
safer products for the customers.
• Increasing the operational excellence of the business while decreasing the possibilities of
compliance issues.
• Ensuring protection from adverse events that may impact the company’s reputation and
work environment.
• Protecting all involved parties and critical assets from the potential risks.
• Helping organizations to establish prevention strategies and contingency plans.
Hence, risk management is the umbrella term covering all the risks related activities, including
risk assessment, risk analysis, and much more.
Risk Assessment & Risk Management
Understanding the risks is the first step to make informed business plans, strategies, procedures,
processes, and decisions. The organizations that overlook the concept of risks are likely to face
more challenges than usual and a declined productivity. Hence, it is imperative to perform risk
management right to avoid any unpleasant surprises.
Every business faces certain risks in achieving its quality objectives. It would not be wrong to say
that risk is the primary requirement for development, growth, and profitability.

4.2.1 Developing and implementing security policies


What is an information security policy?
An information security policy is a set of rules and guidelines on how to use, manage, and
protect sensitive data. ISPs address all aspects related to enterprise data security, including the
data itself and the organization’s systems, networks, programs, facilities, infrastructure, internal
users, and third-party users. An ISP applies to all users within your organization and its networks.
It connects people, processes, and technologies so they can work together to prevent
data breaches.

How to implement an information security policy in your organization


Implementing an information security policy for employees typically requires a structured
approach with several key stages. These stages can be summarized as follows:
1. Assess the risks. This initial stage involves identifying and evaluating the organization’s
information assets, potential threats, and vulnerabilities. The assessment can help you understand
the risks and prioritize security measures.
2. Outline the policy. Based on the risk assessment results, create your information security
policy. Consider outlining all possible rules, procedures, and guidelines depending on the defined
scope and the type of information security policy you are going to implement.
3. Implement the policy. Once you’ve outlined a policy, it’s time to put it into action. This stage
includes assigning a specialized team to be responsible for policy implementation, creating
instructions on how to comply with the policy, and implementing security controls to mitigate
the identified risks.
4. Communicate the policy. Communication about the ISP is essential to its success. Therefore,
educate employees, contractors, and other stakeholders about the information security policy, its
importance, and their individual responsibilities in adhering to it.
5. Monitor the policy’s effectiveness. It’s critical to assess the effectiveness of the implemented
security controls and policies. This involves reviewing logs, conducting audits, and identifying
any gaps or areas for improvement. The policy itself should also be reviewed and updated
periodically to ensure it remains relevant and effective in the evolving threat landscape.
These implementation stages have a cycle-like nature, with the information gained from
monitoring and maintenance feeding back into the risk assessment and policy development
stages.

7-Steps for Creating your Security Policy

Security policies are never one-size-fits-all. Since each organization has its own risk appetite and
unique security requirements, it becomes necessary that you understand how to create a policy
that fits your security requirements.
Here are the 7 steps to help you create your next security policy:
1. Identify the need for having a particular policy. Does it align with your security
objectives and goals? Who does it affect? What would happen in the absence of this
policy?
2. Get approval from the management and stakeholders to develop a security policy.
3. Perform a risk analysis to identify vulnerabilities in your IT environment. And then
prioritize risks based on their potential consequences.
4. Create a comprehensive first draft security policy and get feedback from legal, IT, HR,
and other stakeholders. Once the feedback is in, make necessary changes and finalize the
policy.
5. Train your employees, and ensure that they understand the scope, purpose, and
consequences related to the policy.
6. Publish the security policy and inform stakeholders, customers, contractors, and everyone
who has access to the resources of your organization. Work with your web team to
publish public policies on your website.
7. Regularly review and update your policy to meet evolving security requirements, and
monitor the efficiency of and compliance with the security policy by performing timely
vulnerability and penetration testing. Ensure compliance through internal audits and
maintain a good security posture.

7 benefits of implementing information security policies

1. Set clear data security goals
2. Guide the implementation of proper cyber security controls
3. Respond to incidents promptly and efficiently
4. Meet IT compliance requirements
5. Increase accountability of users and stakeholders
6. Maintain the organization’s reputation
7. Increase operational efficiency

4.2.2 Incident response planning and management


What is an incident response plan?
An incident response plan is a set of instructions to detect, respond to and limit the effects of an
information security event. Sometimes called an incident management plan or emergency
management plan, an incident response plan provides clear guidelines for responding to several
potential scenarios, including data breaches, DoS or DDoS attacks, firewall breaches, malware
outbreaks, insider threats, data loss and other security breaches.

Why is having an incident response plan important?


Incident response plans help reduce the effects of security events and, therefore, limit
operational, financial and reputational damage. They also lay out incident definitions, escalation
requirements, personnel responsibilities, key steps to follow and people to contact in the event of
an incident.
An incident response plan establishes the recommended actions and procedures needed to do the
following:
• Recognize and respond to an incident.
• Assess the incident quickly and effectively.
• Notify the appropriate individuals and organizations of the incident.
• Organize a company's response.
• Escalate the company's response efforts based on the severity of the incident.
• Support the business recovery efforts made in the aftermath of the incident.

Benefits of an incident response plan


• Faster incident response. A formal plan ensures an organization uses its risk assessment
and response activities to spot early signs of an incident or attack. It also helps
organizations follow proper protocols to contain and recover from the event.
• Early threat mitigation. A well-organized incident response team with a detailed plan can
mitigate the potential effects of unplanned events. An incident response plan can speed
up forensic analysis, minimizing the duration of a security event and shortening recovery
time.
• Disaster recovery (DR) plan launch prevention. Quick incident handling could save an
organization from invoking more complex and costly business continuity (BC) and DR
plans.
• Good business continuity. Organizations such as the Business Continuity Institute and
Disaster Recovery Institute International include incident response planning as a key part
of the overall business continuity management process.
• Better communication for faster action. Situations exist where the severity of an incident
is beyond the capabilities of an incident response team. In these scenarios, incident
response teams relay the information they know to emergency management teams and
first responder organizations to try and resolve the incident.
• Regulatory compliance. Many regulatory and certification bodies require organizations to
have an incident response plan. To remain compliant with certain regulations, such as
PCI DSS, having an incident response plan is critical.

How to create an incident response plan


1. Determine the critical components of your network
To protect your network and data against major damage, you need to replicate and store your
data in a remote location. Because business networks are expansive and complex, you should
determine your most crucial data and systems. Prioritize their backup, and note their locations.
These actions will help you recover your network quickly.
2. Identify single points of failure in your network and address them
Just as you should back up your data, you should have a plan B for every critical component of
your network, including hardware, software, and staff roles. Single points of failure can expose
your network when an incident strikes. Address them with redundancies or software failover
features. Do the same with your staff. If a designated employee can’t respond to an incident,
name a second person who can take over. By having backups and fail-safes in place, you can
keep incident response and operations in progress while limiting damage and disruption to your
network and your business.
3. Create a workforce continuity plan
During a security breach or a natural disaster, some locations or processes may be inaccessible.
In either case, the top priority is employee safety. Help ensure their safety and limit business
downtime by enabling them to work remotely. Build out infrastructure with technologies such as
virtual private networks (VPNs) and secure web gateways to support workforce communication.
4. Create an incident response plan
Draw up a formal incident response plan, and make sure that everyone, at all levels in the
company, understands their roles.
An incident response plan often includes:
• A list of roles and responsibilities for the incident response team members.
• A business continuity plan.
• A summary of the tools, technologies, and physical resources that must be in place.
• A list of critical network and data recovery processes.
• Communications, both internal and external.
5. Train your staff on incident response
Only IT may need to fully understand the incident response plan. But it is crucial that everyone
in your organization understands the importance of the plan. After you’ve created it, educate
your staff about incident response. Full employee cooperation with IT can reduce the length of
disruptions. In addition, understanding basic security concepts can limit the chances of a
significant breach.

4.3.1 Overview of key regulations (GDPR, HIPAA, etc.)


Why Is Data Compliance Important?
Data can be a valuable asset, especially when it contains exclusive information. Companies have
always invested money and resources in protecting intellectual property and trade secrets from
theft. But more recently, a new type of information is gaining increasing value: personally
identifiable information (PII).
Compared to intellectual property, companies are less cautious about protecting PII. There are
two main reasons behind it. First is that personal data of customers and employees do not require
much effort (i.e. economic sacrifice) to obtain. Second is that unlike intellectual property, even if
a copy of personal data gets leaked, it does not significantly devalue the original copy.
This does not mean that personal data is any less important. When PII ends up in the wrong
hands, severe consequences like identity theft and financial fraud can impact thousands and even
millions of people. As consumers become more aware of this danger, companies need to reassure
their customers that they are safe to do business with by taking full responsibility in keeping PII
safe.
This is where data privacy regulations come into play. They help companies reassure the general
public that doing business (i.e. sharing data) with them is safe, and they also ensure fairness in
the market by punishing those who fail to meet their responsibilities.
There are plenty of data privacy laws and standards designated for a variety of industries and for
different regions of the world. It is crucial to understand which laws apply to your business and
how to comply with them.

GDPR (General Data Protection Regulation)


Country of origin: European Union
Established by: European Parliament and Council of the European Union
Effective since: May 25, 2018
Main purpose:
• To obtain consent before collecting personal data
• To keep stored personal data at a minimum
• To protect stored personal data with adequate measures
What is considered “personal data”?
• “Any information related to a natural person that can be used to directly or indirectly
identify that person”
Who must comply?
• Any business entity that does business in the EU
• Any business entity that monitors, collects, or stores personal data of EU residents
Overview:
As one of the strictest data privacy laws in the world, the European Union’s General Data
Protection Regulation guards personal data starting from the collection process. Businesses are
only allowed to collect personal data if there is a legitimate reason for doing so, and are required
to inform the data subject of how their data will be processed.
Companies are also required to implement privacy by design for all new systems and processes,
meaning that adequate cybersecurity measures should be implemented at all times, including
having PII encrypted. When necessary, GDPR recommends that businesses assign a data
protection officer to handle GDPR compliance.
Penalties and fines:
GDPR outlines two tiers of fines. Tier 1 applies to all kinds of failure in having proper database
security measures in place, usually revealed following a data breach. The maximum tier 1 fine is
set at 2% of a company’s global revenue or 10 million euros, whichever is greater.
Tier 2 is related to data collection and usage, punishing companies who fail to obtain consent
before collecting and processing personal data. The maximum tier 2 fine is 4% of a company’s
global revenue or 20 million euros, whichever is greater.

HIPAA (Health Insurance Portability and Accountability Act) Privacy Rule


Country of origin: United States
Established by: 104th United States Congress
Effective since: April 14, 2003
Main purpose:
• To keep protected health information (PHI) and medical records safe
• To obtain patient authorization for the use and disclosure of PHI
• To give patients rights over their PHI, including the right to obtain copies
What is considered “protected health information (PHI)”?
• Any information regarding a person’s health status, healthcare provisions, or healthcare
payments that can be used to identify that person
Who must comply?
• Any “covered entity” (i.e. health plans, healthcare providers, healthcare clearinghouses,
and insurance providers) that collects and stores PHI of United States citizens
Overview:
The HIPAA Privacy Rule strictly limits when and how an individual’s PHI may be used or
disclosed by covered entities. For example, PHI may only be used for providing information to
the individual, for treatment and payment, for research activities of public interest, and so on.
Since PHI is highly sensitive, all covered entities must keep any PII safely encrypted at all times.
Especially during the current COVID-19 pandemic, where healthcare data have become the most
popular target for cybercriminals, healthcare and insurance providers must be extra cautious
when handling data.
Penalties and fines:
For those who violate the Privacy Rule, a fine of $100 to $50,000 or more will be applied per
violation and up to $1,500,000 can be applied per year.
Summary of key regulations (organization, who it applies to, who governs it, areas of coverage,
requirements):

Health Insurance Portability and Accountability Act (HIPAA)
Applies to: Covered entities (hospitals, doctors, insurance companies) and their business associates
Governed by: Department of Health and Human Services (HHS)
Areas of coverage: Protecting Private Health Information (PHI) from unauthorized disclosure
Requirements: Cybersecurity controls; physical and administrative privacy controls

Sarbanes-Oxley Act (SOX)
Applies to: Publicly traded corporations
Governed by: U.S. Securities and Exchange Commission (SEC)
Areas of coverage: Requiring transparency in corporate financial reporting
Requirements: Corporations must implement security, transparency, and accountability into
financial reporting to stakeholders and the government

General Data Protection Regulation (GDPR)
Applies to: All businesses collecting consumer data in the European Union
Governed by: The EU Information Commissioner’s Office (ICO)
Areas of coverage: Protecting consumer information in EU jurisdictions
Requirements: Businesses must implement privacy, security, and consent controls to protect
consumer data from disclosure or abuse

California Consumer Privacy Act (CCPA)*
Applies to: Midsize and large businesses in California
Governed by: California Privacy Protection Agency (CPPA)
Areas of coverage: Protecting consumer information in California jurisdictions
Requirements: Businesses must implement privacy, security, and consent controls to protect
consumer data from disclosure or abuse

Federal Risk and Authorization Management Program (FedRAMP)
Applies to: Cloud service providers working with federal agencies
Governed by: The Joint Authorization Board (JAB) and Program Management Office (PMO)
Areas of coverage: Securing cloud systems used by federal agencies through third-party vendors
Requirements: CSPs must implement NIST 800-53 and other controls to meet minimum standards

Cybersecurity Maturity Model Certification (CMMC)
Applies to: Digital contractors working with Department of Defense agencies
Governed by: The Department of Defense
Areas of coverage: Securing defense-related IT systems in the DoD supply chain
Requirements: Contractors must implement NIST 800-171 and NIST 800-172 controls to work in
the supply chain

4.3.2 Ethical considerations in cyber security

What Are Ethics?


Ethics means the standards of right and wrong that tell us what we ought to do when
specific circumstances arise. The objective of ethics is not to dictate what professionals must do
when faced with every ethical dilemma but to instill a strong sense of the principles that govern
behavior or conduct.
Ethics is of utmost importance when applied to cyber security, as seemingly unimportant actions
can lead to consequences for both the professionals and the organizations they work for. Thus,
cyber security experts can figure out what is expected of them professionally by understanding
the rules of ethical behavior.

Why Are Ethics in Cyber Security Important?


Protection of Privacy and Data
An ethical cyber security program ensures that personal and sensitive data is handled responsibly
and securely. Adhering to ethical principles can help to prevent security threats such as
unauthorized access, data breaches of sensitive personal data, and identity theft, which can have
severe consequences for both individuals and organizations.
Trust and Reputation
Having cyber security ethics as part of an organization’s culture helps build and maintain trust
internally and externally. When companies demonstrate ethical practices in their processes, such
as handling sensitive data and protecting systems, key stakeholders like customers and partners
are more likely to trust them, resulting in increased stakeholder satisfaction and retention.
Long-Term Sustainability
Implementing ethical cyber security practices helps to contribute to the long-term sustainability
of digital systems, data and technologies. Prioritizing ethical considerations in cyber security can
help to reduce the number of data breaches and increase the security of sensitive data, helping to
improve the overall safeguarding of sensitive data worldwide and creating a strong ethical core.
Cyber Security Ethical Issues
Here, ethical issues refer to the consequences, whether damages or benefits, that can come from
the choices of cyber security professionals. For instance, it is easy to see how ethical issues in
fields like engineering and aeronautics can have severe impacts on both individuals and
companies. In the same way, ethical issues arise in cyber security too, and below are some
of the key issues:

Harm to Privacy
Harm to privacy refers to an individual’s privacy becoming compromised. Negative
consequences include unauthorized access, identity theft, reputational damage and distress. A
cybersecurity professional’s decisions ultimately impact privacy protection. They can safeguard
privacy in several ways, including implementing security measures, tools and practices; calling
out designs and apps that mislead users into sharing excessive information; ensuring compliance
with security frameworks; and mitigating risks.
Harm to Property
Harm to property refers to damage to physical and digital assets, including unauthorized access to
them and the disruption of the services they provide. For a cybersecurity professional, prioritizing
network security is therefore an ethical matter. They have a responsibility to implement
countermeasures, which can include risk assessments, firewalls and continuous monitoring. Failure
to do so can lead to property harm caused by a cyber attack.
Cybersecurity Resource Allocation
Determining how much to invest in cybersecurity activities can be a challenge. Large companies can
devote more resources to their cyber defenses, improving their chances of detecting anomalies or
intrusions. More important than the size of the budget, however, is how it is allocated.
Cybersecurity professionals must use resources for the greater good of the organization and its
stakeholders. Deploying a patch for a critical software vulnerability may be costly and time
consuming, but not doing so may risk a data breach that affects millions of customers.
Transparency and Disclosure
Companies should promptly reveal critical vulnerabilities in their software upon learning about
them. In practice this usually means coordinated disclosure: notifying affected parties and
publishing an advisory alongside a fix, rather than announcing an unpatched flaw. This level of
transparency not only helps cybersecurity professionals collaborate and share information so that
they can respond quickly to attacks, but also allows customers whose data is threatened to take
appropriate action to reduce their own risk.
Approaches to transparency and disclosure depend on the organization. However, recent
legislation offers a benchmark: the Cyber Incident Reporting for Critical Infrastructure Act of 2022
(CIRCIA), enacted as part of the Consolidated Appropriations Act, 2022, and codified as Section
2242 of the Homeland Security Act, requires covered critical infrastructure entities to report
covered cyber incidents to CISA within 72 hours of reasonably believing that one has occurred,
and ransom payments within 24 hours, once CISA's implementing regulations take effect. Note
that this is mandatory incident reporting to a regulator, which is separate from disclosing a
vulnerability or notifying affected customers.

Ethical Challenges Faced by Cybersecurity Professionals


From keeping sensitive data confidential to confronting user privacy issues in the workplace,
cybersecurity professionals must find a healthy balance between safeguarding information and
upholding cybersecurity ethics standards.
Confidentiality
Cybersecurity professionals handle sensitive information, from personal customer data to a
business’s proprietary information. Disclosing this data can have severe consequences, so
cybersecurity professionals must never reveal confidential information, unless a significant
public benefit exists for doing so.
Threats and Risks
Cybersecurity professionals are duty-bound to respond to cyber threats. Remaining vigilant is
always a priority, and their response is crucial. While individuals may overlook notifications or
leave their computers unattended, cybersecurity experts should never do so.
Balancing Security With Business Interests
Cybersecurity professionals may encounter unethical practices within a business unit. Reporting
the issue to supervisors may be the best first step. In the case of illegal activity, a cybersecurity
professional may consider reporting it to authorities or the media.
User Privacy
Cybersecurity professionals have to balance security and user privacy. In protecting their
organizations from cyber attacks, cybersecurity professionals sometimes have to access
employees’ online activities. Without carefully considering user privacy, this can come close to
violating a person’s rights.

What Are the Risks of Poor Ethics in Cyber Security?

Reputation Damage
Unethical behavior can erode trust and tarnish the reputation of individuals,
organizations, and even entire industries. A loss of reputation can lead to decreased
customer trust, investor confidence, and business opportunities, which creates ethical
issues for all parties involved.
Compromised Privacy
Poor cyber security practices can infringe on individual privacy rights by allowing
unauthorized access to sensitive information and other critical data. This can lead to
identity theft, stalking, and other forms of privacy violation, severely damaging
individuals' personal and professional lives.
Legal Consequences
Unethical conduct can lead to legal action and regulatory penalties. In recent years,
jurisdictions have introduced an increasing number of laws and regulations that mandate
specific cyber security and data protection standards. Organizations that fail to meet these
requirements may be subject to legal consequences.