The scope and responsibilities of an information security professional are diverse, and afford a great deal of responsibility and trust in protecting the confidentiality, integrity, and availability of an organization's information assets. The services provided by an information security professional are critical to the success of an organization and to the overall security posture of the information technology community. Such responsibilities place a significant expectation on certified professionals to uphold a standard of ethics to guide the application and practice of the information security discipline.
A professional certified by GIAC acknowledges that such a certification is a privilege that must be earned and upheld. GIAC certified professionals pledge to advocate, adhere to, and support the Code of Ethics. It is not enough for information security professionals to simply "do the job". We must hold ourselves and our discipline to the highest standards of ethical and professional conduct.
GIAC customers and certified professionals who violate any principle of the Code may be subject to disciplinary action by GIAC. Sanctions include, but are not limited to:
- Revocation of certifications and/or forfeiture of certification attempts
- GIAC/SANS participation ban
- Reporting of violation to management and/or other certifying organizations
- Public posting of ethics violation case details.
Exam Integrity Policy
GIAC takes exam integrity very seriously, as evidenced by the GIAC candidate agreement, GIAC code of ethics, and other exam related policies. Each of those documents describes procedures used by GIAC to ensure exam integrity.
Candidates are expected to complete exams independently, based on information mastered through individual preparation. Answering a question correctly due to exposure to exam content is different than answering a question correctly due to mastery of the associated knowledge area. The former situation is a violation of GIAC program rules.
Candidates may not ever take any action(s) to provide assistance or receive assistance related to undermining the validity of specific content presented on any GIAC exam. You may not share or accept knowledge of test content, including questions or answers at any time or by any means. In fact, the reputation of GIAC credentials lies in the fact our exams accurately measure your mastery of specific content and thus, the value to you of a credential is significantly harmed if other candidates receive unfair assistance or cheat.
There are many areas related to exam integrity you should consider before, during and after your exam administration. Below are some areas to focus on:
Maintaining the Confidentiality/Security of Exam Content
The following are examples of specific actions that are prohibited. This list is not all-inclusive.
- Using unauthorized material in preparing for and attempting to earn a GIAC certification.
- Any use of or reference to "exam dump" sites, which contain actual or possible GIAC questions and/or answers.
- Any copying, screen capturing, disclosing, sharing, publishing, selling, posting, distributing, or even talking about specific exam content before, during or after an exam because those actions compromise the integrity of the GIAC exams.
- Copying exam items while taking your exam, using any type of recording device, whether analog or digital - and regardless of what your intention is with respect to using the copied items.
- Talking or communicating with other test takers during the exam administration.
- Memorizing or recording exam questions.
- Altering or misrepresenting your exam score or any credentials you hold.
- Impersonating another individual or allowing another person to impersonate you at an exam, or in any way falsifying your identity or misrepresenting your or another's identity before, during or after a test or exam.
- Colluding with test proctors, other candidates, or any third parties related to the development, maintenance, and/or use of the examination content, or to change any test score.
- Obtaining improper access to any exam content from any source, which gives you an unfair advantage over other candidates.
Consequences of Exam Integrity Abuses
If you are found to be in violation of any of the prohibited actions outlined above, you may be immediately dismissed from the exam site or disqualified from completing the examination and you will be reported to GIAC.
GIAC exam content is the sole property of GIAC and protected under US copyright law. Therefore, GIAC may pursue legal action against you (both civil and criminal) in all applicable cases.
GIAC consistently monitors for threats to exam integrity through various methods, including but not limited to forensic analysis of exam results. When it has been determined that a candidate or several candidates acting together have violated the integrity of an exam in any manner, as set forth above, there are a number of sanctions that GIAC can apply. GIAC reserves the right to invalidate any exam results that, for reasons of exam validity and integrity, we cannot verify and stand behind. If you are found to have abused any aspects of GIAC exam integrity, your previous GIAC certifications may be revoked and future bans to participate in the GIAC program may be implemented. For your rights in these situations, see the GIAC Appeals Policy.
Code of Ethics
The following GIAC Code of Ethics was developed through the consensus of the GIAC Advisory Board members and GIAC management.
Respect for the Public
- I will accept responsibility in making decisions with consideration for the security and welfare of the community.
- I will not engage in or be a party to unethical or unlawful acts that negatively affect the community, my professional reputation, or the information security discipline.
Respect for the Certification
- I will not share, disseminate, or otherwise distribute confidential or proprietary information pertaining to the GIAC certification process.
- I will not use my certification, or objects or information associated with my certification (such as certificates or logos) to represent any individual or entity other than myself as being certified by GIAC.
Respect for my Employer
- I will deliver capable service that is consistent with the expectations of my certification and position.
- I will protect confidential and proprietary information with which I come into contact.
- I will minimize risks to the confidentiality, integrity, or availability of an information technology solution, consistent with risk management practice.
Respect for Myself
- I will avoid conflicts of interest.
- I will not misuse any information or privileges I am afforded as part of my responsibilities.
- I will not misrepresent my abilities or my work to the community, my employer, or my peers.
Personal Accountability to the Code of Ethics
Individuals may only make claims regarding their GIAC certification status with respect to the scope of specific certifications they have earned. Individuals may not use the certification or their certification status in such a manner as to mislead others, misrepresent unauthorized information or bring the certification body into disrepute.
If there are any matters affecting a certified individual's ability to continue to fulfill the competencies associated with a specific GIAC certification they hold, the certified individual is required under the code of ethics to inform GIAC without delay by emailing ethics@giac.org with specific information.
In the event that an individual's certified status is withdrawn for any reason, the person must refrain from use of all references to a certified status.
Exam Ethics
If GIAC detects any exam anomalies before, during or after a GIAC exam attempt, GIAC has the right to investigate, apply sanctions, and void certification results. GIAC also reserves the right to require the candidate to retest under formal proctored conditions.
Ethics Council
GIAC strives to maintain the highest ethical standards. The GIAC Ethics Council, with an international composition, is elected from the GIAC Advisory Board and acts as an independent committee regarding ethical matters that may arise in matters of GIAC certification, use of the GIAC credentials and ethical conduct of GIAC certification holders. The primary functions of the Council are to:
- Provide investigative functions and recommendations to the GIAC Director concerning the enforcement of GIAC's Code of Ethics
- Provide advice and counsel to the GIAC Director regarding ethical issues, as requested, and recommend appropriate actions the organization may want to evaluate
- Provide confidential advice to the GIAC membership at-large, assisting members with ethical questions and concerns and reaching out to members whose companies may be involved in publicly-announced ethical situations
- Review the GIAC Code of Ethics annually to ensure it is addressing the needs of the membership and profession
Unified Framework of Professional Ethics for Security Professionals
At the present time the GIAC Ethics Council upholds the GIAC Code of Ethics. However, in early 2007 the GIAC Ethics Council joined with other security organizations to formulate a unified code of ethics for the security industry. The GIAC Ethics Council sees this work as an important milestone in achieving increased recognition for the security profession and is proud to be actively involved in this initiative.
Ethics Violation
The GIAC organization takes ethics very seriously. We are committed to enforcing our Code of Ethics, and have formal procedures that allow fair and objective review of allegations and evidence of violations of the GIAC Code of Ethics. The GIAC Ethics Council has the responsibility of formally reviewing any charges and evidence of ethics violations.
Complaint Submission
Any GIAC member, or member of the public, who witnesses or suspects a violation of GIAC's Code of Ethics may submit a written complaint to the GIAC Ethics via our online complaint form. The complaint must include the following at a minimum:
- A detailed description of the facts known and circumstances relevant to the complaint
- The Complainant's source(s) of information, the names, addresses, phone numbers and other contact information for and of witnesses and other knowledgeable individuals as known.
- Any and all supporting information or evidence
- The section or sections of the GIAC Code of Ethics violated
Each complaint will be reviewed for completeness and forwarded to the GIAC Ethics Council to initiate the review process. If not enough information is present to initiate a review, the form will be returned to the complainant requesting more information.
If enough corroborating evidence is available to support a thorough investigation, the identity of the accuser will not necessarily be divulged to the individual being investigated. If the investigation relies more heavily on testimony from a single source or the evidence presented obviously implicates the identity of the accuser, it may not be possible for the accuser to remain unidentified.
Ethics Violation Review Process
The Ethics Council's chief responsibility is to investigate ethics complaints against GIAC certified individuals, or GIAC candidates.
The investigative process is initiated when the Director of GIAC requests the investigation of a potential misconduct or when the Director is in receipt of a written complaint alleging misconduct.
The Ethics Council will solicit details in writing from the individual being investigated as well as any others who may be able to provide corroborating or exculpatory information. After all solicited information has been reviewed the Council may request further clarification as required.
On completion of its investigation, the Ethics Council will make a written report to the Director recommending whether the complaint should be upheld, and the recommended course of discipline. The written report will be communicated to the Director for review and possible further action.
If a Council member or members have a strong opinion against the majority decision of the Council, then a dissenting opinion may also be written and provided to the Director.
Appeal Process
Individuals found to be in violation may file an appeal within 30 days of the notice of decision, stating the specific grounds for appeal.
The appeal will be conducted by the GIAC Appeals Committee, who will review the details of the original investigation in addition to the appeal to determine if the appeal has merit. The GIAC Director will notify the appealing party regarding the outcome of the Appeal, and the decision will be final.
Statement of Impartiality
The GIAC organization understands the importance of impartiality, managing conflict of interest and objectivity, and GIAC's top management is committed to these practices in all of our certification activities.
The GIAC organization provides information security professionals with the opportunity to certify that they have the skills needed to do the job. GIAC certified professionals are individuals who have the knowledge and hands-on skill that distinguishes them among their peer group. In order for GIAC to maintain its high-value credentials, we ensure that our certification program adheres to defined measurement and testing guidelines to safeguard integrity, impartiality, validity and fairness.
In our effort to maintain impartiality, GIAC regularly performs reviews to assess potential threats to impartiality and acts proactively to mitigate conflict of interest and impartiality threats both actual and perceived. We welcome any questions or comments about our certification program: info@giac.org.