
Ethics scenarios for Organisations and Individuals

The scenarios below are intended as a reference repository for Member Organisations and for the practitioners that represent them, to aid ethical judgement and behaviour.

Guidance for use

The scenarios below are differentiated by:

They have been sourced from experiences faced by various professional bodies in recent years, and the processes described are based on the results of these investigations. The Council may update these scenarios, or add new ones, from time to time.

For each scenario, the applicable ethical Principle - contained either within the Code of Ethics for Member Organisations or within the Guiding Ethical Principles for Cyber Security Practitioners - is shown. For scenarios that a practitioner may face, issues have been identified as either professional or personal.

The scenarios included are examples and do not represent an exclusive list. Both Member Organisations and practitioners are encouraged to recommend further scenarios to the Council for inclusion and to provide support to the cyber security community. The Council’s Ethics Committee will review both existing and suggested scenarios, building on them as necessary to ensure that all ethical Principles are represented, and determining whether the corresponding issues are appropriate for the Committee itself to address.

Key

Given the prominence of NCSC’s Cyber Body of Knowledge (CyBOK) within the Council, all scenarios have also been aligned to the relevant knowledge area.

 

A: Human, Organisational and Regulatory Aspects

  • A1: Risk Management & Governance. Security management systems and organisational security controls, including standards, best practices, and approaches to risk assessment and mitigation.
  • A2: Law & Regulation. International and national statutory and regulatory requirements, compliance obligations, and security ethics, including data protection and developing doctrines on cyber warfare.
  • A3: Human Factors. Usable security, social and behavioural factors impacting security, security culture and awareness, as well as the impact of security controls on user behaviours.
  • A4: Privacy & Online Rights. Techniques for protecting personal information, including communications, applications, and inferences from databases and data processing. It also includes other systems supporting online rights, touching on censorship and circumvention, covertness, electronic elections, and privacy in payment and identity systems.

B: Attacks and Defences

  • B1: Malware and Attack Technologies. Technical details of exploits and distributed malicious systems, together with associated discovery and analysis approaches.
  • B2: Adversarial Behaviours. The motivations, behaviours, and methods used by attackers, including malware supply chains, attack vectors, and money transfers.
  • B3: Security Operations & Incident Management. The configuration, operation, and maintenance of secure systems, including the detection of and response to security incidents and the collection and use of threat intelligence.
  • B4: Forensics. The collection, analysis, and reporting of digital evidence in support of incidents or criminal events.

C: Systems Security

  • C1: Cryptography. Core primitives of cryptography as presently practised, and emerging algorithms, techniques for analysis of these, and the protocols that use them.
  • C2: Operating Systems & Virtualisation Security. Operating system protection mechanisms, implementing secure abstraction of hardware, and sharing of resources, including isolation in multiuser systems, secure virtualisation, and security in database systems.
  • C3: Distributed Systems Security. Security mechanisms relating to larger-scale coordinated distributed systems, including aspects of secure consensus, time, event systems, peer-to-peer systems, clouds, multi-tenant data centres, and distributed ledgers.
  • C4: Authentication, Authorisation & Accountability. All aspects of identity management and authentication technologies, and architectures and tools to support authorisation and accountability in both isolated and distributed systems.

D: Software and Platform Security

  • D1: Software Security. Known categories of programming errors resulting in security bugs, and techniques for avoiding these errors – both through coding practice and improved language design – and tools, techniques and methods for detection of such errors in existing systems.
  • D2: Web & Mobile Security. Issues related to web applications and services distributed across devices and frameworks, including the diverse programming paradigms and protection models.
  • D3: Secure Software Lifecycle. The application of security software engineering techniques in the whole systems development lifecycle, resulting in software that is secure by default.

E: Infrastructure Security

  • E1: Network Security. Security aspects of networking and telecommunication protocols, including the security of routing, network security elements, and specific cryptographic protocols used for network security.
  • E2: Hardware Security. Security in the design, implementation, and deployment of general-purpose and specialist hardware, including trusted computing technologies and sources of randomness.
  • E3: Cyber Physical Systems Security. Security challenges in cyber-physical systems, such as the Internet of Things and industrial control systems, attacker models, safe-secure designs, and security of large-scale infrastructures.
  • E4: Physical Layer & Telecommunications Security. Security concerns and limitations of the physical layer, including aspects of radio frequency encodings and transmission techniques, unintended radiation, and interference.

Scenarios for Organisations

Scenario ref. no.:

0001

Code reference:

Credibility (7.1)

CyBOK references:

A1, A2, A3

Scenario:

It emerges that an employee has breached confidentiality, by discussing the outcomes of a client project, assignment or audit with a third party. Such action could compromise the security of the business.

What action should we take? How can we stop them?

Process:

You should:

  • use company disciplinary/misconduct/gross misconduct policies
  • consider reporting the incident to any Body to which they are accredited.

If the individual is not accredited, consider reporting the matter to the Council if their organisation is affiliated in some way.

Experience required on Ethics Committee:

Legal

HR

Board-level business

Cyber security knowledge (for implications to corporate security)

Last updated:

March 2021

 

Scenario ref. no.:

0002

Code reference:

Credibility (7.1)

CyBOK references:

A1, A3, B3, B4

Scenario:

A client has asked us to conduct an attack on the company that the client thinks mounted an attack on them.

Should we do this?

Process:

If your organisation is accredited to a professional or trade body: seek its advice. That body may then handle the incident via its own existing Codes of Conduct, or may decide to take it to the Ethics Committee for further opinion.

If your organisation is not accredited to a professional body: report this issue to the Council’s Ethics Committee.

Note that, in the UK, this action is illegal under the Computer Misuse Act and should be reported to the authorities.

Experience required on Ethics Committee:

Cyber security

Legal

Last updated:

March 2021

 

Scenario ref. no.:

0003

Code reference:

Credibility (7.1)

CyBOK references:

A1, A2, C1, C2, C4?, D1, E1

Scenario:

It is discovered, during an assignment, that a client subject to national or international legislation or security frameworks (e.g. PCI-DSS, GDPR) has had a serious security breach. However, the client refuses to follow the mandatory reporting procedures.

What should we do?

Process:

Irrespective of whether the issue is legislative or security framework-related, you should strongly encourage the client to report.

If your advice is ignored and the issue is related to legislation: there may be a legal obligation for a security professional to report the breach to the appropriate body.

If your advice is ignored and the issue is security framework-related: the obligation to report may not be as clear cut. You may require the guidance of NCSC, the Council or other appropriate professional and/or trade body.

You should also:

  • ensure that any confidentiality agreements in place specifically include an exemption for these types of circumstances
  • consider carefully the risks of disclosure of client confidential information to avoid breakdown of trust with the organisation.

Seek advice from the Regulator if legislative/security frameworks are applicable.

Experience required on Ethics Committee:

Cyber security

Legal

Last updated:

March 2021

 

Scenario ref. no.:

0004

Code reference:

Integrity (7.2)

CyBOK references:

C1, C2, C3, C4

Scenario:

It emerges that a probe has been left in place on our network by a supplier at the end of a penetration testing assignment.

What should we do?

Process:

Establish whether action was intentional or accidental. This should determine whether the action was an ethical breach or not.

If the supplier responsible for leaving the probe is accredited to a professional body: raise a formal complaint to that body. That body may then handle the incident via its existing Codes of Conduct, or it may choose to take it to the Ethics Committee for a consolidated view.

If the supplier responsible for leaving the probe is not accredited to a professional body:

  • raise a complaint using the supplier’s complaints procedure; and
  • report the issue to the Council’s Ethics Committee.

Your supplier should provide formal assurances that:

  • all probes have been removed; and
  • any data gathered via the probe has been suitably destroyed.

If the supplier is an accredited company, you should expect the process for this to be validated at the point of next audit.

You should also ask for evidence that the policy has been distributed to all relevant staff members.

If the incident is deemed to be unethical practice, your supplier should:

  • bear the cost of removal; and
  • cover any consequential costs associated with rectification.

Experience required on Ethics Committee:

Technical cyber security organisation(s), e.g. CREST, NCSC – particularly if your supplier is an accredited company, in which case action may be taken [by their accrediting body] via their own codes and processes.

You may require Legal advice regarding appropriate financial recompense.

Last updated:

March 2021

 

Scenario ref. no.:

0005

Code reference:

Integrity (7.2)

CyBOK references:

C1, C2, C3, C4

Scenario:

It emerges that a "honeypot", impersonating a real company or individual, is being used during a red-team penetration testing assignment without the knowledge or consent of the organisation or individual.

What should we do?

Process:

Establish whether action was intentional or accidental. This should determine whether the action was an ethical breach or not.

If the supplier responsible is accredited to a professional body: raise a formal complaint to that body. That body may then handle the incident via its existing Codes of Conduct, or it may choose to take it to the Ethics Committee for a consolidated view.

If the supplier responsible is not accredited to a professional body:

  • raise a complaint using the supplier’s complaints procedure; and
  • report the issue to the Council’s Ethics Committee.

If the incident is deemed to be unethical practice, your supplier should:

  • provide formal assurances that policies have been updated to reflect a requirement to notify any organisation that has been subjected to this practice; and
  • notify relevant staff accordingly.

Experience required on Ethics Committee:

Technical cyber security organisation(s), e.g. CREST, NCSC – particularly if your supplier is an accredited company, in which case action may be taken [by the accrediting body] via their own codes and processes.

Legal

Last updated:

March 2021

 

Scenario ref. no.:

0006

Code reference:

Integrity (7.2)

CyBOK references:

A1, A2, A3

Scenario:

During production of a report for an organisation that has had a penetration test conducted, it emerges that the supplier was unduly influenced by that organisation to issue a positive report on the outcome; or, conversely, to withhold information from the report.

What should we do?

Process:

You should consider carefully the risks of disclosure of client confidential information to avoid breakdown of trust with the organisation.

If the supplier responsible is accredited to a professional body: raise the issue with that body. That body may then handle the incident via its existing Codes of Conduct, or it may choose to take it to the Ethics Committee for a consolidated view.

If the report relates to a regulated scheme, report the issue to the Regulator.

Experience required on Ethics Committee:

Technical cyber security organisation(s), e.g. CREST, CIISec, BCS – particularly if your supplier is an accredited company, in which case action may be taken [by the accrediting body] via their own codes and processes.

Board-level business.

Last updated:

March 2021

 

Scenario ref. no.:

0007

Code reference:

Integrity (7.2)

CyBOK references:

A1

Scenario:

We’ve identified misuse or exploitation of information, including for personal gain, in our organisation.

Where should we report this?

Note: there is a similar example in the scenarios for Individuals.

Process:

If your organisation is accredited to a professional or trade body, you should consider seeking its advice, which will be independent.

Alternatively, consult the Council.

Experience required on Ethics Committee:

Legal

Board-level business

Last updated:

March 2021

 

Scenario ref. no.:

0008

Code reference:

Integrity (7.2)

CyBOK references:

A2, A3, A4

Scenario:

We are being asked to pay a Bug Bounty reward, but we are aware that the individual is a minor.

What do we do? Should we report it and, if so, to whom?

Process:

CREST has published this useful reference information on Bug Bounties.

Experience required on Ethics Committee:

Cyber security

Legal

Last updated:

March 2021

 

Scenario ref. no.:

0009

Code reference:

Professionalism (7.3)

CyBOK references:

B3, C2, C4, E1, E2

Scenario:

A "backdoor" to a product has been identified that would allow unauthorised access to a network (or similar).

Where and how do we report this?

Process:

You should report serious vulnerabilities quickly and securely to the vendor or system owner (which may be your client). You will need to balance the public right to be informed and allowing the vendor or owner time to respond effectively.

When reporting to the vendor/system owner, you should also:

  • ensure sufficient information is provided to allow them to verify and evaluate the risk
  • apply your best efforts to preventing further exploitation that could adversely affect product or system availability, data integrity or confidentiality
  • ensure open and positive communication channels
  • consider carefully the risks of disclosure of client confidential information to avoid breakdown of trust with the organisation.

If appropriate (depending on product type): advise Government or the appropriate Regulator.

Experience required on Ethics Committee:

Cyber security

IoT (if appropriate)

Last updated:

March 2021

 

Scenario ref. no.:

0010

Code reference:

Professionalism (7.3)

CyBOK references:

B3, C2, C4, E1, E2

Scenario:

We have established that the supplier of a component part of our security architecture is making claims about the product that are untrue.

Should we report this?

Process:

If the supplier is a member of the UK Cyber Security Council, you should report the issue to the Council.

If the supplier is not a member of the Council, but is a member of another professional or trade body, you should report the issue to that body.

If the supplier is not a member of any body, you should open a dialogue with the supplier in the first instance.

Experience required on Ethics Committee:

 

Last updated:

March 2021

 

Scenario ref. no.:

0011

Code reference:

Professionalism (7.3)

CyBOK references:

A1, E2

Scenario:

A team of security researchers has discovered vulnerabilities in our product and is going to announce these at the Defcon conference. Although we’re aware that the team of researchers would release its findings, we’ve continued to sell the product anyway.

What should we do?

Process:

You should:

  • complete a risk assessment to understand fully:
    o the security issues that have been identified; and
    o how they will be fixed.

As part of this process, you should consider how to publicly disclose your awareness of this issue and how it will be dealt with.

If not already in place, you should:

  • consider implementing a vulnerability disclosure policy as per the DCMS Secure by Design Code of Practice (ETSI EN 303 645); and
  • develop a policy on how disclosed vulnerabilities will be acted on in a timely manner within your organisation.

For further guidance on vulnerability disclosure, refer to the ISO/IEC 29147 standard.

Experience required on Ethics Committee:

Cyber security

Legal

Last updated:

March 2021

 

Scenario ref. no.:

0012

Code reference:

Professionalism (7.3)

CyBOK references:

A2, A3, A4

Scenario:

We have been contacted by a researcher who says that they have identified vulnerabilities in our product and are willing to tell us, subject to a fee. We do not have a bug bounty programme.

Should we pay? What if we refuse and they leak it to the hacker community?

Process:

Most hunters will settle for acknowledgment, but the motivations of ethical hackers and criminal hackers are very different.

You may consider:

  • setting up an email address that will accept bug reports. ISO/IEC 29147 advises tech firms to establish a communications system by which they can receive bug reports.
  • establishing a Bug Bounty programme. CREST has published this useful reference information on Bug Bounties.

Experience required on Ethics Committee:

Cyber security

Legal

Last updated:

March 2021

 

Scenario ref. no.:

0013

Code reference:

Responsibility & Respect (7.4)

CyBOK references:

C1, C2, C3, C4

Scenario:

We’ve discovered that a supplier has caused damage to our website during a routine penetration test.

What action can we take?

Process:

Firstly, you should ascertain whether or not the supplier acted reasonably.

If the supplier responsible is accredited to a professional body: raise a formal complaint to that body. That body may then handle the incident via its existing Codes of Conduct, or it may choose to take it to the Council’s Ethics Committee for a consolidated view.

If the supplier responsible is part of a Regulator scheme – for example, it is a CHECK provider – you should raise the issue with that Regulator.

If the supplier responsible is not accredited to a professional body:

  • raise a complaint using the supplier’s complaints procedure; and
  • report the issue to the Council’s Ethics Committee.

If your supplier is found to be at fault and is an accredited company, you should expect the process for this to be validated at the point of next audit.

You should also ask for evidence that the policy has been distributed to all relevant staff members.

If your supplier is found to be at fault:

  • it should cover any consequential costs associated with rectification; and
  • you should advise the appropriate Regulator, if applicable – for example, this would be the NCSC for a CHECK scheme member.

Experience required on Ethics Committee:

Technical cyber security organisation(s), e.g. CREST – particularly if your supplier is an accredited company, in which case action may be taken [by the accrediting body] via their own codes and processes.

NCSC

You may require Legal advice regarding appropriate financial recompense, if a resolution is unsatisfactory or unachievable.

Last updated:

March 2021

 

Scenario ref. no.:

0014

Code reference:

Responsibility & Respect (7.4)

CyBOK references:

A1, B1, D1, E1, E2

Scenario:

My organisation has received a ransomware demand. Management wants to pay, but someone on the management team believes that it is inappropriate or illegal.

Should we pay to recover our information?

Process:

Ensure that your data has actually been encrypted and that you are not a victim of "scareware".

Refer to NCSC’s advice on mitigating ransomware attacks.

Take legal advice on whether funds can be lawfully remitted into the hands of a ransomware operator.

Paying your attackers does not guarantee that files will be returned or that decryption functionality has been built into the malware: on average, 25% of data is not returned. Delaying a ransom payment can also affect the quantity of data that might be returned.

You should:

  • develop a business continuity plan
  • ensure staff are trained to be cautious about attachments and links in emails and visiting unknown websites
  • consider additional cyber insurance to mitigate against financial losses.

You should also report such incidents to the Police and other law enforcement agencies, including NCSC.

Experience required on Ethics Committee:

Technical cyber security organisation(s), e.g. CREST, NCSC – particularly if your supplier is an accredited company, in which case action may be taken [by the accrediting body] via their own codes and processes.

You may require legal advice.

Last updated:

March 2021

 

Scenario ref. no.:

0015

Code reference:

Responsibility & Respect (7.4)

CyBOK references:

A1, A3

Scenario:

When recruiting for a sensitive security role, is it acceptable for my company to conduct background research on a candidate’s personal life via social media?

Process:

Depending on the circumstances, you should seek advice from:

  • your HR department
  • an appropriately qualified lawyer

Experience required on Ethics Committee:

Legal

HR

Board-level business

Last updated:

March 2021

 

Scenario ref. no.:

0016

Code reference:

Responsibility & Respect (7.4)

CyBOK references:

A1, A3

Scenario:

We have been asked to punish staff for failing our simulated phishing exercises.

Should we do this?

Process:

No: NCSC advises against punishing staff, particularly around simulated phishing attacks.

Be aware that punishing staff for such action can encourage cover-ups, which may lead to more serious breaches.

Experience required on Ethics Committee:

Legal

HR

Cyber security

Last updated:

March 2021

Scenarios for individuals

Scenario ref. no.:

0017

Code reference:

Competition

CyBOK references:

B3, C2, C4, E1, E2

Type:

Professional

Scenario:

We think a supplier has made false claims about the efficacy of its tools/products (for example: monitoring software that has missed vulnerabilities but claims to catch 100%; or which claims not to cause degradation of a service but does).

To where, and how, can we report this?

Process:

Initially you should raise the issue with your:

  • line manager; and
  • department head.

If your supplier is accredited to a professional or trade body, consider seeking the advice of that body.

Experience required on Ethics Committee:

Cyber security

IoT (if appropriate)

Legal

Last updated:

March 2021

 

Scenario ref. no.:

0018

Code reference:

Competition Inclusion

CyBOK references:

A3

Type:

Personal

Scenario:

I’ve become aware that a colleague is passing off another person’s [or organisation’s] work as their own.

To where, and how, should I report this?

Process:

If your company is accredited to a professional or trade body, you should consider seeking its advice, which will be independent.

Your company should have a Whistleblowing Policy, which you could also use.

Experience required on Ethics Committee:

Cyber security

Legal

Last updated:

March 2021

 

Scenario ref. no.:

0019

Code reference:

Honesty

CyBOK references:

A1, A2

Type:

Professional

Scenario:

I have been asked by my employer to provide information to a Regulator that I know to be factually incorrect.

To whom can I report this while protecting my position in the organisation?

Process:

If your employer is accredited to a professional or trade body, you should consider seeking its advice, which will be independent.

After receiving advice from the relevant professional body, you may also consider reporting the issue to the Regulator.

Experience required on Ethics Committee:

Cyber security

Board-level business

Legal

Last updated:

March 2021

 

Scenario ref. no.:

0020

Code reference:

Integrity

CyBOK references:

A3, B2, C2, C3, C4

Type:

Professional

Scenario:

I’ve been asked to use a "honeypot", which impersonates another organisation. But this other organisation has been neither informed nor asked.

Should I comply? Should I tell the other organisation?

Process:

If you hold a qualification from a professional body that has its own Code of Conduct, such as CREST, you should consider seeking their advice.

Alternatively, if appropriate, consult your line manager and/or department head.

You should also report the issue to your organisation’s CISO.

Experience required on Ethics Committee:

Cyber security

Legal

Last updated:

March 2021

 

Scenario ref. no.:

0021

Code reference:

Integrity

CyBOK references:

A1, A3

Type:

Professional

Scenario:

I have learned that information provided to the Board of an organisation for which I have conducted work does not represent my views of the risks to its business – risks which could adversely impact the share price.

What can I do to raise this issue with the Board? Would I be supported by the professional body to which I belong?

Process:

In first instance, and if appropriate, speak to your line manager and/or department head.

If your company is accredited to a professional or trade body, you may consider seeking its advice, which will be independent. That body may then handle the issue via its existing Codes of Conduct, or it may choose to take the issue to the Ethics Committee for a consensus view.

You should note that:

  • an independent practitioner engaged by a client company owes a duty to the company, not to any individual who commissions the project
  • a report rendered to the company by an independent consultant ends their assignment; if somebody internally decides to "interpret" that report, and/or present a different view to the Board, responsibility for that decision falls upon the corporate officer who uses the report product to deliver a view to the Board. The only circumstance in which this would become a genuine conflict is if the original reporting practitioner were also at the Board meeting.

Experience required on Ethics Committee:

Cyber security

Board-level business

HR

Last updated:

March 2021

 

Scenario ref. no.:

0022

Code reference:

Integrity

CyBOK references:

A3, B3, C2, C4, E1, E2

Type:

Professional

Scenario:

I have found a backdoor into a piece of code that allows the extraction of personal data/monitoring of third party traffic.

What should I do?

Process:

Your course of action should include:

  • make best efforts to prevent further exploitation that could adversely affect product or system availability, data integrity and confidentiality
  • report your discovery to your line manager and department head
  • consider carefully the risks of disclosure of client confidential information to avoid breakdown of trust with the organisation

If appropriate, you should also advise Government or the Regulator.

Experience required on Ethics Committee:

Cyber security

IoT

Legal (specifically Privacy)

Last updated:

March 2021

 

Scenario ref. no.:

0023

Code reference:

Integrity

CyBOK references:

A1, A2, B2, B3, C2, C4, E1, E2

Type:

Professional

Scenario:

I have been asked to release our "red team" offensive tool to the community as open source. But I know that making it open source will allow cyber criminals to use it for malicious purposes.

What should I do?

Process:

In the first instance and if appropriate, speak to your line manager.

If your company is accredited to a professional or trade body, consider seeking advice from that body.

Experience required on Ethics Committee:

Cyber security

Last updated:

March 2021

 

Scenario ref. no.:

0024

Code reference:

Integrity

CyBOK references:

A3, B2, C2, C3, C4

Type:

Professional

Scenario:

We’ve discovered a worm that is affecting users of our product. I’ve been told to release into the wild a patch-worm of our own that will fix the issue – but without the user being aware.

What should I do?

Process:

In the first instance and if appropriate, you should speak to your line manager. If it’s more appropriate, speak to your department head.

If your company is accredited to a professional or trade body, consider seeking advice from that body.

Experience required on Ethics Committee:

Cyber security

Last updated:

March 2021

 

Scenario ref. no.:

0025

Code reference:

Integrity

CyBOK references:

A3

Type:

Personal

Scenario:

I’ve discovered that a colleague has posted discriminatory and/or derogatory material on social media.

What should I do?

Process:

In the first instance and if appropriate, you should speak to your line manager. If it’s more appropriate, speak to your department head.

Note that your company should have standard procedures enabling you to escalate this via HR without any risk to you as the discloser.

Experience required on Ethics Committee:

HR

Last updated:

March 2021

 

Scenario ref. no.:

0026

Code reference:

Lawful behaviour

CyBOK references:

A2, A3

Type:

Professional

Scenario:

I’ve discovered illegal material on a computer during a routine, legitimate test.

What should I do?

Process:

You should immediately:

  • advise your line manager; and
  • remind your line manager that the issue must also be reported to the police. Note that actual ownership and past access must be established, while ensuring that the chain of evidence is protected.

You should also ensure that your department head and HR are advised: it’s the responsibility of your department head to ensure the issue is raised at a high enough level and with HR as soon as possible, as that’s where most sanctions are likely to originate.

The affected company is likely to use its disciplinary/gross misconduct policy to handle the issue with its staff member/contractor. Your company should also advise the affected company to ensure its IT usage policy is up to date.

Note: this issue must be reported to the police.

Experience required on Ethics Committee:

Cyber security

Legal

HR

Last updated:

March 2021

 

Scenario ref. no.:

0027

Code reference:

Lawful behaviour

CyBOK references:

A1, A2, A4

Type:

Professional

Scenario:

I have been asked to implement policies that I know to be contrary to GDPR principles.

What pressure can I put on the organisation to change this? If they don’t agree, to where or to whom do I need to report it?

Process:

In this situation, you will need to exercise your judgement about whether the individual is acting as the DPO under GDPR, in which case when to report is addressed within GDPR principles.

In the first instance and if appropriate, you should speak to your line manager. If it’s more appropriate, speak to your department head.

You may also consider using internal grievance procedures or reporting the issue to your company’s internal legal adviser.

Alternatively, your organisation should have a Whistleblowing Policy, which you may use.

Experience required on Ethics Committee:

Legal (specifically GDPR/Privacy)

Board-level business

Last updated:

March 2021

 

Scenario ref. no.:

0028

Code reference:

Responsible reporting

CyBOK references:

A3, B2, C2, C3, C4

Type:

Professional

Scenario:

I’ve discovered that a probe has been left in place on a network at the end of a penetration test. But I don’t know if it was left from a recent test, or placed there by someone within the business.

Should I remove it, investigate or report it?

Process:

Your course of action in this situation should include:

  • advising your line manager and department head
  • advising the appropriate Network/Systems Administrator(s)
  • conducting an audit of the relevant system (note that familiarity with previous efforts and knowledge of past testing processes is needed for this)

You should also report the issue to your CISO.

Experience required on Ethics Committee:

Cyber security

Legal

Last updated:

March 2021

 

Scenario ref. no.:

0029

Code reference:

Responsible reporting

CyBOK references:

A3, B1, B2, B3, B4

Type:

Professional

Scenario:

To obtain potential threat sources, our internal threat intelligence team is using techniques that I think are bordering on illegal.

How do I raise this and question their practices?

Process:

In the first instance and if appropriate, you should speak to your line manager. If it’s more appropriate, speak to your department head.

You will need to consider carefully the risks of disclosure of client confidential information to avoid breakdown of trust with the organisation.

If your company is accredited to a professional or trade body, consider seeking advice from that body.

The issue may need to be reported to the Regulator if the intelligence is being gathered in the course of providing a service attached to a Regulator’s scheme.

Experience required on Ethics Committee:

Cyber security (especially Threat Intelligence) experience

Legal

Last updated:

March 2021

 

Scenario ref. no.:

0030

Code reference:

Responsible reporting

CyBOK references:

A1, A2, B3, C2, C4, E1, E2

Type:

Professional

Scenario:

I have significant concerns that a public-supporting system will go live with significant vulnerabilities that would not only put the company’s department at risk but also personal data. I’ve tried to report this through my line management but they are not interested.

Should I escalate this to the NCSC?

Process:

In the first instance and if appropriate, you should speak to your line manager. If it’s more appropriate, speak to your department head.

If your company is accredited to a professional or trade body, you should consider seeking its advice, which will be independent.

If appropriate (depending on product type), you should advise Government or the Regulator.

Experience required on Ethics Committee:

Cyber security

IoT (if appropriate)

Last updated:

March 2021

 

Scenario ref. no.:

0031

Code reference:

Responsible reporting

CyBOK references:

A1, A3

Type:

Professional & Personal

Scenario:

I’ve identified intentional malpractice that can put personal information at risk.

Should I report it? To whom?

Process:

If your company is accredited to a professional or trade body, you should consider seeking its advice, which will be independent.

Alternatively, your organisation should have a Whistleblowing Policy, which you could use.

Experience required on Ethics Committee:

Cyber security

Legal (specifically GDPR/Privacy)

HR

Last updated:

March 2021

 

Scenario ref. no.:

0032

Code reference:

Responsible reporting

CyBOK references:

A3

Type:

Professional & Personal

Scenario:

I suspect a candidate of cheating in an examination.

What should I do?

Process:

Your course of action in this situation should include:

  • assigning suitably qualified individual(s) to conduct a full assessment of the case
  • ensuring NDAs are in place, and advising the candidate of the details
  • gathering all necessary evidence; interviewing the candidate if necessary or appropriate, ensuring that their right to representation is offered
  • seeking other testimonies as appropriate

At the end of the investigation, you should provide a written result of the investigation to the candidate. Allow time for the candidate’s response, and provide written notice at the conclusion of the investigation.

Your investigation will need to determine culpability. You should use evidence that you’ve gathered and should reference specific Code Clause breaches.

If your investigation confirms the candidate’s malpractice, you will need to:

  • advise the candidate’s employer
  • remove any existing qualifications awarded by the same Certifying Body
  • ban the candidate from sitting the Certifying Body’s exams for an agreed period of years
  • advise other third parties, such as Regulator(s), if appropriate.

Experience required on Ethics Committee:

Certification Bodies

HR

Last updated:

March 2021

 

Scenario ref. no.:

0033

Code reference:

Responsible reporting

CyBOK references:

A1, A2, B3, C2, C4, E1, E2

Type:

Professional

Scenario:

My company has a limited security budget, so it’s considering the release of a product to market without security due diligence (security by design). It intends to fix any issues identified by the security community once the product is on the market.

What should I do?

Process:

In the first instance and if appropriate, you should speak to your line manager. If it’s more appropriate, speak to your department head.

If your company is accredited to a professional or trade body, you should consider seeking its advice, which will be independent.

Experience required on Ethics Committee:

Cyber security

IoT (if appropriate)

Last updated:

March 2021

 

Scenario ref. no.:

0034

Code reference:

Responsible reporting

CyBOK references:

A1, A4?

Type:

Professional

Scenario:

Information on a competitor’s bid has come into my possession, by accident, during a competitive tender process.

What should I do?

Process:

Your course of action should include:

  • informing your line manager or department head
  • informing the tendering authority of the information leak
  • deleting all copies of the acquired information

Experience required on Ethics Committee:

HR

Legal

Last updated:

March 2021

 

Scenario ref. no.:

0035

Code reference:

Responsible reporting

CyBOK references:

A2, A3

Type:

Personal

Scenario:

I work as an in-house security manager with a small multinational company. A senior vice president in our UK administrative offices has asked me to access the emails of a UK-resident employee to search for evidence of fraud.

[Alt: A senior officer in our US office has asked me to access the email of a US-resident employee.]

What should I do?

Process:

In the first instance and if appropriate, you should speak to your line manager. If it’s more appropriate, speak to your department head.

Experience required on Ethics Committee:

Legal

Last updated:

March 2021

 

Scenario ref. no.:

0036

Code reference:

Responsible reporting

CyBOK references:

A2, A3

Type:

Personal

Scenario:

My client has engaged me to review its data handling procedures. During the course of the engagement, the client has admitted to me that, three years ago, it failed to report a major data loss incident as required by GDPR. It wants to change its procedures to avoid any repetition of the mistakes of the past.

Am I required to report, allowed to report, or prohibited from reporting this confession to the authorities? What should I do?

Process:

In the first instance and if appropriate, you should speak to your line manager. If it’s more appropriate, speak to your department head, or your head of Legal.

Experience required on Ethics Committee:

Legal

Last updated:

March 2021

 

Scenario ref. no.:

0037

Code reference:

Responsible reporting

CyBOK references:

A2, A3

Type:

Personal

Scenario:

I am the CISO for a medium-sized company, reporting to the head of IT. I am not the DPO.

Our CFO has decided to save money by aggregating the contents of a broad variety of individual data sets, with a variety of permission and security arrangements, and transferring these into a single unstructured cloud services storage solution.

I’ve written a memo, advising against this unless we adopt stringent security precautions due to the potential presence of sensitive operational data in some of these data sets.

My boss has acknowledged my memo, but says:

  • the company had decided to accept the increased risk;
  • our DPO had not complained about the plan; and
  • the company was moving ahead due to severe budget constraints.

I’ve never trusted the DPO’s judgment. Am I required to report, allowed to report, or prohibited from reporting this to the ICO and/or the Council?

Process:

In the first instance and if appropriate, you should speak to your line manager. If it’s more appropriate, speak to your department head, or your head of Legal.

Experience required on Ethics Committee:

Legal

Last updated:

March 2021

 

Scenario ref. no.:

0038

Code reference:

Skills, knowledge & competence

CyBOK references:

A1, A2 – possibly others depending on the nature of the service

Type:

Professional & Personal

Scenario:

I’m being asked to provide services in an area in which I do not feel qualified.

Should I do the work?

Process:

In the first instance and if appropriate, you should speak to your line manager. If it’s more appropriate, speak to your department head.

If your company is accredited to a professional or trade body, you should consider seeking its advice, which will be independent.

Experience required on Ethics Committee:

Cyber security

Legal

Last updated:

March 2021