A. Copyright law is the only type of intellectual property protection available to Matthew. It

authority and the incident caused your organization to deviate from any regulation, you must report the incident. Make sure you know what incidents you must report. For example, any organization that stores personal health information must report any incident in which disclosure of such information occurred.

Before you encounter an incident, it is very wise to establish a relationship with your corporate legal personnel and the appropriate law enforcement agencies. Find out who the appropriate law enforcement contacts are for your organization and talk with them. When the time comes to report an incident, your efforts at establishing a prior working relationship will pay off. You will spend far less time in introductions and explanations if you already know the person with whom you are talking.

Once you determine to report an incident, make sure you have as much of the following information as possible:

What is the nature of the incident, how was it initiated, and by whom?
When did the incident occur? Be as precise as possible with dates and times.
Where did the incident occur?
If known, what tools did the attacker use?
What was the damage resulting from the incident?

You may be asked to provide additional information. Be prepared to provide it in as timely a manner as possible. You may also be asked to quarantine your system. As with any security action you take, keep a log of all communication and make copies of any documents you provide as you report an incident.

Ethics

Security professionals with substantial responsibilities are held to a high standard of conduct. The rules that govern personal conduct are collectively known as rules of ethics. Several organizations have recognized the need for standard ethics rules, or codes, and have devised guidelines for ethical behavior. We present two codes of ethics in the following sections. These rules are not laws. They are minimum standards for professional behavior. They should provide you with a basis for sound, ethical judgment. Any security professional should be expected to abide by these guidelines regardless of their area of specialty. Make sure you understand and agree with the codes of ethics outlined in the following sections.

(ISC)² Code of Ethics

The governing body that administers the CISSP certification is the International Information Systems Security Certification Consortium (ISC)². The (ISC)² Code of Ethics was developed to provide the basis for CISSP behavior. It is a simple code with a preamble and four canons. Here is a short summary of the major concepts of the Code of Ethics.