
8/2/2019 Ethical Issues for IT Security Professionals

Ethical issues for IT security professionals

By Deb Shinder

August 2, 2005 12:00 PM ET


WindowSecurity.com - Physicians, attorneys and other professionals whose job duties affect others' lives usually receive, as part of their formal training, courses that address ethical issues common to their professions. IT security personnel often have access to confidential data and knowledge about individuals' and companies' networks and systems that give them a great deal of power. That power can be abused, either deliberately or inadvertently. But there are no standardized training requirements for hanging out your shingle as an IT security consultant or in-house security specialist. Associations and organizations for IT pros are beginning to address the ethical side of the job, but again, there is no requirement for IT security personnel to belong to those organizations.

Why are ethical guidelines needed?

The education and training of IT professionals, including security specialists, usually focuses on technical knowledge and skills. You learn how to perform tasks, but with little consideration of how those abilities can be misused. In fact, many IT professionals approach their work with a hacker's perspective: whatever you can do, you're entitled to do. (Note: In this article, we're using the word hacker in the current common meaning, pertaining to "black hat" hackers who use their skills to break into systems and access data and programs without the permission of the owners. We're well aware that the term originally referred to anyone with advanced programming skills, and that there are "white hat hackers" who use their skills to help companies and individuals protect against the black hats.)

In fact, many IT pros don't even realize that their jobs involve ethical issues. Yet we make decisions on a daily basis that raise ethical questions.

What are the ethical issues?

Many of the ethical issues that face IT professionals involve privacy. For example:

Should you read the private e-mail of your network users just because you can? Is it OK to read employees' e-mail as a security measure to ensure that sensitive company information isn't being disclosed? Is it OK to read employees' e-mail to ensure that company rules (for instance, against personal use of the e-mail system) aren't being violated? If you do read employees' e-mail, should you disclose that policy to them? Before or after the fact?

Is it OK to monitor the Web sites visited by your network users? Should you routinely keep logs of visited sites? Is it negligent to not monitor such Internet usage, to prevent the possibility of pornography in the workplace that could create a hostile work environment?

Is it OK to place key loggers on machines on the network to capture everything the user types? What about screen capture programs so you can see everything that's displayed? Should users be informed that they're being watched in this way?

Remember that we're not talking about legal questions here. A company may very well have the legal right to monitor everything an employee does with its computer equipment. We're talking about the ethical aspects of having the ability to do so.

As a network administrator or security professional, you have rights and privileges that allow you to access most of the data on the systems on your network.

You may even be able to access encrypted data if you have access to the recovery agent account. What you do with those abilities depends in part on your particular job duties (for example, if monitoring employee mail is a part of your official job description) and in part on your personal ethical beliefs about these issues.

The slippery slope

A common concept in any ethics discussion is the "slippery slope." This pertains to the ease with which a person can go from doing something that doesn't really seem unethical, such as scanning employees' e-mail "just for fun," to doing things that are increasingly unethical, such as making little changes in their mail messages or diverting messages to the wrong recipient.

In looking at the list of privacy issues above, it's easy to justify each of the actions described. But it's also easy to see how each of those actions could "morph" into much less justifiable actions. For example, the information you gained from reading someone's e-mail could be used to embarrass that person, to gain a political advantage within the company, to get him/her disciplined or fired, or even for blackmail.

The slippery slope concept can also go beyond using your IT skills. If it's OK to read other employees' e-mail, is it also OK to go through their desk drawers when they aren't there? To open their briefcases or purses?

Real world ethical dilemmas

What if your perusal of random documents reveals company trade secrets? What if you later leave the company and go to work for a competitor? Is it wrong to use that knowledge in your new job? Would it be "more wrong" if you printed out those documents and took them with you, than if you just relied on your memory?

What if the documents you read showed that the company was violating government regulations or laws? Do you have a moral obligation to turn them in, or are you ethically bound to respect your employer's privacy? Would it make a difference if you signed a nondisclosure agreement when you accepted the job?

IT and security consultants who do work for multiple companies have even more ethical issues to deal with. If you learn things about one of your clients that might affect your other client(s), where does your loyalty lie?

Then there are money issues. The proliferation of network attacks, hacks, viruses and other threats to their IT infrastructures have caused many companies to "be afraid, be very afraid." As a security consultant, it may be very easy to play on that fear to convince companies to spend far more money than they really need to. Is it wrong for you to charge hundreds or even thousands of dollars per hour for your services, or is it a case of "whatever the market will bear?"

Is it wrong for you to mark up the equipment and software that you get for the customer when you pass the cost through? What about kickbacks from equipment manufacturers? Is it wrong to accept "commissions" from them for persuading your clients to go with their products? Or what if the connection is more subtle? Is it wrong to steer your clients toward the products of companies in which you hold stock?


Another ethical issue involves promising more than you can deliver, or manipulating data to obtain higher fees. You can install technologies and configure settings to make a client's network more secure, but you can never make it completely secure. Is it wrong to talk a client into replacing their current firewalls with those of a different manufacturer, or switching to an open source operating system (changes which, coincidentally, will result in many more billable hours for you), on the premise that this is the answer to their security problems?

Here's another scenario: What if a client asks you to save money by cutting out some of the security measures that you recommended, yet your analysis of the client's security needs shows that sensitive information will be at risk if you do so? You try to explain this to the client, but he/she is adamant. Should you go ahead and configure the network in a less secure manner? Should you "eat" the cost and install the extra security measures at no cost to the client? Should you refuse to do the job? Would it make a difference if the client's business were in a regulated industry, and implementing the lower security standards would constitute a violation of the Health Insurance Portability and Accountability Act, the Gramm-Leach-Bliley Act, Sarbanes-Oxley or other laws?

Summary

This article has raised a lot of questions, but has not attempted to provide set answers. That's because, ultimately, the answer to the question "Is it ethical?" must be answered by each individual IT professional.

Unlike older, more established professions such as medicine and law, most ethical issues that IT and security professionals confront have not been codified into law, nor is there a standard mandatory oversight body, such as the national or state medical association or bar association, that has established a detailed code of ethics.

However, the question of ethical behavior in the IT professions is beginning to be addressed. Voluntary professional associations such as the Association for Computing Machinery (ACM) have developed their own codes of ethics and professional conduct, which can serve as a guideline for individuals and other organizations.

Resources

For an excellent, detailed paper on how to use the ACM code of ethics in making decisions and discussion of many common scenarios, see http://www-cs.etsu.edu/gotterbarn/p98-anderson.pdf.

For very detailed discussions of both technological and non-technological ethical issues that face IT pros from systems admins to programmers to ISPs, see Stephen Northcutt's book IT Ethics Handbook, published by Syngress.

Debra Littlejohn Shinder, MCSE, MVP (Security) is a technology consultant, trainer and writer who has authored a number of books on computer operating systems, networking, and security. She is also a tech editor, developmental editor and contributor to more than 20 additional books. Her articles are regularly published on TechRepublic's TechProGuild Web site and Windowsecurity.com, and have appeared in print magazines such as Windows IT Pro (formerly Windows & .NET) Magazine. She has authored training material, corporate whitepapers, marketing material, and product documentation for Microsoft Corp., Hewlett-Packard, DigitalThink, GFI Software, Sunbelt Software, CNET and other technology companies. She lives and works in the Dallas-Fort Worth area and can be reached at [email protected] or at www.shinder.net.
