Physicians, attorneys and other professionals whose job duties affect others' lives usually receive, as part of their formal training, courses that address ethical issues common to their professions. IT security personnel often have access to confidential data and knowledge about individuals' and companies' networks and systems that give them a great deal of power. That power can be abused, either deliberately or inadvertently. But there are no standardized training requirements for hanging out your shingle as an IT security consultant or in-house security specialist. Associations and organizations for IT pros are beginning to address the ethical side of the job, but again, there is no requirement for IT security personnel to belong to those organizations.

Why are ethical guidelines needed?

The education and training of IT professionals, including security specialists, usually focuses on technical knowledge and skills. You learn how to perform tasks, but with little consideration of how those abilities can be misused. In fact, many IT professionals approach their work with a hacker's perspective: whatever you can do, you're entitled to do. (Note: In this article, we're using the word hacker in the current common meaning, pertaining to "black hat" hackers who use their skills to break into systems and access data and programs without the permission of the owners. We're well aware that the term originally referred to anyone with advanced programming skills, and that there are "white hat hackers" who use their skills to help companies and individuals protect against the black hats.)

In fact, many IT pros don't even realize that their jobs involve ethical issues. Yet we make decisions on a daily basis that raise ethical questions.

What are the ethical issues?

Many of the ethical issues that face IT professionals involve privacy. For example:

Should you read the private e-mail of your network users just because you can? Is it OK to read employees' e-mail as a security measure to ensure that sensitive company information isn't being disclosed? Is it OK to read employees' e-mail to ensure that company rules (for instance, against personal use of the e-mail system) aren't being violated? If you do read employees' e-mail, should you disclose that policy to them? Before or after the fact? Is it OK to monitor the Web sites visited by your network users? Should you routinely keep logs of visited sites? Is it negligent to not monitor such Internet usage, to prevent the possibility of pornography in the workplace that could create a hostile work environment? Is it OK to place key loggers on machines on the network to capture everything the user types? What about screen capture programs so you can see everything that's displayed? Should users be informed that they're being watched in this way?

Remember that we're not talking about legal questions here. A company may very well have the legal right to monitor everything an employee does with its computer equipment. We're talking about the ethical aspects of having the ability to do so.

As a network administrator or security professional, you have rights and privileges that allow you to access most of the data on the systems on your network. You may even be able to access encrypted data if you have access to the recovery agent account. What you do with those abilities depends in part on your particular job duties (for example, if monitoring employee mail is a part of your official job description) and in part on your personal ethical beliefs about these issues.

The slippery slope

A common concept in any ethics discussion is the "slippery slope." This pertains to the ease with which a person can go from doing something that doesn't really seem unethical, such as scanning employees' e-mail "just for fun," to doing things that are increasingly unethical, such as making little changes in their mail messages or diverting messages to the wrong recipient.

In looking at the list of privacy issues above, it's easy to justify each of the actions described. But it's also easy to see how each of those actions could "morph" into much less justifiable actions. For example, the information you gained from reading someone's e-mail could be used to embarrass that person, to gain a political advantage within the company, to get him/her disciplined or fired, or even for blackmail.

The slippery slope concept can also go beyond using your IT skills. If it's OK to read other employees' e-mail, is it also OK to go through their desk drawers when they aren't there? To open their briefcases or purses?

Real world ethical dilemmas

What if your perusal of random documents reveals company trade secrets? What if you later leave the company and go to work for a competitor? Is it wrong to use that knowledge in your new job? Would it be "more wrong" if you printed out those documents and took them with you, than if you just relied on your memory? What if the documents you read showed that the company was violating government regulations or laws? Do you have a moral obligation to turn them in, or are you ethically bound to respect your employer's privacy? Would it make a difference if you signed a nondisclosure agreement when you accepted the job?

IT and security consultants who do work for multiple companies have even more ethical issues to deal with. If you learn things about one of your clients that might affect your other client(s), where does your loyalty lie?

Then there are money issues. The proliferation of network attacks, hacks, viruses and other threats to their IT infrastructures has caused many companies to "be afraid, be very afraid." As a security consultant, it may be very easy to play on that fear to convince companies to spend far more money than they really need to. Is it wrong for you to charge hundreds or even thousands of dollars per hour for your services, or is it a case of "whatever the market will bear?" Is it wrong for you to mark up the equipment and software that you get for the customer when you pass the cost through? What about kickbacks from equipment manufacturers? Is it wrong to accept "commissions" from them for persuading your clients to go with their products? Or what if the connection is more subtle? Is it wrong to steer your clients toward the products of companies in which you hold stock?

Another ethical issue involves promising more than you can deliver, or manipulating data to obtain higher fees. You can install technologies and configure settings to make a client's network more secure, but you can never make it completely secure. Is it wrong to talk a client into replacing their current firewalls with those of a different manufacturer, or switching to an open source operating system – which changes, coincidentally, will result in many more billable hours for you – on the premise that this is the answer to their security problems?

Here's another scenario: What if a client asks you to save money by cutting out some of the security measures that you recommended, yet your analysis of the client's security needs shows that sensitive information will be at risk if you do so? You try to explain this to the client, but he/she is adamant. Should you go ahead and configure the network in a less secure manner? Should you "eat" the cost and install the extra security measures at no cost to the client? Should you refuse to do the job? Would it make a difference if the client's business were in a regulated industry, and implementing the lower security standards would constitute a violation of the Health Insurance Portability and Accountability Act, the Gramm-Leach-Bliley Act, Sarbanes-Oxley or other laws?

Summary

This article has raised a lot of questions, but has not attempted to provide set answers. That's because, ultimately, the answer to the question "Is it ethical?" must be answered by each individual IT professional. Unlike older, more established professions such as medicine and law, most ethical issues that IT and security professionals confront have not been codified into law, nor is there a standard mandatory oversight body, such as the national or state medical association or bar association, that has established a detailed code of ethics. However, the question of ethical behavior in the IT professions is beginning to be addressed. Voluntary professional associations such as the Association for Computing Machinery (ACM) have developed their own codes of ethics and professional conduct, which can serve as a guideline for individuals and other organizations.

Resources

For an excellent, detailed paper on how to use the ACM code of ethics in making decisions and discussion of many common scenarios, see http://www-cs.etsu.edu/gotterbarn/p98-anderson.pdf. For very detailed discussions of both technological and non-technological ethical issues that face IT pros from systems admins to programmers to ISPs, see Stephen Northcutt's book IT Ethics Handbook, published by Syngress.

Debra Littlejohn Shinder, MCSE, MVP (Security) is a technology consultant, trainer and writer who has authored a number of books on computer operating systems, networking, and security. She is also a tech editor, developmental editor and contributor to more than 20 additional books. Her articles are regularly published on TechRepublic's TechProGuild Web site and Windowsecurity.com, and have appeared in print magazines such as Windows IT Pro (formerly Windows & .NET) Magazine. She has authored training material, corporate whitepapers, marketing material, and product documentation for Microsoft Corp., Hewlett-Packard, DigitalThink, GFI Software, Sunbelt Software, CNET and other technology companies. She lives and works in the Dallas-Fort Worth area and can be reached at deb@shinder.net or at www.shinder.net.