
Ethics
Ethics are the rules of personal behavior and conduct established by a social group for those existing within the established framework of the social group.

SA Ethics
The SA may have access to all:
– Files
– Backups
–
– Internet usage
– Corporate secrets
– Private employee information

SA is in a position of trust
The SA may be subject to:
– Polygraph tests
– Personal background checks
– Credit reports
– Drug testing

Computer Resource Usage
Employers are concerned about how computing resources are used.
Do employers have a right to monitor usage of computing resources by their employees?
Employers have an ethical responsibility to notify employees of system monitoring.

User Code of Conduct
All companies using computers should have a written code of conduct for general users and privileged users.
– Government
– Private sector
– Academics
– Home?

Computer Usage Policy
If there is no written usage policy at your workplace, make an effort to create one.
All employees should sign a usage policy.
The policy should be signed and kept on file, with a copy kept for the employee.
Read the course syllabus for CS3353.

Usage Policy
Do not use agency resources for personal use:
– Starting a new business
– Hosting a personal web site
– Downloading copyrighted materials
– Downloading illegal materials
– Pirating software
– There may be legitimate exceptions.

SA Ethics
Treat all files not belonging to you as sensitive.
Computing systems do not exist for the amusement of the SA. (SA Mantra)
Accessing sensitive files should always be on a need-to-know basis only. This will require coordinating such access with management and security personnel.
This applies to .

Ethics
The computing system does not exist solely for the SA’s personal amusement.
The SA is providing a service to users.
The system users will ultimately determine an SA’s future based upon satisfaction.
An SA must be objective in dealing with colleagues and customers.

Ethics
Separate personal and professional views.

Ethics: Informed Consent
Informing your customers of events that will impact their system usage.

Informed Consent: SLA
An SLA (service level agreement) informs customers of:
– Maintenance scheduling
– Limited liability due to downtime or catastrophic events
– Warnings for interruption of service

SAGE Code of Ethics
Integrity of SA is beyond reproach.
No infringement on the rights of users.
High standard of professional conduct.
Continuing education.
Exemplary work ethic.
Professionalism in the performance of their duties.

Privileged Access Conduct
Privileged usage requires responsibility.
Privileged usage is solely for necessary work-related uses.
Procedures should be developed to minimize errors. (Example: backups of critical data should be made before system changes are implemented.)
Procedure for addressing accidental access to information not otherwise available.
Warnings explaining what to expect when policies are violated.

Privileged Access Conduct
All policies should be in writing and made available to privileged users.
Privileged users should sign the document to acknowledge they understand their responsibilities.

Privileged Access Conduct
A list of privileged users should be kept up to date.
When someone is terminated or leaves voluntarily, appropriate measures must be taken:
– Change passwords
– Close accounts
– Exit interview

Privileged Access Conduct
Passwords to privileged accounts should be changed regularly, at least twice a year.
Privileged users may have their access restricted on a regular basis for auditing purposes.

Copyright Adherence
Organizations should have policies stating that their members abide by copyright laws.
Software piracy is pervasive and is actually stealing.
Companies are concerned about the liability of using pirated software.

Examples
Individually licensed PC software packages should be purchased for individual PCs.
A single-user installation disk should not be used on multiple machines.
Manuals and media for software for a single machine should be stored in the room where the machine is located.

Piracy
Software piracy is not an acceptable cost-cutting measure.
Companies faced with copyright litigation will attempt to implicate whoever let the violation happen and relay damages to those responsible.

Make Compliance Easy
Use open source software when practical.
When open source is not available, buy additional licenses at a bulk rate.

Working With Law Enforcement
Organizations should have a policy outlining how to work with law enforcement agencies.
Verify the identities of LEA people requesting information.
Beware of Social Engineering!

Social Engineering
Start with a small piece of information.
Contact employees within a company claiming to be an LEA official, new employee, executive, etc.
Leverage a piece of information into more useful information.
Repeat until sufficient information is gathered to wreak havoc.

Privacy Expectations
Many organizations consider the computer and all related data and resources to be property of the organization.
Your files and may be owned by your employer.
In the financial community, is monitored. (Informed Consent)
Internet usage may be monitored.

Privacy Expectations
Privacy laws may be different in another country where you are doing business.
A policy on privacy and monitoring should be in writing and provided to all employees.

has a life of its own. It is difficult to permanently dispose of . Not private. Not secure. Should be treated as public information. There are special security software packages for managing .

Unethical/Illegal Requests
Document any and all requests made by colleagues to do any illegal or unethical activity.
Resist. Coercion may be used.
Check the employee’s guidelines for what to do.
If the request seems dubious, verify by checking company policies and laws.

Unethical/Illegal Requests
If given a dubious request, ask for the request in writing.
If your request is denied, refuse to do the request.
Be careful about making accusations without evidence.