IT Professionalism Ethics Modified by Andrew Poon

Ethics, What is it? Generally (commonly) accepted principles & practices Generally (commonly) accepted principles & practices Different among races, sexes, generations, and professions Different among races, sexes, generations, and professions The boring, but essential stuff that we take for granted The boring, but essential stuff that we take for granted

Why do we need ethics? Defines issues that are not covered by Law Defines issues that are not covered by Law Ethics is the common value shared between top management, middle managers, and line employees Ethics is the common value shared between top management, middle managers, and line employees These standards become the ethical behavior of the organization These standards become the ethical behavior of the organization Breach of company code of ethics could be serious threat to network security Breach of company code of ethics could be serious threat to network security

Roles of different level of employee in Ethical behavior Top management Top management Define corporate level of ethical practice Define corporate level of ethical practice Give guidance and clarification to ethical issues Give guidance and clarification to ethical issues Support the subscription of high ethical standards Support the subscription of high ethical standards Carry out disciplinary actions when necessary Carry out disciplinary actions when necessary Act as role model for staffs Act as role model for staffs

Role of different level of employee in Ethical behavior Middle managers: Middle managers: Enforce ethical standards with reference to top management ’ s clarification Enforce ethical standards with reference to top management ’ s clarification Provide training on ethical standards or code of practice to line staff Provide training on ethical standards or code of practice to line staff Design and implement re-training program Design and implement re-training program

Roles of different level of employee in Ethical behavior Line staff Line staff Follow strict code of ethics imposed by middle and top management Follow strict code of ethics imposed by middle and top management Report to chain of command or Compliance Officer in the organization Report to chain of command or Compliance Officer in the organization Report to law enforcement if necessary Report to law enforcement if necessary Clarify with management on interpretation of ethical standards whenever necessary Clarify with management on interpretation of ethical standards whenever necessary

Ethical standards: Corporate Vs. Personal Corporate concerns: Corporate concerns: The use of corporate resources must be monitored and controlled The use of corporate resources must be monitored and controlled Internet or access are corporate resources and should be monitored Internet or access are corporate resources and should be monitored Strict guidance and dealings with customers and suppliers must be observed (conflict of interest) Strict guidance and dealings with customers and suppliers must be observed (conflict of interest) Disclosure of sensitive information Disclosure of sensitive information Confidentiality Confidentiality

Ethical standards: Corporate Vs. Personal Personal interest: Personal interest: Invasion of privacy Invasion of privacy Conflict between moral standards and ethical standards Conflict between moral standards and ethical standards Ownership of personal materials Ownership of personal materials Installation and use of software by employees for personal convenience Installation and use of software by employees for personal convenience

Ethics standards: Corporate Vs. Personal In summary … In summary … The corporate ethical standards should not interfere with personal affairs beyond the point to protect the company ’ s integrity The corporate ethical standards should not interfere with personal affairs beyond the point to protect the company ’ s integrity

Ethics and the Internet RFC 1087 by Internet Activities Board RFC 1087 by Internet Activities Board “… Abuse of the system thus becomes a Federal matter above and beyond simple professional ethics. ” “… Abuse of the system thus becomes a Federal matter above and beyond simple professional ethics. ” People from all walks of life depend greater and greater on availability of and resources from the internet People from all walks of life depend greater and greater on availability of and resources from the internet

Ethics and the Internet Seeks to gain unauthoized access to the resources of the Internet Seeks to gain unauthoized access to the resources of the Internet Disrupts and intended use of the Internet Disrupts and intended use of the Internet Wastes resources (people, capacity, computer) through such actions Wastes resources (people, capacity, computer) through such actions Destroys the integrity of computer-based information, and/or Destroys the integrity of computer-based information, and/or Compromises the privacy of users Compromises the privacy of users

Qualities of a Professional Takes pride in their work Takes pride in their work Reaches out for responsibility Reaches out for responsibility Eager to learn Eager to learn Team player Team player Listens Listens Can be trusted Can be trusted Exercise ethical judgment rather than ethical behavior Exercise ethical judgment rather than ethical behavior Different ethical behavior among industries Different ethical behavior among industries

Ethical standards of an Information Security Professional High ethical standards help formulate trusted relationship High ethical standards help formulate trusted relationship The management, peers, or clients The management, peers, or clients Protect company ’ s or client ’ s interest as primary responsibility Protect company ’ s or client ’ s interest as primary responsibility Computer security officers should not disclose sensitive information to non-relevant colleagues Computer security officers should not disclose sensitive information to non-relevant colleagues Details of client ’ s security plans should “ NEVER ” be disclosed Details of client ’ s security plans should “ NEVER ” be disclosed

Ethical standards of an Information Security Professional Consultants should get written permission from clients before quoting customers as reference Consultants should get written permission from clients before quoting customers as reference Segregation of duties should be carefully defined and enforced Segregation of duties should be carefully defined and enforced Computer security officers should enforce security measures according to corporate security policy Computer security officers should enforce security measures according to corporate security policy Should be unbiased and avoid conflict of interests Should be unbiased and avoid conflict of interests

Ethical standards of an Information Security Professional Report suspicious incidents to Compliance Officer or OIC according to employee handbook Report suspicious incidents to Compliance Officer or OIC according to employee handbook Should never assist clients in illegal acts Should never assist clients in illegal acts Stand out for unfair and unethical practice Stand out for unfair and unethical practice

(ISC)2 Code of Ethics Protect society, the commonwealth, and the infrastructure Protect society, the commonwealth, and the infrastructure Act honorably, honestly, justly, responsibility, and legally Act honorably, honestly, justly, responsibility, and legally Provide diligent and competent service to principals Provide diligent and competent service to principals Advance and protect the profession Advance and protect the profession Give guidance in resolving Good Vs. Bad dilemmas Give guidance in resolving Good Vs. Bad dilemmas