1 Laws, Investigations & Ethical Issues in Security (CIM3562) Chapter 6 Ethics & Computer Security

Upload: annice-whitehead

Post on 29-Dec-2015


Laws, Investigations & Ethical Issues in Security (CIM3562)

Chapter 6

Ethics & Computer Security

Ethics Overview

Ethics is about how we ought to live.

The purpose of ethics in information security is not just philosophically important; it can mean the survival of a business or an industry.

Ethics is doing the right thing, even when no one is looking.

Ethical Challenges in Information Security

Misrepresentation of certifications and skills

Abuse of privileges

Inappropriate monitoring

Withholding information

Divulging information inappropriately

Overstating issues

Conflicts of interest

Management / employee / client issues

The Need for a Code of Ethics for Information Security Professionals

Many international professional bodies, such as GIAC, EC-Council and ISC2, use a code of ethics to provide a benchmark against which their professional members can evaluate themselves, and to establish a framework for professionals' behavior and responsibilities.

Objectives of the Code of Ethics for Information Security Professionals

To guide information security professionals on how to align behavior, actions and decisions with the highest standards of professionalism.

To provide a benchmark that information security professionals can use for self-evaluation.

To minimize problems with unethical behavior and to encourage responsible behavior.

To help professionals identify and resolve the inevitable ethical dilemmas they will confront during the course of their information security career.

Information Security Professionals

According to the Institute of Information Security Professionals (IISP), information security professionals are distinguished by the following characteristics:

Mastery of a particular information security skill, acquired by professional training, education, certification, experience or a combination of these;

Adherence by its members to a common set of values; and

Acceptance of a duty to society as a whole.

Core Ethical Values

Integrity

Objectivity

Professional Competence and Due Care

Core Values - Integrity

Perform duties in accordance with existing laws and exercise the highest moral principles

Refrain from activities that would constitute a conflict of interest

Act in the best interests of stakeholders, consistent with the public interest

Act honorably, justly, responsibly, and legally in every aspect of your profession

Core Values - Objectivity

Perform all duties in a fair manner and without prejudice

Exercise independent professional judgment, in order to provide unbiased analysis and advice

When an opinion is provided, note it as opinion rather than fact

Core Values – Professional Competence and Due Care

Perform services diligently and professionally

Act with diligence and promptness in rendering service

Render only those services for which you are fully competent and qualified

Ensure that work performed meets the highest professional standards. Where constraints exist, ensure that your work is both correct and complete within those limits. If, in your professional judgment, resources are inadequate to achieve an acceptable outcome, inform clients and principals accordingly

Be supportive of colleagues and encourage their professional development. Recognize and acknowledge the contributions of others, and respect the decisions of principals and co-workers

Core Values – Professional Competence and Due Care

Keep stakeholders informed regarding the progress of your work

Refrain from conduct which would damage the reputation of the profession, or the practices of colleagues, clients and employers

Report ethical violations to the appropriate governing body in a timely manner

Guiding Principles

Act at all times in accordance with existing laws and association values, and exercise the highest moral principles

Protect and maintain an appropriate level of confidentiality, integrity and availability of sensitive information in the course of any professional activity

Conduct services with fairness, courtesy and good faith towards clients, colleagues and others; give credit where it is due; and accept, as well as give, honest and fair professional comments

Do not engage in any crime or improper practice

Perform all professional activities and duties in accordance with the highest ethical principles

Guiding Principles

Avoid professional association with those whose practices or reputation might diminish the profession

Provide service with competence, honesty and forthrightness about your limitations, experience and education

Ten Commandments of Ethics in Information Security

1. Thou shalt not use a computer to harm other people.

2. Thou shalt not interfere with other people's computer work.

3. Thou shalt not snoop around in other people's computer files.

4. Thou shalt not use a computer to steal.

5. Thou shalt not use a computer to bear false witness.

6. Thou shalt not copy or use proprietary software for which you have not paid.

7. Thou shalt not use other people's computer resources without authorization or proper compensation.

8. Thou shalt not appropriate other people's intellectual output.

9. Thou shalt think about the social consequences of the program you are writing or the system you are designing.

10. Thou shalt always use a computer in ways that insure consideration and respect for your fellow humans.

-Courtesy of the Computer Ethics Institute, A project of the Brookings Institution

Ethical Principles – Examples

Canada’s Association of Information Technology (IT) Professionals (CIPS)

The following five ethical principles are derived from the CIPS Code of Ethics and Professional Code of Conduct.

1. Protecting the Public Interest and Maintaining Integrity

2. Demonstrating Competence and Quality of Service

3. Maintaining Confidential Information and Privacy

4. Avoiding Conflict of Interest

5. Upholding Responsibility to the IT Profession

Corporate Ethics Policy

An ethics policy is a document that defines the essentials of how people within an organization will interact with one another, as well as how they will interact with any customers or clients they serve. A corporate ethics policy will also often address how employees are to interact with vendors and others who supply goods and services to the company.

A business ethics policy, also commonly called a corporate ethics policy, is the company’s statement of, or guidelines on, the behavior expected of its employees and of the company itself when dealing with others.

Corporate Ethics

Corporate ethics are a set of beliefs to which a company adheres that govern its behavior in the ways it conducts business.

Some corporations have well-defined ethical parameters and others don’t, or they sacrifice ethical behavior for profit and decide that gaining profit and power are the most desirable motives. When a corporation is discovered engaging in this type of activity, there is often a strong backlash that results in lost profits.

The ways companies conduct business are multiple and complex, and corporate ethics may operate on numerous levels.

Corporate Ethics

Ethical considerations can determine how a corporation competes with other corporations at the business level. Is it aggressive, and prone to change its mind or drop alliances with other companies for its own benefit, or does the corporation cheerfully compete with and support the efforts of its competitors?

Another way corporate ethics are expressed is through the care a corporation takes in interacting with customers or with people on other levels.

Corporate Ethics

Decisions about how customers are treated are important, but decisions on what responsibility the corporation takes for protecting the environment and the people it serves are valuable too.

A company that routinely releases chemicals into the environment can have great customer service, but its actions suggest that its bottom line is not protecting the people it serves. Many corporations now take great pains to promote sustainability, and these efforts are well received by customers and neighbors.

Corporate Ethics

Ethics are not easy, and might be considered as a series of judgment calls. A corporation must engage ethically with multiple parts of itself, other competitors, and the public, deciding what to do when ethical responsibilities conflict.

Following corporate ethics in one respect might prevent satisfying some other part of the corporation: for example, laying off employees to satisfy shareholders, or using more polluting chemicals to save on costs in order to preserve employees' jobs. Such decisions are difficult to make.

Nevertheless, corporations that take a strong stance on ethical operation must try to negotiate each judgment call while remaining true to their ethical code.

Corporate Ethics

When a company does not have a code of corporate ethics, its behavior tells others what the corporation considers ethical.

Consistently negative, purely profit-driven decisions can be greatly disparaged by the public. Additionally, employees come to work with moral codes of their own, and might find it challenging to adopt a conflicting code at work. It is true that many people sacrifice personal ethics in order to keep working, or fail to see the obvious discrepancies between personal and business ethics.