Ethics in CS
CS5493(7493)
Work Place Ethics Definition
• Work place ethics are the rules of personal conduct established by social traditions and the employer for the workplace environment.
Work Place Ethics
• The definition implies ethical relativism in the workplace.
– Employers can have different policies for similar situations. Example: per-diem.
Ethics in CS
• Computers are a part of our work place.
• Employers are concerned about how their employees use the computing resources.
Employee Contracts
• When a person is hired to work for an entity, a contract ensues.
• Disclosure: The employer has an ethical (and moral) obligation to inform their employees of the employer’s expectations, policies, etc.
Employee/Employer Contracts
• Detailed job description
• Acceptable usage policy
SA Ethics and Users
• The SA may have the ability to access any:
– Files
– Backups
– E-mail
– Internet usage
– Corporate secrets
Some Guidelines…
• Any information not belonging to you should be considered sensitive information.
• Accessing sensitive data requires coordinating such access with management and security personnel in accordance with documented “policy”.
The SA: A position of trust
• The SA may be subject to special security clearance:
– Polygraph tests
– Personal background checks
– Credit reports
– Drug testing
Ethics: things to consider:
• The computing system does not exist solely for the SA’s personal amusement.
• The SA is providing a service to users.
• The system users will ultimately determine an SA's future based upon their satisfaction.
• An SA must be objective in dealing with colleagues and customers.
Ethics: things to consider…
• Separate personal and professional views.
Ethics: Informed Consent
• Inform your customers of events that will impact their system usage and the availability of services.
• Customers should give consent without coercion.
Informed Consent: SLA
• SLA – service level agreement between the SA staff and the system users.
– Establishes expectations for users.
– Establishes responsibilities for the SA staff.
SLA Content
– Maintenance scheduling
– Limited liability due to down time or catastrophic events.
– Warnings for interruption of service.
– etc.
SLA
• The SA group should create an SLA so all using the computing services will know what to expect.
User Code of Conduct & Usage Policy
• All companies using computers should have a written computer system usage policy.
– Government
– Private sector (public and private companies)
– Academics
Usage Policy
• If there is no usage policy, create one.
• Employees should read and sign the policy, documenting that they understand the usage policy.
• The employer has an ethical responsibility to disclose the policy.
Usage Policy
• Do not use agency resources for personal use:
– Starting a new business
– Hosting a web site
– Downloading copyrighted materials
– Downloading illegal materials
– Pirating software
– There may be legitimate exceptions.
Privileged Access Conduct
• Privileged usage requires responsibility.
• Privileged usage is solely for necessary work-related uses.
• Procedures should be developed to minimize errors. (Example: backups of critical data should be made before system changes are implemented.)
• Procedure for addressing accidental access to information not otherwise available.
• Warnings explaining what to expect when policies are violated.
Privileged Access Conduct
• All policies should be in writing and made available to privileged users.
• Privileged users should sign the document to acknowledge they understand their responsibilities.
Privileged Access Conduct
• A list of privileged users should be kept up to date.
• When someone is terminated or leaves voluntarily, appropriate measures must be taken:
– Change passwords
– Close accounts
– Notify vendors, clients, etc.
– Exit interview
Privileged Access Conduct
• Passwords to privileged accounts should be changed regularly, at least twice a year.
• Privileged users may have their access restricted on a regular basis for auditing purposes.
Copyright Adherence
• Organizations should have policies stating that their members abide by copyright laws.
• Software piracy is pervasive and is considered stealing.
• Companies are concerned about the liability of using pirated software.
Examples
• Individually licensed PC software packages should be purchased for individual PCs
• A single-user installation disk should not be used on multiple machines.
• Manuals and media for software for a single machine should be stored in the room where the machine is located.
Piracy
• Software piracy is not an acceptable cost cutting measure.
• Companies faced with copyright litigation will attempt to implicate whoever let the violation happen and pass the damages on to those responsible.
Make Compliance Easy
• Use Open Source software when practical.
• When open source is not available, buy additional licenses at a bulk rate.
Working With Law Enforcement
• Organizations should have a policy outlining how to work with law enforcement agencies.
• Verify the identities of LEA people requesting information.
• Beware of Social Engineering!
Social Engineering
• In the context of security:
– Deceitfully manipulating people into performing actions or divulging information.
Privacy Expectations
• Many organizations consider the computer and all related data and resources to be the property of the organization.
• Your files and e-mail may be owned by your employer.
• In the financial community, e-mail, phone usage, and internet usage are monitored. (Informed consent.)
Privacy Expectations
• Privacy laws may be different in another country where you are doing business.
• A policy on privacy and monitoring should be in writing and provided to all employees (disclosure). The computer usage agreement or employee contract are appropriate places to state privacy expectations.
• E-mail has a life of its own. It is difficult to permanently dispose of e-mail.
– Not always private.
– Not always secure.
– Treat as public information.
• There are special security software packages for managing e-mail.
Unethical/Illegal Requests
• Document any and all requests made by colleagues to do any illegal or unethical activity.
• Resist.
• Coercion may be used. Check the employee guidelines for what to do.
• If the request seems dubious, verify by checking company policies and laws.
Unethical/Illegal Requests
• If given a dubious request, ask for it in writing. If the requester refuses to put it in writing, refuse to carry it out.
• Be careful about making accusations without evidence.
Unethical/Illegal Requests
• Asking someone to collude is selfish, destructive, and unethical.
Firing an SA
• Follow your corporate HR policy.
• Determine how to remove computer system access.
• Remove physical and remote access.
• Remove service access.
• Inform vendors who had contact with the SA.
Follow Corporate HR Policy
• There are legal issues around employee termination.
• Large companies have well defined ways of terminating employees.
• Large companies restructure about once every 3 years. This provides an opportunity to terminate employees more easily.
Remove System Access
• Close and backup personal accounts.
• Change all privileged account passwords.
• Idle accounts may become a backdoor for access.
Remove Physical Access
• Access to the work facility must be removed.
• Keys and keycards must be collected.
• Some locks may need to be changed.
• Collect any equipment the SA may have possession of at work or at home.
Remove Physical Access
• An employee may be called and asked not to come into work.
• The HR department may schedule a meeting complete with security personnel that will escort the terminated employee out of the building.
Remove Remote Access
• A standard remote access method should be implemented to ease control of remote access.
• Collect or disable SecurID cards.
• Idle accounts the SA never closed can be a backdoor for access.
Remove Service Access
• Will e-mail be forwarded?
• Can the employee be removed from all mail lists?
• Contact management at vendors, suppliers, and clients.
• Agency e-mail lists should deliver to agency addresses only.
Procedures
• Create a check list of items to be completed when an SA leaves.
• Design an environment with a limited number of access databases.
• A single authentication database is best.
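The "Privileged Access Conduct" slides (keep the privileged-user list current, rotate privileged passwords at least twice a year, close accounts on departure) and the "Remove System Access" / "Procedures" slides (idle accounts as a backdoor, a departure checklist) describe an audit an SA can actually script. The following is an added example, not code from the lecture: it derives the privileged-user list from uid 0, membership in privileged groups and sudoers, then reports the drift a checklist should catch, and generates data-derived checklist items for one departing user. The /etc/passwd, /etc/group, sudoers, /etc/shadow and lastlog-style data, the user names and the approved list are all constructed; the 90-day idle threshold and the choice of `wheel`, `sudo` and `adm` as privileged groups are assumptions, and `usermod`, `chage` and `gpasswd` are the standard Linux account tools.

```python
"""Privileged-access audit over constructed account data (added example, not
from the lecture). Derives the privileged-user list from uid 0, privileged
groups and sudoers, then flags what an SA checklist should catch: unapproved
privileged users, approved users who no longer exist, idle accounts that could
become a backdoor, and privileged passwords older than the rotation window."""
from datetime import date, timedelta

ROTATION_DAYS = 182        # "at least twice a year"
IDLE_DAYS = 90             # assumption: no login for 90 days counts as idle
PRIV_GROUPS = {"wheel", "sudo", "adm"}
TODAY = date(2024, 6, 1)   # fixed so the results are reproducible

def epoch_days(d):         # unit /etc/shadow uses for the last-changed field
    return (d - date(1970, 1, 1)).days

# Constructed /etc/passwd, /etc/group, sudoers and /etc/shadow fragments.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
alice:x:1001:1001:Alice:/home/alice:/bin/bash
bob:x:1002:1002:Bob:/home/bob:/bin/bash
carol:x:1003:1003:Carol:/home/carol:/bin/bash
dave:x:1004:1004:Dave (left 2023):/home/dave:/bin/bash
"""
GROUP = """\
wheel:x:10:alice,dave
sudo:x:27:bob
users:x:100:alice,bob,carol,dave
"""
SUDOERS = """\
root ALL=(ALL) ALL
%wheel ALL=(ALL) ALL
carol ALL=(ALL) NOPASSWD: /usr/bin/systemctl
"""
SHADOW = "".join(f"{u}:$6$x:{epoch_days(TODAY - timedelta(days=age))}:0:99999:7:::\n"
                 for u, age in [("root", 400), ("alice", 30), ("bob", 200),
                                ("carol", 10), ("dave", 500)])
# Constructed lastlog-style data: most recent login per user.
LAST_LOGIN = {"root": TODAY - timedelta(days=1), "alice": TODAY - timedelta(days=2),
              "bob": TODAY - timedelta(days=5), "carol": TODAY - timedelta(days=120),
              "dave": TODAY - timedelta(days=300)}
# What management believes is current: erin already left, dave was never removed.
APPROVED_PRIVILEGED = {"root", "alice", "bob", "erin"}

def parse_passwd(text):
    return {l.split(":")[0]: int(l.split(":")[2]) for l in text.splitlines() if l}

def parse_group(text):
    groups = {}
    for line in filter(None, text.splitlines()):
        name, _, _, members = line.split(":")
        groups[name] = set(filter(None, members.split(",")))
    return groups

def parse_sudoers(text, groups):
    """Users granted anything via sudoers, expanding %group specs."""
    users = set()
    for fields in (l.split() for l in text.splitlines()):
        if not fields or fields[0][0] == "#" or fields[0] == "Defaults":
            continue
        users |= groups.get(fields[0][1:], set()) if fields[0][0] == "%" else {fields[0]}
    return users

def password_ages(text):
    """Password age in days per user, from shadow field 3 (last change)."""
    return {f[0]: epoch_days(TODAY) - int(f[2])
            for f in (l.split(":") for l in text.splitlines() if l)}

def privileged_users(passwd, groups, sudo_users):
    priv = {u for u, uid in passwd.items() if uid == 0}
    for g in PRIV_GROUPS:
        priv |= groups.get(g, set())
    return priv | sudo_users

def audit():
    passwd, groups = parse_passwd(PASSWD), parse_group(GROUP)
    priv = privileged_users(passwd, groups, parse_sudoers(SUDOERS, groups))
    ages = password_ages(SHADOW)
    return {
        "privileged": sorted(priv),
        "unapproved": sorted(priv - APPROVED_PRIVILEGED),
        "approved_but_missing": sorted(APPROVED_PRIVILEGED - set(passwd)),
        "idle": sorted(u for u in passwd if u not in LAST_LOGIN
                       or (TODAY - LAST_LOGIN[u]).days > IDLE_DAYS),
        "stale_privileged_passwords": sorted(
            u for u in priv if ages.get(u, 10 ** 6) > ROTATION_DAYS),
    }

def offboarding_items(user, groups, sudoers_text):
    """Data-derived checklist lines for removing `user`'s system access."""
    items = [f"lock and expire the account: usermod -L {user}; chage -E 0 {user}",
             f"archive, then remove, the home directory: tar czf /archive/{user}.tgz /home/{user}"]
    items += [f"remove from privileged group {g}: gpasswd -d {user} {g}"
              for g, members in groups.items() if g in PRIV_GROUPS and user in members]
    items += [f"delete sudoers entry: {line.strip()}"
              for line in sudoers_text.splitlines() if line.split()[:1] == [user]]
    return items + ["change every shared privileged password the user knew"]

if __name__ == "__main__":
    for key, value in audit().items():
        print(f"{key}: {value}")
    print("\n".join(offboarding_items("dave", parse_group(GROUP), SUDOERS)))
```

On the constructed data the audit surfaces exactly the situations the slides warn about: dave left in 2023 but is still in `wheel` (so he is privileged through both the group and the `%wheel` sudoers line), idle, and holding a password last changed 500 days ago; carol holds a NOPASSWD sudo grant nobody approved; erin is on the approved list but has no account. Against a real host the same logic reads `/etc/passwd`, `/etc/group`, `/etc/shadow`, `/etc/sudoers` (plus `/etc/sudoers.d/`) and `lastlog` output, and the approved list comes from the HR-maintained privileged-user register, which is why that register has to be kept current.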