Laws, Investigations & Ethical Issues in Security (CIM3562)
Chapter 6
Ethics & Computer Security

Ethics Overview
- Ethics is about how we ought to live.
- The purpose of ethics in information security is not just philosophically important; it can mean the survival of a business or an industry.
- Ethics is doing the right thing, even when no one is looking.

Ethical Challenges in Information Security
- Misrepresentation of certifications, skills
- Abuse of privileges
- Inappropriate monitoring
- Withholding information
- Divulging information inappropriately
- Overstating issues
- Conflicts of interest
- Management / employee / client issues

The Need for a Code of Ethics for Information Security Professionals
Many of the international professional bodies such as GIAC, EC Council and ISC2 use a code of ethics to provide a benchmark to their professional members for self evaluation and also to establish a framework for professionals' behavior and responsibilities.

Objective for the Code of Ethics (道德守則) for Information Security Professionals
- To guide information security professionals on how to align behavior, action and decision with the highest standards of professionalism.
- To provide a benchmark for information security professionals to use for self evaluation.
- To minimize problems with ethical behavior and encourage responsible behavior.
- To help professionals identify and resolve the inevitable ethical dilemmas that they will confront during the course of their information security career.

Information Security Professionals
Based on the Institute of Information Security Professionals (IISP), information security professionals are distinguished by certain characteristics as follows:
- Mastery of a particular information security skill, acquired by professional training, education, certification, experience or a combination of them;
- Adherence by its members to a common set of values; and
- Acceptance of a duty to society as a whole.

Core Ethic Values (核心倫理價值)
- Integrity
- Objectivity
- Professional Competence & Due Care

Core Values - Integrity
- Perform duties in accordance with existing laws and exercising the highest moral principles
- Refrain from activities that would constitute a conflict of interest
- Act in the best interests of stakeholders consistent with public interest
- Act honorably, justly, responsibly, and legally in every aspect of your profession

Core Values - Objectivity
- Perform all duties in a fair manner and without prejudice
- Exercise independent professional judgment, in order to provide unbiased analysis and advice
- When an opinion is provided, note it as opinion rather than fact

Core Values – Professional Competence and Due Care
- Perform services diligently and professionally
- Act with diligence and promptness in rendering service
- Render only those services for which you are fully competent and qualified
- Ensure that work performed meets the highest professional standards. Where constraints exist, ensure that your work is both correct and complete within those limits. If, in your professional judgment, resources are inadequate to achieve an acceptable outcome, so inform clients and principals
- Be supportive of colleagues and encourage their professional development
- Recognize and acknowledge the contributions of others, and respect the decisions of principals and co-workers
- Keep stakeholders informed regarding the progress of your work
- Refrain from conduct which would damage the reputation of the profession, or the practices of colleagues, clients and employers
- Report ethical violations to the appropriate governing body in a timely manner

Guiding Principles
- Act at all times in accordance with existing laws and association values, exercising the highest moral principles
- Protect and maintain an appropriate level of confidentiality, integrity and availability of sensitive information in any course of professional activities
- Conduct the service with fairness, courtesy and good faith towards clients, colleagues and others; give credit where it is due; and accept, as well as give, honest and fair professional comments
- Do not engage in any crime or improper practices
- Perform all professional activities and duties in accordance with the highest ethical principles
- Avoid professional association with those whose practices or reputation might diminish the profession
- Provide service with competence, honesty and forthrightness about limitations, experience and education

Ten Commandments of Ethics in Information Security
1. Thou shalt not use a computer to harm other people.
2. Thou shalt not interfere with other people's computer work.
3. Thou shalt not snoop around in other people's computer files.
4. Thou shalt not use a computer to steal.
5. Thou shalt not use a computer to bear false witness.
6. Thou shalt not copy or use proprietary software for which you have not paid.
7. Thou shalt not use other people's computer resources without authorization or proper compensation.
8. Thou shalt not appropriate other people's intellectual output.
9. Thou shalt think about the social consequences of the program you are writing or the system you are designing.
10. Thou shalt always use a computer in ways that insure consideration and respect for your fellow humans.
- Courtesy of the Computer Ethics Institute, a project of the Brookings Institution

Ethical Principles – Examples
Canada's Association of Information Technology (IT) Professionals (CIPS)
The following five ethical principles are derived from the CIPS Code of Ethics and Professional Code of Conduct.
1. Protecting the Public Interest and Maintaining Integrity
2. Demonstrating Competent and Quality of Service
3. Maintaining Confidential Information and Privacy
4. Avoiding Conflict of Interest
5. Upholding Responsibility to the IT Profession

Corporate Ethics Policy
An ethics policy is a document that defines the essentials of how people within an organization will interact with one another, as well as how they will interact with any customers or clients they serve. A corporate ethics policy will also often address how employees are to interact with vendors and others who supply goods and services to the company.

A business ethics policy, also commonly called the corporate ethics policy, is the company's statement, or guidelines, on the expected behavior of the employees and the company itself while dealing with others.

Corporate Ethics
Corporate ethics are a set of beliefs to which a company adheres that govern its behavior in the ways it conducts business. Some corporations have well-defined ethical parameters and others don't, or they sacrifice ethical behavior to profit and determine that gaining profit and power are the most desired motives. When discovered in this type of activity, there is often a strong backlash that results in losing profits. The ways companies conduct business are multiple and complex, and corporate ethics may operate on numerous levels.

Ethical considerations can determine how a corporation competes at the business level with other corporations. Are they aggressive, and prone to change their minds or drop allegiances with other companies for their own benefit, or does the corporation cheerfully compete with and support the efforts of its competitors? Another way corporate ethics get expressed is through the care a corporation takes in interacting with customers or people on other levels.

Decisions about how customers are treated are important, but decisions on what type of responsibility the corporation plays in protecting the environments of people are valuable too. A company that routinely releases chemicals into the environment can have great customer service, but its actions suggest the bottom line is not protecting the people that it serves. Many corporations now take great pains to promote sustainability, and these efforts are well received by customers and neighbors.

Ethics are not easy, and might be considered as a series of judgment calls. A corporation must engage ethically with multiple parts of itself, other competitors, and the public, deciding what to do when ethical responsibilities conflict. Following corporate ethics in one way might prevent satisfying some other part of the corporation: for example, laying off employees to satisfy shareholders or using more polluting chemicals to save on costs to save employee jobs. Such decisions are difficult to make. Nevertheless, corporations that take a strong stance on ethical operation must try to negotiate each judgment call, while remaining true to their ethical code.

When a company does not have a code of corporate ethics, its behavior tells others what the corporation considers ethical. Constantly negative and only profit-induced decisions can be greatly disparaged by the public. Additionally, employees come to work with moral codes of their own, and might find it challenging to adopt a conflicting code at work. It is true that many people sacrifice personal ethics in order to work or fail to see the obvious discrepancies between personal and business ethics.