Ethics CPTE 433 John Beckett


Ethics & Morals

• Morals tell us what is right and good.

– Religious people believe morals come from God

– SAs often say something like “This is a Good Thing” – meaning they feel its “goodness” is self-evident.

• Ethics are principles of conduct that govern a group of people.

• Policies attempt to implement Ethics.

Why Not Just Morals?

• Ethics are statements to which a group of people subscribe, so that they stay on the same track of goals.

• Policies save us time re-thinking every case.

• Ethics and Policies both help us know what specific behaviors to expect of others.

Structure

[Diagram labels: Morals; Ethics; From Group Culture; From other SAs; Written Policies; System-Configured Policies; SA]

Common Ethical Error: “If the system lets me do it, it’s OK.” Ignores the fact that people are responsible for the consequences of their own actions.

Custodian

• An SA is a custodian of data and procedures, not the legitimate authority.

– “Legitimate” merely means having formal authority

• An SA’s job may involve defining procedures or taking leadership in their development and implementation.

– You may have to lead people “above” you.

– Lead gently!

• An SA’s job rarely involves changing or revealing user data.

– Either event should be carefully recorded.

SAGE Code of Ethics

1. The integrity of a system administrator must be above reproach.

2. A system administrator shall not unnecessarily infringe upon the rights of users.

3. Communications of system administrators with all whom they come in contact shall be kept to the highest standards of professional behavior.

4. The continuance of professional education is critical to maintaining currency as a system administrator.

5. A system administrator must maintain an exemplary work ethic.

6. At all times system administrators must display professionalism in the performance of their duties.

SAGE - 1

1. The integrity of a system administrator must be above reproach.

• Privileged information must be maintained in confidence.

• Difficulties users have should not be divulged in a manner degrading to those users.

• Uphold the law.

SAGE - 2

2. A system administrator shall not unnecessarily infringe upon the rights of users.

• Non-discrimination except where required by the task.

• May not use SA power to access information except as required to do the job.

• May request that someone else deal with a matter if it involves one’s own personal life.

• If you come in contact with information of personal interest, it is your job to isolate what you have learned from what you do or say.

– “I remember – I forgot that.”

SAGE - 3

3. Communications of system administrators with all whom they come in contact shall be kept to the highest standards of professional behavior.

• An important aspect of this is that we take care that we say things in an understandable manner.

• Be sensitive to the corporate culture.

• Take special care not to indicate that something is someone’s “fault” – that is a manager’s job.

– Probably will be done less than you expect.

– A better focus is on “process.”

SAGE - 4

4. The continuance of professional education is critical to maintaining currency as a system administrator.

• You need technical knowledge.

– Technical knowledge “keeps things in their place” so you don’t make non-technical decisions in ignorance.

• You also need knowledge about how other SAs have handled ethical challenges.

– Discussions should be held in confidence.

• Overall methods may have improved.

• Specific challenges may arise.

SAGE - 5

5. A system administrator must maintain an exemplary work ethic.

• SA work takes energy.

• Be resilient – able to handle whatever comes.

– “Let’s see what we can do.”

• Be aware of the effect your work has on your employer’s business.

– Learn what makes your business successful (or is perceived to).

SAGE - 6

6. At all times system administrators must display professionalism in the performance of their duties.

• Keep looking for ways to do a better job.

• Patience and care are needed in leading people.

– Yes! You are a leader. So is everyone else.

• Help your community.

Network/User Code of Conduct

• Personal use of employer equipment?

• What if company equipment is used at home?

• Look at policies of other places before developing your own.

• The policy must be understandable, yet sufficiently complete.

• Expect to see some people challenging the policies.

– That may be a call to revisit them.

What About Policy Loop-Holes?

• In time, policies are developed in the wake of specific incidents.

• Review policy to see if it can be pruned.

• When an incident occurs, see if you can handle it with current policy.

– Don’t assume that establishing a policy will prevent everything that might go wrong.

– Don’t expect a policy to cover every detail.

– Our policy was: the Golden Rule.

• Consider the Platinum Rule

– Google policy: “Don’t be evil.” What does that mean?

Privileged Access Code of Conduct

• Can’t cover everything.

• If you’re in a gray area, get counsel.

– Perhaps have someone with you.

– Ideally it will be someone with legitimate authority over the information or application.

• For example, “Do you mind if I look at your email inbox in order to help you with this problem?”

– Don’t just barge into data people consider private without their knowledge.

Copyright

• I like Borland’s “like a book” copyright statement.

– Wouldn’t it be nice if…

• You should have a statement of support for copyright law.

– Indicate specific situations that would violate.

– Clarify what is meant by “site license”.

– Designate who is the copyright custodian for your site.

Law Enforcement

• Be polite.

• Get a number and say you’ll ask the boss to call them back.

– Make sure you know who you are talking to!

– Caller ID can be spoofed, so get the number from a source other than the inward call.

• Log:

– All requests

– What commands were typed

– What information was provided

• Work through your legal department.

Social Engineering

How to break into a system:

• Start with a small piece of information.

• Make telephone calls (perhaps to different people) pretending to be an official or a new employee.

• Leverage information found into more useful information.

Anonymizing

• If you provide anonymizing services, you are possibly protecting evil actions of some.

• Proper use of anonymizing: You know who is talking and you know that they are in the group they claim to be in (e.g. HIV positive). You let them participate in an on-line discussion group.

• Beckett’s take:

– Not surprised anonymity was chosen as an example of “being too accommodating.”

– Anonymous communication is almost always a bad idea.

– Anonymity is based on trust of a third party.

“I’m Getting Someone In Trouble”

• If someone has done something wrong, it is they who have gotten themselves in trouble.

• Your task is to clearly and accurately prepare and present evidence.

• Focus on finding the truth and presenting it correctly.

Rules

• Golden Rule: Do unto others as you would have them do to you.

– Assumes you have good ethics and they have the same values as you do.

• Platinum Rule: Do unto others as they would like you to do.

– Assumes they have good ethics and you understand their needs.