Ethics in CS

CS5493(7493)

Work Place Ethics Definition

• Work place ethics are the rules of personal conduct established by social traditions and the employer for the workplace environment.

Work Place Ethics

• The definition implies ethical relativism in the workplace.– Employers can have different policies for

similar situations. Example: per-diem.

Ethics in CS

• Computers are a part of our work place.

• Employers are concerned about how their employees use the computing resources.

Employee Contracts

• When a person is hired to work for an entity, a contract ensues.

• Disclosure: The employer has an ethical (and moral) obligation to inform their employees of the employer’s expectations, policies, etc.

Employee/Employer Contracts

• Detailed job description

• Acceptable usage policy

SA Ethics and Users

• The SA may have the ability to access any– Files– Backups– E-mail– Internet usage– Corporate secrets

Some Guidelines…

• Any information not belonging to you should be considered sensitive information.

• Accessing sensitive data requires coordinating such access with management and security personnel in accordance with documented “policy”.

The SA: A position of trust

• The SA may be subject to special security clearence– Polygraph tests– Personal back ground checks– Credit reports– Drug testing

Ethics: things to consider:

• The computing system does not exist solely for the SA’s personal amusement.

• The SA is providing a service to users.

• The system-users will ultimately determine an SAs future based upon satisfaction.

• An SA must be objective in dealing with colleagues and customers.

Ethics: things to consider…

• Separate personal and professional views.

Ethics: Informed Consent

• Informing your customers of events that will impact their system usage and the availability of services.

• Customers should give consent without coercion.

Informed Consent: SLA

• SLA – service level agreement between the SA staff and the system users.– Establishes expectations for users– Establishes responsibilities for the SA staff.

SLA Content

– Maintenance scheduling– Limited Liability due to down time or

catastrophic events.– Warnings for interruption of service.– etc

SLA

• The SA group should create an SLA so all using the computing services will know what to expect.

User Code of Conduct & Usage Policy

• All companies using computers should have a written computer system usage policy.– Government– Private sector (public and private companies)– Academics

Usage Policy

• If there is no usage policy, create one.

• Employees should read and sign the policy documenting they understand the usage policy

• The employer has an ethical responsibility to disclose the policy.

Usage Policy

• Do not use agency resources for personal use:– Starting a new business– Hosting a web site– Downloading copyrighted materials– Downloading illegal materials.– Pirating software– There may be legitimate exceptions.

Privileged Access Conduct

• Privileged usage requires responsibility• Privileged usage is solely for necessary work-

related uses.• Procedures should be developed to minimize

errors. (example: Backups of critical data should be made before system changes are implemented.)

• Procedure for addressing accidental access to information not otherwise available.

• Warnings explaining what to expect when policies are violated.

Privileged Access Conduct

• All policies should be in writing and made available to privileged users.

• Privileged users should sign the document to acknowledge they understand their responsibilities.

Privileged Access Conduct

• A list of privileged users should be kept up to date.

• When someone is terminated or leaves voluntarily, appropriate measures must be taken:– Change passwords– Close accounts– Notify vendors, clients, etc.– Exit interview

Privileged Access Conduct

• Passwords to privileged accounts should be changed regularly, at least twice a year.

• Privileged users may have their access restricted on a regular basis for auditing purposes.

Copyright Adherence

• Organizations should have policies stating that their members abide by copyright laws.

• Software piracy is pervasive and is considered stealing.

• Companies are concerned about the liability of using pirated software.

Examples

• Individually licensed PC software packages should be purchased for individual PCs

• Single-user installation disk should not be used on multiple machines.

• Manuals and media for software for a single machine should be stored in the room where the machine is located.

Piracy

• Software piracy is not an acceptable cost cutting measure.

• Companies faced with copyright litigation will attempt to implicate whoever let the violation happen and relay damages to those responsible.

Make Compliance Easy

• Use Open Source software when practical.

• When open source is not available, buy additional licenses at a bulk rate.

Working With Law Enforcement

• Organizations should have a policy outlining how to work with law enforcement agencies.

• Verify the identities of LEA people requesting information.

• Beware of Social Engineering!

Social Engineering

• In the context of security,– Deceitfully manipulating people into

performing actions or divulging information.

Privacy Expectations

• Many organizations consider the computer and all related data and resources to be the property of the organization.

• Your files and e-mail may be owned by your employer.

• In the financial community, e-mail, phone usage, & internet usage is monitored. (Informed Consent)

Privacy Expectations

• Privacy laws may be different in another country where you are doing business.

• A policy on privacy and monitoring should be in writing and provided to all employees (disclosure). The computer usage agreement or employee contract are appropriate places to state privacy expectations.

E-mail

• E-mail has a life of its own. It is difficult to permanently dispose of e-mail.

• Not always private.

• Not always secure.

• Treat as public information.

• There are special security software packages for managing e-mail.

Unethical/Illegal Requests

• Document any and all requests made by colleagues to do any illegal or unethical activity.

• Resist.• Coercion may be used. Check the

employee’s guidelines for what to do.• If the request seems dubious, verify by

checking company policies and laws.

Unethical/Illegal Requests

• If given a dubious request, ask for the request in writing. If your request is denied, refuse to do the request.

• Be careful about making accusations without evidence.

Unethical/Illegal Requests

• Asking someone to collude is selfish, destructive, and unethical.

Firing an SA

• Follow your corporate HR policy.

• Determine how to remove computer system access.

• Remove physical and remote access.

• Remove service access.

• Inform vendors who had contact with the SA.

Follow Corporate HR Policy

• There are legal issues around employee termination.

• Large companies have well defined ways of terminating employees.

• Large companies restructure about once every 3 years. This provides an opportunity to terminate employees more easily.

Remove System Access

• Close and backup personal accounts.

• Change all privileged account passwords.

• Idle accounts may become a backdoor for access.

Remove Physical Access

• Access to the work facility must be removed.

• Keys and keycards must be collected.

• Some locks may need to be changed.

• Collect any equipment the SA may have possession of at work or at home.

Remove Physical Access

• An employee may be called and asked not to come into work.

• The HR department may schedule a meeting complete with security personnel that will escort the terminated employee out of the building.

Remove Remote Access

• A standard remote access method should be implemented to ease control of remote access.

• Collect or disable SecureID cards.

• Idle accounts closed by the SA can be a backdoor to access.

Remove Service Access

• Will e-mail be forwarded?

• Can the employee be removed from all mail lists?

• Contact management at vendors, suppliers, and clients.

• Agency E-mail lists should be to agency addresses only.

Procedures

• Create a check list of items to be completed when an SA leaves.

• Design an environment with a limited number of Access data bases.

• A single authentication data base is best.