How Does the Code of Ethics Relate to Security?
Security issues should be addressed throughout your ethics document. This article takes a practical approach to relating ethics to common security concerns.
Perhaps a better question would be: how does the Code of Ethics not relate to security? Security issues should be addressed throughout the ethics document. The Code of Ethics acts as a multi-edged sword for management and system administrators. First, the Code will immediately prevent some of the common abuses of the system that have historically occurred simply due to lack of company direction ("Gee... I didn't know that I shouldn't set up an FTP server on my computer here at work"). Second, in the event that an administrator is questioned as to why they took the actions they did, their arguments can be strengthened by the official guideline under which the actions were invoked. Also, if a user asks why they have been reprimanded for using the computer systems in an unwanted manner, the administrator need look no further than the Code for support.
Let's suppose the company says, "Thou shalt not view pornography on the company computer network at any time". Let's also say that this company employs several students who are still attending university. Because of this, the company has made allowances for its employees to use the computers for school-related work. Now let's say that one of these students is taking a fine-arts course in Styles of the Moguls in Performance art. During the course of this student's studies, they must view their course notes online, and these notes contain several rather graphic pictures of what some artists consider to be a stunning study of the nude human body. How do we deal with this? My point is this: there is no silver bullet that will encompass all possible uses under all possible circumstances. We must instead provide generic guidelines that prevent the specific problems that have occurred without overloading the reader with too much information.
Perhaps a good model to follow would be that of a major university's computer department, as many of them, due in no small part to the various political forces they must endure, have very good guidelines for their users. Universities are very interesting cases because most claim to be bastions of higher learning, places where people can explore their own beliefs and those of others, where challenging the norm is not only expected but required. Because of this, computer usage policies must be as liberal as possible, allowing students to explore and research as they see fit, but must also be sensitive to the highly political nature of the institution. As much as the administration would like the public to believe that freedom of expression is unlimited in the academic environment, it stands to reason that, because the vast majority of funding comes from government and corporations, special considerations will be made to appease these organizations to ensure continued funding. Litigation is also increasingly becoming a concern as organizations such as the RIAA crack down on services like Napster.
I think a brief discussion of the psyche of the average user may be in order. It should be noted that I am in no way an expert on the human mind, nor on the behaviors that the mind dictates, so all of the following discussion will be drawn simply from my observations and direct dealings with users.
First off, most users are generally unwilling to escalate matters past the initial confrontation because of the hassle and attention that such a step would involve. But why would they wish to avoid further conflict? Often the users are perfectly aware that they have bent or broken the rules in the first place, and being talked to by the sys admin is merely a formality. Escalating the complaint to the next level would simply be ridiculous and a waste of everyone's time. Once caught, many will avoid that practice simply because they have been caught and suspect that it is easy to be caught again. Also, in the case of less socially redeeming infractions such as viewing pornography or downloading illegal copies of programs from the Internet, the user will realize the social embarrassment that they would incur if the incident is brought to light.
Secondly, it is entirely possible that a user is simply ignorant of the policies in place, and once they are set straight by the admin, they will never break the rule again. If these situations are dealt with properly, the user will leave the admin's office not only with a better understanding of the company's usage policy/code but will also likely feel more responsible for their future actions and will, in a situation where the activity could be deemed unacceptable, err on the side of caution.