Discussion post due Thursday (2)

profilegamesia23

Read: "Ethics in IT." Information technology is the engine that makes business run smoothly. Organizations today have policies guiding the use of company equipment, customer records, and use of the Internet. An organization's integrity can be questioned when the Internet is used capriciously, or if customer records are not carefully guarded. Systems for protecting customer records from "hacking" are essential and policies for reporting hacking activities are required. Using the principles outlined in the article, discuss how an employee has the responsibility of reporting known breaches of cyber-security. Further, discuss the consequences to a major retailer when a breach is discovered.

To ensure your participation meets the expectations, refer to the G.R.E.A.T. Discussion and Feedback guidelines provided in the Resources. A well-developed post, one that would be considered "distinguished," will usually be between 250 and 350 words. Also, please post your initial discussion (main post) by Thursday to allow time for your peers to respond.

Response Guidelines

After posting your initial response, read your peers' posts. Respond to two of your peers. Are you in agreement that reporting violations of policy is always necessary?

A well-developed response is generally stated in 50–100 words. Besides responding directly to your peers' comments, the responses should expand the dialogue by asking questions or adding new information.

---------------------------------------------------------------------------------------------------------------------------

Ethics in IT

Abstract

What Bryan found on an executive's computer six years ago still weighs heavily on his mind. He is particularly troubled that the man he discovered using a company PC to view pornography of Asian women and of children was subsequently promoted and moved to China to run a manufacturing plant. Bryan's case is a good example of the ethical dilemmas that IT workers may encounter on the job. IT employees have privileged access to digital information, both personal and professional, throughout the company, and they have the technical prowess to manipulate that information. Ideally, corporate policy takes over where the law stops, governing workplace ethics to clear up gray areas and remove personal judgment from the equation as much as possible. But many corporate policies are ill defined, fail to keep up with new technologies and are poorly communicated to the IT department.

Full Text

 

 
Headnote

Dark secrets, ugly truths. And little guidance. BY TAM HARBERT

What Bryan found on an executive's computer six years ago still weighs heavily on his mind. He's particularly troubled that the man he discovered using a company PC to view pornography of Asian women and of children was subsequently promoted and moved to China to run a manufacturing plant. "To this day, I regret not taking that stuff to the FBI," says Bryan. It happened when Bryan, who asked that his last name not be published, was IT director at the U.S. division of a $500 million multinational corporation based in Germany.

The company's Internet usage policy, which Bryan helped develop with input from senior management, prohibited the use of company computers to access pornographic or adult-content Web sites. One of Bryan's duties was to monitor employee Web surfing using products from SurfControl PLC and report any violations to management.

Bryan knew that the executive, who was a level above him in another department, was popular within both the U.S. division and the German parent. But when the tools turned up dozens of pornographic Web sites visited by the exec's computer, Bryan followed the policy. "That's what it's there for. I wasn't going to get into trouble for following the policy," he reasoned.

So he went to his manager with copies of the Web logs (which he still has in his possession and made available to Computerworld for verification).

POWER AND RESPONSIBILITY

Bryan's case is a good example of the ethical dilemmas that IT workers may encounter on the job. IT employees have privileged access to digital information, both personal and professional, throughout the company, and they have the technical prowess to manipulate that information.

That gives them both the power and responsibility to monitor and report employees who break company rules. IT professionals may also uncover evidence that a co-worker is, say, embezzling funds, or they could be tempted to peek at private salary information or personal e-mails. But there's little guidance on what to do in these uncomfortable situations.

In the case of the porn-viewing executive, Bryan didn't get into trouble, but neither did the executive, who came up with "a pretty outlandish explanation" that the company accepted, Bryan says. He considered going to the FBI, but the Internet bubble had just burst, and jobs were hard to come by. "It was a tough choice," Bryan says. "[But] I had a family to feed."

In theory, ethical behavior is governed by laws, corporate policy, professional ethics and personal judgment. But as IT pros discover all the time, finding a way through that thorny thicket can be one of the most daunting challenges in their careers.

Perhaps it would ease Bryan's conscience to know that he did just what labor attorney Linn Hynds, a senior partner at Honigman Miller Schwartz and Conn LLP, would have advised in his case. "Let the company handle it," she says. "Make sure you report violations to the right person in your company, and show them the evidence. After that, leave it to the people who are supposed to be making that decision."

PICKING UP THE SLACK

Ideally, corporate policy takes over where the law stops, governing workplace ethics to clear up gray areas and remove personal judgment from the equation as much as possible.

"If you don't set out your policy and your guidelines, if you don't make sure that people know what they are and understand them, you're in no position to hold [workers] accountable," says John Reece, a former CIO at the Internal Revenue Service and Time Warner Inc. Having clear ethical guidelines also lets employees off the hook emotionally if the person they discover breaking the policy is a friend, a direct report or a supervisor, says Reece, who is now head of consultancy John C. Reece and Associates LLC.

That policy should warn all employees that their PCs are company property, and therefore any information on them is fair game for investigation, says Art Crane, principal of Capstone Services, a human resources consultancy. It should provide clear instructions on what to do when employees encounter a violation of the policy, including guidance on how to bring it up the chain of command. It should also have whistle-blower provisions that protect employees from retaliation.

But many corporate policies are ill defined, fail to keep up with new technologies and are poorly communicated to the IT department.

That's partly because ethics policies are typically defined by an organization's lawyers or regulatory compliance staff, says Larry Ponemon, chairman of Ponemon Institute LLC, a research company that specializes in privacy and data protection. "These folks may not fully understand or respect the complexities that IT-related ethical issues create," he notes.

TROUBLES, PAST AND FUTURE

Organizations that have policies in place often focus on areas where they had trouble in the past or emphasize whatever they are most worried about. When Reece was at the IRS, for example, the biggest emphasis was on protecting the confidentiality of taxpayer information, he says.

At the U.S. Department of Defense, policies usually emphasize procurement rules, notes Stephen Northcutt, president of the SANS Technology Institute and author of IT Ethics Handbook: Right and Wrong for IT Professionals (Syngress, 2004).

Adding to the complexity, an organization that depends on highly skilled workers might be more lenient. When Northcutt worked in IT security at the Naval Surface Warfare Center in Virginia, it was a rarefied atmosphere of highly sought-after Ph.D.s. "I was told pretty clearly that if I made a whole lot of Ph.D.s very unhappy so that they left, the organization wouldn't need me anymore," says Northcutt.

Of course, that wasn't written in any policy manual, so Northcutt had to read between the lines. "The way I interpreted it was: Child pornography, turn that in," he says. "But if the leading mathematician wants to download some pictures of naked girls, they didn't want to hear from me."

Northcutt says that he did find child porn on two occasions and that both events led to prosecution. As for other offensive photos that he encountered, Northcutt pointed out to his superiors that there might be a legal liability, citing a Supreme Court decision that found that similar pictures at a military installation indicated a pervasive atmosphere of sexual harassment. That did the trick. "Once they saw that law was involved, they were more willing to change culture and policy," Northcutt says.

When policies aren't clear, ethical decisions are left to the judgment of IT employees, which varies by person and the particular circumstances.

For example, Gary, a director of technology at a nonprofit organization in the Midwest, flat-out refused when the assistant CEO wanted to use a mailing list that a new employee had stolen from her former employer. But Gary, who asked that his last name not be used, didn't stop his boss from installing unlicensed software on PCs for a short time, though he refused to do it himself. "The question is, how much was it really going to hurt anybody? We were still going to have 99.5% compliant software. I was OK with that." He says he uninstalled it, with his boss's approval, as soon as he could - about a week later.

Northcutt argues that the IT profession should have two things that professions such as law or accounting have had for years: a code of ethics and standards of practice. That way, when company policy is nonexistent or unclear, IT professionals still have standards to fall back on.

That might be useful for Tim, a systems administrator who works at a Fortune 500 agricultural business. When Tim, who asked that his last name not be published, happened across an unencrypted spreadsheet of salary information on a manager's PC, he copied it. He didn't share the information with anyone or use it to his advantage. It was an impulsive act, he admits, that stemmed from frustration with his employer. "I didn't take it for nefarious reasons; I just took it to prove that I could," he says.

Tim's actions point to a disturbing trend: IT workers justifying their ethically questionable behavior. That path can end in criminal activity, says fraud investigator Chuck Martell. "We started seeing a few cases about seven or eight years ago," says Martell, managing director of investigative services at Veritas Global LLC, a security firm in Southfield, Mich. "Now we're [investigating] a tremendous amount of them."

Whichever side of the line they're on, IT workers will - for now at least - continue to muddle through ethical dilemmas on their own and wrestle with their consciences afterward.

Sidebar

Over the Line

In the spring of this year, security vendor Cyber-Ark Software Ltd. conducted a survey in which one-third of 200 IT employees who responded admitted using their administrative passwords to snoop through company systems and peek at confidential information such as salary data. A poll of more than 16,000 U.S. IT practitioners conducted in June 2007 by the Ponemon Institute returned these equally disturbing findings:

* 62% of IT employees polled said they had accessed another person's computer without permission.

* 50% said they had read confidential or sensitive information without a legitimate reason.

* 42% said they had knowingly violated their company's privacy, security or IT policies.

* 32% of the respondents were at or above the manager level, and the average experience level was 8.4 years.

- TAM HARBERT

Sidebar

A Code of Ethics for IT

Some computing groups have developed, or are working to establish, ethics codes for IT.

The Association for Computing Machinery and the Association of Information Technology Professionals, for example, have adopted generalized ethics codes. And the Institute of Electrical and Electronics Engineers Inc. has both a general code of ethics and a software engineering code of ethics.

The following certification groups are currently working together to draw up a code of ethics for IT security professionals:

* Global Information Assurance Certification

* Information Systems Audit and Control Association

* International Information Systems Security Certifications Consortium Inc.

* Information Systems Security Association Inc.

* ASIS International

If a universal code is adopted, the next step would be standards of practice that would serve as teeth behind the code - a sort of American Bar Association for IT. If an IT worker violated the standards, in theory he might be "disbarred" from the profession.

- TAM HARBERT

Author Affiliation

Harbert is a Washington-based freelance journalist specializing in technology, business and public policy.

Word count: 1741


Copyright Computerworld, Inc. Oct 29, 2007

 

 
