General Ethical Issues in the IT Security Profession : General Ethical Issues in the IT Security Profession Kelley Kaminsky
This Presentation will Cover: : This Presentation will Cover: Basic and common issues faced by security professionals and network administrators, such as privacy issues
Other important ethical issues that occur in the real world of IT
Why do Ethical Issues Exist in the Security Realm? : Why do Ethical Issues Exist in the Security Realm? IT professionals such as network administrators or security consultants have rights and privileges that allow them to access a great deal of information stored on the systems in their network
It is up to them to decide how to use these privileges and what to do with the information they gain
Privacy Issues : Privacy Issues E-mail
Website monitoring
Key loggers
Screen capture programs
Privacy Issues: E-mail : Privacy Issues: E-mail Should you read the private e-mail of the users on your network?
Is it OK to read it as a security measure to ensure policies aren’t being violated?
Personal use of e-mail not allowed
Sensitive information being kept confidential
Should you disclose the e-mail reading policy to the employees?
Before or after you read it?
Privacy Issues – Other Forms of Monitoring : Privacy Issues – Other Forms of Monitoring Web site Monitoring
Is it ethical to monitor the sites users visit?
Is it unethical not to monitor visited sites, in the instance where pornography or other offensive sites are being visited (potentially creating a hostile work environment)?
Key loggers
These capture everything typed by the user
Screen Capture Programs
Allow you to view a user’s computer screen exactly as they are viewing it
Privacy Issues – Taking Action : Privacy Issues – Taking Action If you find something incriminating in an e-mail, should you report it?
Should you report it if you never disclosed to the user that you can/will be reading their mail?
Are you being consistent?
Are you only reporting the violations that you consider unethical?
example: should you only report someone who visits a porn site, but let people visiting social networking sites (assuming use of these sites are prohibited) slide?
“Real World” Issues : “Real World” Issues You have obtained company trade secrets; You later leave this company and work for a competitor
Is it wrong to use this knowledge in your new job?
Is it possible to ignore this knowledge at your new job?
“Real World” Issues (cont.) : “Real World” Issues (cont.) You work for multiple companies
If you learn something about a client that could affect another client, where do your loyalties lie?
You discover that your employer is violating government regulations/laws
Should you turn them in?
Should you respect their privacy?
What if you signed a non-disclosure form?
Monetary Issues : Monetary Issues Is it wrong to convince your client that they need additional, expensive security measures they essentially do not (and charge hundreds of dollars an hour)?
it is easy to play up fear of viruses, hackers, etc as a security professional
Monetary Issues (cont.) : Monetary Issues (cont.) Your client wishes to cut costs by not installing/removing security features that protect otherwise vulnerable information
Is it ethical to respect their wishes and configure a less-secure network?
Should you be liable for not exercising best possible security?
Should you install the extra measures at no cost to the client, essentially eating the cost?
If you have another client paying for the same measures, how do you justify them paying for it and the other client not?
Final Thoughts : Final Thoughts Each question in regards to ethical issues seems to open a myriad of other questions
I have posed a lot of questions, but no answers
Ultimately, the answers to these questions depend on your personal set of beliefs and ethical inclinations
Should you personal set of ethics affect how you use your privileges as a network admin or security professional? Should you simply adhere to your job description, no questions asked?
Slide 13 :