Chapter 16 Information Ethics and Codes of Conduct
Objectives
• Explain the role of ethics in information assurance
• Identify the fundamental elements of a professional code of conduct
• Define and apply an ethical system
Ethics
• Information practitioners need guidance in correct behavior
• Especially essential because the commodity is abstract and information assurance professionals have unprecedented access
• Anonymity, intangibility, and the evolution of the technology increase ethical grey areas
• Technological advances usually come without ethical instructions
• Ethical violations in cyberspace occur regularly without widespread recognition or response
• Nobody has thought through what a particular capability or activity represents in terms of right and wrong
What is Ethics?
• A global term describing the system by which individuals distinguish right from wrong
• Ethical systems describe the duties and behaviors commonly considered correct for a given circumstance
• Documented by an ethical guideline that aids in behavior evaluation and serves as a framework for judging behavior
• Ethics benefit information assurance because they are applied morality
  • They are logical assumptions about how moral principles should be applied in practice
  • They represent an understanding of what is morally correct
  • They become legal systems when the morality they capture is formalized into law
Ethics and Information Assurance
• Although abstract, the requirement for an ethical system is a critical part of information assurance
• Ethics establish the foundation of group trust and trustworthiness
• Policies should be formulated based on the ethical values of the organization while not contradicting the principles of individuals
• An established ethical standard guides the preservation of confidentiality, integrity, and availability
• The ethical standard must be clearly articulated and understood throughout the organization
Ethics and Technology
• Technology has advanced at a rate that exceeds society’s ability to decide about its appropriateness
• The data-mining industry is an example of organizations operating without an ethical compass
  • Privacy concerns and the ethical questions they raise
• More grey areas are likely to develop
• It is essential for the information profession to consider, adopt, and use ethical guidelines
• Without ethical guidance it is difficult to expect effective control of information workers’ behavior
Practical Ethical Systems: Enforcing Proper Individual Behavior
• A communal set of values provides the framework to ensure that individual decisions reflect the group’s common ethical principles
• It assumes that all actions that constitute unacceptable behavior can be recognized
• Group values have to be formally documented
• Formal documentation of the values is an ethical code of conduct
• The ethical code of conduct is the organization’s standard of behavior
• Codes of conduct dictate the duties and obligations of individuals relative to group norms
Enforcing Behavior Norms: Aligning Personal and Group Perspectives
• Group norms are the measuring stick for evaluating individual behavior
• Formally documented codes of conduct dictate the minimal moral tone and actions of an organization
• Ethical systems delineate the correct choices for individuals relative to the group norms
• Properly designed ethical systems always provide a concrete reference for decision making as well as an explanation of the consequences of deviation
• In practical applications of codes of ethics, an explicit enforcement mechanism is a necessity
Ensuring Professional Conduct
• Professional codes of conduct define the values and beliefs of a profession
• They communicate the formal models that make up the norms a group has chosen to adopt
• Those models are based on each organization’s understanding of correct professional behavior
• Professional codes of conduct are essential in information assurance because:
  • They cover a broad range of fundamental concerns raised by ever-increasing and changing technology
Establishing a Basis: Formal Codes of Conduct for Cyberspace
• A formal code for cyberspace was published in 1989, sponsored by the Network Working Group of the Internet Activities Board (IAB)
• To reinforce its authority in the area, the IAB was renamed the Internet Architecture Board in 1992
• The IAB directive “Ethics and the Internet” (RFC 1087) outlines five principles, which state that it is unethical:
  • To seek to gain unauthorized access to the resources of the Internet
  • To disrupt the intended use of the Internet
  • To waste resources through such actions
  • To destroy the integrity of computer-based information
  • To compromise the privacy of users
Establishing a Basis: Formal Codes of Conduct for Cyberspace
• Organized religion has even weighed in on the ethical use of the Internet
  • Personal responsibility in governing acceptable use
• National bodies that have established formal codes of conduct:
  • The Association for Computing Machinery (ACM)
  • The Institute of Electrical and Electronics Engineers (IEEE)
• These codes are specific to the profession
• They communicate the ethical responsibility of information professionals to perform their duties in a capable manner
• They set the minimum expectations with respect to the level of capability required
• They serve as a basis for judging whether that standard has been adequately met
Establishing a Basis: Formal Codes of Conduct for Cyberspace
• Professional societies that stipulate codes of ethical practice:
  • The Information Systems Audit and Control Association (ISACA)
  • The International Information Systems Security Certifying Consortium (ISC)
  • The SANS Institute
• Concern: there is no single universally recognized code of conduct for the information assurance profession
Certification: Ensuring Professional Capability
• Certification is a method of identifying individuals committed to ethical behavior and a standard level of professional competence
• Certifications are based on a number of representative common bodies of knowledge (CBK)
• No single system guarantees that the practitioner responsible for protecting an organization’s information is competent
• There are few formally agreed-on definitions of the knowledge or competencies
• Certification that attests to an individual’s ability to think critically about an identified problem space provides the most valid proof of competence
Certification: Ensuring Professional Capability
• Determining the value of a certification:
  • How long has the certification been in existence?
  • Does the certification organization’s process conform to established standards?
  • How many people hold the certification?
  • How widely respected is the certification?
  • Does the certificate span industry boundaries?
  • What is the probability that 5 or 10 years from now the certificate will still be useful?
  • Does the certification span geographic boundaries?
  • Does the certification require attestation to a defined ethical behavior?
Information Ethics
• Deals with the ethical questions that relate to the use of information assets
• Explores and evaluates the development of ethical principles in information assurance
• Examines ethical concepts that support information assurance theory and practice, as well as their relevance to everyday information security work
• A timely and important area because:
  • The traditional philosophical frame of reference is out of date
  • Information technology has extended capabilities beyond:
    • Traditional moral and philosophical realms
    • The precedents and principles of our legal system
Information Ethics
• Four areas where guidance about ethical behavior should be provided:
  • Invasion of privacy
  • Unauthorized appropriation of information
  • Breach of confidentiality
  • Loss of integrity
Invasion of Privacy
• Invasion of privacy is a common violation
• The act of obtaining information that breaches an individual’s reasonable expectation of privacy
• Legally, the Bill of Rights does not guarantee a right to privacy from other individuals except in specific cases
Invasion of Privacy
• Ethics of invading your privacy for profit: the data mine
• Data aggregation and data mining augment an organization’s ability to understand its customers better
• These methods may intrude too far into personal lives
• Other instances of intrusion:
  • Placing tracking cookies surreptitiously on computers
  • Credit-monitoring services
  • Telephone tapping
• The solution is to build an understanding across society and grapple with the essential questions:
  • What is the limit to the acquisition and use of knowledge by institutions?
  • What can other people know without violating your privacy?
Invasion of Privacy
• Invading the privacy of your employees
• An employer may reasonably monitor its employees
• It is implied that people who come to work have sacrificed some of their rights to privacy for the good of the organization
• The organization has an unstated right to oversee employee behavior and communications on the job
• More subtle activities that are not violations if used within the scope of work:
  • Keylogging of employees
  • Observing them through workplace video cameras and closed-circuit television
Unauthorized Appropriation
• Unauthorized appropriation: use of a computer to obtain something under false pretenses
• A crime if an item of concrete value is taken
• An ethical compromise where the value is either intangible or cannot be estimated
• Typically takes place when another person’s intellectual property is either stolen or misused
• Misappropriation of intellectual property presupposes that an identified piece of intellectual property exists
Ethics of Confidentiality
• Breach of confidentiality can be intentional or unintentional
• Disclosure of private information is a matter of civil and even criminal liability in some states
• Two well-known examples of the way the federal legal system addresses breach of confidentiality:
  • Health Insurance Portability and Accountability Act (HIPAA)
    • The first comprehensive federal protection for the privacy of personal health information
  • Family Educational Rights and Privacy Act of 1974 (FERPA)
    • Limits the personal information that educational institutions can release to the public
Ethics of Integrity
• Integrity implies that the information is correct
• Information has not been accidentally or maliciously altered or destroyed
• The ethical issue can be characterized by a legal term, “false light”
  • A circumstance where information that is being kept either is false or harmfully misrepresents something about the individual
Ethics of Integrity
• Unintentional errors
  • Represented by incorrect or missing values
  • Ethical response to the inevitable inaccuracy:
    • Error-trapping functions in the system
    • Embedding rigorous audit and control mechanisms
• Intentional errors
  • Sources:
    • Insider who alters data to portray the facts of a given situation incorrectly
    • Insider who accepts and records incorrect information
    • Outsider who hacks into the system in order to change the integrity of its data
Ethics of Integrity
• Exercising due care
  • Characterized by careful attention to detail in the process of:
    • Designing
    • Assessing
    • Updating
    • Monitoring data and systems
• A statement of due care
  • Protects the organization from liability concerns as well as ensuring good ethical practice