Role of Ethics in IT Security
Organizations Put New Emphasis on Staff's Ethical Behavior
It happens when his team performs an information security penetration test for an external client. As part of the investigation, they accidentally find a third-party security flaw: perhaps a link embedded within the organization's site, or web pages that lead to information about other vendors' products that may not be secure. The dilemma is: What should he do with this knowledge?
"What tends to happen is we don't report it to our client," says Moretti, also a member of the (ISC)2 Board of Directors. "Ethically, we would like to disclose this type of information so that they can take appropriate security measures. But legally we don't, because it is outside of the scope of our employment, even though we may be operating in the best interests of our client."
Moretti's is a familiar challenge for today's information security professionals. Beyond what's legal, they also need to know and appreciate what's ethical. Not just because a particular decision might be the right thing to do, but because the power of unethical behavior today can lead to enormous damage to people and organizations.
Where Ethics Meet Security
The news of late has been rich with stories of security breaches and ethical lapses that have led to criminal behavior.
Consider the case of Bradley Manning, a United States Army soldier who was arrested and charged in July 2010 for transferring classified data onto his personal computer and communicating national defense information to an unauthorized source, the notorious WikiLeaks. The leaked material included 250,000 U.S. diplomatic cables. The U.S. military has filed 22 charges against Manning, which can carry the death sentence.
Also, a former Goldman Sachs computer programmer, Sergey Aleynikov, was convicted of stealing proprietary source code that could spot tiny discrepancies in stock prices and helped Goldman earn hundreds of millions of dollars in 2009. Aleynikov was sentenced in March 2011 to more than eight years in prison.
"These are criminal actions that perhaps go back to the failure of not acting on a certain code of ethics," says Dorsey Morrow, general counsel and corporate secretary for (ISC)2, a not-for-profit IT security training and certifying organization. "You cannot set what is good ethical behavior in every scenario, but providing guidelines and relating consequences can lead them to the right path."
IT security professionals are the custodians of information, says Frank Smith, CIO at Booz Allen Hamilton, a leading IT security and management consulting firm. "Therefore, they need to be made of the highest ethical fiber to effectively safeguard this information and operate on decisions and judgment calls that are in the best interest of the firm."
If a security professional fails to handle data in a manner that is expected, both the organization and the practitioner can experience serious legal and criminal consequences.
Take the case of Rajendrasinh Makwana, a contract computer programmer who almost succeeded in wiping out all of the Federal National Mortgage Association's financial data at the height of the housing market crash in 2009. He was sentenced to three years in prison in 2010.
"We handle classified data for the U.S. government and other private entities," Smith says. "If our professionals do not act ethically in handling this data, it will cost us not just our business, but legal proceedings and a total loss of reputation and trustworthiness in the industry."
Ethics Defined
"Ethics have always been important in the past, it's however, the awareness of ethics that is becoming more critical now," Moretti says.
With electronic access and technological advancement, it is much easier for professionals today to make a mistake, behave incorrectly and have their unethical actions go viral.
These mistakes can include unprofessionally offering an incorrect opinion about someone via Twitter or Facebook, offering incorrect information in the course of a fraud investigation, or misusing access to the company's systems and files.
"To me, ethics is asking myself the question: Am I comfortable appearing as a headline in a local newspaper tomorrow morning with what I am about to do?" says Ed Schlesinger, head of the electrical and computing engineering department at Carnegie Mellon University. "If the answer is that I don't feel comfortable, then there's maybe something unethical in what I'm about to do."
The danger with emerging technologies such as social media is that security professionals can easily get into discussions about their work, which may divulge confidential or non-public information. On one hand, security practitioners need to participate in these discussions for the cause of promoting information security management globally. And yet they have to avoid these discussions for fear of information going viral or on record.
"I feel torn between deciding whether I should use social or electronic media to facilitate these discussions to elevate and improve the thinking of security practitioners, or revert back to the olden days of paper and pigeons," Moretti says.
With technological advancement, it is easy to discuss vulnerabilities or search for vulnerabilities in systems and products, and that makes the role of security professionals even more complex when it comes to ethics and ethical behavior in the workplace.
"When your mobile device was just a phone, that required one level of ethical behavior," Schlesinger says. "Now that your smart phone is your bank account and your entire life, we as practitioners have to figure out, what is ethical and what are the rules of ethical behavior?"
Instilling Ethics in the Workplace
Increasing incidents in the workplace have pushed organizations to either implement or actively promote codes of ethics that act as a set of guideposts to help practitioners understand expected behavior.
For example, Booz Allen Hamilton has implemented a code of ethics and a training program that set out clear expectations of employee behavior in terms of the organization's core values and the standards it adheres to.
"These guidelines basically enable security professionals to recognize how they need to act in circumstances that require an ethics decision," Smith says. For example: Someone borrows an ID card because they forgot theirs. What could go wrong? How should employees behave? What's the correct action to take?
Such a code should clearly outline the expected behavior of employees based on the values and standards of the organization. In the case of Booz Allen, the code spells out what acceptable employee behavior is, for instance, when an employee receives personally identifiable information from a client, or how the employee must protect confidential client information.
"What's important to the organization and how they would like to be viewed by other companies is what defines their ethical behavior," Smith adds.
Samples from Booz Allen's business code of ethics:
"Protecting Confidential Client Information: The best way to protect client information is to not take possession of it. Each of us must restrict receipt of client information to only information that is reasonably necessary to propose or conduct an engagement even if greater information access is offered. Your obligation to maintain the confidentiality and security of client information continues not only during and after the engagement ends, but also during and after your employment with the firm..."
"Employee Personal Data: Each of us must exercise extra caution when handling an employee's personal data. We do not disclose a current or former employee's personal data to third parties other than confirmation of employment dates and position without prior written consent from the employee or former employee unless the information is required to fulfill a legitimate business need, such as employee benefits or as required by law..."
Ethical Training
Smith also recommends organizations offer refresher courses regularly on codes of ethics to professionals. These courses will act as a positive reminder to them that ethical behavior is expected and mandated by the organization's culture. Other options organizations have used:
- Scenario-Based Training: Moretti goes through scenario-based training every six months in his multinational banking institution. The emphasis is on how professionals need to operate and follow basic information security principles and financial industry guidelines. For example, the training outlines a scenario of a professional's access to sensitive data and provides guidelines to practitioners on how they need to handle data and follow the rules of sharing, distributing and storing this information.
"Over the last five years these courses are getting better," Moretti says. "Professionals like me now understand that we are the ambassadors for ethical behavior and should actively encourage other employees to adhere to it."
- Affiliation with a Professional Association: As a manager of a security group, Moretti prefers hiring a certified professional who has demonstrated the capability of operating within a certain code of ethics. Professional associations like (ISC)2 and ISACA usually follow a strict code of ethics that helps security practitioners maintain their professional standards. "If you are accredited an information security certification, you are actively encouraged to go through training on ethics and are also reviewed by your other peers in the industry, as a result you build a strong ethical awareness."