1. Ethics CPTE 433 John Beckett

2. Ethics & Morals Morals tell us what is right and good. –Religious people believe morals come from God –SAs often say something like “This is a Good Thing” – meaning they feel its “goodness” is self- evident. Ethics are principles of conduct that govern a group of people. Policies attempt to implement Ethics.

3. Why Not Just Morals? Ethics are statements to which a group of people subscribe, so that they stay on the same track of goals. Policies save us time re-thinking every case. Ethics and Policies both help us know what specific behaviors to expect of others.

4. Structure Morals Ethics From Group Culture From other SAs Written Policies System- Configured Policies SA Common Ethical Error: “If the system lets me do it, it’s OK.” Ignores the fact that people are responsible for the consequences of their own actions.

5. Custodian An SA is a custodian of data and procedures, not the legitimate authority. –“Legitimate” merely means having formal authority An SAs job may involve defining procedures or taking leadership in their development and implementation. –You may have to lead people “above” you. –Lead gently! An SAs job rarely involves changing or revealing user data. –Either event should be carefully recorded.

6. SAGE Code of Ethics 1.The integrity of a system administrator must be above reproach. 2.A system administrator shall not unnecessarily infringe upon the rights of users. 3.Communications of system administrators with all whom they come in contact shall be kept to the highest standards of professional behavior. 4.The continuance of professional education is critical to maintaining currency as a system administrator. 5.A system administrator must maintain an exemplary work ethic. 6.At all times system administrators must display professionalism in the performance of their duties.

7. SAGE - 1 1.The integrity of a system administrator must be above reproach. Privileged information must be maintained in confidence. Difficulties users have should not be divulged in a manner degrading to those users. Uphold the law.

8. SAGE - 2 2.A system administrator shall not unnecessarily infringe upon the rights of users. Non-discrimination except where required by the task. May not use SA power to access information except as required to do the job. May request that someone else deal with a matter if it involves one’s own personal life. If you come in contact with information of personal interest, it is your job to isolate what you have learned from what you do or say. –“I remember – I forgot that.”

9. SAGE - 3 3.Communications of system administrators with all whom they come in contact shall be kept to the highest standards of professional behavior. An important aspect of this is that we take care that we say things in an understandable manner. Be sensitive to the corporate culture. Take special care not to indicate that something is someone’s “fault” – that is a manager’s job. –Probably will be done less than you expect. –A better focus is on “process.”

10. SAGE - 4 4.The continuance of professional education is critical to maintaining currency as a system administrator. You need technical knowledge. –Technical knowledge “keeps things in their place” so you don’t make non-technical decisions in ignorance. You also need knowledge about how other SAs have handled ethical challenges. –Discussions should be held in confidence. Overall methods may have improved. Specific challenges may arise.

11. SAGE - 5 5.A system administrator must maintain an exemplary work ethic. SA work takes energy. Be resilient – able to handle whatever comes. –“Let’s see what we can do.” Be aware of the effect your work has on your employer’s business. –Learn what makes your business successful (or is perceived to).

12. SAGE - 6 6.At all times system administrators must display professionalism in the performance of their duties. Keep looking for ways to do a better job. Patience and care are needed in leading people. –Yes! You are a leader. So is everyone else. Help your community.

13. Network/User Code of Conduct Personal use of employer equipment? What if company equipment is used at home? Look at policies of other places before developing your own. The policy must be understandable, yet sufficiently complete. Expect to see some people challenging the policies. –That may be a call to revisit them.

14. What About Policy Loop-Holes? In time, policies are developed in the wake of specific incidents. Review policy to see if it can be pruned. When an incident occurs, see if you can handle it with current policy. –Don’t assume that establishing a policy will prevent everything that might go wrong. –Don’t expect a policy to cover every detail. –Our policy was: the Golden Rule. Consider the Platinum Rule –Google policy: “Don’t be evil.” What does that mean?

15. Privileged Access Code of Conduct Can’t cover everything. If you’re in a gray area, get counsel. –Perhaps have someone with you. –Ideally it will be someone with legitimate authority over the information or application. For example, “Do you mind if I look at your email inbox in order to help you with this problem?” –Don’t just barge into data people consider private without their knowledge.

16. Copyright I like Borland’s “like a book” copyright statement. –Wouldn’t it be nice if… You should have a statement of support for copyright law. –Indicate specific situations that would violate. –Clarify what is meant by “site license”. –Designate who is the copyright custodian for your site.

17. Law Enforcement. Be polite. Get a number and say you’ll ask the boss to call them back. –Make sure you know who you are talking to! –Caller ID can be spoofed, so get the number from a source other than the inward call. Log: –All requests –What commands were typed –What information was provided Work through your legal department.

18. Social Engineering How to break into a system: Start with a small piece of information. Make telephone calls (perhaps to different people) pretending to be an official or a new employee. Leverage information found into more useful information.

19. Anonymizing If you provide anonymizing services, you are possibly protecting evil actions of some. Proper use of anonymizing: You know who is talking and you know that they are in the group they claim to be in (e.g. HIV positive). You let them participate in an on-line discussion group. Beckett’s take: –Not surprised anonymity was chosen as an example of “being too accommodating.” –Anonymous communication is almost always a bad idea. –Anonymity is based on trust of a third party.

20. “I’m Getting Someone In Trouble” If someone has done something wrong, it is they who have gotten themselves in trouble. Your task is to clearly and accurately prepare and present evidence. Focus on finding the truth and presenting it correctly.

21. Rules Golden Rule: Do unto others as you would have them do to you. –Assumes you have good ethics and they have the same values as you do. Platinum Rule: Do unto others as they would like you to do. –Assumes they have good ethics and you understand their needs.