Published by Adrian Hodge. Modified over 9 years ago.
Slide 1: Ethics in CS, CS5493 (7493)
Slide 2: Work Place Ethics
Definition: Workplace ethics are the rules of personal conduct established by social traditions and the employer for the workplace environment.
Slide 3: Work Place Ethics
The definition implies ethical relativism in the workplace.
– Employers can have different policies for similar situations. Example: per-diem.
Slide 4: Ethics in CS
Computers are a part of our workplace. Employers are concerned about how their employees use the computing resources.
Slide 5: Employee Contracts
When a person is hired to work for an entity, a contract ensues.
Disclosure: The employer has an ethical (and moral) obligation to inform their employees of the employer’s expectations, policies, etc.
Slide 6: Employee/Employer Contracts
– Detailed job description
– Acceptable usage policy
Slide 7: SA Ethics and Users
The SA may have the ability to access any:
– Files
– Backups
– E-mail
– Internet usage
– Corporate secrets
Slide 8: Some Guidelines…
Any information not belonging to you should be considered sensitive information.
Accessing sensitive data requires coordinating such access with management and security personnel in accordance with documented “policy”.
Slide 9: The SA: A position of trust
The SA may be subject to special security clearance:
– Polygraph tests
– Personal background checks
– Credit reports
– Drug testing
Slide 10: Ethics: things to consider
The computing system does not exist solely for the SA’s personal amusement.
The SA is providing a service to users.
The system users will ultimately determine an SA’s future based upon their satisfaction.
An SA must be objective in dealing with colleagues and customers.
Slide 11: Ethics: things to consider…
Separate personal and professional views.
Slide 12: Ethics: Informed Consent
Inform your customers of events that will impact their system usage and the availability of services.
Customers should give consent without coercion.
Slide 13: Informed Consent: SLA
SLA – service level agreement between the SA staff and the system users.
– Establishes expectations for users
– Establishes responsibilities for the SA staff
Slide 14: SLA Content
– Maintenance scheduling
– Limited liability due to downtime or catastrophic events
– Warnings for interruption of service
– etc.
Slide 15: SLA
The SA group should create an SLA so that all who use the computing services will know what to expect.
Slide 16: User Code of Conduct & Usage Policy
All companies using computers should have a written computer system usage policy:
– Government
– Private sector (public and private companies)
– Academics
Slide 17: Usage Policy
If there is no usage policy, create one.
Employees should read and sign the policy, documenting that they understand the usage policy.
The employer has an ethical responsibility to disclose the policy.
Slide 18: Usage Policy
Do not use agency resources for personal use:
– Starting a new business
– Hosting a web site
– Downloading copyrighted materials
– Downloading illegal materials
– Pirating software
– There may be legitimate exceptions.
Slide 19: Privileged Access Conduct
Privileged usage requires responsibility.
Privileged usage is solely for necessary work-related uses.
Procedures should be developed to minimize errors (example: backups of critical data should be made before system changes are implemented).
A procedure for addressing accidental access to information not otherwise available.
Warnings explaining what to expect when policies are violated.
Slide 20: Privileged Access Conduct
All policies should be in writing and made available to privileged users.
Privileged users should sign the document to acknowledge they understand their responsibilities.
Slide 21: Privileged Access Conduct
A list of privileged users should be kept up to date.
When someone is terminated or leaves voluntarily, appropriate measures must be taken:
– Change passwords
– Close accounts
– Notify vendors, clients, etc.
– Exit interview
Slide 22: Privileged Access Conduct
Passwords to privileged accounts should be changed regularly, at least twice a year.
Privileged users may have their access restricted on a regular basis for auditing purposes.
Slide 23: Copyright Adherence
Organizations should have policies stating that their members abide by copyright laws.
Software piracy is pervasive and is considered stealing.
Companies are concerned about the liability of using pirated software.
Slide 24: Examples
Individually licensed PC software packages should be purchased for individual PCs.
A single-user installation disk should not be used on multiple machines.
Manuals and media for software for a single machine should be stored in the room where the machine is located.
Slide 25: Piracy
Software piracy is not an acceptable cost-cutting measure.
Companies faced with copyright litigation will attempt to implicate whoever let the violation happen and relay damages to those responsible.
Slide 26: Make Compliance Easy
Use open source software when practical.
When open source is not available, buy additional licenses at a bulk rate.
Slide 27: Working With Law Enforcement
Organizations should have a policy outlining how to work with law enforcement agencies.
Verify the identities of LEA people requesting information.
Beware of social engineering!
Slide 28: Social Engineering
In the context of security:
– Deceitfully manipulating people into performing actions or divulging information.
Slide 29: Privacy Expectations
Many organizations consider the computer and all related data and resources to be the property of the organization.
Your files and e-mail may be owned by your employer.
In the financial community, e-mail, phone usage, and internet usage are monitored (informed consent).
Slide 30: Privacy Expectations
Privacy laws may be different in another country where you are doing business.
A policy on privacy and monitoring should be in writing and provided to all employees (disclosure).
The computer usage agreement or the employee contract is an appropriate place to state privacy expectations.
Slide 31: E-mail
E-mail has a life of its own. It is difficult to permanently dispose of e-mail.
Not always private. Not always secure. Treat as public information.
There are special security software packages for managing e-mail.
Slide 32: Unethical/Illegal Requests
Document any and all requests made by colleagues to do any illegal or unethical activity.
Resist. Coercion may be used.
Check the employee’s guidelines for what to do.
If the request seems dubious, verify by checking company policies and laws.
Slide 33: Unethical/Illegal Requests
If given a dubious request, ask for the request in writing.
If your request is denied, refuse to do the request.
Be careful about making accusations without evidence.
Slide 34: Unethical/Illegal Requests
Asking someone to collude is selfish, destructive, and unethical.
Slide 35: Firing an SA
Follow your corporate HR policy.
Determine how to remove computer system access.
Remove physical and remote access.
Remove service access.
Inform vendors who had contact with the SA.
Slide 36: Follow Corporate HR Policy
There are legal issues around employee termination.
Large companies have well-defined ways of terminating employees.
Large companies restructure about once every 3 years. This provides an opportunity to terminate employees more easily.
Slide 37: Remove System Access
Close and back up personal accounts.
Change all privileged account passwords.
Idle accounts may become a backdoor for access.
Slide 38: Remove Physical Access
Access to the work facility must be removed.
Keys and keycards must be collected.
Some locks may need to be changed.
Collect any equipment the SA may have in their possession at work or at home.
Slide 39: Remove Physical Access
An employee may be called and asked not to come into work.
The HR department may schedule a meeting, complete with security personnel who will escort the terminated employee out of the building.
Slide 40: Remove Remote Access
A standard remote access method should be implemented to ease control of remote access.
Collect or disable SecurID cards.
Idle accounts closed by the SA can be a backdoor to access.
Slide 41: Remove Service Access
Will e-mail be forwarded? Can the employee be removed from all mail lists?
Contact management at vendors, suppliers, and clients.
Agency e-mail lists should be to agency addresses only.
Slide 42: Procedures
Create a checklist of items to be completed when an SA leaves.
Design an environment with a limited number of access databases. A single authentication database is best.
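The "Privileged Access Conduct", "Remove System Access" and "Procedures" slides above describe checks that are easy to neglect by hand: keep the privileged-user list current, close the accounts of people who have left, and do not let idle accounts linger as a backdoor. With a single authentication database these checks can be scripted against an account export. The following is an added example written for this page, not code from the original presentation; the account records, the management-signed privileged-user roster, HR's departed-user list, the group names treated as privileged, the audit date and the 90-day idle threshold are all constructed assumptions.

```python
"""Offboarding and privileged-access audit (added example, not from the slides).

Assumptions, all constructed for illustration: an account inventory exported
from a single authentication database, a management-kept roster of approved
privileged users, and HR's list of departed users.
"""
from dataclasses import dataclass
from datetime import date
from typing import FrozenSet, Optional


@dataclass(frozen=True)
class Account:
    name: str
    enabled: bool
    groups: FrozenSet[str]          # group memberships from the auth database
    last_login: Optional[date]      # None means the account has never logged in


PRIVILEGED_GROUPS = frozenset({"admin", "wheel"})  # assumption: groups that grant privilege
MAX_IDLE_DAYS = 90                                  # assumption: organisation's idle threshold

# Constructed sample data standing in for a real export.
AS_OF = date(2024, 6, 1)
ACCOUNTS = [
    Account("alice", True, frozenset({"staff", "admin"}), date(2024, 5, 30)),
    Account("bob", True, frozenset({"staff"}), date(2024, 1, 15)),            # idle
    Account("carol", True, frozenset({"staff", "wheel"}), date(2024, 5, 28)),  # privileged, not on roster
    Account("dave", True, frozenset({"staff", "admin"}), date(2024, 4, 2)),    # departed, still enabled
    Account("erin", False, frozenset({"staff"}), date(2023, 11, 1)),          # already disabled
    Account("svc_backup", True, frozenset({"wheel"}), None),                  # never logged in, privileged
]
PRIVILEGED_ROSTER = {"alice", "dave"}   # management's signed list of privileged users
DEPARTED = {"dave"}                      # HR's list of terminated / departed users


def is_privileged(acct: Account) -> bool:
    return bool(acct.groups & PRIVILEGED_GROUPS)


def departed_still_enabled(accounts, departed):
    """Accounts of people who have left but whose accounts were never closed."""
    return sorted(a.name for a in accounts if a.enabled and a.name in departed)


def idle_enabled(accounts, as_of, max_idle_days=MAX_IDLE_DAYS):
    """Enabled accounts with no login inside the threshold; never-logged-in counts as idle."""
    idle = []
    for a in accounts:
        if not a.enabled:
            continue
        if a.last_login is None or (as_of - a.last_login).days > max_idle_days:
            idle.append(a.name)
    return sorted(idle)


def roster_drift(accounts, roster):
    """Two-way reconciliation of the signed roster against actual privileged memberships."""
    actual = {a.name for a in accounts if a.enabled and is_privileged(a)}
    return {
        "privileged_not_on_roster": sorted(actual - roster),
        "on_roster_without_privilege": sorted(roster - actual),
    }


def audit(accounts=ACCOUNTS, roster=PRIVILEGED_ROSTER, departed=DEPARTED, as_of=AS_OF):
    """Run all checks; every name returned is an offboarding or review action item."""
    by_name = {a.name: a for a in accounts}
    idle = idle_enabled(accounts, as_of)
    return {
        "departed_still_enabled": departed_still_enabled(accounts, departed),
        "idle_enabled": idle,
        # idle and privileged at the same time is the highest-risk combination
        "idle_privileged": sorted(n for n in idle if is_privileged(by_name[n])),
        **roster_drift(accounts, roster),
    }


if __name__ == "__main__":
    for check, names in audit().items():
        print(f"{check}: {', '.join(names) or 'none'}")
```

Run on the constructed data, the audit flags dave (departed but still enabled), bob and svc_backup (idle), svc_backup again as idle-and-privileged, and carol and svc_backup as holding privilege without appearing on the signed roster. Note that dave passes the roster check, because he is still on it; the departed-user check is what catches him, which is why the checks are run together rather than relying on the roster alone.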