chapter 16
Download
Skip this Video
Download Presentation
Chapter 16

Loading in 2 Seconds...

play fullscreen
1 / 24

Chapter 16 - PowerPoint PPT Presentation


  • 119 Views
  • Uploaded on

Chapter 16. Information Ethics and Codes of Conduct. Objectives. Explain the role of ethics in information assurance Identify the fundamental elements of a professional code of conduct Define and apply an ethical system. Ethics. Information practitioners need guidance in correct behavior

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha
Download Presentation

PowerPoint Slideshow about ' Chapter 16' - ovid


An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
chapter 16

Chapter 16

Information Ethics and Codes of Conduct

objectives
Objectives
  • Explain the role of ethics in information assurance
  • Identify the fundamental elements of a professional code of conduct
  • Define and apply an ethical system
ethics
Ethics
  • Information practitioners need guidance in correct behavior
    • Especially essential because the commodity is abstract and information assurance professionals have unprecedented access
    • Anonymity, intangibility, and evolution of the technology, increase ethical grey areas
    • Technological advances usually come without ethical instructions
    • Ethical violations of cyberspace occur regularly without widespread recognition or response
      • Nobody has thought through what a particular capability or activity represents in terms of right and wrong
what is ethics
What is Ethics?
  • A global term describing the system by which individuals distinguish right from wrong
    • Ethical systems describe the duties and behaviors commonly considered correct for a given circumstance
      • Documented by an ethical guideline that aids in behavior evaluation and as a framework to judge behavior
    • Ethics benefit information assurance because they are applied morality
      • They are logical assumptions about how moral principles should be applied in practice
      • They represent an understanding of what is morally correct
      • They become legal systems when the morality they capture is formalized into law
ethics and information assurance
Ethics and Information Assurance
  • Although abstract, the requirement for an ethical system is a critical part of information assurance
    • Ethics establishes the foundation of group trust and trustworthiness
    • Policies should be formulated based on the ethical values of the organization while not contradicting the principles of individuals
    • An established ethical standard guides the preservation of confidentiality, integrity, and availability
    • Ethical standard must be clearly articulated and understood throughout the organization
ethics and technology
Ethics and Technology
  • Technology has advanced at a rate that exceeds society’s ability to decide about its appropriateness
    • Data-mining industry is an example of organizations operating without an ethical compass
      • Privacy concerns and the question of the ethics
    • More grey areas are likely to develop
  • It is essential for the information profession to consider, adopt, and use ethical guidelines
    • Without ethical guidance it is difficult to expect effective control of information workers’ behavior
practical ethical systems enforcing proper individual behavior
Practical Ethical Systems: Enforcing Proper Individual Behavior
  • A communal set of values provides the framework to ensure that individual decisions reflect the group’s common ethical principles
    • It assumes that all actions that constitute unacceptable behavior can be recognized
    • Group values have to be formally documented
    • Formal documentation of the values is an ethical code of conduct
    • Ethical code of conduct is the organization’s standard of behavior
    • Codes of conduct dictate the duties and obligations of individuals relative to group norms
enforcing behavior norms aligning personal and group perspectives
Enforcing Behavior Norms: Aligning Personal and Group Perspectives
  • Group norms are the measuring stick for evaluating individual behavior
    • Formally documented codes of conduct dictate the minimal moral tone and actions of an organization
    • Ethical systems delineate the correct choices for individuals relative to the group norms
    • Properly designed ethical systems always provide a concrete reference for decision making as well as an explanation of the consequences of deviation
  • In practical applications of codes of ethics, an explicit enforcement mechanism is a necessity
ensuring professional conduct
Ensuring Professional Conduct
  • Professional codes of conduct define the values and beliefs of a profession
    • Communicate the formal models that make up the norms a group has chosen to adopt
    • Those models are based on each organization’s understanding of correct professional behavior
  • Professional codes of conduct are essential in information assurance because:
    • They cover a broad range of fundamental concerns raised by the ever-increasing and changing technology
establishing a basis formal codes of conduct for cyberspace
Establishing a Basis: Formal Codes of Conduct for Cyberspace
  • A formal code for cyberspace was published 1989 – sponsored by the Network Working Group of the Internet Activities Board (IAB)
    • To reinforce its authority in the area, the IAB was renamed the Internet Architecture Board in 1992
    • IAB directive “Ethics and the Internet” (RFC 1087) outlines five principles – which state that it is unethical:
      • To seek to gain unauthorized access to the resources of the Internet
      • To disrupt the intended use of the Internet
      • To waste resources through such actions
      • To destroy the integrity of computer-based information
      • To compromise the privacy of users
establishing a basis formal codes of conduct for cyberspace1
Establishing a Basis: Formal Codes of Conduct for Cyberspace
  • Organized religion has even weighed in on the ethical use of the Internet
    • Personal responsibility in governing acceptable use
  • National bodies who have established formal codes of conduct:
    • The Association for Computing Machinery (ACM)
    • The Institute for Electrical and Electronics Engineers (IEEE)
      • These codes are specific to the profession
      • They communicate the ethical responsibility of information professionals to perform their duties in a capable manner
      • They set the minimum expectations with respect to the level of capability required
      • They serve as a basis for judging whether that standard has been adequately met
establishing a basis formal codes of conduct for cyberspace2
Establishing a Basis: Formal Codes of Conduct for Cyberspace
  • Professional societies that stipulate codes of ethical practice:
    • The Information Systems Audit and Control Association (ISACA)
    • The International Information Systems Security Certifying Consortium (ISC)
    • The SANS Institute
  • Concern: There is not a single universally recognized code of conduct for the information assurance profession
certification ensuring professional capability
Certification: Ensuring Professional Capability
  • Certification is a method of identifying individuals committed to ethical behavior
    • Standard level of professional competence
    • Certifications based on a number of representative common bodies of knowledge (CBK)
      • No single system guarantees that the practitioner responsible for protecting an organization’s information is competent
    • Few formally agreed-on definitions of the knowledge or competencies
    • Certification that attests to an individual’s ability to think critically about an identified problem space provides the most valid proof of competence
certification ensuring professional capability1
Certification: Ensuring Professional Capability
  • Determining the value of a certification:
    • How long has the certification been in existence?
    • Does the certification organization’s process conform to established standards?
    • How many people hold the certification?
    • How widely respected is the certification?
    • Does the certificate span industry boundaries?
    • What is the probability that 5 or 10 years from now, the certificate will still be useful?
    • Does the certification span geographic boundaries?
    • Does the certification require attestation to a defined ethical behavior?
information ethics
Information Ethics
  • Deals with the ethical questions that relate to the use of information assets
    • Explores and evaluates the development of ethical principles in information assurance
    • Examines ethical concepts that support information assurance theory and practice, as well as their relevance to everyday information security work
  • A timely and important area because:
    • Traditional philosophical frame of reference is out of date
    • Information technology has extended capabilities beyond:
      • Traditional moral and philosophical realms
      • Precedents and principles of our legal system
information ethics1
Information Ethics
  • Four areas where guidance about ethical behavior should be provided:
    • Invasion of privacy
    • Unauthorized appropriation of information
    • Breach of confidentiality
    • Loss of integrity
invasion of privacy
Invasion of Privacy
  • Invasion of privacy is a common violation
    • The act of obtaining information to breach an individual’s reasonable expectation of privacy
  • Legally, the Bill of Rights does not guarantee a right to privacy from other individuals except in specific cases
invasion of privacy1
Invasion of Privacy
  • Ethics of invading your privacy for profits: the data mine
    • Data aggregation and data mining augments an organization’s ability to understand its customers better
      • These methods may intrude too far into personal lives
    • Other instances of intrusion:
      • Placing tracking cookies surreptitiously on computers
      • Credit-monitoring services
      • Telephone tapping
    • Solution is to build an understanding across society and grapple with the essential questions:
      • What is the limit to the acquisition and use of knowledge by institutions?
      • What can other people know without violating your privacy?
invasion of privacy2
Invasion of Privacy
  • Invading the privacy of your employees
    • Employer may reasonably monitor its employees
      • It is implied that people who come to work, have sacrificed some of their rights to privacy for the good of the organization
        • The organization has an unstated right to oversee employee behavior and communications on the job
      • More subtle activities which are not violations if used within the scope of work:
        • Keylogging of employees
        • Observing them through workplace video cameras and closed-circuit television
unauthorized appropriation
Unauthorized Appropriation
  • Unauthorized appropriation – use of a computer to obtain something under false pretenses
    • A crime if an item of concrete value is taken
    • An ethical compromise where the value is either intangible or cannot be estimated
    • Typically takes place when another person’s intellectual property is either stolen or misused
  • Misappropriation of intellectual property presupposes that an identified piece of intellectual property exists
ethics of confidentiality
Ethics of Confidentiality
  • Breach of confidentiality can be intentional or unintentional
    • Disclosure of private information is a matter of civil and even criminal liability in some states
  • Two well-known examples of the way federal legal system addresses breach of confidentiality:
    • Health Insurance Portability and Accountability Act (HIPAA)
      • The first comprehensive federal protection for the privacy of personal health information
    • Family Educational Rights and Privacy Act, 1974 (FERPA)
      • Limits the personal information that educational institutions can release to the public
ethics of integrity
Ethics of Integrity
  • Integrity implies that the information is correct
    • Information has not been accidentally or maliciously altered or destroyed
  • The ethical issue can be characterized by a legal term, “false light”
    • A circumstance where information that is being kept either is false or harmfully misrepresents something about the individual
ethics of integrity1
Ethics of Integrity
  • Unintentional errors
    • Represented by incorrect or missing values
    • Ethical response to the inevitable inaccuracy:
      • Error-trapping functions in the system
      • Embedding rigorous audit and control mechanisms
  • Intentional errors
    • Sources
      • Insider who alters data to portray the facts of a given situation incorrectly
      • Insider who accepts and records incorrect information
      • Outsider who hacks into the system in order to change the integrity of its data
ethics of integrity2
Ethics of Integrity
  • Exercising due care
    • Characterized by a careful attention to detail in the process of:
      • Designing
      • Assessing
      • Updating
      • Monitoring data and systems
    • A statement of due care
      • To protect the organization from liability concerns as well as to ensure good ethical practice
ad