Chapter 16
Information Ethics and Codes of Conduct

Objectives

  • Explain the role of ethics in information assurance

  • Identify the fundamental elements of a professional code of conduct

  • Define and apply an ethical system

Ethics

  • Information practitioners need guidance in correct behavior

    • Especially essential because the commodity is abstract and information assurance professionals have unprecedented access

    • Anonymity, intangibility, and the evolution of the technology increase ethical grey areas

    • Technological advances usually come without ethical instructions

    • Ethical violations of cyberspace occur regularly without widespread recognition or response

      • Nobody has thought through what a particular capability or activity represents in terms of right and wrong

What is Ethics?

  • A global term describing the system by which individuals distinguish right from wrong

    • Ethical systems describe the duties and behaviors commonly considered correct for a given circumstance

      • Documented by an ethical guideline that aids in behavior evaluation and as a framework to judge behavior

    • Ethics benefit information assurance because they are applied morality

      • They are logical assumptions about how moral principles should be applied in practice

      • They represent an understanding of what is morally correct

      • They become legal systems when the morality they capture is formalized into law

Ethics and Information Assurance

  • Although abstract, the requirement for an ethical system is a critical part of information assurance

    • Ethics establishes the foundation of group trust and trustworthiness

    • Policies should be formulated based on the ethical values of the organization while not contradicting the principles of individuals

    • An established ethical standard guides the preservation of confidentiality, integrity, and availability

    • Ethical standard must be clearly articulated and understood throughout the organization

Ethics and Technology

  • Technology has advanced at a rate that exceeds society’s ability to decide about its appropriateness

    • Data-mining industry is an example of organizations operating without an ethical compass

      • Raises privacy concerns and the question of whether the practice is ethical

    • More grey areas are likely to develop

  • It is essential for the information profession to consider, adopt, and use ethical guidelines

    • Without ethical guidance it is difficult to expect effective control of information workers’ behavior

Practical Ethical Systems: Enforcing Proper Individual Behavior

  • A communal set of values provides the framework to ensure that individual decisions reflect the group’s common ethical principles

    • It assumes that all actions that constitute unacceptable behavior can be recognized

    • Group values have to be formally documented

    • Formal documentation of the values is an ethical code of conduct

    • Ethical code of conduct is the organization’s standard of behavior

    • Codes of conduct dictate the duties and obligations of individuals relative to group norms

Enforcing Behavior Norms: Aligning Personal and Group Perspectives

  • Group norms are the measuring stick for evaluating individual behavior

    • Formally documented codes of conduct dictate the minimal moral tone and actions of an organization

    • Ethical systems delineate the correct choices for individuals relative to the group norms

    • Properly designed ethical systems always provide a concrete reference for decision making as well as an explanation of the consequences of deviation

  • In practical applications of codes of ethics, an explicit enforcement mechanism is a necessity

Ensuring Professional Conduct

  • Professional codes of conduct define the values and beliefs of a profession

    • Communicate the formal models that make up the norms a group has chosen to adopt

    • Those models are based on each organization’s understanding of correct professional behavior

  • Professional codes of conduct are essential in information assurance because:

    • They cover a broad range of fundamental concerns raised by the ever-increasing and changing technology

Establishing a Basis: Formal Codes of Conduct for Cyberspace

  • A formal code for cyberspace was published in 1989, sponsored by the Network Working Group of the Internet Activities Board (IAB)

    • To reinforce its authority in the area, the IAB was renamed the Internet Architecture Board in 1992

    • IAB directive “Ethics and the Internet” (RFC 1087) outlines five principles – which state that it is unethical:

      • To seek to gain unauthorized access to the resources of the Internet

      • To disrupt the intended use of the Internet

      • To waste resources through such actions

      • To destroy the integrity of computer-based information

      • To compromise the privacy of users

Establishing a Basis: Formal Codes of Conduct for Cyberspace

  • Organized religion has even weighed in on the ethical use of the Internet

    • Personal responsibility in governing acceptable use

  • National bodies who have established formal codes of conduct:

    • The Association for Computing Machinery (ACM)

    • The Institute of Electrical and Electronics Engineers (IEEE)

      • These codes are specific to the profession

      • They communicate the ethical responsibility of information professionals to perform their duties in a capable manner

      • They set the minimum expectations with respect to the level of capability required

      • They serve as a basis for judging whether that standard has been adequately met

Establishing a Basis: Formal Codes of Conduct for Cyberspace

  • Professional societies that stipulate codes of ethical practice:

    • The Information Systems Audit and Control Association (ISACA)

    • The International Information Systems Security Certification Consortium ((ISC)²)

    • The SANS Institute

  • Concern: There is not a single universally recognized code of conduct for the information assurance profession

Certification: Ensuring Professional Capability

  • Certification is a method of identifying individuals committed to ethical behavior

    • Standard level of professional competence

    • Certifications based on a number of representative common bodies of knowledge (CBK)

      • No single system guarantees that the practitioner responsible for protecting an organization’s information is competent

    • Few formally agreed-on definitions of the knowledge or competencies

    • Certification that attests to an individual’s ability to think critically about an identified problem space provides the most valid proof of competence

Certification: Ensuring Professional Capability

  • Determining the value of a certification:

    • How long has the certification been in existence?

    • Does the certification organization’s process conform to established standards?

    • How many people hold the certification?

    • How widely respected is the certification?

    • Does the certificate span industry boundaries?

    • What is the probability that 5 or 10 years from now, the certificate will still be useful?

    • Does the certification span geographic boundaries?

    • Does the certification require attestation to a defined ethical behavior?

Information Ethics

  • Deals with the ethical questions that relate to the use of information assets

    • Explores and evaluates the development of ethical principles in information assurance

    • Examines ethical concepts that support information assurance theory and practice, as well as their relevance to everyday information security work

  • A timely and important area because:

    • Traditional philosophical frame of reference is out of date

    • Information technology has extended capabilities beyond:

      • Traditional moral and philosophical realms

      • Precedents and principles of our legal system

Information Ethics

  • Four areas where guidance about ethical behavior should be provided:

    • Invasion of privacy

    • Unauthorized appropriation of information

    • Breach of confidentiality

    • Loss of integrity

Invasion of Privacy

  • Invasion of privacy is a common violation

    • The act of obtaining information to breach an individual’s reasonable expectation of privacy

  • Legally, the Bill of Rights does not guarantee a right to privacy from other individuals except in specific cases

Invasion of Privacy

  • Ethics of invading your privacy for profits: the data mine

    • Data aggregation and data mining augment an organization’s ability to understand its customers better

      • These methods may intrude too far into personal lives

    • Other instances of intrusion:

      • Placing tracking cookies surreptitiously on computers

      • Credit-monitoring services

      • Telephone tapping

    • Solution is to build an understanding across society and grapple with the essential questions:

      • What is the limit to the acquisition and use of knowledge by institutions?

      • What can other people know without violating your privacy?

Invasion of Privacy

  • Invading the privacy of your employees

    • Employer may reasonably monitor its employees

      • It is implied that people who come to work have sacrificed some of their rights to privacy for the good of the organization

        • The organization has an unstated right to oversee employee behavior and communications on the job

      • More subtle activities that are not violations when used within the scope of work:

        • Keylogging of employees

        • Observing them through workplace video cameras and closed-circuit television

Unauthorized Appropriation

  • Unauthorized appropriation – use of a computer to obtain something under false pretenses

    • A crime if an item of concrete value is taken

    • An ethical compromise where the value is either intangible or cannot be estimated

    • Typically takes place when another person’s intellectual property is either stolen or misused

  • Misappropriation of intellectual property presupposes that an identified piece of intellectual property exists

Ethics of Confidentiality

  • Breach of confidentiality can be intentional or unintentional

    • Disclosure of private information is a matter of civil and even criminal liability in some states

  • Two well-known examples of the way the federal legal system addresses breach of confidentiality:

    • Health Insurance Portability and Accountability Act (HIPAA)

      • The first comprehensive federal protection for the privacy of personal health information

    • Family Educational Rights and Privacy Act, 1974 (FERPA)

      • Limits the personal information that educational institutions can release to the public

Ethics of Integrity

  • Integrity implies that the information is correct

    • Information has not been accidentally or maliciously altered or destroyed

  • The ethical issue can be characterized by a legal term, “false light”

    • A circumstance where information that is being kept either is false or harmfully misrepresents something about the individual

Ethics of Integrity

  • Unintentional errors

    • Represented by incorrect or missing values

    • Ethical response to the inevitable inaccuracy:

      • Error-trapping functions in the system

      • Embedding rigorous audit and control mechanisms

  • Intentional errors

    • Sources

      • Insider who alters data to portray the facts of a given situation incorrectly

      • Insider who accepts and records incorrect information

      • Outsider who breaks into the system in order to compromise the integrity of its data

Ethics of Integrity

  • Exercising due care

    • Characterized by a careful attention to detail in the process of:

      • Designing

      • Assessing

      • Updating

      • Monitoring data and systems

    • A statement of due care

      • To protect the organization from liability concerns as well as to ensure good ethical practice