A number of professions in our society are required to abide by a set of rules that regulate their actions because of the nature of the work they do. Examples include lawyers, doctors and accountants, who follow codes of ethics that define acceptable and punishable behavior toward patients and clients. Now, as we move into the information age, more and more organizations are turning to system automation and abandoning old manual methods of data storage and maintenance.
The field of Information Technology has changed the way people work. Because a company's valuable information and data are stored electronically, IT security professionals, just like doctors and lawyers, are tasked with important functions. They are responsible for protecting data and systems from unauthorized external and internal access, and for preventing disruption, modification and destruction of networks, especially from software and hardware attacks. By handling such delicate information, they possess a great deal of power that may be abused.
The first issue that highlights the need for a code of ethics for IT professionals is privacy, one of the hottest topics in information security. These professionals can access crucial information about customers, industries, government agencies, corporations, people and networks that, if used wrongly, will result in serious legal implications. One example is an IT security staff member in charge of regulating the website access of a company's employees.
In the course of blocking sites and programming firewalls, they can install keyloggers that enable them to view whatever a person types on a keyboard, which may include credit card numbers, personal information, notes and emails. Release of such vital information can provide the tools needed for identity theft, fraud, misrepresentation, blackmail and many other crimes. Another issue, linked to privacy of information, is confidentiality.
Company information such as new products, financial reports, projected plans and research can be sold to competitors, which can lead to serious business damage such as bankruptcy. The third issue is the monetary benefit that may be derived from manipulating a system. Aside from actual theft of information, IT security professionals can alter programmed security measures and charge additional fees for something that they themselves maneuvered.
They can make a system appear to be vulnerable to threats that they themselves created (Whitman and Mattord, 2007, p. 0-99). Moving forward, a number of companies have recognized the need to abide by ethical practices. One example of an ethical security practice comes from Cisco Systems Inc., a multinational IT corporation that designs and sells network communication technology and services. The company once encountered a vulnerability that it felt would affect the health of the Internet, so it contacted backbone providers first to ensure their systems were patched to protect them from the threat (Davidson, 2008, Leading By Example).
The company has since received various awards for ethical practices. Another example is the development of software intended to prevent, or at least regulate, unethical security attacks such as identity theft. This was Secure Electronic Transfers (SET), which was developed by SETco, led by VISA and MasterCard (and involving other companies such as GTE, IBM, Microsoft, Netscape, RSA and VeriSign). SET is a set of security protocols that ensures the safety of information from the buyer to the internet and also takes the safety of consumers into consideration.
In conclusion, an organization entrusts valuable network and data security assets to information security professionals. However, unlike older professions such as medicine and law, most ethical issues in this occupation have not been codified into specific law, and there is still no mandatory association (such as a bar association or the American Board for Medicine) that has established a detailed code of ethics that is uniform across all IT professionals. Organizations must therefore take it upon themselves to instill a code of ethics so that these personnel understand the moral and legal implications of their actions.