
Ethics in Information Security

At some point, every information security professional faces at least one (and usually many) serious ethical dilemma(s) related to the practice of information security in the workplace. Of all the facets of an information security professional’s job, however, I suspect that the ones involving ethical issues often receive the least attention. This is not at all to say that information security professionals are unethical—to the contrary—but with all the on-the-job pressures, many or most of which amount to quickly putting out “brush fires,” these professionals honestly do not have much time left to ponder ethical dilemmas, let alone successfully resolve them.

Numerous ethical standards for information security and auditing professionals have been published and are in effect. For example, (ISC)2’s standard of ethics applies to everyone who has received (ISC)2 certification such as CISSP certification. Similarly, the ISACA Code of Professional Ethics applies to information security professionals who have received certifications such as CISA and CISM certification. Both of these organizations will revoke certifications of individuals who have violated their ethics standards; ironically, however, despite several cases of which I am aware in which certified professionals were accused by peers of having been in gross violation of these standards, only one person of whom I am aware has lost certification because of ethical violations. A good explanation, however, could very well be that I am not in a very good position to hear of other such cases!

The biggest ethical dilemma in information security that I have ever faced was when I was engaged in day-to-day intrusion detection monitoring. I caught a world-renowned researcher regularly visiting a number of child pornography sites. I carefully gathered evidence of this activity (which was abundant) and submitted it to the person who was at that time my boss. Not too long afterwards, he told me that the person who had ostensibly been involved in this egregious activity was an “untouchable” because of his fame in the field and because he brought in so much research funding. I was thus in no uncertain terms told to drop the issue. Needless to say, I was troubled. The right thing to do from an ethical standpoint would be to report what I had seen, and I did that, yet the person I informed squashed any type of further investigation. To circumvent my boss’ orders could easily result in the termination of my employment. After considerable soul searching, I decided that the right thing to do from an ethical standpoint was to risk losing my job by reporting what I had observed to law enforcement. I called the local FBI office repeatedly over a span of several days, but not one of my calls was returned. I then called the FBI office that handles national computer crime cases. Interestingly, I had dealt with this office many times before in connection with my having in the past been the head of a national incident response team. I was probably unduly naïve; the turnover of staff there was virtually 100 percent since I had last dealt with this office. At any rate, the result was the same as before. Apparently, the FBI had “bigger fish to fry.” Fortunately for me, the indolence of law enforcement helped ensure that my boss never heard that I had contacted them.

Did I live up to the ethical standards that my CISSP and CISM certification status holds me to? All I can say is that I did everything I could think of to do what was ethically correct. I’d be very interested in reactions and advice from readers—did I do enough, or should I have done more? If I should have done more, what should I have done and why? Frankly, I think that I would have done the same thing if I had not received any professional certifications. What genuinely troubles me, however, is that the perpetrator of the activity that I identified is without a doubt still up to his same tricks without any fear of punishment whatsoever.

Ethics in information security is extremely important. Despite the often frenzied levels of activity in which we engage, we should and must be on the lookout for ethical dilemmas that need to be solved in accordance with standards of ethical conduct. Resolving some of these issues is, however, too often anything but simple.
