Security Professional Ethics:
Questionable ethical and security professional practices have attained a high profile recently. Age-old discussions of right and wrong have resurfaced thanks to widely publicized malfeasance from top corporate executives. Debates on many key issues have risen in the media, in boardroom conferences, and around the water cooler. And trust, or rather mistrust, seems to be a prevailing theme.
This environment should give all professional workers pause to consider their own ethical values and how they practice them. Not only does this provide a chance to improve performance, but it allows professionals the chance to reexamine the social implications of their work and build a solid trust within their communities.
For the burgeoning information security industry, trust is a key component of professional conduct. Many professional information security workers enjoy not only unfettered access to company networks, but they are often trusted to handle a number of administrative and critical business activities. With these duties comes great responsibility. However, newly ordained information security professionals may not be conscious of the myriad expectations associated with their position. The focus of this paper is to promote a clearer understanding of the ethical and legal implications that come with a career in information security.
The Pitfalls of Shirking Information Security Responsibilities
Moral arguments for practicing ethical behavior are plentiful. But oftentimes these are too amorphous to begin a concrete discussion of the duties of trusted individuals. Frank descriptions of potential consequences may do more to drive home the need for adhering to accepted behaviors.
If a picture can say a thousand words, then the frequent snapshots of CEOs in handcuffs should have reiterated every employee agreement, regulatory rulebook, and professional code of ethics one could read. The highly publicized "perp-walk" has become a powerful reminder of the penalties awaiting those who abuse their trusted positions. If there is one thing that all of these fallen executives share, it is their failure to abide by the ethical requirements of their posts.
For chief security officers, jail time is a potent incentive for taking the ethical high road. Although not every government or industry regulation carries an incarceration clause, negligent executives are likely to come across one that does. Absence of appropriate security controls has become a new focus for regulatory actions for industries ranging from healthcare and finance to those that control critical public infrastructure. Although some penalties associated with the Sarbanes-Oxley Act, the Health Insurance Portability and Accountability Act (HIPAA) and the Gramm-Leach-Bliley Act have not yet been tested, this will not always be the case. Now is the time for security officers to begin viewing these rules and their sanctions with more than dismissive nods, if not for themselves, then for the reputations of their profession and respective companies.
Monetary penalties may seem less severe, but they are equally devastating methods of punishment. These are especially troublesome when they range in the tens of thousands of dollars and draw heavy media coverage. And with the steady integration of information technology with nearly every aspect of business and communication, the possible violations have grown exponentially.
Consider the predicament of the Guess Jeans Company in their battle with the Federal Trade Commission. The company was hit with a violation of trade practices in 2003 for a cyber security hole. Apparently, Guess had advertised that customer data, including credit card and password information, was always stored in encrypted formats to protect against identity theft and similar crimes. However, when an SQL injection vulnerability was discovered by a California software programmer, their claim was deemed fraudulent and misleading to the public. So, instead of being brought down by one of the many laws that mandate adequate security controls, the company is under a 20-year order to maintain a certified security program or face an $11,000 fine for each violation. That doesn't seem so bad at first glance, but in light of the possible 200,000 violations related to the initial discovery, the penalty quickly multiplies.
Although non-executive information security workers will not see the same degree of punishment, they should always remember that their corporate executives could. This means that a lapse in ethical responsibilities could, at the most, cost lower-ranking professionals their jobs. Plus, ethical violations are not exactly prime resume fodder.