As children, most people learn the basic concept “treat others as you would want them to treat you.” Of course, life for adults is rarely that simple. Adults tend to complicate things. The study of ethics is essentially the study of those complications and of how to navigate them back to the simplicity of “treat others as you would want them to treat you.” In this section, you’ll examine how ethics affects information security, and specifically why access controls are needed.
“Right” and “wrong” may seem like basic concepts—most children learn that lying and stealing are wrong—but in the real world of organizational behavior, there is a gray area between the two absolutes. Most decisions people make fall into this gray area.
Organizational ethics programs are essential for defining the core values of the organization. However, an organization that forgets or ignores the code of ethics once it has been written does not fully take advantage of this powerful tool. An ethics program is far more than a written document. It involves several stages, which should be reviewed and repeated regularly:
This process is critical in times of rapid change and crisis, when there may not be time to deliberate on the ethical implications of behaviors and decisions. By placing a high priority on ethics and ensuring that every employee is well trained in the process of analyzing situations and making ethical decisions, an organization can ensure that its employees will behave ethically when it is most needed. Ongoing attention to the process of ethics management makes the code of ethics a real presence in organizational culture, not just another document in the employee handbook. It should inform every other policy, including those on information security.
Simply writing policies that define the responsibilities of information owners, managers, and employees is not sufficient to actually safeguard sensitive resources. Everyone concerned should understand, accept, and enforce those policies on all levels. For an information security policy to be truly effective, individual employees must accept its importance in meeting their needs and enforce it informally within their working groups.
Employees should understand that safeguarding information is vital to the continued success of the organization, and therefore to the continuation of their own jobs and their ability to provide for their families. The policy itself should also specify who has the ultimate authority to enforce it and what the specific consequences of noncompliance are. Managers should be proactive in providing resources and training for their employees, and they are responsible for formal policy enforcement. Information owners must also take their role seriously and ensure that the information they are responsible for is adequately protected.
Human resources should be an integral part of enforcing security policy. By providing resources and training opportunities, they can help prevent security policy noncompliance. They are also responsible for implementing the stated consequences for noncompliance, including formal employee censure and termination.