Ethics

As children, most people learn the basic concept “treat others as you would want them to treat you.” Of course, life for adults is rarely that simple. Adults tend to complicate things. The study of ethics is essentially the study of those complications and how to navigate them back to the simplicity of “treat others as you would want them to treat you.” In this section, you’ll examine how ethics affect information security—specifically, the need for access controls.

What Is Right and What Is Wrong

“Right” and “wrong” may seem like basic concepts—most children learn that lying and stealing are wrong—but in the real world of organizational behavior, there is a gray area between the two absolutes. Most decisions people make fall into this gray area.

Ethics Go Beyond “Do Not Steal”

Organizational ethics programs are essential for defining the core values of the organization. However, an organization that forgets or ignores the code of ethics once it has been written does not fully take advantage of this powerful tool. An ethics program is far more than a written document. It involves several stages, which should be reviewed and repeated regularly:

  • Define the core values of the organization and ensure that those values are reflected in the stated code of ethics. An organization’s core values should be limited to those three to five values that are most critical to that particular organization. An educational institution, for example, may place intellectual development on its list of core values, while a manufacturing company may replace that value with one more suited to its purpose, such as quality assurance. These core values should be reviewed annually to ensure that the stated values still reflect the goals of the organization.
  • Solicit input from a wide range of stakeholders across all levels and departments of the organization. Although a code of ethics should have strong backing from the highest levels of management, it is also important for employees at all levels to see that their perspectives are represented in the final document.
  • Write or revise the code of ethics, including information on where an employee can go for clarification and how ethical dilemmas should be resolved. Distribute the document to every employee and post copies throughout the organization.
  • Create or review structures within the organization that support the code of ethics. For example, many organizations create an ethics committee at the board level, which provides high-level leadership on ethics matters, as well as an ombudsman to assist in clarifying ethical questions by interpreting policies and procedures in the day-to-day operations of the organization. The ombudsman also assists in resolving ethical concerns employees may have about their duties or about the activities of management.
  • Conduct training sessions and workshops to further clarify the core values contained within the code of ethics and to give employees the opportunity to practice analyzing situations and making ethical decisions in a low-stress environment. This experience will help them when they face an ethical dilemma in a higher-stress situation.

This process is critical in times of rapid change and crisis, when there may not be time to deliberate on the ethical implications of behaviors and decisions. By placing a high priority on ethics and ensuring that every employee is well trained in the process of analyzing situations and making ethical decisions, an organization can ensure that its employees will behave ethically when it is most needed. Ongoing attention to the process of ethics management makes the code of ethics a real presence in organizational culture, not just another document in the employee handbook. It should inform every other policy, including those on information security.

Enforcing Policies

Simply writing policies that define the responsibilities of information owners, managers, and employees is not sufficient to actually safeguard sensitive resources. Everyone concerned should understand, accept, and enforce those policies on all levels. For an information security policy to be truly effective, individual employees must accept its importance in meeting their needs and enforce it informally within their working groups.

Employees should understand that safeguarding information is vital to the continued success of the organization and, therefore, to the continuation of their jobs and their ability to provide for their families. The policy itself should also specify who has the ultimate authority to enforce it and the specific consequences of noncompliance. Managers should be proactive in providing resources and training for their employees; they are also responsible for formal policy enforcement. Information owners must likewise take their role seriously and ensure that the information they are responsible for is adequately protected.

Human Resources Involvement

Human resources should be an integral part of enforcing security policy. By providing resources and training opportunities, they can help prevent security policy noncompliance. They are also responsible for implementing the stated consequences for noncompliance, including formal employee censure and termination.
