Introduction
Technology continues to push the availability of information to
the outer edges of our environment. Information systems process,
store, and transmit sensitive, often private information. As an
IT professional, it’s your job to ensure that critical information
systems are up and running twenty-four hours a day, seven days
a week, are free of malice, and are used for business-appropriate
functions. Most likely, you have direct access to these systems
and the confidential information they process, store, and transmit.

Professions such as medicine and law have a well-defined set of ethical
codes that, if not adhered to, result in significant penalties. No such code
exists for the IT professional. Generally, IT professionals must
adhere to personal codes of conduct and self-imposed ethical guidelines.
Technology presents ethical complexities that were never before
considered and where previous rules of behavior simply do not
apply. This paper will explore ethical issues that IT professionals
are faced with and provide insight as to how to choose an ethically
correct path.

Information Technology and Ethics: A Difficult Combination
As an IT professional, you have the ability to access sensitive,
private information on the systems throughout your organization.
You may also have full access to the systems that perform data
backups and are likely to be responsible for configuring and maintaining
information security mechanisms. You have the keys to the kingdom.

A recent survey found that “one in three tech workers admit to using special IT
privileges to peek at employees’ confidential data.”
This includes private information such as wages, emails, HR documents,
and other personal files. One ethically unsound IT administrator
was quoted as saying: “Why does it surprise you that so
many of us snoop around your files, wouldn’t you if you
had secret access to anything you can get your hands on!”

While a single survey doesn’t paint all IT professionals an unethical shade of
gray, it does raise a considerable number of questions. As an
IT manager, are you responsible for the actions of your staff?
How can you ensure they will not act in an unethical manner? How
can you, as a manager, limit your liability and educate your staff
on the matter of technology and ethics? How does an organization
clearly state what it believes to be right or wrong and effectively
communicate its message? Who decides what is right or wrong and
how can we make conscious ethical decisions with some level of
consistency? These questions only scratch the surface of the complexities
created by technology and ethics.

A recent situation that I was made personally aware of involved an email filtering
solution and an unscrupulous IT administrator. Organizations have
an obvious need to limit the exposures represented by email including
spam, viruses, phishing attacks, and other malicious payloads.
As such, the IT administrator at this particular government facility
configured an email filtering solution to quarantine all messages
so that they could be individually reviewed before delivery. As
part of the process, the administrator would individually review
each and every email. Clearly, there was the potential to read
sensitive information as the emails were reviewed for vulnerabilities.
Even though it is well known that once an email is sent, confidentiality
cannot be guaranteed, there is still an expectation of privacy
from peers and coworkers.

As it turns out, the administrator was not only reading sensitive information, but
was also deciding which emails to allow or deny based not
on their technical risk but on their content. Emails that involved
information relating to the administrator’s actions as an
employee and IT projects they were involved in mysteriously vanished
and were never delivered. Fellow employees, managers, and even
the IT administrator’s boss were not aware that each and
every email was manually reviewed before being delivered.

What was the cause of this failure of ethics? Did the manual email review process
start out as a well-intended security measure that slowly morphed
into the moral mess that it was? Or was the IT administrator
ethically unsound to start with? Were there other unethical actions
performed by this person? Are all IT administrators prone to this
same lack of recognition for what is right or wrong? As mentioned
earlier, the topic of technology and ethics will typically create
more questions than answers as it has clearly done in this case.

As ethically corrupt as this case was, I believe that many IT professionals have good
morals and ethics and, if presented with an ethical decision, will
act honorably. Often, it is difficult to instantly know right
from wrong, especially in the heat of the moment. Luckily, there
are people and organizations that recognize the complex ethical
issues created by information technology and help to educate and
create awareness in regards to this issue.

Ethical Guidelines for the IT professional
Now that you’ve been thinking about technology and ethics
(and the difficulties they create), you are probably wondering
if you’ve made the correct decisions in the past and if
you’ll do so in the future. Unfortunately, many individuals
aren’t sure how they make sound ethical decisions and simply
feel, or hope, that they will make the right decision when the
time comes. The lack of a cognizant decision-making process may
lead to inconsistency – something all IT professionals should
try to avoid. As such, it is important to be proactive and prepare
oneself to make ethically sound decisions.

To help accomplish this, the use of ethical guidelines can help keep one’s
moral compass pointed in the right direction. Guidelines are an
excellent way to evaluate a situation as they are short, concise,
and easy to reference. The Computer Ethics Institute provides
a “highly effective code of ethics for the proper use of
information technology,” known as the Ten Commandments of
Computer Ethics, which are as follows:
1. Thou shalt not use a computer to harm other people.
2. Thou shalt not interfere with other people's computer work.
3. Thou shalt not snoop around in other people's computer files.
4. Thou shalt not use a computer to steal.
5. Thou shalt not use a computer to bear false witness.
6. Thou shalt not copy or use proprietary software for which you
have not paid.
7. Thou shalt not use other people's computer resources without
authorization or proper compensation.
8. Thou shalt not appropriate other people's intellectual output.
9. Thou shalt think about the social consequences of the program
you are writing or the system you are designing.
10. Thou shalt always use a computer in ways that ensure consideration
and respect for your fellow humans.

For easy reference, this list is available in PDF format through the Computer Ethics
Institute website at http://www.computerethicsinstitute.org.

Sound ethical decisions can also be reached by asking yourself some simple questions.
Dr. Kabay of Norwich University published an article that highlighted
questions that we can ask ourselves to ensure that we have applied
an appropriate level of reason to our ethical dilemma:
Ask yourself
o Is it legal?
o If the tables were turned, would I want someone to act this
way towards me?
o Does the idea feel wrong?
Would you
o tell your parents what you did?
o like to have your action shown on national TV?
o be proud of yourself in public for having done what you’re
thinking about doing?
Would your action
o hurt others?
o violate their privacy?
o take their property?
o make others pay for your own (usually secret) benefit?
o break someone’s trust in you?
Would a proposed action
o hurt someone’s feelings?
o be unjust or unfair?
o involve untruths?
o make you a better person?
o make you kinder?
o make you smarter?
o make you proud of your integrity?
Does your idea show respect for other people or does it
treat them as tools for your own gain?
Would you feel “used” if someone did to you
what you are thinking about doing?
And finally, Dr. Kabay suggests that you ask yourself: “what
if everyone acted as you suggest – would that be good or
bad in general?”
Code of Ethics
As information security has become a business imperative, many
IT professionals are pursuing certification in information security
through formalized training from organizations such as (ISC)².
A requirement of maintaining any (ISC)² certification is
to fully support the Code of Ethics as defined by four mandatory
canons:
Protect society, the commonwealth, and the infrastructure.
Act honorably, honestly, justly, responsibly, and legally.
Provide diligent and competent service to principals.
Advance and protect the profession.
Failure to uphold the Code may result in the revocation of certification.
By creating a strict Code of Ethics, (ISC)² and similar
organizations require individuals to uphold a high
standard that is respected and recognized by peers, coworkers,
and employers.
Conclusion
As technology continues to advance, the IT professional will be
faced with making ethical decisions that may greatly affect others
and can result in either a negative or positive outcome. An IT
professional must be prepared to handle these sometimes very difficult
situations in a respectable and logical manner. Understanding
the complexities that one may face and the implications of one’s
actions is imperative to making sound ethical decisions.
Bibliography
Computer Ethics Institute, “Computer Ethics Institute,”
http://www.computerethicsinstitute.org. (accessed June 28, 2008)

Computer Ethics Institute, “The Ten Commandments of Computer Ethics,”
http://www.computerethicsinstitute.org/images/TheTenCommandmentsOfComputerEthics.pdf.
(accessed June 28, 2008)

Cyber-Ark, “Survey Reveals Scandal of Snooping IT Staff,”
http://www.cyber-ark.com/news-events/pr_20070530.asp. (accessed June 28, 2008)

(ISC)², “Code of Ethics,” https://www.isc2.org/cgi/content.cgi?category=12.
(accessed June 28, 2008)

Kabay, M.E., “Making Ethical Decisions: A guide for Kids (and Parents
and Teachers Too).” (2006).

TechRepublic, “10 ethical issues raised by IT capabilities,” Jul 06, 2006.
http://articles.techrepublic.com.com/5100-22_11-6091121.html.
(accessed June 28, 2008)