I have been looking at Risk Management a lot lately and I realized that I have not looked at the people of IT in quite some time. Technology is wonderful: it is right and wrong, on and off, 1 and 0. But that same level of simplicity does not apply to people, and Risk Management is rarely an exercise in just looking at technology; it has to be about the people too. The ethics of an organization and of the people who staff that organization are an often overlooked aspect of the organization, and today I will look at IT Ethics.
To start off with, let's take a quick look at the actual definition of Ethics according to dictionary.com:
eth·ics [eth-iks] plural noun
1. (used with a singular or plural verb) a system of moral principles: the ethics of a culture.
2. the rules of conduct recognized in respect to a particular class of human actions or a particular group, culture, etc.: medical ethics; Christian ethics.
3. moral principles, as of an individual: His ethics forbade betrayal of a confidence.
4. (usually used with a singular verb) that branch of philosophy dealing with values relating to human conduct, with respect to the rightness and wrongness of certain actions and to the goodness and badness of the motives and ends of such actions.
Definition #4 is most applicable to our conversation. When I sat down to look into the rights and wrongs of human behavior (especially focused on IT Professionals) I realized that it is not a topic that has been very popular lately. I found a very interesting book, though, that is a free download from http://www.ergen.gr/, titled IT Ethics Handbook: Right and Wrong for IT Professionals. I gave it a quick read and, despite being from 2004, much of what is discussed is still very much relevant.
The challenge for many IT Professionals is not whether it is right or wrong to sell or share company information…that is not unique to IT Professionals…but the fact that IT Professionals are the keepers of all Data in the organization. They potentially have access to sensitive personal information and trade secrets / proprietary processes that even just reading could be a breach of ethics.
For each of us, choosing to be ethically responsible for our actions and the actions of those around us can at times be a constant challenge. There are many temptations but having a moral compass that is focused on True North (or the path of good ethics) is as important as having 4 degrees and 25 certifications.
For IT Professionals there are some interesting Codes of Conduct or Codes of Ethics out there…some far more detailed than others. The Association for IT Professionals has a Code of Ethics that is little more than a pledge but does provide some guidance for its members. Down in Australia, though, I was able to locate a very detailed Code of Conduct and IT Ethics from the Australian Computer Society…but it would appear that this is now only available through the Wayback Engine (a way of finding and looking at old Internet materials).
Within your organization, when looking at Risk and Risk Mitigation…it is my opinion that as much as you may attempt to remove Risk…if you do not address the personal and organizational ethics at least in the IT Department…it doesn’t matter what controls and policies you put in place. Doing the right thing is rarely the easy thing…but having the reminder of a working Moral Compass helps out on a regular basis.
Chris J Powell