Ethics In IT

chiefloko writes "I am presently taking a Business Ethics class while earning my MBA. For my final paper topic I have chosen 'Ethics within the Information Technology realm.' Over the past 13 years I have worked for three corporations and have seen everything from the typical BOFH to ungodly pirated software use. I also bore witness to a remote user logging in to a poorly administrated Sun station, finding out s/he was root, and then reading co-workers' emails. I am interested in what the norm is for ethics in the IT world and some of the stories and outcomes."

ACM Code of Ethics

[floki]

The Association for Computer Machinery (ACM) has a Code of Ethics. Have a look at it. It gives quite a lot of guidance converning professional conduct in IT.

SAGE: System Administrators' Code of Ethics

[ukh]

And so does SAGE (for system administrators), more to the point: http://www.sage.org/ethics/ethics.html

What ethics?

[sr8outtalotech]

Maximizing shareholder value > anything else. Seriously, ethics? I'm in the SMB consulting industry. I sign NDA's on a regular basis with consulting companies so when the consulting company violates an ethical obligation to a client I'm contractually bound not to say anything. 13 passwords all the same for 13 company's but they (not me) billed their managed services as following best practices. PPTP VPN instead of LT2P/IPSEC (a stand alone certificate server = $), no account auditing(disk space = $), no logon failure limits(disrupted users = lost $), no port security at the switch (network admin = $), etc... I've yet to run across a salesperson that didn't upsell/oversell. I think most techs realize what's ethical behavior and what's not but they get pressured into not saying anything by management and sales.

Here's a scenario that happened to me in 2006. I had a contract terminated with no reason given. 4 days before the contract was terminated I sent a memo to the CEO (I reported to him) about sending bulk email without an opt-out option and without the companies physical address. I included relevant state and federal laws regarding the issue, mainly the Can Spam Act. 3 days before the contract was terminated the CEO confronts me in front of the whole office about how they were the following the law. I flatly told him I wouldn't send them or train anyone to send them until they added physical contact information and a way to opt-out. This was in front of his entire office staff. I wanted to discuss it in private and he wanted to discuss it in front of everyone. Friday, my contract got terminated, no reason given. Take a guess as to why it was terminated?

Re:You need to clarify your question

[pdwalker]

That's sociopaths, not psychopaths.

Think of it as the difference between a politician and a serial killer.

late payment

[pbhj]

Kupfernigk >>> "When I was a general manager, one of my policies was always to pay the small suppliers promptly, because they need it most."

Well, most companies don't hold to that.

Oft repeated rhetoric here is that a companies only purpose is to make money. You're actually depriving your shareholders of a small amount of capital by paying on time if it's possible to avoid.

I find that (as a director in a small business) we get paid late by big businesses and government organisations. They can pay late, we can't afford to sue and we need them more than they need us. We've been paid over a month late by a local council (!) for an amount equal to about 50% of our wages bill ... that doesn't help cash flow much!

Inspired by Google's early ethical policy of "do no evil" ours is "be nice". We've many times checked our behaviour, and adapted it (sometimes to our financial detriment), by following this code.

There is no norm for ethics in IT I think

[oldbamboo]

I've had to familiarise myself with Sarbanes Oxley (which applies only to US listed companies anyway) and that is the only piece of legislation which I am aware of which requires regular sign off of ethical conduct, and that only applies to the board I belive. Elsewhere, for IT workers, both the CISSP and CISA certifications require that a standard of ethical conduct is maintained, and a declaration of such is made by the applicant. I think ethics are only defined in this way, as a requirement for membership of specific professional organisations or for the holding of certain credentials, but these are the only ones I'm aware of. Beyond that, and this is the point, having conducted audits and reviews of a number of companies and the governance of their IT, I think this topic is universally ignored for IT staff specifically. I can not recall once seeing the discreet topic of "Ethics" enshrined within the IT policies and standards of any major company I have inspected. The best thing you can do is collect and review a number of general "End User" policies from different places and see to what degree promises to not view porn, sell secrets, access stuff you shouldn't, etc, etc, are reflected, and quantify them against the ethical requirements being taught on your MBA. IT User policies can be dredged up from the Internet ten a penny, and they should allow you to gather sufficient of them to launch an academic argument as to the provisions for ethical conduct they establish within companies or public bodies in general. The degree to which they are obeyed is impossible to measure, but you can certainly speculate on the need for regular training on ethics.