Ethical issues for IT security professionals

WindowSecurity.com - Physicians, attorneys and other professionals whose job duties affect others' lives usually receive, as part of their formal training, courses that address ethical issues common to their professions.
IT security personnel often have access to confidential data and knowledge about individuals' and companies' networks and systems that give them a great deal of power. That power can be abused, either deliberately or inadvertently. But there are no standardized training requirements for hanging out your shingle as an IT security consultant or in-house security specialist. Associations and organizations for IT pros are beginning to address the ethical side of the job, but again, there is no requirement for IT security personnel to belong to those organizations.
Why are ethical guidelines needed?
The education and training of IT professionals, including security specialists, usually focuses on technical knowledge and skills. You learn how to perform tasks, but with little consideration of how those abilities can be misused. In fact, many IT professionals approach their work with a hacker's perspective: whatever you can do, you're entitled to do. (Note: In this article, we're using the word hacker in the current common meaning, pertaining to "black hat" hackers who use their skills to break into systems and access data and programs without the permission of the owners. We're well aware that the term originally referred to anyone with advanced programming skills, and that there are "white hat hackers" who use their skills to help companies and individuals protect against the black hats.)
In fact, many IT pros don't even realize that their jobs involve ethical issues. Yet we make decisions on a daily basis that raise ethical questions.
What are the ethical issues?
Many of the ethical issues that face IT professionals involve privacy. For example:

• Should you read the private e-mail of your network users just because you can? Is it OK to read employees' e-mail as a security measure to ensure that sensitive company information isn't being disclosed? Is it OK to read employees' e-mail to ensure that company rules (for instance, against personal use of the e-mail system) aren't being violated? If you do read employees' e-mail, should you disclose that policy to them? Before or after the fact?
  
• Is it OK to monitor the Web sites visited by your network users? Should you routinely keep logs of visited sites? Is it negligent to not monitor such Internet usage, to prevent the possibility of pornography in the workplace that could create a hostile work environment?


• Is it OK to place key loggers on machines on the network to capture everything the user types? What about screen capture programs so you can see everything that's displayed? Should users be informed that they're being watched in this way?


• Is it OK to read the documents and look at the graphics files that are stored on users' computers or in their directories on the file server?