5.9.4  Ethical Decision Making
The IA² Process identifies the existence and adequacy of organizational ethics
programs. Compliance management attempts to avoid litigation by formally identifying
legislative requirements and managing organizational adherence to legislation.
Litigation management attempts to minimize organizational impact of an incident where the
organization is found guilty of a legislative violation. For example, the U.S. Federal
Sentencing Guidelines Chapter 8 Sentencing of Organizations looks for the presence
and quality of an ethics program as part of calculating the degree of organizational
culpability. The presence of a quality ethics program reduces culpability, which in
turn equates to a lesser fine and lesser opportunity for officer jail time.
One driver behind an organizational ethics program is legislative compliance. For
example, the Sarbanes-Oxley (SOX) Act of 2002 addresses the need for ethics rules
and standards of conduct for board members and executives. Another justification is
litigation management, where the presence of an ethics program reduces organizational
culpability in the event of an incident going before a judge. Similar to the approach
for SETA, the IA professional may work with other parts of the organization (e.g.,
HR and legal) to determine a baseline requirement for organizational ethics, derive
the appropriate ethics messages, and devise an ethics dissemination program that
includes acknowledgment of reading, understanding, and compliance.
5.9.4.1  The Ethics Message
Driving behavior toward highly ethical actions requires an environment that
communicates and fosters ethics. Proper behavior from the top down and strong
messages of intolerance for inappropriate behavior go a long way in promoting ethical
behavior. Establishing an ethical standard, writing and disseminating ethics
policies, is one thing; enforcing ethics policies is another. Higher education has little
tolerance for plagiarism, and an enforcement policy includes suspension or even
expulsion. Peer pressure from hardworking students also plays a factor in social
acceptance and dealing with others as academic peers. Similarly, organization
culture should promote ethical behavior as a criterion for acceptance into the
organization and maintaining the individual as a contributing member.
Without a solid foundation of personal as well as corporate ethics, ethical
appeals in any context roll off individuals like waves off a jetty. The diminishing
focus of public education on ethics and the constant bombardment of the media on
antiethical behavior (e.g., reality show du jour) have provided the workforce with
many individuals who lack exposure to ethical behavior. Therefore, do not rely
exclusively on altruistic motivation to ensure security policy enforcement—trust,
but verify.
Ethics in technology is an instantiation of this broader ethical framework.
Professional societies need to establish and enforce ethical compliance for their
members; a good example is (ISC)²®. The goal is to present the existence of ethical models