Case Study Section A
The world of cybersecurity has become synonymous with ethics and ethical guidelines; the two go hand in hand. You cannot truly understand the internal workings of cybersecurity without a good understanding of the ethical issues and dilemmas involved. CompTIA, ISSA, (ISC)2, and other organizations have created ethical guidelines that all security and non-security IT professionals should follow. Unfortunately, employees at TechFite, especially those assigned to or working directly with the Applications Division and Carl Jaspers, are in serious violation of ethical standards and guidelines.
Professionals in the workplace are expected to follow the documented ethical guidelines from the time of employment and to receive annual training on these guidelines so that they stay at the forefront of each employee's mind. IT professionals must take those ethical guidelines a step further, since the boundaries of the physical world do not exist when dealing with systems over the internet, yet those boundaries still need to be observed. The following TechFite employees are all in some way violating those ethical standards: Carl Jaspers, Nadia Johnson, Sarah Miller, Megan Rogers, and Jack Hudson.
All the organizations listed share some of the same basic ideas and verbiage in their ethics policies, especially those written specifically for IT security professionals, including the expectation that members follow all federal, state, and tribal laws. It has already been shown that the identified TechFite employees have broken this and other ethical standards. IT security professionals are expected to always uphold duty of care, security best practices, the CIA triad, and due diligence.
The International Information Systems Security Certification Consortium, or (ISC)2 for short, has a very simple but powerful code of ethics that each of its members is to follow. Not only are members to act honorably, honestly, justly, responsibly, and legally, but they are also to advance and protect the profession. ((ISC)2, 2019) They are to act in a way that promotes these ethical values not only in their professional employment but also in their personal handling of anything within the realm of computing. The Information Systems Security Association (ISSA) goes a step further with its code of ethics. ISSA adds the following statement to its list of ethical bylaws: "To refrain from activities which might constitute a conflict of interest or otherwise damage the reputation of or is detrimental to employers, the information security profession, or the association." (ISSA, 2019) It is that extra little reminder that anyone working in the system security profession should always follow, regardless of their association with or membership in any of the listed system security organizations. All these guidelines and standards apply in the TechFite case study; unfortunately, the members of the applications team ignored these standards, especially those who are members of a similar organization.
Most companies have policies and guidelines that address issues relevant to the TechFite case study, and most of them post their ethics policy on the company's web site. Amazon's ethics policy specifically addresses one of the TechFite issues involving Nadia Johnson and Carl Jaspers: "A conflict of interest may also arise from an employee's business or personal relationship with a customer, supplier, competitor, business partner, or other employee, if that relationship impairs the employee's objective business judgment." (Amazon, 2019) Intel specifically addresses the protection of the company's physical assets in its code of ethics: "We need to follow applicable security and use procedures to protect the company's physical assets from theft, loss, damage, and misuse, including unauthorized access." (Intel, 2019) Both of these companies have public-facing documents that spell out their vision, values, and ethics for anyone to view. Transparency between a company and its customers helps alleviate questions or potential issues, because the customer is already aware of the policies and guidelines that the company's employees are expected to abide by.
After reading the case study, it is clear there are many ethical violations involving all the employees mentioned. First, Nadia Johnson receives praise from Carl Jaspers, the head of the applications division, at the time of her annual review. Praising an employee who has done work for another department is not in itself an ethics violation; however, according to the narrative, it appears to be a form of quid pro quo based on Nadia's actions in the case study. Quid pro quo means "something for something", from its Latin origins. (Kenton, 2019) By violating cybersecurity ethics and not ensuring that proper documentation is available and up to date for tasks such as auditing accounts, verifying that no account escalation has occurred, enforcing DLP, and monitoring the internal network, she gives the appearance of purposefully neglecting these duties in order to hide or protect illegal actions.
Since there is no policy governing interactions between the IT security team and the other TechFite employees they may work with directly, those staff members are left in a gray area when conducting outside interactions with employees outside the security group. Most companies do not discourage social interaction between employees; however, most have policies that supply guidelines on such interactions. If the relationship becomes romantic, most companies require disclosure to HR to ensure that there are no ethical violations or actions that would reflect badly on the company. Although neither Jaspers nor Johnson directly supervises the other, giving gifts to an employee whose position directly affects one's own is an ethical gray area. Since Jaspers, according to the narrative, gave a gift specifically to Johnson for her birthday and has invited her to other social gatherings he hosted, this gives the impression of favoritism as well. Favoritism is "Demonstrating preferential treatment to one person over all the other employees for reasons unrelated to performance" and, while it is not illegal, it certainly could be used in a legal case, such as one alleging that someone was treated differently based on their age. (Lucas, 2019)
Sarah Miller, Megan Rogers, and Jack Hudson are all IT professionals who have been found violating the CFAA, SOX, and IT professional ethics by accessing systems owned by other companies without the consent of those companies. All three have broken cybersecurity ethical guidelines by committing a crime and breaking the law. Sarah Miller, as acting manager or team lead of the other two employees, specifically gave the directive to perform these illegal actions. Jack Hudson is a member of an organization much like (ISC)2 and the other organizations mentioned previously. SCIP members are to uphold a set of standards and a code of ethics to remain in good standing with the organization. As a member, Jack is to "comply with applicable laws, domestic, and international, and is expected to promote the code of ethics within one's company, with third-party contractors and within the entire profession". (SCIP, 2019) While the employees acted of their own accord, they should have recognized that the requested actions were illegal and unethical and should have reported Sarah Miller for her role in this case study. As a manager or direct report, Sarah has acted against the ethical guidelines of the IT profession as well as the company's ethics policies through her role in the case study.
Carl Jaspers is the most unethical individual in the case study and would serve the most jail time as well as be fined an exorbitant amount of money. Mr. Jaspers has used his position as head of the applications division to ensure that these illegal activities are carried out and hidden from the CISO of TechFite and, most importantly, from the shareholders, other employees, and the CEO. Mr. Jaspers has violated two NDAs according to this narrative. Mr. Jaspers has also involved Nadia Johnson in unethical acts and computer fraud through her failure to report audits and other crucial information that would have protected the data of TechFite's customers and non-customers. He sold or gave information about potential customers to their competitors. Jaspers has also engaged in quid pro quo with Johnson, as evidenced by the praise she received from Jaspers at raise time. He has a conflict of interest by working with Yu Lee, a former classmate who graduated with Jaspers from Stanford, and with the three companies that appear to be paying TechFite for services, activities that have been kept off the books. Jaspers has also had accounts created that will be used to obtain information from competitors via information gathering techniques such as dumpster diving. This case study has alluded to his illegal actions, as well as many ethical violations against not only TechFite but also its customers and competitors.
TechFite, according to the narrative, does not seem to have policies that specifically detail the ethical and unethical behaviors of its employees. Most companies have a board or an appointed ethics officer that specifically handles the creation, maintenance, and support of the company's ethical compliance. TechFite does not have a policy for the interactions of TechFite employees with their managers, department heads, or the IT security staff. There was also a lapse in the measures that safeguard sensitive and proprietary information. Even though the professional IT employees at TechFite should have been acting in accordance with the code of ethics of the IT field, there also need to be policies and guidelines in place, created by TechFite, that all employees must adhere to. If there is ever a gray area in policy, rules, and guidelines, it can be exploited by any of the company's employees to justify their actions.
Case Study Section B
TechFite should create an ethics board or an ethics officer position to give guidance on ethical issues, create ethics policy, and serve as the point of contact for any interaction that may be questionably unethical. In addition, TechFite needs to create a Security Awareness division and perform regular yearly training to ensure that its employees follow ethical standards and company policies. An Acceptable Use Policy (AUP) needs to be integrated into all new hire orientation packets along with the communications investigative disclosure form. All systems owned by TechFite and used by its employees fall under the AUP, as do the user and email accounts used on TechFite systems, web browsing traffic, and other electronic interests of the company. (Team, Acceptable Use Policy, 2014) Another important IT security policy that must be implemented within TechFite is an Information Logging Standard. This is another standard provided by SANS for company use in creating a policy on auditing and on how to maintain, archive, and retain system logs for forensic use. (Team, Information Logging Standard, 2014) These two standards would have kept some of the illegal actions in this case study at bay, because other IT security personnel would also have been performing and following them. The lack of documentation and auditing procedures might have been avoided if the proper policies were in place.
Implementing a cybersecurity education and awareness program within TechFite would help employees who are not IT professionals and would also provide a refresher to the IT staff on security policies and procedures. Creating an education and awareness program starts with identifying a person or group who will handle the responsibilities of creating, maintaining, and documenting the ongoing education program. Once that group or individual has been identified, determining the topic areas to include in the training is the next step: what is important to the organization, and how often will each subject be covered? NIST, MS-ISAC, and many other cybersecurity organizations provide documentation on how to develop the training and which areas to cover.
TechFite should already have a security awareness and education program developed; however, there is no mention in the case study of awareness education being performed. A couple of areas that need to be identified as learning objectives are policies and the implications of noncompliance, timely application of system patches, and individual accountability. (Wilson & Hash, 2003) If a security awareness program had been in place, it might have alerted others who work with the applications division to the group's illegal actions. Non-compliance is a training module that I would strongly recommend for this case study. Ensuring that all IT personnel who work at TechFite are consistently educated about the legal and ethical ramifications of being out of compliance in how data is protected, how PII is protected at rest and in transit, and how TechFite's customers' data is protected may have kept the incidents in the case study from occurring.
The other educational awareness area that I would recommend for this case study is individual accountability. Every TechFite employee who accesses company systems, customer databases, and, most importantly, confidential customer proprietary data must receive accountability training covering the legal implications of violating these areas. My recommendation is to deliver this information to all TechFite employees via a series of videos and interactive training modules that give the user an interactive learning experience. Many cybersecurity organizations have created large template libraries and videos on cybersecurity subject matter that can be used to develop rotating monthly training modules. Education on the proper use of email accounts, user account creation and auditing, and the legal implications of unauthorized system access will be included in the awareness training module as well.
The next step in security awareness training and implementation is the collection and use of metrics from the training. This will allow the security awareness officer or team to determine which employees need more information in certain areas and whether the training was beneficial. These metrics will need to be regularly reviewed and brought before the CEO and shareholders.
Works Cited
- (ISC)2. (2019, June 19). (ISC)2 Code of Ethics. Retrieved from (ISC)2: https://www.isc2.org/Ethics
- Amazon. (2019, June). Code of Business Conduct and Ethics. Retrieved from Amazon.com: https://ir.aboutamazon.com/corporate-governance/documents-charters/code-business-conduct-and-ethics?c=97664&p=irol-govConduct
- Intel. (2019, Jan). Intel Code of Conduct. Retrieved from Intel.com: https://www.intel.com/content/dam/www/public/us/en/documents/corporate-information/2019-code-of-conduct-eng.pdf
- ISSA. (2019, June 19). Information Systems Security Association. Retrieved from ISSA.org: https://www.isc2.org/Ethics
- Kenton, W. (2019, June 18). Quid Pro Quo. Retrieved from Investopedia: https://www.investopedia.com/terms/q/quidproquo.asp
- Lucas, S. (2019, April 05). Is Favoritism in the Workplace Illegal? Retrieved from The Balance Careers: https://www.thebalancecareers.com/is-displaying-favoritism-in-the-workplace-illegal-4159736
- SCIP. (2019, June 20). Code of Ethics. Retrieved from SCIP: https://www.scip.org/page/CodeofEthics
- Team, S. P. (2014, June). Acceptable Use Policy. Retrieved from SANS.org: https://www.sans.org/security-resources/policies/general/pdf/acceptable-use-policy
- Team, S. P. (2014, June). Information Logging Standard. Retrieved from SANS.org: https://www.sans.org/security-resources/policies/server-security/pdf/information-logging-standard
- Wilson, M., & Hash, J. (2003, October). Building an Information Technology Security Awareness and Training Program. Retrieved from Crowell.com: https://www.crowell.com/files/nist-800-50.pdf