A few weeks ago, in the ComputerWorld article “_Look who has access to your email_”:http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9004274, Bruce Hoard wrote about the dangers of system administrators having access to the email and other files of high-level executives. The article mostly focuses on technical issues such as encryption and access control software. It spends a little time on information classification and determining who has rights, but it never once delves into the real root of the issue.
The issue of unauthorized access to confidential information affects every profession, not just system administrators, and not just email. Your company’s accountant or auditor has access to your financial data. The nursing staff at your doctor’s office has access to your medical records. The branch manager at your bank has access to your financial records. It seems almost daily we hear stories about someone who took a laptop home containing confidential information on thousands of people and had it lost or stolen, potentially exposing those thousands of people to identity theft or fraud.
As professionals, we have a moral imperative to treat information with the utmost confidentiality and security. We are duty bound to ensure that only those who have a legitimate right have access, and that they use that access only for its legitimate purpose. That standard extends to us. Sometimes, by virtue of our duties as administrators, we have access that we don’t need. Our Code of Ethics requires that we access only the least amount of data necessary to perform our legitimate duties.
There was a course on System Administration Ethics offered at the Sys Admin Days training event in Phoenix last week. In the course, many ethical scenarios were presented and we discussed how each should be approached. While it was very easy to read more into a scenario than was presented and to come up with reasons why you might access information (and particularly emails), almost every one of those reasons and additional details was a matter of expediency rather than true need. In every single case, an ethical solution that did not involve directly accessing confidential information could be found.
Every profession has a code of ethics. System Administrators are no different. We have a Code of Ethics, signed by LOPSA, SAGE, and USENIX. If you haven’t visited the “System Administrator Code of Ethics”:http://lopsa.org/CodeOfEthics/, you should. Even if you have, it is always good to go back for a refresher. Additionally, you should print it out and post it in your office, to let everyone around you know that you are a professional and that you believe in following an ethical code of conduct.