By Steven R. Lovaas, Norwich University

Introduction
    Many people see firewalls, intrusion detection and vulnerability assessment as the stuff of information security. These are important tools, but they achieve little if they are used in an environment without adequate information security policies. An organization should begin by developing a coherent body of policies regarding the proper use of information technology before any decisions are made about what kind of protection technologies will be used. An information security analysis, then, is the crucial first step in protecting the organization's technology infrastructure. The U.S. federal government regulates aspects of information security in some industries, such as publicly traded companies, financial institutions and health care providers. For these organizations, laws and rules like Sarbanes-Oxley (1) and the Health Insurance Portability and Accountability Act (HIPAA) of 1996 (2) dictate both the kinds of policies that should be in place and - in some cases - details about their content. For other kinds of organizations, international and U.S. documents describing best-practice information security, such as ISO 17799 (3) and the Control Objectives for Information and related Technology (CoBIT) (4) are setting the standard against which due diligence in protecting information will be measured. Each of these standards stresses the importance of administrative policy before getting into specific information controls. Whether the organization is bound by law or by industry best practice, policy makers should pay special attention to the ethical dimension of their organization's information security policies. Each of the three phases of policy implementation - development, dissemination and enforcement - should be examined to be sure that stakeholders are treated ethically while protecting the information assets critical to the ongoing viability of the organization.

Development: Putting the pieces together
An organization develops security policies primarily to protect itself, its employees and its customers, by preventing unwanted behavior and by performing the due diligence required to demonstrate compliance with outside laws and regulations. Policies tell people what sorts of behavior are acceptable and what sorts are forbidden as well as what to expect when policies and procedures are violated. The number, length and complexity of policies depend on the nature of the organization, but clarity and cohesiveness should be the goal of policies of any size. Policies that are vague, disjointed and difficult to understand achieve little in the way of enabling desired behavior, and may not qualify as due diligence.

One of the most important ethical considerations in developing information security policy is the acknowledgement of employees' diversity of experience and opinion. The assumption that all employees share a common moral background is likely to result in misunderstanding. Policy-makers should be aware that any group might include members whose ethical sense is either underdeveloped or significantly different from the majority of members. For example, some employees may believe that Cyberspace is a different place with its own rules(5) and may feel no moral compunction about illegal downloading of music files, even though they would never steal a CD from a music store. Some may even espouse a completely different ethical system, such as the Hacker Ethic described by Pekka Himanen,(6) in which the free dispersal of information is far more important than societal protection of the fruits of labor.

If individual employees might not share the organization's moral stance, then policies should be developed as coherent entities that do not rely on any outside system of morality. When the justification for specific directives or prohibitions is clearly and explicitly indicated in the policy documents, the intent behind policy is made clear in a way that will guide employee decision-making in the desired direction and give enough clarity of direction to qualify for due diligence under the law.

The process of policy development provides an opportunity for ethical decision-making to be used as a tool to improve relations between management and employees. Whether a policy maker focuses primarily on the overall good of the organization or on the rights of each employee, the language of a policy can make clear that both are being considered. Where possible, utilizing input from employees in the development of policy shows corporate concern for the needs of employed individuals. Finally, a policy structure that specifically includes a process for appeal and revision sends a clear message that policies are designed to make the organization a better place.

Dissemination: Communicating with stakeholders
Once policies are in place, their effectiveness will vary according to the way in which they are communicated to employees. Communication can range from simple announcements to extensive awareness campaigns. Successful communication of new policy, regardless of the scope, should reflect two common elements: obvious management support and language indicating concern for the employee.

An organization whose management consistently follows its own policies - and is seen doing so - will find better compliance from employees. Treating employees as valued individuals, equal in the eyes of corporate policy, sends a clear message that will make employees feel good about their place in the organization. This feeling can be reinforced with the use of supportive language in the policy communication. Conversely, an organization that dictates information security policy without explanation, and shows no sign of management support, risks not only having employees ignore the particular policy but also finding that employees lose respect for organizational policy in general.(7)

After the initial announcement of a policy, realization of employees' varying ethical backgrounds can be used to great advantage in explaining and further advocating for the policy. Security professionals will frequently need to talk to users about ethical decision-making as it relates to corporate information security. Giving guidance to employees for making choices in accordance with policy can be a great help, but care should be taken to provide guidance that actually speaks to the employee. Reliance on standard ethical tests (like the "mom test" or the "sniff test") (8) might work for a person with a developed moral sense, but the security professional needs to realize that some users, particularly those who might be attacking or abusing a system, have a very different view of the world. As such, they might derive a very different answer from invoking the Golden Rule or some other such test based on shared morals. A system of policies that explains its goals and assumptions is much more likely to achieve broad compliance.

Enforcement: Making policy stick
Ethical decision-making must be at the forefront of the security professional's mind when dealing with policy enforcement. Since security policies can involve substantial penalties to an offending employee, serious attention must be given to balancing individual rights with the needs of the organization. The investigation of a reported violation should honor the same privacy and civil rights afforded an accused criminal by law enforcement agencies, with an added measure of respect and understanding indicating concern for an employee. Pursuing an investigation of an employee violation is a time to be concerned with treating the accused employee as a valuable human being.

If reported policy violations are treated seriously but with concern for the accused, employees will see that the organization truly views its employees as important individuals. This should make employees more at ease within the organization, and should also increase the chances that future violations will be reported. If a discovered violation results in a professional, consistent investigation and appropriate corrective action rather than in harsh, arbitrary punishment, employees will come to have respect for the policy since it shows respect for them.

An important part of enforcing policy is the ability to explain the policy to employees who disagree with it. Various tactics can be used to deal with employees who try to justify violations of security policy, depending on the sophistication of the objection. An explanation can appeal to Kant's categorical imperative, asking what would happen if everyone violated the policy; or use a more Utilitarian approach, asking the user to imagine all the possible effects brought upon the organization by violation of a policy. Still others might be swayed by Rawls' notion of Justice as Fairness, (9) putting themselves in the shoes of the other party. Whatever tactic is used, an objection should be taken seriously, indicating that the employee's voice is a valuable part of the organization.

Finally, if an employee presents an objection that actually points out an inconsistency or shortcoming in the organization's set of policies, the objection should be brought to the attention of policy-makers in order to remedy the problem. The organization should not treat a body of policies as a sacrosanct entity, but should be willing to allow policy to evolve in response to changes in the organization and feedback from stakeholders. Buy-in from employees should greatly increase if the organization not only treats their input seriously but also uses it to improve the organization.(10)

Conclusion
    Information security policies represent an organization's laws regarding its information systems. In order to be just and enforceable, and to contribute to a safer, more productive information system, security policies need to be developed, communicated, and enforced with an eye toward ethics and overall fairness. Implementing ethical policies that treat employees as valued individuals will create an environment in which ethical behavior becomes the norm, rather than the subject of enforcement and punishment.
References
(1) The Sarbanes-Oxley Act of 2002 - Public Company Accounting and Investor Protection Act, H.R. 3763. Retrieved April 23, 2004 from  http://news.findlaw.com/hdocs/docs/gwbush/sarbanesoxley072302.pdf
(2) The Health Insurance Portability and Accountability Act (HIPAA) of 1996. Retrieved April 23, 2004 from http://www.hhs.gov/ocr/hipaa/
(3) International Organization for Standardization. Code of practice for information security management (ISO 17799). Retrieved April 23, 2004 from http://www.iso17799software.com/
(4) Information Systems Audit and Control Association. Control Objectives for Information and related Technology (CoBIT). Retrieved April 23, 2004 from http://www.isaca.org/cobit.htm
(5) Kabay, M.E. (2001). "The Napster Cantata." Retrieved October 31, 2003 from http://www2.norwich.edu/mkabay/ethics/napster.pdf
(6) Himanen, Pekka (2001) The Hacker Ethic. New York: Random House.
(7) Boatright, John R. (2003). Ethics and the Conduct of Business. New Jersey: Prentice Hall.
(8) Linderman, James Landon. Ethical Decision Making and High Technology. In S. Bosworth & M.E. Kabay (eds.), Computer Security Handbook, 4th edition (chapter 30).  New York: John Wiley & Sons, 2002.
(9) Rawls, John (2001). Justice as Fairness: A Restatement. Cambridge: Harvard University Press.
(10) Rudolph, K, Warshawsky, Gale, and Numkin, Louis. Security Awareness. In S. Bosworth & M.E. Kabay (eds.), Computer Security Handbook, 4th edition (chapter 29).  New York: John Wiley & Sons, 2002.