Codes of Ethics


Introduction.  Ethics are one of the most essential issues for system and network administrators.  Trying to determine what is truly ethical and unethical should result in some very important discussions.  People such as computer administrators and other privileged users have knowledge and access that can result in serious problems if used in clearly unethical ways.  Privileged users have access to things such as

  • confidential information

    • databases

    • usernames/passwords

    • e-mail


But it is also important to develop ethics policies that apply to all users.

One basic widespread approach to making use of ethics policies is to utilize something called informed consent.  In medical implementation, informed consent consists of the following.

  • Before something is done to another, this other should be fully informed about the options
    • benefits
    • detriments
    • likelihood of the outcomes
  • This should be explained in whatever ways the person is competent to understand.
  • Must be given option to accept or reject.
  • Whatever is chosen must have a high likelihood of success.

When applied to system and network administration, informed consent implies

  • People should know the rules under which they are living.
  • Users need to be made aware of how the system will operate in various situations.

SAGE Code of Ethics.  SAGE - System Administrators Guild has developed its own code of ethics.  This code is reviewed in the following list.

Canon 1:  The integrity of a system administrator must be beyond reproach.

A system administrator may come in contact with privileged information on a regular basis and has a duty to the owners of such information to both keep confidential and to protect the confidentiality of all such information.
Protecting the integrity of information includes ensuring that neither system administrators nor unauthorized users unnecessarily access, make any changes to, or divulge any data not belonging to them.  It includes all appropriate effort, in accordance with industry accepted practices, by the system administrator to enforce security measures to protect the computers and the data contained in them.
System administrators must uphold the law and policies established for the systems and networks they manage, and make all efforts to require the same adherence from their users.  Where the law is not clear, or appears to be in conflict with their ethical standards, system administrators must exercise sound judgment, and are also obliged to take steps to have the law upgraded or corrected as is possible within their jurisdiction.

Canon 2:  A system administrator shall not unnecessarily infringe upon the rights of users.

System administrators shall not act with, nor tolerate from others, discrimination between authorized users based on any commonly recognized grounds (e.g. age, gender, religion, etceteras), except when such discrimination (e.g. with respect to unauthorized users as a class) is a necessary part of their job, and then only to the extent that such treatment is required in dealing with the issue at hand.
System administrators will not exercise their special powers to access any private information other than when necessary to their role as system managers, and then only to the degree necessary to perform that role, while remaining within established site policies.  Regardless of how it was obtained, system administrators will maintain the confidentiality of all private information.

Canon 3:  Communications of system administrators with all whom they may come in contact shall be kept to the highest standards of professional behavior.

System administrators must keep users informed about computing matters that might affect them, such as conditions of acceptable use, sharing and availability of common resources, maintenance of security, occurrence of system monitoring, and any applicable legal obligations.  It is incumbent upon the system administrator to ensure that such information is presented in a manner calculated to ensure user awareness and understanding.
Honesty and timeliness are keys to ensuring accurate communication to users.  A system administrator shall, when advice is sought, give it impartially, accompanied by any necessary statement of the limitations of personal knowledge or bias.  Any potential conflicts of interest must be fully and immediately declared.

Canon 4:  The continuance of professional education is critical to maintaining currency as a system administrator.

Since technology in computing continues to make significant strides, a system administrator must take an appropriate level of action to update and enhance personal technical knowledge.  Reading, study, acquiring training, and sharing knowledge.  Reading, study, acquiring training, and sharing knowledge and experience are requirements to maintaining currency and ensuring the customer base of the advantages and security of advances in the field.

Canon 5:  A system administrator must maintain an exemplary work ethic.

System administrators must be tireless in their effort to maintain high levels of quality in their work.  Day to day operation in the field of system administration requires significant energy and resiliency.  The system administrator is placed in a position of such significant impact upon the business of the organization that the required level of trust can only be maintained by exemplary behavior.

Canon 6:  At all times system administrators must display professionalism in the performance of their duties.

All manner of behavior must reflect highly upon the profession as a whole.  Dealing with recalcitrant users, upper management, vendors, or other system administrators calls for the utmost in patience and care to ensure that mutual respect is never at risk.
Actions that enhance the image of the profession are encouraged.  Actions that enlarge the understanding of the social and legal issues in computing are part of the role.  System administrators are obligated to assist the community at large in areas that are fundamental to the advancement and integrity of local, national, and international computing issues.

User Code of Conduct.  Each organization needs guidelines for the acceptable uses of the organization's computing systems.  Some of the major issues that are likely to be addresses are in the following list.

  • Under what circumstances is personal use of the organization's equipment permitted?
  • What types of personal use are forbidden?
  • What websites are restricted from browsing?
  • How do the rules change if you are using the equipment from home?
  • How do the rules change if you are using the equipment on the road for the organization?
  • What are defined as harassing communications?
    • How should they be reported?
    • How are they processed?
  • How do codes of conduct differ based on the type of organization?
    • E-Commerce
    • ISP
    • University
    • Job Shop
    • whatever

It is almost always very worthwhile to sample and examine codes of conduct in various industries and academic institutions.

Privileged Access Code of Conduct.  Some users need privileged access to do their jobs.  For example, some users may need to install their own software, access and update information in particular databases, and publish webpages.  While this list of the types of permissions can go on and on we need to focus on more  general issues of ethical behavior with respect to these users.  Based on this goal a code of conduct is very likely to need to address the following issues.

  • Require the user to acknowledge that their privileged access comes with a responsibility to use it properly.
  • Limitations about the type of work/play that can be done with these elevated privileges.
  • The company acknowledges that mistakes happen and addresses approaches to ensure that minimal damage results from mistakes.
    • Backups
    • Retain software sources
    • whatever
  • What a privileged user must do with privileged information
  • Warnings about possible penalties for policy violations.
  • Require a signed statement of comprehension preceded by some sort of reading.
  • The sys admins need to make sure they keep track of who has privileged access to what and how it should be implemented.
  • Might want privileged access to expire and require renewals.
  • Levels of monitoring are likely to be different for users that have privileged access.