Other Ethics Issues

 

Copyright Adherence.  This has got to be one of the most difficult aspects of computing ethics to actually enforce.  There are so many users with their own desktops with access to so many programs that their friends and acquaintances have.  How can the system administration staff make certain their users aren't loading their own software without paying for it?  For example, this has gotten better since Microsoft implemented Windows 2000.  Now the central staff can limit user capabilities to load their own software.  No doubt this had a significant impact on Microsoft's desire to implement such a feature.  I'm assuming this has been better in UNIX environments for some time.

Just telling end users not to pirate software isn't going to be enough.  Almost no one will acknowledge it if they do it.  They may also plead ignorance or a belief that the organization has a site license.  Thus, an organization needs a well-advertised policy and some real efforts at enforcement.  It may also be important for the organization to make it known that, when taken to court for copyright infringements, an organization rarely takes the blame and instead places it on the individuals who used the software.

One way to outmaneuver licenses is to focus on using open source software when it is available.  Another way is to make sure that someone is monitoring demand and making bulk purchases to anticipate future needs.

This can also be a problem for a central computing staff, though it is much less likely to be a problem.  What if you really can't get the budget you need to implement things like they really should be done?

Working with Law Enforcement.  Organizations need to have policies in place for how sys admins should work with law enforcement if they are contacted.  Sys admins might well be contacted by the police when investigating computer-related crimes.  It is almost always going to be the case that a sys admin should work with law enforcement along with or through a manager.

Limoncelli outlines one firm's policies for working with law enforcement.

  1. Relax, be calm.
  2. Be polite.  (Sys admins often have problems with "authorities" and need to be reminded that being rude to such "authorities" is a bad thing.)
  3. Refer the issue to your manager.  Suggested words are, "As a policy, we gladly cooperate with law enforcement.  Though I need to refer this matter to my boss.  Can I take your phone number and have her call you?"  (Law enforcement officials should always give a phone number.  Pranksters and scam artists will seldom do this.)
  4. If you are a manager, contact the legal department for advice.
  5. Keep a log of all requests, all related phone calls, and any commands typed.
  6. The sys admin that collects evidence should give it to the legal department, who will give it to law enforcement, unless the manager directs otherwise.
  7. If law enforcement is the internal corporate security, then the evidence should be given to the sys admin's manager, who will give it to corporate security.  They might say, "We always comply with requests from your department.  However, it is our department policy for me to collect this information and give them to my boss, who will give them to you.  This protects all of us."

An organization MUST verify the identity of a person claiming to be from a law enforcement agency before telling this person ANYTHING.  It is best to perform this verification before you even admit you have any sort of ability to investigate things on the computer systems.  Real cops and real investigators will provide ways to verify their identities and positions.

These sorts of things hold true for anyone that works for the firm, particularly if they have privileged information.  There always needs to be some sort of verification.  This also demonstrates the importance of doing things like shredding documents and verifying the security of your backup locations.

Privacy and Monitoring.  It is an absolute necessity for an organization to have policies on privacy and monitoring.  It is also an absolute necessity to make certain everyone is aware of these policies.  New employees need to be required to read such policies or learn about them and sign off on them.

It is unfair to put employees into situations where they don't know what is expected of them.

In the financial community, e-mails are regularly monitored for SEC violations such as insider trading.  While this can inhibit such flows of information, it can also just provide an impetus for it to move to other communication channels.

Things like e-commerce sites need to be aware of privacy laws from country to country in order to determine what information can be gathered and how it must be protected.

Setting expectations also protects the sys admins because what they are expected to do is out in the open.

Being Told to Do Something Unethical.  One of the most awkward and challenging of situations is being told by an organizational superior to do something illegal or something you consider to be unethical.  The most important thing to do in this situation is keep logs of your interactions and what you do.  You also need to try and go to someone or another higher-up that you feel you can trust.

  • Verify the request.  Maybe you didn't hear it right or you can get the person to back off the request by playing confused in a particular way.
  • Verify that it is illegal or against organization policy.
  • If it is against the law or policy then reject the request, though remember you may well have to have some extra protection from others before you do this.
  • Try to find a higher authority or ombudsperson to help.

It is always dangerous to get involved in any illegal activity with someone for any number of reasons, but you should always remember that the person who knows about this also has a lever they can push in the future by threatening to reveal what you have done.  While you may feel protected because you think they will also have to reveal themselves in order to reveal you, this is not a smart approach.

Sometimes you actually have to change jobs due to such things.