Telling right from wrong

As a result of a lot of people doing wrong — executives at Enron, Adelphia Communications and Tyco International, to name but a few — there are now a lot of people trying to make sure that everyone else is doing right (for example, auditors, regulators and those enforcing the likes of the Sarbanes-Oxley Act). And smack in the middle of it all is the IT department.

A few years ago, your company’s lawyers may not have thought there was much to IT beyond the help desk. Now, as a result of lawsuits, indictments, arrests, convictions and accusations, corporate legal departments have become intimately familiar with how their companies’ IT departments operate. The reason for this is that the information on servers and backup tapes amounts to a chronicle of the company’s activities and those of its employees.

At the same time that IT is trying to figure out how to restore data from many years ago (“Do we have a tape drive that can read this format tape? What software was it created with?”), we have to look forward by creating new records-retention policies and trying to make sure that we comply with the latest regulations.

Many IT staffers must be thinking, “It’s nice to be the centre of attention for a while,” and, “So this is what it’s like when other departments know you exist.”

But in all seriousness, these changes elevate IT’s role in the organization and underline the need for IT professionals to act responsibly and ethically.

Of course, the discussion of ethics goes well beyond corporate fraud and creative accounting. There are plenty of situations that can present ethical challenges for IT professionals, including software licence requirements, vendor selection and procurement procedures, administrative access to servers and tools that monitor user activity.

A lot of the time, it’s easy to tell right from wrong (although apparently those guys who made it to the front pages had some difficulty). But often it’s not so black-and-white.

Consider these scenarios: what do you do when a business manager asks you how to back-date a report or read an e-mail message without triggering the read receipt? Is it OK to duplicate a licensed CD that a user brings to you? When is it appropriate for a systems administrator to examine the contents of an employee’s file or surreptitiously monitor an employee’s Internet activities? What should you do if you know that your company’s customer-privacy policy is out of step with its actual practice? If your documentation is out of date, what do you tell the auditors when they ask if you have systems documentation?

And then there are the issues you read about in the trade press. Should security flaws be made public before the vendor is able to release the patch?

Brian Jaffe is an IT director in New York and co-author of the IT Manager’s Handbook: Getting Your New Job Done (Morgan Kaufmann, 2000).
