As a system administrator, are there things that may not be obvious that should not be done ethically or legally even when instructed to do it? I am more interested in the legal side: what sort of actions could seriously damage your future career or get you in trouble with the law?
For example, is it ever not okay to delete certain types of files even when the Boss requests it?
In particular, I am wondering about the United States. Also, I am not in a situation like this at the moment, another question just got me thinking that this is information I should know.
Really, I am not trying to trigger a discussion of ethics, or complicated scenarios where it would be best to call a lawyer. But a checklist, or some literature, or some laws every IT person should know about.
I think if you keep a paper/electronic trail of what's asked of you by your superiors, it should keep you safe from any legal trouble.
i.e. don't just delete some records because your boss told you to while chatting at the water cooler because it might end up dragging you into sh*t that you don't know about and your boss can deny ever having told you to do such a thing. If your boss tells you something verbally, go back to your office and send him/her an e-mail "confirming" their request of you.
Ethics is a really tricky thing for a sys admin since we touch so many aspects of the business, but if something smells fishy to you, then get it in writing or print before doing it.
Ethically speaking, you could do a lot worse than follow http://lopsa.org/CodeOfEthics
As an American, if you are responsible for CMS systems that retain financial data, you should familiarise yourself with the Sarbanes-Oxley Act, which places obligations on businesses to retain certain types of financial records for a set period of time.
(Obligatory: IANAL)
I'm no lawyer, so please take the following with a grain of salt.
As far as I know, the only issue with legality is if you are deleting evidence of illegal activities. That could certainly get you in some trouble.
On the other hand, if you have deleted records which do not contain evidence of anything illegal but still get subpoenaed after the fact, it is unlikely you would get in trouble for that.
This is an interesting question. What do we do when asked by an employer to do something clearly immoral and possibly illegal?
It could be accessing personal files or data, publishing material in embargo, deleting data that should be kept or keeping data that should be deleted.
I think the answer to this question must be rather subjective. Employees have varying protection and liabilities under different legal systems. Your position and status within the company may dictate the options available to you. Then, there is a personal factor. How far are you willing to go to keep your job?
Personally, I have refused to help distribute unsolicited mail and actively prevented illegal publishing of voting results. Both times I was able to find support in the legal department and senior management respectively, but it's a fine line to walk; in both instances, a small misjudgement could have cost me my job even under Norway's protective laws.
The bottom line is, it's up to the individual to consider the situation, weigh responsibilities and loyalties, assess the risk, make a decision - and finally live with the consequences.
Ethics is a wonderfully fluid concept and varies greatly between cultures and places. 'Nuf said on that.
You need to first understand how the local laws apply to the situation, because sometimes it stops right there. I don't believe any of us should follow instructions which we know to violate the law, unless we are also prepared to accept any consequences arising from doing so. The next step is to apply your personal beliefs (ethics, morals, religious, whatever). There will at times be a conflict and you must make that decision yourself.
I've personally refused to do things on a number of occasions because I didn't believe that what I was asked to do was "right", either legally or morally. Sometimes I've won the argument and other times someone else has followed the same instructions because they felt less strongly about it (or feared losing their jobs). While I've never personally been sacked in such a situation I do know of others who have been. If I feel strongly enough I'll run that risk every time.
I had actually written an article called "Managing the Manager" covering this topic, 6 years ago or so. But what it all comes down to is **Cover Your A\*\*\***.
The principle all administrators should live by is CYA, always. It doesn't matter who is in charge, always do it for that "just in case." That is why a Computer Policy should always be implemented; it covers you from liability provided they sign it or at least pass it out with that intention. The same goes for the Local Security Policy login prompt: use it for that reason as well. As soon as they log in to their computers, make it say they agree to the terms of the policy.
I have a personal experience with these types of situations, and guess what happened to me when the FBI arrested our CFO for several charges? Nothing, because I CYA'd and all evidence was saved in case something bad happened.
Make sure you have a policy in place based on industry requirements (depending on what the company does, these requirements will be different).
If I am ever asked to touch another user's email or do some discovery, I get something in writing from our HR department with their signature. I outright tell them it's a CYA for me. People are willing to accept it when you tell them you do not want to violate any privacy of information, and it also helps garner trust that you are that concerned.
The best insurance, however, is full backups in an offsite storage location, particularly if you have a running policy of keeping several years' worth somewhere secure (at my org we have a safety deposit box at Wells Fargo; tapes go there every month and stay there indefinitely). If you do delete something that turns out to have been illegal, you can point investigators to the backups. If somebody ever wants the backups deleted, then there is definitely something illegal going on.
First, IANAL, but I have been involved in IT legal issues. My understanding is that the actions of IT come down to what can be reasonably expected for the IT person to know. E.g., the boss tells you to delete the accounting files. You KNOW that they are under investigation. You do that and you are likely to be charged with obstruction. On the other hand, in the same situation where you did not have any idea that there was any investigation (and the government gets to make that determination), and it's reasonable that you would have been asked to delete those files, you would be OK.
As previously indicated, there are other regulations that might apply. In biotech, 21 CFR Part 11 regulations would apply.
As an IT staffer you are deemed to have some understanding of what's reasonable and customary (I believe that's the legalese). It's not, however, illegal for them to fire you for not performing requested activities; the federal whistleblower statutes would apply. Small comfort, as you're likely to be a marked man in many of the smaller states.
Great question. I can't really reference anything to the United States as I don't work there, but ethics / legality has been one of those things that often crops up in the work of anyone with elevated system privileges, and on which there doesn't seem to be anywhere near enough formalised guidance. Personally, it makes me wish there was a strong industry body that represented us in the same way that doctors and lawyers have. I do know the (UK-specific) British Computer Society has published a code of conduct for members, which made me join so that I could feel breaching that code would be a reasonable, relevant defence for turning an unethical request down. I'm guessing maybe the ACM may be similar from a US point of view?
Personally, I tend to work to the same rules as others have mentioned: CYA. Document, audit, and log everything as far as is feasible, and if it makes me feel uncomfortable carrying out the request, I trust my moral compass and try to make sure it's documented as authorised as high up as I can get.