
Running head: ETHICS AND CYBERSECURITY 1

ETHICS AND CYBERSECURITY

Justin Seay

WGU

03/15/2022

ETHICS AND CYBERSECURITY

Ethical guidelines or standards relating to information security that should apply to the case study.

TechFite has faced many ethical lapses that allowed illegal behavior to occur in the organization. This was due to a lax information security culture, and that culture would benefit from implementing ethical guidelines and standards. To rid the firm of such bad apples, TechFite should be allowed membership in groups such as (ISC)2 or the Information Systems Security Association (ISSA). These groups promote practices that ensure the confidentiality, integrity, and availability of organizational information resources (ISSA, n.d.). TechFite failed to protect intellectual property and lacked access control over user accounts. The guidelines provided by these membership groups would have helped the organization avoid these violations.

ISO 9001:2015 is another standard, one that promotes a quality management system. The standard ensures that policies and procedures are created and put in place. Monitoring ensures that the respective person enhances compliance. TechFite has documented its policies but has failed to ensure that quality checks are done in adherence to the stated policies. If the firm had adhered to its policies, the misuse of network scanning and the attempted penetration attacks would have been identified. Organizations such as Google have a code of conduct that establishes an ethical responsibility to report any unethical practice (Google Code of Conduct, 2020). If TechFite had a program like Google's, then Ms. Rogers and Mr. Hudson may have filed a report against their supervisor. Besides, having reporting procedures that ensure auditing is done frequently helps ensure no acts go unchecked.



Audits and service control reports are a way of validating services at an organization. The reports verify that the organization is adhering to the industry's best practices. The SOC reports focus on maintaining the confidentiality and security of the client. Due to the arguments against TechFite, the organization should audit to show compliance with the processes in the program. Also, having the reports completed would assure the client of data confidentiality. However, if the allegations were made, it would have been possible for TechFite to mitigate and respond to the issues it is facing.

Identify the behaviors, or omission of behaviors, of the people who fostered the unethical practices.

There are many unethical behaviors demonstrated at TechFite. Reports provided to the TechFite CISO and reviewed by the security analyst failed to provide an in-depth analysis of the internal auditing of the Business Intelligence department. The reports show no issues of concern that would impact the company. Yet topics such as network traffic analysis, verification of user privileges, and account auditing were omitted from the reports. Carl Jasper engages in another unethical practice when he steals and sells the IP of clients and non-clients. This act is likely to destroy the organization's reputation and rob the company of the profit that would have come from marketing the IP. Moreover, installing hacking tools like Metasploit to penetrate external networks is an unethical practice. The practice resulted in violations of the ECPA and the CFAA and compromised many clients' and non-clients' systems.

Factors at TechFite that led to lax ethical behavior

The unethical behavior displayed by employees in TechFite's BI unit is a result of fake friends. A lack of proper security control policies and a lack of separation of duties led to the lax ethical behavior at TechFite. The BI unit has complete access and privileges to all its user accounts, while the IT department has not set restrictions on the accounts to enforce least privilege.

The lack of an intellectual property policy and an acceptable use policy contributed to the unethical behavior. The existence of an intellectual property policy would have worked to protect Orange Leaf Software LLC. It would have created rules to separate important and proprietary data, which would have prevented the BI team and Jasper from selling data. The lack of an acceptable use policy led Sarah Miller and Jack Hudson to a violation when they installed the Metasploit framework to penetrate internet-based companies.

Ways to Mitigate Problems and Build Security Awareness.

B1. Policies that may have reduced or prevented criminal activity

A CFAA policy would have helped reduce criminal activity at TechFite. The policy allows employees to obtain permission to install tools on their systems. The presence of this policy would have protected the company from the installation of Metasploit, which compromised external networks. The presence of an ECPA policy would have also worked to prevent the violation of accessing human resources data, property of the legal department, and client data. The existence of such policies would have prevented the compromise of the intellectual property and the cyber crimes committed.

Applying a least privilege policy allows users to perform what is required for their position. The threats to intellectual property were facilitated by having no segregation of data and by creating user accounts with privileges for persons who did not require such rights. A least privilege policy would have prevented Carl Jasper from creating accounts for nonexistent personnel and accessing other departments such as human resources and payroll. The use of these policies would have prevented cybercrimes and helped maintain the confidentiality of the clients and the company.

B2. SATE

SATE sets the stage for the training and reminds employees of the importance of security and the consequences of its failure. It also reminds users of the procedures that should be followed. SATE has many key components that guide its successful implementation. User training is a major component that helps users comply and engage in the right practices in an organization. Training individuals like Nadia would have provided an idea of the importance of data segregation and classification. Users would also have been trained on keeping proprietary customer information safe. The awareness component would have been used to explain the importance of keeping data safe.

B2a: Communication of SATE program to employees

The best way to communicate SATE to employees is by having them sign an AUP upon hire. The AUP would communicate the laws and regulations guiding cybersecurity and the consequences of violations. Implementing security training programs in the payroll, human resources, supply, and logistics departments would help protect financial data and personally identifiable information. The awareness training should be conducted every quarter to allow management to address any issues identified. Running the program often will help employees stay aware of the organization's best practices and procedures, which will help prevent future incidents.

B2b: Relevance of SATE in mitigating unethical behavior

SATE should be implemented to ensure compliance with account auditing and monitoring, segregation of intellectual property, least privilege, and access management. Implementing the program will help address the issues of account creation and lack of least privilege, which allowed staff in the BI unit to compromise both internal and external customers. Training enhances employees' participation in their responsibilities. After employees are trained, they should be monitored for compliance. In addition, user accounts should be audited to assist in validating results and compliance with the organization's policies and procedures. Finally, integrating the AUP with SATE will help employees understand the consequences of violating the ECPA and CFAA. The fear of such prosecution may promote ethical behavior in the organization.

B2c. Ethical Challenges and Mitigation Strategies

TechFite has been associated with many unethical issues that led to the loss of its reputation and to criminal acts by employees. These acts resulted in the loss of clients' intellectual property, breaches of security among departments, and penetration of external companies' data. However, TechFite can mitigate unethical behavior by maintaining its information security practices. TechFite should set guidelines and standards related to the ISSA, (ISC)2, and ISO 9001:2015 standards. The company can also use the Google code of ethics template to help draft its policies and procedures. Besides, implementing the SATE program would help prevent the lax security culture in the organization.

Training employees will help promote the best practices and standards that correct the monitoring and auditing procedures and the creation of user accounts. These measures will help maintain the confidentiality of data and protect intellectual property. Therefore, employees need to perform their duties and responsibilities to the highest ethical standards. This will prevent the organization from experiencing any downfall and will help create a good reputation that will motivate more clients to visit the premises.

References

Google Code of Conduct. (2020, Sept 25). https://abc.xyz/investor/other/google-code-of-conduct/

ISSA code of ethics. https://www.members.issa.org/page/CodeofEthics

ISO 9001:2015. https://www.iso.org/standard/62085.html

The (ISC)2 Code of Ethics: A Binding Requirement for Certification. (n.d.). https://resources.infosecinstitute.com/certification/the-isc2-code-of-ethics-a-binding-requirement-for-certification/
