C841 Legal Issues in Information Security Task 2 Page 1
C841 Legal Issues in Information Security Task 2
A1: Discussion of Ethical Guidelines or Standards: In regards to the TechFite case study,
there are a number of relevant information security moral principles. First, all sensitive or
proprietary information encountered on the job should be treated with respect and kept
private. Second, professional responsibilities are to be discharged with integrity and
diligence in accordance with all applicable laws. In addition, the professional reputations of
coworkers, employers, and customers should not be intentionally slandered or brought into
question. Moreover, all work should be conducted in a manner consistent with information
security best practices. Finally, employees should not engage in any activities that may
constitute a conflict of interest.
A1a: Justification of Standards or Guidelines: All of these tenets can be found in the
ethics policies of prominent organizations throughout the IT community. For example,
the Information Systems Security Association International (ISSA) Code of Ethics
echoes the sentiment that data privacy must be maintained (ISSA Code of Ethics, 2016).
It also emphasizes the importance of industry best practices and prohibits relationships
that could be construed as a conflict of interest (ISSA Code of Ethics, 2016). The
International Information Systems Security Certification Consortium (ISC)² addresses
professional responsibilities, stating that individuals should “act honorably, honestly,
justly, responsibly, and legally” ((ISC)² Code of Ethics, 1996). The American Society
for Industrial Security (ASIS) speaks to the issue of professional reputations, declaring
that personnel must not “maliciously injure the professional reputation or practice of
colleagues, clients, or employees” (ASIS Certification Code of Professional
, C841 Legal Issues in Information Security Task 2 Page 2
Responsibility, 2018).
A2: Description of Unethical Behaviors: There were a number of individuals and groups
within TechFite whose behavior was unethical. The head of the Applications Division, Carl
Jaspers, failed to safeguard sensitive data, encouraged immoral surveillance techniques and
had a relationship with IT Security Analyst Nadia Johnson that represented a clear conflict
of interest. This relationship was a quid pro quo arrangement where Mr. Jaspers gave Ms.
Johnson gifts and positive reviews in exchange for not reporting the division’s violations
(Jackson, n.d., p. 2). Nadia Johnson accepted these bribes and subsequently produced false
reports that claimed there was no unusual activity within the division (Jackson, n.d., p. 2).
The Business Intelligence (BI) Unit within the Applications Division accessed other
divisions without authorization, viewed private information without permission, mishandled
customer data and performed penetration tests without obtaining consent (Jackson, n.d., p.
3). Specifically, BI Unit employees Sarah Miller, Jack Hudson, and Megan Rogers
performed vulnerability scans of rival company’s networks. In addition, Mr. Hudson
“coordinates efforts by third parties to gather intelligence through surveilling and through
mining companies’ trash” (Jackson, n.d., p. 3). Furthermore, the Marketing/Sales Unit did
not perform proper separation of duties and the Financial Unit neglected to audit their
payment records.
A3: Factors: The most obvious issue is the lack of an established Code of Ethics at
TechFite. Employers often make the mistake of assuming their staff understand what
conduct is considered acceptable and will abide by these precepts without instruction. While
in a perfect world this would be true, in reality this is not the case. A formal policy must be
in place that describes what ethical guidelines employees are expected to follow, and what
C841 Legal Issues in Information Security Task 2
A1: Discussion of Ethical Guidelines or Standards: In regards to the TechFite case study,
there are a number of relevant information security moral principles. First, all sensitive or
proprietary information encountered on the job should be treated with respect and kept
private. Second, professional responsibilities are to be discharged with integrity and
diligence in accordance with all applicable laws. In addition, the professional reputations of
coworkers, employers, and customers should not be intentionally slandered or brought into
question. Moreover, all work should be conducted in a manner consistent with information
security best practices. Finally, employees should not engage in any activities that may
constitute a conflict of interest.
A1a: Justification of Standards or Guidelines: All of these tenets can be found in the
ethics policies of prominent organizations throughout the IT community. For example,
the Information Systems Security Association International (ISSA) Code of Ethics
echoes the sentiment that data privacy must be maintained (ISSA Code of Ethics, 2016).
It also emphasizes the importance of industry best practices and prohibits relationships
that could be construed as a conflict of interest (ISSA Code of Ethics, 2016). The
International Information Systems Security Certification Consortium (ISC)² addresses
professional responsibilities, stating that individuals should “act honorably, honestly,
justly, responsibly, and legally” ((ISC)² Code of Ethics, 1996). The American Society
for Industrial Security (ASIS) speaks to the issue of professional reputations, declaring
that personnel must not “maliciously injure the professional reputation or practice of
colleagues, clients, or employees” (ASIS Certification Code of Professional
, C841 Legal Issues in Information Security Task 2 Page 2
Responsibility, 2018).
A2: Description of Unethical Behaviors: There were a number of individuals and groups
within TechFite whose behavior was unethical. The head of the Applications Division, Carl
Jaspers, failed to safeguard sensitive data, encouraged immoral surveillance techniques and
had a relationship with IT Security Analyst Nadia Johnson that represented a clear conflict
of interest. This relationship was a quid pro quo arrangement where Mr. Jaspers gave Ms.
Johnson gifts and positive reviews in exchange for not reporting the division’s violations
(Jackson, n.d., p. 2). Nadia Johnson accepted these bribes and subsequently produced false
reports that claimed there was no unusual activity within the division (Jackson, n.d., p. 2).
The Business Intelligence (BI) Unit within the Applications Division accessed other
divisions without authorization, viewed private information without permission, mishandled
customer data and performed penetration tests without obtaining consent (Jackson, n.d., p.
3). Specifically, BI Unit employees Sarah Miller, Jack Hudson, and Megan Rogers
performed vulnerability scans of rival company’s networks. In addition, Mr. Hudson
“coordinates efforts by third parties to gather intelligence through surveilling and through
mining companies’ trash” (Jackson, n.d., p. 3). Furthermore, the Marketing/Sales Unit did
not perform proper separation of duties and the Financial Unit neglected to audit their
payment records.
A3: Factors: The most obvious issue is the lack of an established Code of Ethics at
TechFite. Employers often make the mistake of assuming their staff understand what
conduct is considered acceptable and will abide by these precepts without instruction. While
in a perfect world this would be true, in reality this is not the case. A formal policy must be
in place that describes what ethical guidelines employees are expected to follow, and what
