Code of Ethics

Oregon State University Security Club

Having a strong ethical and moral code in the field of information security is very important. You may encounter sensitive information that needs to be treated with care, or develop skills that can be used maliciously. It is important to make sure you operate ethically, legally, and morally with everything you do in information security.

Here is the code of ethics that we, as a club, have and bestow upon all of our members. It is an adaptation of the code of ethics adopted by the Information Security and Assurance Club at Oklahoma State University.

An Adaptation of Codes of Ethics (IEEE, CEH, SANS)

Prepared by Corey McMahon, 2009 – 2010 ISAC CCDC Chairman. Modified by Daniel Reichert for use by the Oregon State University Security Club.

  1. Ensure the confidentiality of any private information attained through day-to-day activities. [3]
  2. Respect the degree of privacy expected by fellow citizens and not pursue or examine students’ information including data, files, records, or network traffic except as defined by the appointed roles, and/or without the permission of the end user, unless given specific authorization by the proper authorities. [2]
  3. “Obtain [specific and detailed] permission before probing systems on a network for vulnerabilities.” [2]
  4. “Ensure all penetration testing activities are authorized and within legal limits.” [3]
  5. Report any system weaknesses, holes, or intrusions to the proper supervisor or authority. [2]
  6. Research and obey current intellectual property laws. [3]
  7. “Use the property of a client, employer, or academic institution only in ways properly authorized, and with the owner’s knowledge and consent.” [3]
  8. Ensure honesty and realism when stating claims or estimates based on available data. [1]
  9. Never knowingly use software that is obtained or retained illegally. [3]
  10. “Not purposefully compromise or cause to be compromised an organization’s systems in the course of your professional dealings.” [3]
  11. Not be part of any malicious hacker community for purposes of assisting and expanding illegal or malicious computer activities. [3]
  12. Not injure others, their property, reputation, or employment by malicious computer actions. [2]
  13. Not steal or borrow company time, resources, or property without specific authorization. [2]
  14. Not abuse the power, knowledge, user rights, or privileges that have been delegated in good faith. [2]
  15. Seek out specific authorization in any “gray areas” of the IT domain.
  16. Assist and hold accountable other colleagues and co-workers to this Code of Ethics.

[1] “IEEE Code of Ethics,” Feb., 2006. [Online]. Available: http://www.ieee.org/portal/pages/iportals/aboutus/ethics/code.html. [Accessed: Sep. 15, 2009].

[2] “IT Code of Ethics,” Apr. 24, 2004. [Online]. Available: http://www.sans.org/resources/ethics.php. [Accessed: Sep. 15, 2009].

[3] “Code of Ethics,” [Online]. Available: http://www.eccouncil.org/codeofethics.htm. [Accessed: Sep. 15, 2009].