There are a variety of professions where mere strict adherence to the laws is not sufficient for maintaining a professional appearance. Some are subject to explicit professional ethical standards. Others, like Systems Administration, have an implicit ethical code. Sometimes I wish there was an explicit one to follow.
Yes, there is a moral standard I'm held to that is more than just 'don't get arrested'. People need to trust the guardians of their data, and that means meeting expectations for a position of high trust. Since there isn't a commonly accepted codified moral standard for Sysadmins, just exactly what the standard is changes from organization to organization.
This is one job where the mere accusation of wrong-doing can ruin a career. The accusation has to be meaningful in some way; it can't just be an office crank attempting to score points. I'm talking the, "Brought up on embezzlement charges, but the case was dropped due to lack of evidence," kind of accusation. Reputation matters, even to us suit-free IT geeks.
If I'm unlucky enough for something trust-bashing to make it to public-record, and therefore easy pickings for your standard pre-employment background-check, I may as well find a new line of work. While a future landlord wouldn't care that I was brought up on embezzlement charges but the case was thrown out on appeal, future employers care very much about that kind of thing. Such events can be purged from your public records, but... these days negative findings are sticky; it would not surprise me in the least that there are data-gathering firms out there that make sure that all negative findings are never purged from their own databases just so clients can know they happened. Once that kind of thing hits public record, my ability to be employed as a sysadmin in any organization of size is greatly reduced.
Heck, once the charge is laid it is entirely possible that I would be fired for cause. Never mind that the charge was dropped, or overturned on appeal. That's the downside of working in a trust-based industry.
And it's not just crime, it's internal politics as well. I have known IT workers who gleefully look at master contracts as their ticket to free software, baybeee! They take home installation media for whatever and the master license key provided by purchasing and install umpty hundred (thousand) dollars' worth of software on their home machines. This sort of casual piracy can infect SysAdmins as well, since we're the kind of people who just might have a need for, say, Server 2008 Enterprise or Exchange 2010 in our homes. (Why? Because we're nuts. Continuing education. Yeah, that's it.) This sort of behavior can turn supervisors and peers against a person.
And it isn't just piracy. Getting a reputation for exploiting your godlike access to casually browse other people's emails, or indulging in curiosity and peeking at the Budget Office's internal documents to see what the coming IT budget is likely to look like, can be just as damaging if it gets discovered. Users are, justly, paranoid about their privacy, and finding out that the sysadmin has been browsing their data for their own curiosity rather than as part of their job-duties is a sure-fire way to make enemies. We can obtain official sanction to look at other people's data in a variety of ways, but if we exercise this access for purely personal reasons it is a violation.
This is the kind of thing that can trip up new sysadmins. Just because you have access doesn't mean you have authorization. I find navigating our large Shared volumes a bit tricky since I can see everything. Access is having Administrator rights to a whole system. Authorization is being asked by an employee's supervisor to go into a specific individual's mailbox to look for mails pertaining to topic X. Access does not directly imply authorization; not everyone gets this.
This kind of thing can have significant consequences. If as part of an illicit information-gathering regime (looking to see how a certain high-value IT purchasing contract is progressing without harassing actual people for updates) I discover that a certain individual in the Purchasing office has been doing something illegal, what do I do? I certainly had sufficient access to the data in question, and I am duty bound to report malfeasance whenever I run into it. The BOFH answer here is to shake down the employee in question in some way. Since BOFH is sysadmin dark humor, that's not really an answer. More realistically, what next? If I come forward with the evidence I have to provide some reason for why I was looking there in the first place, some reason other than "because I was snooping." As law enforcement will tell you, information found by way of an illegal activity is not admissible.
Losing the faith of your current employer is hazardous to your job, even if that activity won't splash on you enough to prevent you from finding work elsewhere. Annoy them enough, and they'll 'helpfully tip off' your future employer about your activities, which may cost you your new job before you actually start.
System Administrators are held up to a higher moral standard than ye olde citizen. We don't have the benefit of having a codified professional standard to follow other than, 'keep your nose clean, and don't be evil.' There are some attempts to codify this standard, but they haven't penetrated the entire industry the same way that, say, those for a Certified Professional Accountant have. But that doesn't stop me from trying to live up to one.