BKITETHB.RVW 20041010

"IT Ethics Handbook", Stephen Northcutt, 2004, 1-931836-14-0, U$49.95/C$69.95
%A Stephen Northcutt stephen@sans.org
%C 800 Hingham Street, Rockland, MA 02370
%D 2004
%G 1-931836-14-0
%I Syngress Media, Inc.
%O U$49.95/C$69.95 781-681-5151 fax: 781-681-3585 www.syngress.com
%O http://www.amazon.com/exec/obidos/ASIN/1931836140/robsladesinterne http://www.amazon.co.uk/exec/obidos/ASIN/1931836140/robsladesinte-21
%O http://www.amazon.ca/exec/obidos/ASIN/1931836140/robsladesin03-20
%P 604 p.
%T "IT Ethics Handbook"

This isn't a very good book about ethics, but it is a useful book. It's just got the wrong title.

The introduction doesn't provide any proper background to the study of ethics. The brief review of related terms doesn't give much in the way of help: ethics are defined as personal principles, and differentiated from morals only in that the latter are assumed to be accepted from some outside source. (This distinction makes ethics appear to be the base, uneducated, conscience.) Most of the anecdotes listed deal with cultural, rather than ethical, issues.

The work contains hundreds of questions or scenarios. These are divided into twenty topical chapters, although the categorization isn't particularly solid. Chapter one, "System Administration and Operations," starts off with a series of items more directly related to development, even though there is a "Programmers and Systems Analysts" chapter later on. Each item is presented with a "conservative" view, a "liberal" perspective, and a summary. (There are also "soapboxes" and anecdotes, bringing personal views and real experiences to the discussion. I'd forgotten that I'd actually submitted one, until I came across it on page 500.) Interesting points are raised, but these are seldom based in ethics, tending to deal more with standards of formal policy as opposed to the messy practicalities of life.

It is, in fact, in the field of policy creation and review that this volume should be used. Over and over again it challenges commonly accepted policies and practices in the security field. Is your usage policy flexible enough to cover all cases? Does your monitoring policy run counter to the law? Does your disclosure policy help or hinder the development of secure products? The book raises lots of questions, although it provides few answers. (What advice exists is occasionally contradictory, such as the recommendations regarding email monitoring on page 33 versus 107.) At times the material doesn't even deal with policy issues: chapter five's content on email scams is more relevant to personal security matters such as phishing.

Some, although relatively few, of the items can be used for scenarios when discussing ethics. Almost all of the questions can be used during an assessment of the coverage of a corporate security policy. So, yes, the book is useful for those in the security field. (It would have been even more useful if an index had been included.)

copyright Robert M. Slade, 2004 BKITETHB.RVW 20041010