The purpose of this paper is to analyze the social and ethical responsibility of Database Administrators (DBAs) in the Information Technology field. Do DBAs have a social or ethical responsibility to the organizations they work for?
What is a Database Administrator (DBA)?
A Database Administrator is the person in charge of managing the relational database and its access rights. Wikipedia defines a database administrator (DBA) as the person who is responsible for the environmental aspects of a database.
In general, these include:
Recoverability - Creating and testing Backups
Integrity - Verifying or helping to verify data integrity
Security - Defining and/or implementing access controls to the data
Availability - Ensuring maximum uptime
Performance - Ensuring maximum performance given budgetary constraints
Development and testing support - Helping programmers and engineers to efficiently utilize the database.
The role of a database administrator has changed according to the technology of database management systems (DBMSs) as well as the needs of the owners of the databases. For example, although logical and physical database designs are traditionally the duties of a database analyst or database designer, a DBA may be tasked to perform those duties.
Issues, why we need one:
System Administrators (SAs) and DBAs generally have high levels of access into computer systems at major corporations, financial institutions, educational facilities and brokerage firms. These IT professionals have access to highly confidential information before it becomes public knowledge, such as IPOs, stock ratings, debt ratings, and test questions and answers, just to name a few. Many times high-level executives do not even realize, when they are saving a Word document, an Excel spreadsheet or information to a database, that most likely one or more employees or contractors working within IT have the ability to access this information. So what stops the IT professional with high-level access to systems from reading and acting on this information for their own purposes, even if they're not a hedonist who solely seeks pleasure for themselves no matter the cost to others?
ABC News in September 2007 reported a "computer administrator at one of the nation's largest prescription drug management companies admitted Wednesday he planted an electronic 'bomb' in the company's computer system." (Source: abcnews.com)
Had this "logic bomb" executed, it would have erased critical patient information, causing major problems and financial loss for the healthcare corporation. This is one case where an IT professional took advantage of the high-level system access that was entrusted to him. An example where a DBA took advantage of the trust placed in them was at Fidelity National. In 2007 the company had 2.3 million customer records stolen and sold to a marketing firm. The company "said that this was all orchestrated by one employee, who has thus far only been identified as 'a senior-level database administrator who was entrusted with defining and enforcing data access rights.' If someone wants to steal a database, that's the perfect job to have." (Source: infosecnews.org)
Existing DBA Code of Ethics:
Doctors take the Hippocratic Oath and are entrusted with patients' well-being and are to preserve life. Part of the oath is never to do deliberate harm to anyone for anyone else's interest. It is easy to understand why a physician would be required to take such an oath considering the great responsibility they hold in their hands. Engineers also have a code of ethics, which states "engineers are expected to exhibit the highest standards of honesty and integrity. Engineering has a direct and vital impact on the quality of life for all people." (Source: nspe.org) It is also easy to see why engineers must have a code of ethics, as they design airplanes, buildings, automobiles and many other items to which people trust their lives. I believe it would be great for DBAs to also be required to take an oath, or swear to practice by a strict Code of Ethics. While it may be difficult to argue that people trust their lives to a DBA, people and organizations do trust extremely confidential and sometimes very personal information to a Database Administrator. Stephen Wynkoop from SSWUG.org proposes the following elements in a DBA Code of Ethics:
Responsibilities to the Company
Be aware of and up to date on regulations that impact data systems.
Keep the company advised of all issues, honestly, openly and without unneeded drama.
Provide complete information with all facts available.
Provide the best possible security for all data systems.
Provide a recoverable environment, with a recovery plan and awareness of how to execute on that plan.
No silos - avoid segregating knowledge about your systems, techniques.
Responsibilities to One's Self
Stay up to date on industry happenings.
Stay up to date on regulation and other non-technology things that touch data systems.
Continue to learn new techniques, new tools, understand best practices.
Strive to constantly be tuning and improving approaches and procedures to existing processes.
Responsibilities to Co-Workers
Be honest in all dealings with co-workers.
Protect co-workers from data systems.
Share, teach and help grow the collective knowledge base.
What can be made better in this existing code of ethics?
I like how the SSWUG Code of Ethics calls out the DBA's responsibility to multiple stakeholders. The organization you work for, yourself and your co-workers are all important entities to keep in mind when conducting yourself on a daily basis. What is missing from the SSWUG model is the fiduciary responsibility of a DBA. The model also should call out the responsibility for DBAs to never access information that is not required for doing their job. For example, looking up a colleague's salary out of curiosity should be called out as unethical. Also, the model should have a more professional tone to set the proper environment for how a DBA should conduct themselves.
My proposed Code of Ethics
Preamble
This Code of Ethics sets forth ethical principles for all Database Administrators (DBAs). The DBA Code of Ethics is intended to be used as a guide for all involved in the profession of database administration for promoting and maintaining the highest standards of ethical practice, personal behavior, and professional integrity. The guidelines expressed in the Code are not to be considered all-inclusive of situations that could evolve under a specific principle and are designed to be additive to such other professional codes as may be applicable (such as: psychology, social work, nursing, manufacturing such as cGMP, validated systems, etc.). This code of ethics is primarily based upon the four cardinal virtues as laid down by Aristotle (384-322 BCE). As Aristotle said, we are all "looking for excellence". As DBAs we should be seeking excellence in our daily practice in the database administration profession. It also has roots in Catholic moral tradition.
This draft Code of Ethics was originally written to be high-level and condensed in nature. As I receive feedback I will incorporate it into the code. This is merely a draft to work from and build on with others' input. This input does not need to come solely from fellow DBAs. It would have more impact and a far-reaching effect if input was obtained from other fields.
Principle 1 (Prudence)
Prudence is defined as the ability to know the good end and the right means to get there. To be prudent, a DBA must seek counsel, look at facts and consider the general norms of society. When in doubt regarding a questionable situation, the DBA should consider the facts, without jumping to conclusions; seek the advice of another DBA; and/or consider what society would regard as the prudent and proper decision for the common good of all. "The common good concerns the life of all. It calls for prudence from each, and even more from those who exercise the office of authority." (Source: http://thesocialagenda.org/article4.htm#10) Certainly DBAs hold an office of authority when one considers the trust placed in them and the high-level access a DBA possesses to many, if not all, of the databases within an organization.
Principle 2 (Justice)
Justice is defined as giving each their rightful due. The Member accepts responsibility for the exercise of sound judgment and professional competence. The DBA respects the rights and dignity of all individuals and promotes well-being for all involved. Be honest in all dealings with co-workers. Protect co-workers from data systems.
Principle 3 (Temperance)
Temperance is defined as knowing when to hold back. The DBA must show temperance before viewing or acting on information considered by a reasonable person to be confidential. "Usurping another's property against the reasonable will of the owner" is considered theft. (Source: Catechism of the Catholic Church)
Principle 4 (Courage)
Courage is defined as knowing when to take a risk. The Member honors all professional and volunteer commitments. Keep the company advised of all issues, honestly, openly and without unneeded drama. Provide complete information with all facts available.
Principle 5 (Responsibility)
Responsibility is having control over and accountability for appropriate events which happen in your domain. For the DBA this involves being responsible and accountable for the databases they are trusted to control.
Principle 6 (Trustworthiness)
Trustworthiness is being creditable and worthy of trust. When you are trustworthy, people can count on you to do your best, to keep your word and to follow through on your commitments. You do what you say you will do.
Creating a Database Administration Code of Ethics is not a task to be taken on by a single person. A large collective input must be taken; a cross-functional team must be brought together with the goal of creating a universal Code of Ethics for the Database Administration Professional. The Code of Ethics would likely never be enforced, other than what is considered to be unlawful; however, the code is about striving to be a more cohesive profession when it comes to what we do and how we do it.