﻿<?xml version='1.0' encoding='UTF-8'?><rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/"><channel><title>SQLServerCentral / Editorials / SQLServerCentral.com  / Guest Editorial: Do DBAs Need a Code of Ethics? / Latest Posts</title><generator>InstantForum.NET v2.9.0</generator><description>SQLServerCentral</description><link>http://www.sqlservercentral.com/Forums/</link><webMaster>notifications@sqlservercentral.com</webMaster><lastBuildDate>Wed, 19 Jun 2013 07:29:36 GMT</lastBuildDate><ttl>20</ttl><item><title>RE: Guest Editorial: Do DBAs Need a Code of Ethics?</title><link>http://www.sqlservercentral.com/Forums/Topic650586-263-1.aspx</link><description>[quote][b]Steve Jones - Editor (2/6/2009)[/b][hr]Wow, quite a debate going on! Brad, thanks for the break and a nice job on the editorial. We all need to get "reset" at times, to have ourselves grounded back in our reality. It happens again and again in many situations that we spiral our thoughts and emotions about some situation. As an example, the unlicensed server. You might do one for Dev, which is allowed, it might get moved temporarily to prod, which happens, you hem and haw, "bend the line", it's only natural over time that you might stray further than you want. However, if you had a grounded set of ethics, maybe something that was online with AITP, or even IEEE, that we published once a year to re-ground you back with something you agree, that might help some of us be sure we're acting as we want. A code of ethics doesn't indicate failure. It provides a structured outline of how to deal with some of the "it depends" situations. I think most people have the basic "do not lie, do not steal" morals, but there are plenty of gray areas that you might not be sure about. We have obligations not just to the company, but to the people whose data we hold. We can't force unethical people to follow a code, as Jeff Moden mentioned, but it's not for them. 
We can report them when we see it, and perhaps have some level of follow through. A code hosted by someone like AITP would also need a place where people can ask questions of their situation and get guidance on how far to press things. Above all, we can agree that we do follow a code. If we police ourselves, at some point it will become fashionable to hire someone that adheres to the code. Maybe not for 20 years, but it will be a marketable item like "green" is today.[/quote] In that vein, wouldn't it be wonderful if DBAs (and other folks) could go through an agency, background check and all, to become both "bondable" and "certifiably ethical".  It would have to be a strict process and a non-profit agency so that the certifications actually mean something.   Think about what that would do to your resume.</description><pubDate>Fri, 06 Feb 2009 17:17:34 GMT</pubDate><dc:creator>Jeff Moden</dc:creator></item><item><title>RE: Guest Editorial: Do DBAs Need a Code of Ethics?</title><link>http://www.sqlservercentral.com/Forums/Topic650586-263-1.aspx</link><description>No sooner had I posted the baby blurb that I posted that I then read Steve Jones' response.  Having a place to hang your hat, when being asked to do something unethical can be useful. To be able to refer to that set of guidelines as an appeal to authority, for those asking you to step out of an ethical position can be powerful. I had a manager who did that when asked to do some shaky things back in the early 80's.  She used the guidelines or ethics from the DPMA group.</description><pubDate>Fri, 06 Feb 2009 15:15:41 GMT</pubDate><dc:creator>mark johnson-152566</dc:creator></item><item><title>RE: Guest Editorial: Do DBAs Need a Code of Ethics?</title><link>http://www.sqlservercentral.com/Forums/Topic650586-263-1.aspx</link><description>I believe that a DBA set of guidelines could be useful.  It would need to be handled by a vendor neutral group.  
SOX, HIPAA touch on data access and control and really are more to help the DBA and IT maintain ethical behaviour of others that the DBA works with.  I get lost on these types of discussions, as I do not tend to think about people abusing data.  With that being said, I have had people in position ask about things that they had no need to know and therefore they did not get that information from me.  Example dialogue: Question "Hey what does the vp who is on my level who works over in accounting make for salary or benefits?"  Response "Don't know." Question "You could find out?" Response "I could, but I won't" Question "What if I ..." Response "If you give me a request in writing with (ceo, cfo etc) signature, stating you need that information, then I'll pull a report" Their final answer "Oh, just kidding" As far as daily duties, we all have a responsibility to perform our jobs.  Backups, design, performance to the best of our ability.  Is it unethical to not have a backup?  No, not if the cost of that exposure has been explained to the owner of the data.  Not very smart but not unethical. Selling data as an individual, to an outside entity.  Unethical, and should be criminal, it is not always criminal but probably should be.</description><pubDate>Fri, 06 Feb 2009 15:07:27 GMT</pubDate><dc:creator>mark johnson-152566</dc:creator></item><item><title>RE: Guest Editorial: Do DBAs Need a Code of Ethics?</title><link>http://www.sqlservercentral.com/Forums/Topic650586-263-1.aspx</link><description>Wow, quite a debate going on! Brad, thanks for the break and a nice job on the editorial. We all need to get "reset" at times, to have ourselves grounded back in our reality. It happens again and again in many situations that we spiral our thoughts and emotions about some situation. As an example, the unlicensed server. 
You might do one for Dev, which is allowed, it might get moved temporarily to prod, which happens, you hem and haw, "bend the line", it's only natural over time that you might stray further than you want. However, if you had a grounded set of ethics, maybe something that was online with AITP, or even IEEE, that we published once a year to re-ground you back with something you agree, that might help some of us be sure we're acting as we want. A code of ethics doesn't indicate failure. It provides a structured outline of how to deal with some of the "it depends" situations. I think most people have the basic "do not lie, do not steal" morals, but there are plenty of gray areas that you might not be sure about. We have obligations not just to the company, but to the people whose data we hold. We can't force unethical people to follow a code, as Jeff Moden mentioned, but it's not for them. We can report them when we see it, and perhaps have some level of follow through. A code hosted by someone like AITP would also need a place where people can ask questions of their situation and get guidance on how far to press things. Above all, we can agree that we do follow a code. If we police ourselves, at some point it will become fashionable to hire someone that adheres to the code. Maybe not for 20 years, but it will be a marketable item like "green" is today.</description><pubDate>Fri, 06 Feb 2009 08:46:38 GMT</pubDate><dc:creator>Steve Jones - SSC Editor</dc:creator></item><item><title>RE: Guest Editorial: Do DBAs Need a Code of Ethics?</title><link>http://www.sqlservercentral.com/Forums/Topic650586-263-1.aspx</link><description>Some idle &amp; disjointed ranting on my part. A code of ethics...are things that bad? 
Do DBAs ever play dirty? :hehe: In the event that such a thing comes to pass, I vote an absolute NO to the vendor setting the code of ethics, we all watch &amp; follow the news... Just asking, do Presidents (of countries, that is) have a code of ethics too?</description><pubDate>Thu, 05 Feb 2009 21:40:44 GMT</pubDate><dc:creator>DangerMouseKaBoom</dc:creator></item><item><title>RE: Guest Editorial: Do DBAs Need a Code of Ethics?</title><link>http://www.sqlservercentral.com/Forums/Topic650586-263-1.aspx</link><description>Pros and Cons... I may have missed these few in someone's post, but I see a two edged sword: Pros: - Historically, any regulation elevates cost, pricing, pay levels, etc.  Adding governmental backing usually hikes the price on both sides a great deal. Cons: - Things get more expensive, and the cost is shunted to the consumer. - Historically, any regulation stifles growth, invention, and entry.  Take model rocketry for example.  They started with a code.  The code got codified into municipal fire code, from there into consumer protection code.  Now stands as a major staple in Federal code.  NONE of this ever passed a law making body... it was upheld by governmental units taking power to enforce accepted standards, to the point of being able to impound and/or imprison non-compliers.  It is far more complicated to get into that hobby now, but that very hobby is what drove numberless souls into taking jobs in some aspect of the space race.  Now only those with great amounts of money play with anything bigger than a baseball bat. Don't get off track here - the similarity is exactly how SOX and HIPAA came into being, and neither one actually solves anything close to the pain, cost, and chaos they incur. Honesty and integrity are good.  Preaching honesty and integrity is good.  
Enforcing it in all but the most profanely bad situations is usually a bigger cause of bad things. I think the AITP code suits well enough, as ethics is not about the technology, but the honor of the individual. (edited incoherent phrase)</description><pubDate>Thu, 05 Feb 2009 16:34:22 GMT</pubDate><dc:creator>DPhillips-731960</dc:creator></item><item><title>RE: Guest Editorial: Do DBAs Need a Code of Ethics?</title><link>http://www.sqlservercentral.com/Forums/Topic650586-263-1.aspx</link><description>Brad's comment about a mission statement, even one worded as a code of ethics, or vice versa, would definitely be of use to people new to the profession.  Would definitely have been useful to me when I started out, at least if it were well put together. For example, an SQL Dev might be perfectly able to write code that "gets the job done", but what if it's written at the cost of potential data corruption?  I've seen that kind of thing in any number of discussions about "home brewed identity columns".  If a new DBA/Dev had a "Code" or "Mission Statement" that made it clear that the first duty is protecting the data, that kind of solution might not be considered, and that would be a good thing. My first priority when I started out was simply "can I get the data into the form, and get it back again when I need it next time".  Didn't even consider the importance of table integrity checks, locks, etc.  Maybe with something that outlined a few key basics of "the DBA Code" would have been useful.  Instead, I've either come up with my own Code or borrowed from others as it became clear that they had something that was worth borrowing.  (Kind of like borrowing code, but slightly different.) In that respect, yeah, a codified or at least outlined DBA Code would be a good thing.  
Not so much for blame and punishment, but for education and clarification. Of course, such codes always eventually mutate into rituals and traditions, and then somewhere down the line, someone has to make a movie where the hero wins by breaking all the rules and being either really cool or really hot or both at the same time. :)</description><pubDate>Thu, 05 Feb 2009 14:56:02 GMT</pubDate><dc:creator>GSquared</dc:creator></item><item><title>RE: Guest Editorial: Do DBAs Need a Code of Ethics?</title><link>http://www.sqlservercentral.com/Forums/Topic650586-263-1.aspx</link><description>[quote][b]rudy komacsar (2/5/2009)[/b][hr]Not to throw a wet towel on things but if that is the case why do SOX and HIPAA exist?[/quote] At the risk of being overly cynical they exist solely because politicians needed to be seen to be "doing something" about a scandal, without, of course, actually doing anything constructive. There are those who argue these acts are actually harmful rather than helpful. And whoever spoke of irony in this thread nailed it. You can't enforce ethics--unless you have a large club with sharp metal spikes sticking out of it and spies hiding under the bed. I'm all for checks and balances, audit logs and the like. I'd even go for a list of what's expected of a DBA in general terms for newcomers. But that isn't a set of ethical guidelines, it's a job description. 
:)</description><pubDate>Thu, 05 Feb 2009 13:38:33 GMT</pubDate><dc:creator>roger.plowman</dc:creator></item><item><title>RE: Guest Editorial: Do DBAs Need a Code of Ethics?</title><link>http://www.sqlservercentral.com/Forums/Topic650586-263-1.aspx</link><description>Not to throw a wet towel on things but if that is the case why do SOX and HIPAA exist? They do, at least in part, to govern the tasks and responsibilities, not to mention, the ethics, of DBAs ...now we are back to:    http://en.wikipedia.org/wiki/Association_of_Information_Technology_Professionals</description><pubDate>Thu, 05 Feb 2009 12:58:44 GMT</pubDate><dc:creator>rudy - Doctor "X"</dc:creator></item><item><title>RE: Guest Editorial: Do DBAs Need a Code of Ethics?</title><link>http://www.sqlservercentral.com/Forums/Topic650586-263-1.aspx</link><description>[quote][b]Ewan Hampson (2/5/2009)[/b][hr][quote][b]Jeff Moden (2/5/2009)[/b][hr]The ironic part about this whole discussion is that a code of ethics would only be followed by ethical people.  ;)[/quote] Not the point.  Having and briefing about a code of ethics should raise awareness - it's not an on or off thing, and you can become more aware of the ethical implications of a given situation, and realise you can do better.  And having people signed up to a code makes it easier to show when they failed to observe it.[/quote] Understood and I agree... just want everyone to understand that a code of ethics will not make anyone more ethical.  Most true DBAs follow a personal code of ethics that would make anything written down pale in comparison.</description><pubDate>Thu, 05 Feb 2009 12:32:17 GMT</pubDate><dc:creator>Jeff Moden</dc:creator></item><item><title>RE: Guest Editorial: Do DBAs Need a Code of Ethics?</title><link>http://www.sqlservercentral.com/Forums/Topic650586-263-1.aspx</link><description>This has been an interesting discussion so far. 
After reading all of the postings, it seems that the majority of the DBAs in this discussion aren't interested in a DBA Code of Ethics, with only a few people in the "maybe" and "yes" categories. This is a good indication why this topic has never "caught on" within the DBA community. One thing I have noticed about the "experienced, professional" DBAs I personally know, is that they take their job and DBA responsibilities very seriously, and because of this, a DBA Code of Ethics is redundant for them. I think most of those in this discussion fall into this category. But as Andy Warren suggested, a Code of Ethics might be useful for those new to the profession. I agree. A DBA Code of Ethics (and a very general one at that), might be useful as a guide for those starting out. Also, as Andy has suggested, a DBA Code of Ethics might be something DBAs might be able to reference if they are stuck in an ethical dilemma and need support for their position. While I did briefly mention "enforcement" in my editorial, I debated if I should use that term at all. I went ahead and included it to see what comments it would provoke. But, in my opinion, I don't think enforcement of any DBA code of ethics could be practical. Instead, a DBA Code of Ethics should be a "guiding light," not an absolute set of rules. Perhaps instead of a DBA Code of Ethics, maybe we need a DBA Mission Statement that outlines what it means to be a good DBA. 
Again, this would not be designed for experienced DBAs, but for those who are entering the profession. In any event, I am glad to see an active discussion of the topic.</description><pubDate>Thu, 05 Feb 2009 12:19:42 GMT</pubDate><dc:creator>bradmcgehee@hotmail.com</dc:creator></item><item><title>RE: Guest Editorial: Do DBAs Need a Code of Ethics?</title><link>http://www.sqlservercentral.com/Forums/Topic650586-263-1.aspx</link><description>Unfortunately, no matter how you approach the term "ethics", you must deal with the 800 pound gorilla which is what defines right and wrong? Who says? On what basis? When these questions can be answered, then we begin to approach the discussion of ethics. Otherwise we are simply making noises that no one can rationally interpret. This is why I suggest continuing such a discussion with emphasis on SLAs which are simply the establishment of performance goals which are what we are really discussing here.</description><pubDate>Thu, 05 Feb 2009 11:51:26 GMT</pubDate><dc:creator>jshowalter</dc:creator></item><item><title>RE: Guest Editorial: Do DBAs Need a Code of Ethics?</title><link>http://www.sqlservercentral.com/Forums/Topic650586-263-1.aspx</link><description>Here's an extract from that GISCI Code I referred to earlier.  PLEASE NOTE that this is just a summary. In the actual code at [u][url]http://www.gisci.org/code_of_ethics.aspx[/url][/u] each of the numbered items below the topics has several bullet points that fully explain each one in detail.  There is also a discussion before the actual code about how it was developed and the goals. Just substitute "DBA" for "GIS Pro" below, and see how it reads: [b]I. Obligations to Society[/b] The GIS professional recognizes the impact of his or her work on society as a whole, on subgroups of society including geographic or demographic minorities, on future generations, and inclusive of social, economic, environmental, or technical fields of endeavor.  
Obligations to society shall be paramount when there is conflict with other obligations.  Therefore, the GIS professional will: 1. Do the Best Work Possible. 2. Contribute to the Community to the Extent Possible, Feasible, and Advisable. 3. Speak Out About Issues. [b]II.  Obligations to Employers and Funders[/b] The GIS professional recognizes that he or she has been hired to deliver needed products and services.  The employer (or funder) expects quality work and professional conduct.  Therefore the GIS professional will: 1. Deliver Quality Work. 2. Have a Professional Relationship. 3. Be Honest in Representations. [b]III. Obligations to Colleagues and the Profession[/b] The GIS professional recognizes the value of being part of a community of other professionals.  Together, we support each other and add to the stature of the field.  Therefore, the GIS professional will: 1. Respect the Work of Others. 2. Contribute to the Discipline to the Extent Possible. [b]IV.  Obligations to Individuals in Society[/b] The GIS professional recognizes the impact of his or her work on individual people and will strive to avoid harm to them.  Therefore, the GIS professional will: 1. Respect Privacy. 2. Respect Individuals. Ray Montgomery, GISP Sandy City, Utah</description><pubDate>Thu, 05 Feb 2009 11:48:12 GMT</pubDate><dc:creator>rmontgom</dc:creator></item><item><title>RE: Guest Editorial: Do DBAs Need a Code of Ethics?</title><link>http://www.sqlservercentral.com/Forums/Topic650586-263-1.aspx</link><description>I don't think SLA for SQL is the right approach, but maybe it's not pure ethics either. 
I guess one question I have is "who benefits from having a written set of ethics for a SQL DBA?" - I think new DBAs might find it pretty useful to know what is expected of them ethically beyond don't lie &amp; steal - If you're a strongly ethical person you don't "need" the list, but in most cases wouldn't your standards be higher and so doesn't hurt (but doesn't help) - I think it's useful (if wimpy at times) to point to an external source (like a consultant!) and say, NO - because blah blah is written here. Rather than be abstract, here's a first cut with not much forethought! - I will notify my employer of any potential security gaps that directly relate to SQL Server and their perceived severity - I will not sell, trade, etc, data that I have access to as a DBA - I will notify my employer if I believe them to not be in compliance with SQL Server licensing - In the event that privacy data has been breached, I will notify my employer and if no corrective action is taken within X, notify authorities - I will advise my employer of 'best practices', but I understand that my employer may choose whatever practices are deemed appropriate (too loose??) And then supplement that with some cases/guidance. SQL injection. Not using encryption with privacy data. Etc?</description><pubDate>Thu, 05 Feb 2009 11:26:24 GMT</pubDate><dc:creator>Andy Warren</dc:creator></item><item><title>RE: Guest Editorial: Do DBAs Need a Code of Ethics?</title><link>http://www.sqlservercentral.com/Forums/Topic650586-263-1.aspx</link><description>[quote][b]Jeff Moden (2/5/2009)[/b][hr]The ironic part about this whole discussion is that a code of ethics would only be followed by ethical people.  ;)[/quote] True. And even professions with published ethics rules can have huge problems with it.  You can be disbarred for a large number of things as a lawyer, but is there anyone left in the world who actually believes lawyers are highly ethical?  
(If so, I have this bridge, and there's a deposed African ruler who wants to buy it, but he needs a bank account to transfer the money through, and you are his choice for that.) And most people understand that doctors, while often ethical, are equally often more motivated by money than by a desire to help people have better, healthier lives.  Depends on who you get.</description><pubDate>Thu, 05 Feb 2009 11:03:43 GMT</pubDate><dc:creator>GSquared</dc:creator></item><item><title>RE: Guest Editorial: Do DBAs Need a Code of Ethics?</title><link>http://www.sqlservercentral.com/Forums/Topic650586-263-1.aspx</link><description>The supposed issue of a code of ethics for Database Managers is a non sequitur of unbelievable proportions because: 1.  Ethics imply metaphysical benchmarks from which an agreement of all parties can be established as to what specifically differentiates good DBA philosophy from bad. 2.  DBAs being essentially rational and logically oriented in their prioritization of duties can immediately discern the nature of issue 1 above being unanswerable and pointless to pursue given our post-modern culture which denies the existence of metaphysical standards on the basis that they are essentially byproducts of culture and tradition and have no foundation in the classical understanding of truth, thus no code of DBA ethics has been nor will be established. 3.  The professions of physician, attorney, accountant, engineer, realtor, et al, which were made example of for their codes of ethics are today better recognized for their collective violations of said codes than they are for their promotions of and adherence to those codes. 4.  
Most of the references provided in the editorial speak of Service Level Agreement goals not ethical standards of performance. I would suggest that the topic be reframed around the title of SLAs for DBAs</description><pubDate>Thu, 05 Feb 2009 10:47:32 GMT</pubDate><dc:creator>jshowalter</dc:creator></item><item><title>RE: Guest Editorial: Do DBAs Need a Code of Ethics?</title><link>http://www.sqlservercentral.com/Forums/Topic650586-263-1.aspx</link><description>About 4 years ago, a group of computer professionals specializing in a different discipline had a similar problem that might be beneficial to look at.  I'm speaking of GIS (Geographic Information System) professionals.  There was a strong feeling for the need for some sort of certification program, but it needed to [b]not[/b] focus on any one software vendor.  The solution was that several professional organizations (not vendors) formed an independent body, called the  GISCI (GIS Certification Institute).  It now offers a program to become certified as a GISP based on points earned through education, work experience, contributions to the profession, and signing a [u]code of conduct[/u] statement. Please check out their information at [url]www.gisci.org[/url].  There is a link to their Code of Ethics, which could be easily adapted to DBAs.  Or perhaps an entire DBA certification could be modeled after theirs, with an eye towards not making it vendor specific. Ray Montgomery, GISP Sandy City, Utah</description><pubDate>Thu, 05 Feb 2009 10:08:24 GMT</pubDate><dc:creator>rmontgom</dc:creator></item><item><title>RE: Guest Editorial: Do DBAs Need a Code of Ethics?</title><link>http://www.sqlservercentral.com/Forums/Topic650586-263-1.aspx</link><description>[quote][b]Andy Warren (2/5/2009)[/b][hr]I don't think ethics is that easy, and I'd rate myself pretty high on the ethic-meter. 
Don't lie/don't steal are fine, but what about gray areas? - As mentioned, a SQL injection vulnerability that you know could expose privacy/credit card data? Do you quit? Call the FBI? How long do you give them to fix? - What if an employer wants you to provision a new SQL Server, but wait to pay for the SQL license when SQL 10/11 ships. Technically stealing, do you say no? Quit? Report them? - How about if your CIO asks for a spreadsheet of all customers with a credit line of more than $25k (name, address, account #). Do you provide it? Ask him to state he's not going to mis-use it? - Or you discover that your offsite backup plan consists of the network guy taking the unencrypted tape home with him every night, he's a drunk, getting divorced, and has money problems - what is your role in heading off possible data loss? Maybe it does come down to don't lie/don't steal. I think the problem with very fixed rules is that they actually give us a way to avoid the gray areas, and that's where the pain often is. I'm just arguing my view, but it's a good discussion.[/quote] It comes down to what you agreed to do for your paycheck. Your gray areas don't seem all that gray to me. I'm not meaning to sound argumentative or draconian, this is truly how I see it. SQL Vulnerability: Are you the one responsible for data integrity? If so, FIX IT. If you aren't, report it to the person who can fix it, or their boss. Keep an eye on it, and escalate to their boss's boss if it doesn't get fixed. If you aren't responsible for data integrity you aren't really a DBA, right? At that point (as a non-DBA who stumbled across it) you should report it as a good Samaritan, but that's all. Provision an unlicensed server: Refuse. I've been in this position, I refused. They bought the license. :) This is not gray. (I never said I was [i]flexible[/i]. :) ) If they push it, don't back down. If they fire you, and you feel like causing trouble, report your company. 
If they go around you and don't fire you, you should probably look for another job anyway, as your boss is clearly not to be trusted. CIO request: Honor it. He "owns" the data, or is an agent for the owner. It is his data to request. Offsite backup: If you have the authority, make other arrangements immediately. Failing that, notify your boss and his boss. This *is* a data breach and if your immediate boss(s) won't act, escalate to someone who will. I've had to stress to the president of our company on occasion how vulnerable we would be to ruinous lawsuits if a data breach occurs. On a regular basis I am urged by well-meaning but clueless users to include sensitive data in systems where it has no business being. I refuse and start educating them about how dangerous that data really is. So far I've been successful in avoiding including social security numbers and driver's license numbers and the like. It all comes down to what you and your employer agreed to in the beginning, and what areas you're responsible for. By keeping your word even when it's hard your employer knows he can trust you to honor your agreement. And [i]that[/i] makes you solid gold in this world of ours. As I said, my view may be too black and white for some people's taste, but it works for me.</description><pubDate>Thu, 05 Feb 2009 09:19:44 GMT</pubDate><dc:creator>roger.plowman</dc:creator></item><item><title>RE: Guest Editorial: Do DBAs Need a Code of Ethics?</title><link>http://www.sqlservercentral.com/Forums/Topic650586-263-1.aspx</link><description>[quote][b]Jeff Moden (2/5/2009)[/b][hr]The ironic part about this whole discussion is that a code of ethics would only be followed by ethical people.  ;)[/quote] Not the point.  Having and briefing about a code of ethics should raise awareness - it's not an on or off thing, and you can become more aware of the ethical implications of a given situation, and realise you can do better.  
And having people signed up to a code makes it easier to show when they failed to observe it.</description><pubDate>Thu, 05 Feb 2009 09:17:10 GMT</pubDate><dc:creator>Ewan Hampson</dc:creator></item><item><title>RE: Guest Editorial: Do DBAs Need a Code of Ethics?</title><link>http://www.sqlservercentral.com/Forums/Topic650586-263-1.aspx</link><description>The ironic part about this whole discussion is that a code of ethics would only be followed by ethical people.  ;)</description><pubDate>Thu, 05 Feb 2009 09:12:45 GMT</pubDate><dc:creator>Jeff Moden</dc:creator></item><item><title>RE: Guest Editorial: Do DBAs Need a Code of Ethics?</title><link>http://www.sqlservercentral.com/Forums/Topic650586-263-1.aspx</link><description>As I've read through the responses a common theme has been that people already know what is right and wrong or moral or ethical, yet can someone provide a definition and where that definition comes from? The issue, as I see it, is that, when placed in a situation where we have to choose, we too often fall back on "It depends" instead of having a clear standard.  I won't lie, unless it is to spare someone's feelings.  I won't steal, unless I need to feed my family. I think having a defined Code of Ethics is a good idea just so there is a standard to point to when a new person enters the field or when questioned about why we can't provide that information.  Sure it can't be enforced like in a licensed profession like the medical field, but we can, as a community, use it to try to weed out unethical people and point to it when hiring as a condition of employment.</description><pubDate>Thu, 05 Feb 2009 09:00:13 GMT</pubDate><dc:creator>  Jack Corbett</dc:creator></item><item><title>RE: Guest Editorial: Do DBAs Need a Code of Ethics?</title><link>http://www.sqlservercentral.com/Forums/Topic650586-263-1.aspx</link><description>Formulating a set of ethical guidelines is a good thing.  
Yes, common sense needs to dictate basics, like "don't deliberately sabotage your employer because you're annoyed at your boss".  But published standards are easier to comply to than "everybody knows that!" standards.  That applies to ethics just as much as it does to coding.</description><pubDate>Thu, 05 Feb 2009 08:58:49 GMT</pubDate><dc:creator>GSquared</dc:creator></item><item><title>RE: Guest Editorial: Do DBAs Need a Code of Ethics?</title><link>http://www.sqlservercentral.com/Forums/Topic650586-263-1.aspx</link><description>As one of the previous posters pointed out, there are many positions that have access to confidential data.  A DBA position should not be singled out. I think a better way of ensuring ethics are not violated is by division of responsibilities, security procedures, and auditing. An example of division of responsibilities is that DBAs and Developers are different roles.  An example of security is giving individuals the least amount of authority to do their job.   Also, encryption of confidential data is a good security measure.  An example of auditing is logging logins and activity of users. When ethics violations are encountered and documented, such as stealing, the employer most likely has a section in the company handbook that states how to proceed with such violations. Creating some kind of federal bureaucracy or “governing body” is unnecessary, because real ethics violations are already prosecutable by law. As far as any “grey areas”, as a senior DBA, I make recommendations to the company.  They can either take my recommendations, come up with another solution, or ignore them.  I have never been asked to deliberately do something wrong.  However, if that situation ever presented itself, I would explain my position, and try to come up with an alternative.  
If no satisfactory alternative could be found, I would document our conversation in an email as an audit, and send it to them, I would hold my position, sleep well at night, and wait for the employer’s decision.</description><pubDate>Thu, 05 Feb 2009 08:55:39 GMT</pubDate><dc:creator>Bill Richards-377350</dc:creator></item><item><title>RE: Guest Editorial: Do DBAs Need a Code of Ethics?</title><link>http://www.sqlservercentral.com/Forums/Topic650586-263-1.aspx</link><description>We all SHOULD have an imbedded code already, given to us by our parents. As we can see in today’s world even a well written code of ethics can and will be broken by those of us that don't have this “Thou shalt not steal” part already there. NOT stealing the data is what it’s all about for us DBA’s.</description><pubDate>Thu, 05 Feb 2009 08:27:44 GMT</pubDate><dc:creator>donald.ronemus</dc:creator></item><item><title>RE: Guest Editorial: Do DBAs Need a Code of Ethics?</title><link>http://www.sqlservercentral.com/Forums/Topic650586-263-1.aspx</link><description>Rudy, William, I will take a look at both links - good to see what others are doing and try to learn from that. And that's a really interesting point about PASS (or SSC or ...) being too small an umbrella. I see the challenge if you're in a job where you do Oracle/mySQL/SQL Server and having 3 different sets of ethics! At the same time, going back to the idea of the AMA opinions, maybe there is a place for some SQL Server specific guidance/opinions that layer on top of more broad reaching ones?</description><pubDate>Thu, 05 Feb 2009 08:21:46 GMT</pubDate><dc:creator>Andy Warren</dc:creator></item><item><title>RE: Guest Editorial: Do DBAs Need a Code of Ethics?</title><link>http://www.sqlservercentral.com/Forums/Topic650586-263-1.aspx</link><description>[quote]- As mentioned, a SQL injection vulnerability that you know could expose privacy/credit card data? Do you quit? Call the FBI? 
How long do you give them to fix? [b]Lack of action on your manager's part isn't a lack of action on your part. And I imagine most managers would want this fixed fairly quickly. Don't quit, just do the best you can to fix the issue[/b] - What if an employer wants you to provision a new SQL Server, but wait to pay for the SQL license when SQL 10/11 ships. Technically stealing, do you say no? Quit? Report them? [b]The DBA isn't (usually) in charge of licensing compliance. It's against the licence agreement and it's breaking the law to install it. Legal issue.[/b] - How about if your CIO asks for a spreadsheet of all customers with a credit line of more than $25k (name, address, account #). Do you provide it? Ask him to state he's not going to mis-use it? [b]Is it a DBA's business what data a company pulls from its database? no. If he loses the file on a train it'll be his fault, not yours. The CIO more than anyone knows the value of that data.[/b] - Or you discover that your offsite backup plan consists of the network guy taking the unencrypted tape home with him every night, he's a drunk, getting divorced, and has money problems - what is your role in heading off possible data loss? [b]As DBA, you make sure the data gets safely transported to an offsite location. Giving it to a drunk guy is not a good idea. Find another employee. Or better yet, DIY! and it should be encrypted, of course, but who makes it happen. If it's not you then approach the person who is in charge of it.[/b][/quote] I personally don't take responsibility without taking control. I would never point at someone and try to pass the blame for the same reason. If you're at a company where things aren't right, all you can do is your best to make them so. 
That's your moral obligation as a conscientious employee. Tom</description><pubDate>Thu, 05 Feb 2009 08:15:14 GMT</pubDate><dc:creator>trh</dc:creator></item><item><title>RE: Guest Editorial: Do DBAs Need a Code of Ethics?</title><link>http://www.sqlservercentral.com/Forums/Topic650586-263-1.aspx</link><description>As Andy said, ethics has a lot of gray areas. If you look at the American Medical Association's code of ethics, there are 200 opinions attached that relate to specific situations, and can change over the course of time in response to society. IMHO the best statements related to integrity are found at the American Institute of Certified Public Accountants, Code of Professional Conduct: [url]http://www.aicpa.org/about/code/et_54.html[/url]</description><pubDate>Thu, 05 Feb 2009 08:15:03 GMT</pubDate><dc:creator>WILLIAM MITCHELL</dc:creator></item><item><title>RE: Guest Editorial: Do DBAs Need a Code of Ethics?</title><link>http://www.sqlservercentral.com/Forums/Topic650586-263-1.aspx</link><description>I will not belabor the points mentioned. For taking leadership on ethics my responses are: - Microsoft - NO, NO, a thousand times NO !!! (nor Oracle, nor Sybase or any other software vendor for that matter) - PASS - NO - it is too dedicated to SQL Server and Microsoft - SQL ServerCentral - no - even though the community has depth and breadth, it is still not diverse enough. There already is a professional organization that crosses all platforms, vendors and boundaries that has been in existence since 1951 - that's 58 years. It is the Association of Information Technology Professionals - http://www.aitp.org/ As for a statement of ethics, they have had one in force for quite a while. It is straight-forward and pretty encompassing of all of the issues mentioned.    
http://www.aitp.org/organization/about/ethics/ethics.jsp And a version suitable for printing:     http://www.aitp.org/join/SCOH17CodeEthicsStdsCdt.pdf For something that has been around for so long the ethics espoused are quite eloquent.</description><pubDate>Thu, 05 Feb 2009 08:10:36 GMT</pubDate><dc:creator>rudy - Doctor "X"</dc:creator></item><item><title>RE: Guest Editorial: Do DBAs Need a Code of Ethics?</title><link>http://www.sqlservercentral.com/Forums/Topic650586-263-1.aspx</link><description>Doctors have a code of ethics yet none of them quit their job when insurance tells them they can't perform the surgery that saves the life of a patient. :w00t:</description><pubDate>Thu, 05 Feb 2009 08:04:20 GMT</pubDate><dc:creator>FFalcon1961</dc:creator></item><item><title>RE: Guest Editorial: Do DBAs Need a Code of Ethics?</title><link>http://www.sqlservercentral.com/Forums/Topic650586-263-1.aspx</link><description>[quote][b]roger.plowman (2/5/2009)[/b][hr]A written code of ethics is an admission of failure… Those who are ethical do not require a written code… [/quote] I wholeheartedly agree! Codes of conduct are born out of abuse and/or failure of a particular system. Just look at the current financial mess the country is in. The only hope of curtailing this behavior is to hold people accountable for their actions (different from regulation), which usually means some sort of punishment. Most DBAs know what is at stake and what will happen if they conduct themselves incorrectly.</description><pubDate>Thu, 05 Feb 2009 07:50:44 GMT</pubDate><dc:creator>cy-dba</dc:creator></item><item><title>RE: Guest Editorial: Do DBAs Need a Code of Ethics?</title><link>http://www.sqlservercentral.com/Forums/Topic650586-263-1.aspx</link><description>I don't think ethics is that easy, and I'd rate myself pretty high on the ethic-meter. 
Don't lie/don't steal are fine, but what about gray areas? - As mentioned, a SQL injection vulnerability that you know could expose privacy/credit card data? Do you quit? Call the FBI? How long do you give them to fix? - What if an employer wants you to provision a new SQL Server, but wait to pay for the SQL license when SQL 10/11 ships. Technically stealing, do you say no? Quit? Report them? - How about if your CIO asks for a spreadsheet of all customers with a credit line of more than $25k (name, address, account #). Do you provide it? Ask him to state he's not going to mis-use it? - Or you discover that your offsite backup plan consists of the network guy taking the unencrypted tape home with him every night, he's a drunk, getting divorced, and has money problems - what is your role in heading off possible data loss? Maybe it does come down to don't lie/don't steal. I think the problem with very fixed rules is that they actually give us a way to avoid the gray areas, and that's where the pain often is. I'm just arguing my view, but it's a good discussion.</description><pubDate>Thu, 05 Feb 2009 07:50:41 GMT</pubDate><dc:creator>Andy Warren</dc:creator></item><item><title>RE: Guest Editorial: Do DBAs Need a Code of Ethics?</title><link>http://www.sqlservercentral.com/Forums/Topic650586-263-1.aspx</link><description>[quote]This sounds more like some narcissistic, self-important, "oh look at me, I'm ethical" monkey business - a complete waste of time serving no purpose and surely not being enforceable.  What are we going to do?  Send unethical DBAs to a prison on some island like say, Cuba?[/quote] I agree with this. The writer of the piece I read sounded like they had disappeared up their own backside and started comparing themselves with a doctor of medicine. Yes a DBA could potentially do a lot of damage but so could a lot of much less qualified people, in much less 'important' jobs. As DBAs we make technical decisions, not ethical ones. 
There is actually a right and a wrong solution to each problem we face. Granted, we have to work around things from time to time but it's a case of 'how do I...' not 'should I...' If your manager asks you to break the law, then they're breaking the law. If you steal data, look at confidential information for no reason, edit information for your own purposes etc etc then you are breaking your conditions of employment and probably the law. If you find yourself wondering if what you're doing is morally right or wrong then see your manager. Tom. Just as a point, and I think the term 'ethical' has been taken to mean a number of things now, can anyone give me an example of a moral/ethical/code of conduct related dilemma they've faced? I think all things to do with the management of a database will be covered by law or terms of employment.</description><pubDate>Thu, 05 Feb 2009 07:40:39 GMT</pubDate><dc:creator>trh</dc:creator></item><item><title>RE: Guest Editorial: Do DBAs Need a Code of Ethics?</title><link>http://www.sqlservercentral.com/Forums/Topic650586-263-1.aspx</link><description>I agree with you completely. This will be a double edge sword. The problem I see with this a person of ethics will stay ethical. If I become a part of a group that support a code of ethics that I am to follow. What support does the Code of Ethics give me? If my employer interprets it one way and it is ok and my next manager comes back and uses the Code of Ethics set by the DBAs Code of Ethics and terminates me. What good is the Code. 
If someone doesn't have this already then a code isn't going to change things.</description><pubDate>Thu, 05 Feb 2009 07:25:58 GMT</pubDate><dc:creator>FFalcon1961</dc:creator></item><item><title>RE: Guest Editorial: Do DBAs Need a Code of Ethics?</title><link>http://www.sqlservercentral.com/Forums/Topic650586-263-1.aspx</link><description>As has been discussed by a few different posters, there are certain professional groups that require membership in a larger organization (i.e. Medical Personnel) that enforces ethical practices. I would argue that, in modern society, the only reason to have a written code of ethics is to enforce it. Every individual has a pretty good idea of right and wrong; they're going to make their own choices regardless of what's written. Having a well-defined code of ethics allows an oversight entity to point to it and say "this is why you're disbarred." Until and unless there is some overarching DBA professional organization that everyone belongs to (and that has power to enforce ethical policy) there is no point in creating a DBA code of ethics.</description><pubDate>Thu, 05 Feb 2009 07:25:25 GMT</pubDate><dc:creator>Andy Lennon</dc:creator></item><item><title>RE: Guest Editorial: Do DBAs Need a Code of Ethics?</title><link>http://www.sqlservercentral.com/Forums/Topic650586-263-1.aspx</link><description>[quote][b]FFalcon1961 (2/5/2009)[/b][hr]Question is this ethics board going to be willing to stand up for a member that has been asked to do something unethical and they are terminated for not [b]compiling[/b]?[/quote] Sounds like developer ethics to me . . . 
not sure if that was a joke or not, on the one hand it's a very good point (if read as "complying"), on the other hand, it's funny as all get out.</description><pubDate>Thu, 05 Feb 2009 07:20:52 GMT</pubDate><dc:creator>jcrawf02</dc:creator></item><item><title>RE: Guest Editorial: Do DBAs Need a Code of Ethics?</title><link>http://www.sqlservercentral.com/Forums/Topic650586-263-1.aspx</link><description>[quote][b]Ewan Hampson (2/5/2009)[/b][hr]Well said, Andy Warren.[quote][b]roger.plowman (2/5/2009)[/b][hr]Everyone knows what ethical behavior is.[/quote] If only. Ethics comes from an individual considering their moral position, and can be assisted but not defined by a "Code".  It is about being aware of the wider context and the implications for other people of what you do, [i]in addition to[/i] anything that laws, regulations and employers' terms say.[/quote] Sorry to be blunt, but this is not rocket science. There are only two guiding principles. 1. Do not lie. 2. Do not steal. Even #1 can be subsumed into #2 (theft of truth). After that, it becomes a matter of determining who owns what. And while that can be tricky, the underlying principle never changes. Ever. For any reason. You are paid to safeguard the integrity and confidentiality of the data. Translated: If you violate your agreement you are stealing from your employer. Yes, deliberate intent is required, and due diligence covers issues like some bad guy making it past your best efforts. But anything else? Do not steal. Did I just create a written code of ethics in spite of myself? 
:)</description><pubDate>Thu, 05 Feb 2009 07:17:31 GMT</pubDate><dc:creator>roger.plowman</dc:creator></item><item><title>RE: Guest Editorial: Do DBAs Need a Code of Ethics?</title><link>http://www.sqlservercentral.com/Forums/Topic650586-263-1.aspx</link><description>Well said, Andy Warren.[quote][b]roger.plowman (2/5/2009)[/b][hr]Everyone knows what ethical behavior is.[/quote] If only. Ethics comes from an individual considering their moral position, and can be assisted but not defined by a "Code".  It is about being aware of the wider context and the implications for other people of what you do, [i]in addition to[/i] anything that laws, regulations and employers' terms say. If, to become a member of a professional body, you have to be informed about and to reflect on the ethical dimensions of your work, you can be expected to notice and avoid or query ethically questionable behaviour, and be challenged where you have failed to do so. This is not about enforcing a set of rules, it makes it possible to debate whether you should have acted differently despite rules, or the lack of them. An employer may set a "code of ethics", but the idea is that the individual see things from a perspective far wider than their current job, and get better at doing the "right" thing.  
It's all very fuzzy and grey, and yes, we learn it from childhood but get better by continued learning, considering and reflecting.</description><pubDate>Thu, 05 Feb 2009 07:00:33 GMT</pubDate><dc:creator>Ewan Hampson</dc:creator></item><item><title>RE: Guest Editorial: Do DBAs Need a Code of Ethics?</title><link>http://www.sqlservercentral.com/Forums/Topic650586-263-1.aspx</link><description>Question is this ethics board going to be willing to stand up for a member that has been asked to do something unethical and they are terminated for not compiling?</description><pubDate>Thu, 05 Feb 2009 06:58:05 GMT</pubDate><dc:creator>FFalcon1961</dc:creator></item><item><title>RE: Guest Editorial: Do DBAs Need a Code of Ethics?</title><link>http://www.sqlservercentral.com/Forums/Topic650586-263-1.aspx</link><description>A written code of ethics is an admission of failure. Everyone knows what ethical behavior is. Having written guidelines is nothing more than a feel good measure to soothe the conscience of those who feel they must do "something", no matter how ineffectual. Those who are ethical do not require a written code, those who are not would not adhere to it. So in the end, what is the point? Put another way, the underlying assumptions behind a written code are: 1. No one knows what the rules (ethics) are. 2. Writing them down will (magically) make everyone follow them. Both assumptions are false. I understand this post is very strongly worded, because this is for me a core belief. Those who need a written code of ethics have no business being trusted--at all, in any capacity. You learn ethics in kindergarten. Just because you're in a position of power the rules don't change. Frankly, it's disturbing that anyone (in any profession) ever felt the need to produce a written guideline for ethical behavior. Maybe for first graders as a remedial course. 
But not for adults.</description><pubDate>Thu, 05 Feb 2009 06:54:37 GMT</pubDate><dc:creator>roger.plowman</dc:creator></item><item><title>RE: Guest Editorial: Do DBAs Need a Code of Ethics?</title><link>http://www.sqlservercentral.com/Forums/Topic650586-263-1.aspx</link><description>Speaking both as a member of the PASS Board of Directors and as a concerned DBA, it's an interesting and tricky subject. I do believe it has value for our profession if it can be done right, and my definition of right is: - It has to be strictly ethics, not anything tied to any "best practice". If a business wants to use RAID 0 or a consumer grade PC for a server or deploy shoddy code, in general that is their right and shouldn't challenge our ethics - We have to realize that these are guidelines with no power to enforce other than our own conscience. Are you willing to resign a position if they would ask you to violate one of the ethics rules? - It can actually be used to support us by pointing to an industry standard definition of ethical behavior, in many cases I think employers might go "hey, there is guidance out there" - It needs to include some add-on coaching. Let's say you work in banking and are pretty sure there is a sql injection vulnerability and you notify the business - does that complete your obligation, or are you in a position to have to be a whistle blower? Which may or may not be the right definition. I guess I see it having a lot of value for inexperienced DBA's that see something bad happening, just helping them understand how bad and how much responsibility/liability would be a useful thing.</description><pubDate>Thu, 05 Feb 2009 06:53:13 GMT</pubDate><dc:creator>Andy Warren</dc:creator></item></channel></rss>