The SANS Institute has published several information security policy templates describing best data security practices in template format. This largely means that you can ‘fill in the blanks’ when developing a security policy (although some modification will be in order for your specific circumstances).

In this post we’ll look at the SANS template for a company ethics policy.

A corporate ethics policy is different from the other, more objective SANS data policies. An ethics policy is not solely information systems/information technology (IS/IT) related (although IS/IT use and activities are covered in a blanket ethics policy as a matter of course). Instead, corporate ethics policy covers all activities by the company or its representatives and sets expectations for what is considered ethical behavior in that regard.

The overview, purpose and scope of the ethics policy are closely related. The overview states that the company voluntarily limits its activities to conduct that is ethically beyond reproach. The purpose and scope indicate who is bound by the policy (for example, all corporate officers, employees and contractors) and make clear that corporate officers are expected to set the ethical example through their own behavior. The ethics policy also serves as a statement of company position: it is more than a paper the employee signs and forgets; ethical behavior is part of what defines the company culture.

Policy specifics may cover such issues as conflicts of interest, how to identify them, and what to do about them if they come about; whether activities are legal (all ethics policy elements should at minimum limit themselves to following the letter of the law and become more restrictive from there as company needs suggest); whether behavior reflects credit on the company or disapprobation, and how behaviors or activities would be interpreted if they were exposed to public or media scrutiny.

Ethics policy compliance is twofold. Informally, compliance is a function of the behavior of all officers, employees, and contractors; doing the right thing every time needs to be a matter of company culture. Formally, a written ethics policy needs a mechanism for reporting violations, must set expectations for ethical use of company information and systems, and must define those practices which unarguably fall outside the company's definition of ethical behavior. Finally, Section 5.2 of the template policy is worth quoting in its entirety and should be part of every ethics policy across the board. Section 5.2 simply reads "Exceptions: None."

For more information on policy consulting and development, please contact us.