Slide 1
CHAPTER 8
Information Systems Controls for System Reliability Part 2: Confidentiality, Privacy, Processing Integrity, and Availability
Slide 2
• Questions to be addressed in this chapter include:
– What controls are used to protect the confidentiality of sensitive information?
– What controls are designed to protect the privacy of customers' personal information?
– What controls ensure processing integrity?
– How are information systems changes controlled to ensure that the new system satisfies all five principles of systems reliability?
Slide 3
– Processing integrity
– Availability
Slide 4
• Reliable systems maintain the confidentiality of sensitive information.
Slide 5
• Maintaining confidentiality requires that management identify which information is sensitive.
• Each organization will develop its own definition of what information needs to be protected.
• Most definitions will include:
– Business plans
– Pricing strategies
– Client and customer lists
– Legal documents
• COBIT control objective PO 2.3 specifies the need to identify and properly label potentially sensitive information, to assign responsibility for its protection, and to implement appropriate controls.
Slide 6
• Table 8-1 in your textbook summarizes key controls to protect the confidentiality of information:
in proper work practices
Slide 7
• Encryption is a fundamental control procedure for protecting the confidentiality of sensitive information.
• Confidential information should be encrypted:
– While stored (at rest)
– Whenever transmitted (in transit)
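As an added example (not from the textbook or these slides), the Go program below shows what "encrypted while stored" looks like for a single database field, using AES-256-GCM from the Go standard library; it also serves the later slide on encrypting customers' personal information in storage. The key, the field value and the row identifier are constructed for the demonstration, and a real system would fetch the key from a KMS, HSM or OS keyring at runtime rather than compiling it in. Beyond the slide's statement, it shows two properties a practitioner relies on: a stolen copy of the stored blob is unreadable without the key, and any tampering with the blob, or moving it into another customer's row, is detected rather than silently decrypted to garbage.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// demoKey is a constructed 32-byte key used only so this example runs offline.
// In production the key is generated by and fetched from a KMS/HSM or OS
// keyring at runtime and is never stored beside the data it protects.
var demoKey = []byte("0123456789abcdef0123456789abcdef")

// sealRecord encrypts one stored field with AES-256-GCM (authenticated
// encryption) and returns nonce || ciphertext || tag as a single blob that can
// be written to a database column or file. aad (e.g. the row's primary key) is
// authenticated but not encrypted, so a blob copied into another customer's
// row fails to decrypt.
func sealRecord(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil { // fresh random nonce per record
		return nil, err
	}
	out := make([]byte, 0, len(nonce)+len(plaintext)+gcm.Overhead())
	out = append(out, nonce...)
	return gcm.Seal(out, nonce, plaintext, aad), nil
}

// openRecord reverses sealRecord. Any modification to the blob, or a mismatch
// in aad, makes gcm.Open return an error instead of garbage plaintext.
func openRecord(key, blob, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("stored blob is too short to be valid")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, aad)
}

// newGCM builds the AEAD, refusing keys that are not 32 bytes (AES-256).
func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func main() {
	aad := []byte("customer:42") // constructed row identifier, bound to the ciphertext
	blob, err := sealRecord(demoKey, []byte("SSN=123-45-6789"), aad)
	if err != nil {
		panic(err)
	}
	fmt.Println("stored:", hex.EncodeToString(blob)) // what a thief of the database sees

	pt, err := openRecord(demoKey, blob, aad)
	fmt.Printf("decrypted: %s, err=%v\n", pt, err)

	// Flip one ciphertext byte: authentication fails and no plaintext is returned.
	blob[len(blob)-1] ^= 0x01
	_, err = openRecord(demoKey, blob, aad)
	fmt.Println("after tampering:", err)
}
```

This covers the "encrypted while stored" case. For the "whenever transmitted" case, protect the channel with TLS rather than building a transport protocol around a routine like this. Note also that encryption does not remove the need for the access controls discussed on the following slides: whoever can call openRecord with the key sees the plaintext, so the key and the decrypting code path need the same authorization controls as the data.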
Slide 8
• The Internet provides inexpensive transmission, but data crossing it is easily intercepted.
• Encryption addresses the interception problem: captured traffic cannot be read without the key.
• Encrypting traffic between two sites before it crosses the Internet creates a virtual private network (VPN):
– Provides the functionality of a privately owned network
– But uses the Internet as the carrier
Slide 9
• VPN software creates private communication channels, often referred to as tunnels.
– The tunnels are usable only by parties who hold the appropriate encryption and decryption keys.
– The cost of VPN software is much less than the cost of leasing or buying a privately owned, secure communications network.
– It also makes it much easier to add or remove sites from the "network."
• In accordance with COBIT DS 5.11, VPNs include controls to authenticate the parties exchanging information and to create an audit trail of the exchange.
Slide 10
• It is critical to encrypt any sensitive information stored on devices that are easily lost or stolen, such as laptops, PDAs, cell phones, and other portable devices.
– Many organizations have policies against storing sensitive information on these devices.
– 81% of users admit they do so anyway.
Slide 11
• Encryption alone is not sufficient to protect confidentiality. Weak or obsolete encryption schemes can be broken, and even a strong scheme is defeated if its keys are exposed.
• Access controls are also needed:
– To prevent unauthorized parties from obtaining the encrypted data (or the keys); and
– Because not all confidential information can be encrypted in storage.
• Strong authentication techniques are necessary.
• Strong authorization controls should be used to limit the actions (read, write, change, delete, copy, etc.) that authorized users can perform when accessing confidential information.
Slide 12
• Access to system outputs should also be controlled:
– Do not allow visitors to roam through buildings unsupervised.
– Require employees to log out of any application before leaving their workstation unattended, so other employees do not gain unauthorized access.
– Workstations should use password-protected screen savers that engage automatically after a specified period of inactivity.
– Access should be restricted to rooms housing printers and fax machines.
– Reports should be coded to reflect the sensitivity of the information they contain, and employees should be trained not to leave reports with sensitive information lying in plain view.
Slide 13
• It is especially important to control the disposal of information resources.
• Printed reports and microfilm containing sensitive information should be shredded.
• COBIT control objective DS 11.4 addresses the need to define and implement procedures governing the disposal of sensitive data and any hardware on which that data was stored.
Slide 14
• Special procedures are needed for information stored on magnetic and optical media.
– Using built-in operating system commands to delete a file does not truly delete it: the directory entry is removed but the data blocks remain, and utility programs can often recover them.
– Defragmenting a disk may actually create multiple copies of a "deleted" document.
– Consequently, special software should be used to "wipe" the media clean by repeatedly overwriting the disk with random patterns of data (sometimes referred to as
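As an added example (not from the textbook or these slides), the Go program below implements the overwrite-then-delete procedure the slide describes at the level of a single file: it rewrites the file's bytes with random data from crypto/rand, flushes each pass to the device, truncates, and only then unlinks, so a plain delete's leftover data blocks are no longer there to recover. The file name and contents are constructed for the demonstration. Two caveats the slide predates: NIST SP 800-88 treats a single overwrite pass as sufficient for modern magnetic drives, so multiple passes are a legacy habit rather than a requirement; and overwriting through the filesystem does not reach old copies retained by SSD wear levelling, journaling or copy-on-write filesystems, snapshots, or backups. For those media use the drive's built-in sanitize command (ATA Secure Erase, NVMe Format/Sanitize), full-disk encryption with destruction of the key, or physical destruction.

```go
package main

import (
	"crypto/rand"
	"fmt"
	"io"
	"os"
	"path/filepath"
)

// overwriteContents rewrites every byte of the open file `passes` times with
// random data and flushes each pass to the device, so the previous contents
// are no longer readable through the filesystem. It returns the file size.
// Caveat (added here, not on the slide): this only helps where blocks are
// rewritten in place, i.e. magnetic disks on a non-journaling, non-CoW
// filesystem. SSD wear levelling, CoW/journaled filesystems, snapshots and
// backups keep old copies that no file-level overwrite reaches.
func overwriteContents(f *os.File, passes int) (int64, error) {
	info, err := f.Stat()
	if err != nil {
		return 0, err
	}
	size := info.Size()
	for pass := 0; pass < passes; pass++ {
		if _, err := f.Seek(0, io.SeekStart); err != nil {
			return 0, err
		}
		if _, err := io.CopyN(f, rand.Reader, size); err != nil {
			return 0, err
		}
		if err := f.Sync(); err != nil { // force the pass out of the page cache
			return 0, err
		}
	}
	return size, nil
}

// wipeFile overwrites a file in place, truncates it to zero length and unlinks
// it. A bare os.Remove would only drop the directory entry and leave the data
// blocks intact for a recovery tool, which is the problem the slide describes.
func wipeFile(path string, passes int) (int64, error) {
	f, err := os.OpenFile(path, os.O_WRONLY, 0)
	if err != nil {
		return 0, err
	}
	size, err := overwriteContents(f, passes)
	if err != nil {
		f.Close()
		return 0, err
	}
	if err := f.Truncate(0); err != nil {
		f.Close()
		return 0, err
	}
	if err := f.Close(); err != nil {
		return 0, err
	}
	return size, os.Remove(path)
}

func main() {
	// Constructed sample: a "confidential" report in a temporary directory.
	dir, err := os.MkdirTemp("", "wipe-demo")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	path := filepath.Join(dir, "report.txt")
	if err := os.WriteFile(path, []byte("Q3 pricing strategy: raise list price 12%"), 0o600); err != nil {
		panic(err)
	}
	n, err := wipeFile(path, 3)
	fmt.Printf("overwrote %d bytes x3 passes, err=%v\n", n, err)
	_, err = os.Stat(path)
	fmt.Println("file still present:", !os.IsNotExist(err))
}
```

Run it against a file on a spinning disk and a recovery tool that scanned the freed blocks would find random bytes rather than the report. On an SSD or a snapshotting filesystem the same program runs without error but gives no such guarantee, which is why device-level sanitization or encryption with key destruction is the modern default.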
Slide 15
• Controls to protect confidentiality must be continuously reviewed and modified to respond to new threats created by technological advances.
• Many organizations now prohibit visitors from using cell phones while touring their facilities because of the threat posed by the cameras in these phones.
• Because these devices are easy to hide, some organizations use jamming devices to deactivate their imaging systems while on company premises.
Slide 16
• Phone conversations have also been affected by technology.
• Voice over IP (VoIP) routes phone conversations as packets over the Internet.
– Because unencrypted VoIP packets can be captured and reassembled like any other network traffic, which makes wiretapping much easier, conversations about sensitive topics should be encrypted.
Slide 17
• Employee use of email and instant messaging (IM) probably represents two of the greatest threats to the confidentiality of sensitive information.
– It is virtually impossible to control the distribution of information once the recipient holds it.
– Organizations need to develop comprehensive policies governing the appropriate and allowable use of these technologies for business purposes.
– Employees need to be trained on what type of information they can and cannot share, especially over IM.
Slide 18
• Many organizations are taking steps to address the confidentiality threats created by email and IM.
– One response is to mandate encryption of all email containing sensitive information.
– Some organizations prohibit the use of freeware IM products and purchase commercial products with security features, including encryption.
– Users sending email must be trained to be very careful about the identity of their addressee.
• EXAMPLE: The organization may have two employees named Allen Smith. It's critical that sensitive information
Slide 19
• In the Trust Services framework, the privacy principle is closely related to the confidentiality principle.
• The primary difference is that privacy focuses on protecting personal information about customers rather than organizational data.
• The key controls for privacy are the same as those listed previously for confidentiality.
Slide 20
• COBIT section DS 11 addresses the management of data and specifies the need to comply with regulatory requirements.
• A number of regulations, including the Health Insurance Portability and Accountability Act (HIPAA) and the Financial Services Modernization Act (aka the Gramm-Leach-Bliley Act), require organizations to protect the privacy of customer information.
Slides 21-30
• The Trust Services privacy framework of the AICPA and CICA lists ten internationally recognized best practices for protecting the privacy of customers' personal information:
– Management
  • The organization establishes a set of procedures and policies for protecting the privacy of the personal information it collects.
  • It assigns responsibility and accountability for those policies to a specific person or group.
– Notice
– Choice and consent
  • Describes the choices available to individuals and obtains their consent to the collection and use of their personal information.
  • Choices may differ across countries.
    – United States: the default is "opt out," i.e., organizations can collect personal information about customers unless the customer explicitly objects.
    – Europe: the default is "opt in," i.e., organizations cannot collect the information unless customers explicitly give them permission.
– Collection
  • The organization collects only the information needed to fulfill the purposes stated in its privacy policies.
– Use and retention
  • The organization uses its customers' personal information only according to stated policy and retains that …
– Access
  • The organization provides individuals with the ability to access, review, correct, and delete the personal information stored about them.
– Disclosure to third parties
  • The organization discloses customers' personal information to third parties only per stated policy and only to third parties who provide equivalent protection.
– Security
  • The organization takes reasonable steps to protect customers' personal information from loss or unauthorized disclosure.
  • Issues that are sometimes overlooked:
    – Disposal of computer equipment
      • Should follow the suggestions in the section on protecting confidentiality.
    – Mass email
      • If you send an email to a list of recipients, each recipient typically sees who the other recipients are.
      • If the email concerns a private matter, e.g., the recipients' AIDS treatment, then the privacy of every recipient has been violated.
      • One remedy is to address the recipients on the "Bcc" line of the email rather than as To or Cc addressees; sending each recipient an individual message removes the risk that a single mis-addressed send exposes the entire list.
    – Release of electronic documents
      • When physical documents are exchanged, portions are sometimes blacked out (redacted) to protect privacy.
      • Similar procedures are needed for the exchange of electronic documents. Drawing a black box over text in a PDF or word-processing file hides it on screen but leaves the underlying text, and often revision history and metadata, in the file; electronic redaction must remove the content itself.
– Quality
  • The organization maintains the integrity of its customers' personal information.
– Monitoring and enforcement
  • … resolution processes.
Slide 31
• As with confidentiality, encryption and access controls are the two basic mechanisms for protecting consumers' personal information.
– It is common practice to use SSL (today, its successor TLS) to encrypt all personal information transmitted between individuals and the organization's website.
– However, SSL/TLS only protects the information in transit; once it reaches the server it is in the clear unless it is separately encrypted in storage.
– Consequently, strong authentication controls are needed to restrict website visitors' access to individual accounts.
Slide 32
• … encrypting customers' personal information in storage.
– May be economically justified, because some state laws require companies to notify all customers of security incidents.
– The notification process is costly but may be waived if the information was encrypted while in storage (such exemptions presume the decryption key was not exposed along with the data).
• California SB 1386 effectively requires companies to notify all their customers whenever a security incident may have led to the compromise of personally identifiable information.
Slide 33
• Organizations need to train employees on how to manage personal information collected from customers.
– Especially important for medical and financial information.
– Intentional misuse or unauthorized disclosure can have serious economic consequences, including:
• A drop in stock price
• Significant lawsuits
• Government suspension of the organization's business activity
Slide 34
• One topic of concern is cookies used on websites.
– A cookie is a small text record created by a website and stored by the visitor's browser. It records what the visitor has done on the site.
– Most websites create multiple cookies per visit to make it easier for visitors to navigate the site.
– Browsers can be configured to refuse cookies, but doing so may make the website unusable.
– Cookies are text and cannot "do" anything other than store information, but many people worry that they violate privacy rights. What they store is often a session identifier, so a cookie that is captured or copied lets an attacker impersonate the visitor; cookies carrying credentials must therefore be protected as confidential data themselves (sent only over encrypted connections, with the Secure and HttpOnly attributes set).
Slide 35
• Another privacy-related issue of growing concern is identity theft.
– Organizations have an ethical and moral obligation to implement controls to protect databases that contain their customers' personal information.
Slide 36
• Steps that individuals can take to minimize the risk of becoming a victim of identity theft include:
– Shred all documents that contain personal information, especially unsolicited credit card offers. Cross-cut shredders are more effective.
– Never send personally identifying information in unencrypted email.
– Beware of email, phone, and print requests to "verify" personal information that the requesting party should already possess.
• Credit card companies won't ask for your security code.
• The IRS won't email you for identifying information in response to an audit.
Slide 37
– Do not carry your social security card with you or comply with requests to reveal the last 4 digits.
– Limit the amount of identifying information preprinted on checks and consider eliminating it.
– Do not place outgoing mail containing checks or personal information in your mailbox for pickup.
– Don't carry more than a few blank checks with you.
– Use special software to thoroughly clean any digital media before disposal, or physically destroy the media. It is especially important to thoroughly erase or destroy hard drives before donating or disposing of equipment.
Slide 38
– Monitor your credit reports regularly.
– File a police report as soon as you discover that your purse or wallet was stolen.
– Make photocopies of driver's licenses, passports, and credit cards. Store them, together with the phone numbers for all the credit cards, in a safe location to facilitate notifying the authorities if they are stolen.
– Immediately cancel any lost or stolen credit cards.
Slide 39
• A related concern involves the overwhelming volume of spam.
– Spam is unsolicited email that contains either advertising or offensive content.
• It reduces the efficiency benefits of email.
• It is a source of many viruses, worms, spyware, and other malicious content.
Slide 40
• In 2003, the U.S. Congress passed the Controlling the Assault of Non-Solicited Pornography and Marketing (CAN-SPAM) Act.
– Provides criminal and civil penalties for violation of the law.
– Applies to commercial email, which is any email with a primary purpose of advertising or promotion.
– Covers most legitimate email sent by organizations to customers, suppliers, or donors to non-profits.