Information Systems Controls for System Reliability Part 2: Confidentiality, Privacy, Processing Integrity, and Availability Chapter 8 SECURITY CONFIDENTIALITY

FOSTER School of Business Acctg. 320

1

Information Systems Controls for System ReliabilityPart 2: Confidentiality, Privacy, Processing Integrity, and AvailabilityChapter 8

SECURITY

CO

NFI

DEN

TIA

LITY

PR

IVA

CY

PR

OC

ES

SIN

G IN

TE

GR

ITY

AVA

ILA

BIL

ITY

SYSTEMSRELIABILITY


2

Learning ObjectivesAfter studying this chapter, you should

be able to answer the following questions:◦ What controls are used to protect the

confidentiality of sensitive information?◦ What controls are designed to protect

privacy of customers’ personal information?

◦ What controls ensure processing integrity?◦ How are information systems changes

controlled to ensure that the new system satisfies all five principles of systems reliability?


3

Reliable SystemsReliable systems satisfy five principles:

◦ Information Security (discussed in Chapter 7)◦ Confidentiality◦ Privacy◦ Processing integrity◦ Availability

We study the last four principles in chapter 8


4

1. ConfidentialityTable 8-1 in your textbook summaries

key controls to protect confidentiality of information:Situation Controls

Storage Encryption and access controls

Transmission Encryption

Disposal Shredding, thorough erasure, physical destruction

Overall Categorization to reflect value and training in proper work practices


5

1. ConfidentialityThe Internet provides inexpensive

transmission, but data is easily intercepted.

Encryption solves the interception issue.

If data is encrypted before sending it, a virtual private network (VPN) is created.◦ Provides the functionality of a privately

owned network◦ But uses the Internet


6

1. ConfidentialityIt is critical to encrypt any sensitive

information stored in devices that are easily lost or stolen, such as laptops, PDAs, cell phones, and other portable devices.◦ Many organizations have policies against

storing sensitive information on these devices.

◦ 81% of users admit they do so anyway.


7

1. ConfidentialityEncryption alone is not sufficient to protect

confidentiality. Given enough time, many encryption schemes can be broken.

Access controls are also needed:◦ To prevent unauthorized parties from obtaining the

encrypted data; and◦ Because not all confidential information can be encrypted

in storage.Strong authentication techniques are necessary.Strong authorization controls should be used to

limit the actions (read, write, change, delete, copy, etc.) that authorized users can perform when accessing confidential information.


8

1. Confidentiality Controls on visitors, badges at the workplace to prevent

unauthorized entry Require employees not to leave PC’s or Workstations

without logging out Automatically log-out on PC’s and require passwords for

re-entry into system Don’t leave sensitive information out and available. Careful disposal of sensitive information Hard drives often contain sensitive information—need

controls to protect and to dispose of. Labeling documents as confidential, private, etc. Email and instant messaging: once sent there is no way

to retrieve it, so these represent significant exposures (even CEOs have lost jobs)


9

2. Privacy

In the Trust Services framework, the privacy principle is closely related to the confidentiality principle.

Primary difference is that privacy focuses on protecting personal information about customers rather than organizational data.

Key controls for privacy are the same that were previously listed for confidentiality.


10

2. Privacy: LegalCOBIT section DS 11 addresses the

management of data and specifies the need to comply with regulatory requirements.

A number of regulations, including the Health Insurance Portability and Accountability Act (HIPAA) and the Financial Services Modernization Act (aka, Gramm-Leach-Billey Act) require organizations to protect the privacy of customer information.


11

2. Privacy: Best PracticesThe Trust Services privacy framework of the AICPA and

CICA lists ten internationally recognized best practices for protecting the privacy of customers’ personal information:1. Management: policies and procedures to protect privacy

of information. Also assign responsibility and accountability.

2. Notice: before collecting info. tell customers about your Privacy Policies.

3. Choice and consent: Give consumers the right to “opt-out (opt-in).

4. Collection: Collect only information if needed to fulfill purposes stated in privacy policies.

5. Use and retention: use only as promised and keep information only as long as needed.


12

2. Privacy: Best Practices (contin.)

6. Access: Organizations should provide individuals with the right and ability to access, review, correct and delete personal information.

7. Disclosure to Third Parties: Provide information only as described in privacy policies, and only to parties that have comparable privacy policies.

8. Security: take reasonable steps to protect loss or unauthorized disclosure.

9. Quality: maintain integrity of personal information. There should be a low error rate.

10. Monitoring and enforcement: employees assigned to assure compliance with policies. Make sure you have procedures to respond to problems.


13

2. Privacy: CookiesOne topic of concern is cookies used on

Web sites.◦ A cookie is a text file created by a Website and

stored on a visitor’s hard drive. It records what the visitor has done on the site.

◦ Most Websites create multiple cookies per visit to make it easier for visitors to navigate the site.

◦ Browsers can be configured to refuse cookies, but it may make the Website inaccessible.

◦ Cookies are text files and cannot “do” anything other than store information, but many people worry that they violate privacy rights.


14

2. Privacy: Identity TheftAnother privacy-related issue that is of growing

concern is identity theft.◦ Organizations have an ethical and moral

obligation to implement controls to protect databases that contain their customers’ personal information.

◦ Individuals have to be proactive in this growing threat. See 8-1 Focus pg. 299 in your text.


15

2. Privacy: SPAMA related concern involves the

overwhelming volume of spam.◦Spam is unsolicited email that contains

either advertising or offensive content. Reduces the efficiency benefits of email. Is a source of many viruses, worms, spyware,

and other malicious content.


16

2. Privacy: SPAMIn 2003, the U.S. Congress passed the

Controlling the Assault of Non-Solicited Pornography and Marketing (CAN-SPAM) Act.◦ Provides criminal and civil penalties for violation

of the law.◦ Applies to commercial email, which is any email

with a primary purpose of advertising or promotion.

◦ Covers most legitimate email sent by organizations to customers, suppliers, or donors to non-profits.


17

2. Privacy: SPAMOrganizations must carefully follow the CAN-SPAM

guidelines. Key provisions are:◦ The sender’s identity must be clearly displayed in the

message header.

◦ The subject field in the header must clearly identify the message as an advertisement or solicitation.

◦ The body must provide recipients with a working link that can be used to “opt out” of future email.

◦ The body must include the sender’s valid postal address.

◦ Organizations should not: Send email to randomly generated addresses. Set up Websites designed to harvest email addresses of

potential customers.


18

3. PROCESSING INTEGRITYCOBIT control objective DS 11.1

addresses the need for controls over the input, processing, and output of data.

Identifies six categories of controls that can be used to satisfy that objective.

Six categories are grouped into three for discussion.


19

3. PROCESSING INTEGRITYThree categories/groups of integrity

controls are designed to meet the preceding objectives:◦Input controls◦Processing controls◦Output controls


20

3. PROCESSING INTEGRITY The following input controls regulate integrity of input:

◦ Forms design: design forms to minimize errors.◦ Pre-numbered forms sequence test: verify that sequence does

not include gaps.◦ Turnaround documents: to pay bills.◦ Cancellation and storage of documents: e.g, mark as paid.◦ Authorization and segregation of duties: check who created the

form.◦ Visual scanning: scan for reasonableness before entering the

data. Are the numbers reasonable? Sniff test.◦ Check digit verification: an added digit that is computed from

other digits.◦ RFID security: RFID slowly replacing bar codes (although this

is debatable). RFID tags should be write-protected, so customers cannot change information, such as prices.


21

3. PROCESSING INTEGRITYData Entry Controls:Field checks: is the information of the proper type

(don’t expect letters in a zip code field).Sign checks: +/-, number ordered should only be

positive numbers, for example.Limit checks: can’t exceed a certain limit, say

40/hours per week.Range checks: a lower limit, and an upper limitSize check: if eight figures are required, don’t

accept nine. For example, accept a zip code of five digits, or nine digits only.


22

3. PROCESSING INTEGRITYData Entry Controls: (continued)

Completeness check: all the needed data is entered.

Validity check: check if it is a valid account number, for example.

Reasonableness check: tests the logical relationship between two numbers.


23

3. PROCESSING INTEGRITYProcessing Controls

Processing controls to ensure that data is processed correctly include: Data matching: two or more pieces of data that

have to be matched (such as vendor invoice and purchase order). Some companies have programs that automatically match these items so they are not manually matched.

File labels: ensure correct and more recent files are being updated.

Recalculation of batch totals: to make sure all transactions are processed.


24

3. PROCESSING INTEGRITYProcessing Controls (continued)

Cross-footing balance test: making sure that figures add correctly vertically and horizontally.

Write-protection mechanisms: prevents you from overwriting data that should not be changed.

Database processing integrity procedures: database administrators, data dictionaries, concurrent update controls.


25

3. PROCESSING INTEGRITY

Output Controls:Careful checking of system output provides

additional control over processing integrity.◦ Output controls include:

User review of output: carefully examine output for reasonableness and completeness.

Reconciliation procedures: e.g., balances in inventory database should equal general ledger inventory acct. bal.

External data reconciliation: e.g., compare payroll files with HR files.


26

3. PROCESSING INTEGRITYOutput Controls: Protecting transmission of data

◦ In addition to using encryption to protect the confidentiality of information being transmitted, organizations need controls to minimize the risk of data transmission errors.

◦ Two basic types of data transmission controls: Parity checking Message acknowledgment techniques


27

3. PROCESSING INTEGRITYParity checking

◦ Computers represent characters as a set of binary digits (bits).

◦ For example, “5” is represented by the seven-bit pattern 0000101.

◦ When data are transmitted some bits may be lost or received incorrectly.

◦ Two basic schemes to detect these events are referred to as even parity and odd parity.

◦ In either case, an additional bit is added to the digit being transmitted.


28

3. PROCESSING INTEGRITYMessage Acknowledgment Techniques

◦ A number of message acknowledgment techniques can be used to let the sender of an electronic message know that a message was received: Echo check: the sender and receiver each count

the number of bits, to make sure none are lost. Trailer record: the sending unit includes in a

trailer record a total, and the receiver uses the trailer record to verify all are received.

Numbered batches: large messages have to be sent in small packets, each is numbered so that the receiving unit can reassemble the packets.


29

4. AVAILABILITYReliable systems are available for use

whenever needed.Threats to system availability originate from

many sources, including:◦ Hardware and software failures◦ Natural and man-made disasters◦ Human error◦ Worms and viruses◦ Denial-of-service attacks and other sabotageHow might you reduce the risk of system downtime?


30

4. AVAILABILITY

Disaster Recovery and Business Continuity Planning

The objectives of a disaster recovery and business continuity plan are to:◦Minimize the extent of the disruption,

damage, and loss.◦Temporarily establish an alternative

means of processing information.◦Resume normal operations as soon as

possible.◦Train and familiarize personnel with

emergency operations.


31

4. AVAILABILITYData backup terms:

A backup is an exact copy of most recent database. A full backup is a copy of the entire system. Partial backups can be either: (1) incremental (data items that changed since last backup, done daily) or (2) differential (cumulative effect of all changes since last full backup, takes longer than incremental).

Restoration is process of installing the backup.

Restore with incremental backup by running in proper order. Restore with differential is faster.

Recovery point objective (RPO) is the maximum length of time willing to risk loss of transaction data.


32

4. AVAILABILITYReal-time mirroring almost eliminates risk of losing

any data. Data is recorded at two data centers at the same time. Expensive. Used by financial companies.

Checkpoint is when (time) a copy of the database is made.

An archive is a copy of a program, file or database that will be retained indefinitely, often for legal or regulatory purposes.


33

4. AVAILABILITY

Infrastructure ReplacementProvisions for replacing the necessary computing

infrastructure: computers, networking equipment, telephone lines, office equipment and supplies.

(1) Reciprocal agreement, least expensive, contract with another organization to have temporary access to another’s information system resources

(2) Cold site, purchase or lease, empty building, prewired, contract with others to provide equipment.

(3) Hot site, ready to go, expensive, provides real-time mirroring opportunity.


34

4. AVAILABILITYDocumentation: disaster recovery

◦An important and often overlooked component. Should include: The disaster recovery plan itself, including

instructions for notifying appropriate staff and the steps to resume operation, needs to be well documented.

Assignment of responsibility for the various activities. Vendor documentation of hardware and software. Documentation of modifications made to the default

configuration (so replacement will have the same functionality).

Detailed operating instructions.◦Copies of all documentation should be stored

both on-site and off-site.


35

4. AVAILABILITYTesting

◦Periodic testing and revision is probably the most important component of effective disaster recovery and business continuity plans. Most plans fail their initial test, because it’s

impossible to anticipate everything that could go wrong.

The time to discover these problems is before the actual emergency and in a setting where the weaknesses can be carefully analyzed and appropriate changes made.


36

4. AVAILABILITYInsurance

◦Organizations should acquire adequate insurance coverage to defray part or all of the expenses associated with implementing their disaster recovery and business continuity plans.


37

CHANGE MANAGEMENT CONTROLSBusinesses frequently change information

systems. Controls are necessary to make sure changes do not impact system reliability.

Document all changes.Make sure changes are approved by the

appropriate parties.Changes need to be thoroughly tested.Develop “backout” plans to undo change if

necessary.Adequate monitoring and review by senior

management (most important). Usually done by the IT steering committee.

Documents

Information Systems Controls for System Reliability Part 2: Confidentiality, Privacy, Processing Integrity, and Availability Chapter 8 SECURITY CONFIDENTIALITY