CN08

advertisement
AVAILABILITY
PROCESSING INTEGRITY
PRIVACY
SYSTEMS
RELIABILITY
CONFIDENTIALITY
Information
Systems
Controls for
System
Reliability
Part 2:
Confidentiality,
Privacy,
Processing
Integrity, and
Availability
Chapter 8
SECURITY
FOSTER School of Business
Acctg. 320
1
Learning Objectives

After studying this chapter, you should be able
to answer the following questions:
◦ What controls are used to protect the confidentiality
of sensitive information?
◦ What controls are designed to protect privacy of
customers’ personal information?
◦ What controls ensure processing integrity?
◦ How are information systems changes controlled to
ensure that the new system satisfies all five principles
of systems reliability?
FOSTER School of Business
Acctg. 320
2
Reliable Systems

Reliable systems satisfy five principles:
◦
◦
◦
◦
◦
Information Security (discussed in Chapter 7)
Confidentiality
Privacy
Processing integrity
Availability
We study the last four principles in chapter 8
FOSTER School of Business
Acctg. 320
3
1. Confidentiality
Table 8-1 in your textbook summaries key
controls to protect confidentiality of
information:
Situation
Storage
Controls
Encryption and access controls
Transmission
Disposal
Encryption
Shredding, thorough erasure,
physical destruction
Overall
Categorization to reflect value
and training in proper work
practices
FOSTER School of Business
Acctg. 320
4
1. Confidentiality
The Internet provides inexpensive transmission,
but data is easily intercepted.
 Encryption solves the interception issue.
 If data is encrypted before sending it, a virtual
private network (VPN) is created.

◦ Provides the functionality of a privately owned
network
◦ But uses the Internet
FOSTER School of Business
Acctg. 320
5
1. Confidentiality

It is critical to encrypt any sensitive information
stored in devices that are easily lost or stolen,
such as laptops, PDAs, cell phones, and other
portable devices.
◦ Many organizations have policies against storing
sensitive information on these devices.
◦ 81% of users admit they do so anyway.
FOSTER School of Business
Acctg. 320
6
1. Confidentiality


Encryption alone is not sufficient to protect
confidentiality. Given enough time, many
encryption schemes can be broken.
Access controls are also needed:
◦ To prevent unauthorized parties from obtaining the
encrypted data; and
◦ Because not all confidential information can be encrypted
in storage.


Strong authentication techniques are necessary.
Strong authorization controls should be used to
limit the actions (read, write, change, delete, copy,
etc.) that authorized users can perform when
accessing confidential information.
FOSTER School of Business
Acctg. 320
7
1. Confidentiality








Controls on visitors, badges at the workplace to prevent
unauthorized entry
Require employees not to leave PC’s or Workstations
without logging out
Automatically log-out on PC’s and require passwords
for re-entry into system
Don’t leave sensitive information out and available.
Careful disposal of sensitive information
Hard drives often contain sensitive information—need
controls to protect and to dispose of.
Labeling documents as confidential, private, etc.
Email and instant messaging: once sent there is no
way to retrieve it, so these represent significant
exposures (even CEOs have lost jobs)
FOSTER School of Business
Acctg. 320
8
2. Privacy
In the Trust Services framework, the
privacy principle is closely related to the
confidentiality principle.
 Primary difference is that privacy focuses
on protecting personal information about
customers rather than organizational
data.
 Key controls for privacy are the same that
were previously listed for confidentiality.

FOSTER School of Business
Acctg. 320
9
2. Privacy: Legal


COBIT section DS 11 addresses the
management of data and specifies the need
to comply with regulatory requirements.
A number of regulations, including the
Health Insurance Portability and
Accountability Act (HIPAA) and the Financial
Services Modernization Act (aka, GrammLeach-Billey Act) require organizations to
protect the privacy of customer information.
FOSTER School of Business
Acctg. 320
10
2. Privacy: Best Practices
The Trust Services privacy framework of the AICPA
and CICA lists ten internationally recognized best
practices for protecting the privacy of customers’
personal information:
1. Management: policies and procedures to protect
privacy of information. Also assign responsibility
and accountability.
2. Notice: before collecting info. tell customers about
your Privacy Policies.
3. Choice and consent: Give consumers the right to
“opt-out (opt-in).
4. Collection: Collect only information if needed to
fulfill purposes stated in privacy policies.
5. Use and retention: use only as promised and keep
information only as long as needed.
FOSTER School of Business
Acctg. 320
11
2. Privacy: Best Practices (contin.)
6. Access: Organizations should provide individuals
with the right and ability to access, review, correct
and delete personal information.
7. Disclosure to Third Parties: Provide information only
as described in privacy policies, and only to parties
that have comparable privacy policies.
8. Security: take reasonable steps to protect loss or
unauthorized disclosure.
9. Quality: maintain integrity of personal information.
There should be a low error rate.
10. Monitoring and enforcement: employees assigned
to assure compliance with policies. Make sure you
have procedures to respond to problems.
FOSTER School of Business
Acctg. 320
12
2. Privacy: Cookies

One topic of concern is cookies used on
Web sites.
◦ A cookie is a text file created by a Website and
stored on a visitor’s hard drive. It records what
the visitor has done on the site.
◦ Most Websites create multiple cookies per visit to
make it easier for visitors to navigate the site.
◦ Browsers can be configured to refuse cookies,
but it may make the Website inaccessible.
◦ Cookies are text files and cannot “do” anything
other than store information, but many people
worry that they violate privacy rights.
FOSTER School of Business
Acctg. 320
13
2. Privacy: Identity Theft
Another privacy-related issue that is of growing
concern is identity theft.
◦ Organizations have an ethical and moral
obligation to implement controls to protect
databases that contain their customers’ personal
information.
◦ Individuals have to be proactive in this growing
threat. See 8-1 Focus pg. 299 in your text.
FOSTER School of Business
Acctg. 320
14
2. Privacy: SPAM

A related concern involves the
overwhelming volume of spam.
◦ Spam is unsolicited email that contains
either advertising or offensive content.
 Reduces the efficiency benefits of email.
 Is a source of many viruses, worms, spyware,
and other malicious content.
FOSTER School of Business
Acctg. 320
15
2. Privacy: SPAM

In 2003, the U.S. Congress passed the
Controlling the Assault of Non-Solicited
Pornography and Marketing (CANSPAM) Act.
◦ Provides criminal and civil penalties for violation
of the law.
◦ Applies to commercial email, which is any email
with a primary purpose of advertising or
promotion.
◦ Covers most legitimate email sent by
organizations to customers, suppliers, or donors
to non-profits.
FOSTER School of Business
Acctg. 320
16
2. Privacy: SPAM

Organizations must carefully follow the CAN-SPAM
guidelines. Key provisions are:
◦ The sender’s identity must be clearly displayed in the
message header.
◦ The subject field in the header must clearly identify the
message as an advertisement or solicitation.
◦ The body must provide recipients with a working link that
can be used to “opt out” of future email.
◦ The body must include the sender’s valid postal address.
◦ Organizations should not:
 Send email to randomly generated addresses.
 Set up Websites designed to harvest email addresses of
potential customers.
FOSTER School of Business
Acctg. 320
17
3. PROCESSING INTEGRITY
COBIT control objective DS 11.1
addresses the need for controls over
the input, processing, and output of
data.
 Identifies six categories of controls
that can be used to satisfy that
objective.
 Six categories are grouped into three
for discussion.

FOSTER School of Business
Acctg. 320
18
3. PROCESSING INTEGRITY

Three categories/groups of integrity
controls are designed to meet the
preceding objectives:
◦ Input controls
◦ Processing controls
◦ Output controls
FOSTER School of Business
Acctg. 320
19
3. PROCESSING INTEGRITY

The following input controls regulate integrity of
input:
◦ Forms design: design forms to minimize errors.
◦ Pre-numbered forms sequence test: verify that sequence
does not include gaps.
◦ Turnaround documents: to pay bills.
◦ Cancellation and storage of documents: e.g, mark as paid.
◦ Authorization and segregation of duties: check who created
the form.
◦ Visual scanning: scan for reasonableness before entering
the data. Are the numbers reasonable? Sniff test.
◦ Check digit verification: an added digit that is computed
from other digits.
◦ RFID security: RFID slowly replacing bar codes (although
this is debatable). RFID tags should be write-protected, so
customers cannot change information, such as prices.
FOSTER School of Business
Acctg. 320
20
3. PROCESSING INTEGRITY
Data Entry Controls:





Field checks: is the information of the proper type
(don’t expect letters in a zip code field).
Sign checks: +/-, number ordered should only be
positive numbers, for example.
Limit checks: can’t exceed a certain limit, say
40/hours per week.
Range checks: a lower limit, and an upper limit
Size check: if eight figures are required, don’t
accept nine. For example, accept a zip code of five
digits, or nine digits only.
FOSTER School of Business
Acctg. 320
21
3. PROCESSING INTEGRITY
Data Entry Controls: (continued)



Completeness check: all the needed data is
entered.
Validity check: check if it is a valid account
number, for example.
Reasonableness check: tests the logical
relationship between two numbers.
FOSTER School of Business
Acctg. 320
22
3. PROCESSING INTEGRITY
Processing Controls
Processing controls to ensure that data is
processed correctly include:
 Data matching: two or more pieces of data that
have to be matched (such as vendor invoice
and purchase order). Some companies have
programs that automatically match these items
so they are not manually matched.
 File labels: ensure correct and more recent files
are being updated.
 Recalculation of batch totals: to make sure all
transactions are processed.
FOSTER School of Business
Acctg. 320
23
3. PROCESSING INTEGRITY
Processing Controls (continued)
 Cross-footing balance test: making sure that
figures add correctly vertically and horizontally.
 Write-protection mechanisms: prevents you
from overwriting data that should not be
changed.
 Database processing integrity procedures:
database administrators, data dictionaries,
concurrent update controls.
FOSTER School of Business
Acctg. 320
24
3. PROCESSING INTEGRITY
Output Controls:
Careful checking of system output provides
additional control over processing integrity.
◦ Output controls include:
 User review of output: carefully examine output
for reasonableness and completeness.
 Reconciliation procedures: e.g., balances in
inventory database should equal general
ledger inventory acct. bal.
 External data reconciliation: e.g., compare
payroll files with HR files.
FOSTER School of Business
Acctg. 320
25
3. PROCESSING INTEGRITY
Output Controls: Protecting transmission of data
◦ In addition to using encryption to protect the
confidentiality of information being transmitted,
organizations need controls to minimize the risk
of data transmission errors.
◦ Two basic types of data transmission controls:
 Parity checking
 Message acknowledgment techniques
FOSTER School of Business
Acctg. 320
26
3. PROCESSING INTEGRITY

Parity checking
◦ Computers represent characters as a set of binary
digits (bits).
◦ For example, “5” is represented by the seven-bit
pattern 0000101.
◦ When data are transmitted some bits may be lost or
received incorrectly.
◦ Two basic schemes to detect these events are
referred to as even parity and odd parity.
◦ In either case, an additional bit is added to the digit
being transmitted.
FOSTER School of Business
Acctg. 320
27
3. PROCESSING INTEGRITY
Message Acknowledgment Techniques
◦ A number of message acknowledgment
techniques can be used to let the sender of an
electronic message know that a message was
received:
 Echo check: the sender and receiver each
count the number of bits, to make sure none
are lost.
 Trailer record: the sending unit includes in a
trailer record a total, and the receiver uses the
trailer record to verify all are received.
 Numbered batches: large messages have to
be sent in small packets, each is numbered so
that the receiving unit can reassemble the
packets.
FOSTER School of Business
Acctg. 320
28
4. AVAILABILITY
Reliable systems are available for use
whenever needed.
 Threats to system availability originate from
many sources, including:

◦
◦
◦
◦
◦
Hardware and software failures
Natural and man-made disasters
Human error
Worms and viruses
Denial-of-service attacks and other sabotage
How might you reduce the risk of system downtime?
FOSTER School of Business
Acctg. 320
29
4. AVAILABILITY
Disaster Recovery and Business
Continuity Planning
 The objectives of a disaster recovery and
business continuity plan are to:
◦ Minimize the extent of the disruption, damage,
and loss.
◦ Temporarily establish an alternative means of
processing information.
◦ Resume normal operations as soon as possible.
◦ Train and familiarize personnel with emergency
operations.
FOSTER School of Business
Acctg. 320
30
4. AVAILABILITY
Data backup terms:
A backup is an exact copy of most recent
database. A full backup is a copy of the entire
system. Partial backups can be either: (1)
incremental (data items that changed since last
backup, done daily) or (2) differential (cumulative
effect of all changes since last full backup, takes
longer than incremental).
Restoration is process of installing the backup.
Restore with incremental backup by running in
proper order. Restore with differential is faster.
Recovery point objective (RPO) is the maximum
length of time willing to risk loss of transaction data.
FOSTER School of Business
Acctg. 320
31
4. AVAILABILITY
Real-time mirroring almost eliminates risk of losing
any data. Data is recorded at two data centers at
the same time. Expensive. Used by financial
companies.
Checkpoint is when (time) a copy of the database is
made.
An archive is a copy of a program, file or database
that will be retained indefinitely, often for legal or
regulatory purposes.
FOSTER School of Business
Acctg. 320
32
4. AVAILABILITY
Infrastructure Replacement
Provisions for replacing the necessary computing
infrastructure: computers, networking equipment,
telephone lines, office equipment and supplies.
(1) Reciprocal agreement, least expensive, contract
with another organization to have temporary
access to another’s information system resources
(2) Cold site, purchase or lease, empty building,
prewired, contract with others to provide
equipment.
(3) Hot site, ready to go, expensive, provides realtime mirroring opportunity.
FOSTER School of Business
Acctg. 320
33
4. AVAILABILITY

Documentation: disaster recovery
◦ An important and often overlooked
component. Should include:
 The disaster recovery plan itself, including
instructions for notifying appropriate staff and the
steps to resume operation, needs to be well
documented.
 Assignment of responsibility for the various
activities.
 Vendor documentation of hardware and software.
 Documentation of modifications made to the default
configuration (so replacement will have the same
functionality).
 Detailed operating instructions.
◦ Copies of all documentation should be stored
both on-site and off-site.
FOSTER School of Business
Acctg. 320
34
4. AVAILABILITY

Testing
◦ Periodic testing and revision is probably
the most important component of effective
disaster recovery and business continuity
plans.
 Most plans fail their initial test, because it’s
impossible to anticipate everything that could
go wrong.
 The time to discover these problems is before
the actual emergency and in a setting where
the weaknesses can be carefully analyzed and
appropriate changes made.
FOSTER School of Business
Acctg. 320
35
4. AVAILABILITY

Insurance
◦ Organizations should acquire adequate
insurance coverage to defray part or all of
the expenses associated with
implementing their disaster recovery and
business continuity plans.
FOSTER School of Business
Acctg. 320
36
CHANGE MANAGEMENT
CONTROLS
Businesses frequently change information
systems. Controls are necessary to make sure
changes do not impact system reliability.





Document all changes.
Make sure changes are approved by the
appropriate parties.
Changes need to be thoroughly tested.
Develop “backout” plans to undo change if
necessary.
Adequate monitoring and review by senior
management (most important). Usually done by
the IT steering committee.
FOSTER School of Business
Acctg. 320
37
Download