AVAILABILITY PROCESSING INTEGRITY PRIVACY SYSTEMS RELIABILITY CONFIDENTIALITY Information Systems Controls for System Reliability Part 2: Confidentiality, Privacy, Processing Integrity, and Availability Chapter 8 SECURITY FOSTER School of Business Acctg. 320 1 Learning Objectives After studying this chapter, you should be able to answer the following questions: ◦ What controls are used to protect the confidentiality of sensitive information? ◦ What controls are designed to protect privacy of customers’ personal information? ◦ What controls ensure processing integrity? ◦ How are information systems changes controlled to ensure that the new system satisfies all five principles of systems reliability? FOSTER School of Business Acctg. 320 2 Reliable Systems Reliable systems satisfy five principles: ◦ ◦ ◦ ◦ ◦ Information Security (discussed in Chapter 7) Confidentiality Privacy Processing integrity Availability We study the last four principles in chapter 8 FOSTER School of Business Acctg. 320 3 1. Confidentiality Table 8-1 in your textbook summaries key controls to protect confidentiality of information: Situation Storage Controls Encryption and access controls Transmission Disposal Encryption Shredding, thorough erasure, physical destruction Overall Categorization to reflect value and training in proper work practices FOSTER School of Business Acctg. 320 4 1. Confidentiality The Internet provides inexpensive transmission, but data is easily intercepted. Encryption solves the interception issue. If data is encrypted before sending it, a virtual private network (VPN) is created. ◦ Provides the functionality of a privately owned network ◦ But uses the Internet FOSTER School of Business Acctg. 320 5 1. Confidentiality It is critical to encrypt any sensitive information stored in devices that are easily lost or stolen, such as laptops, PDAs, cell phones, and other portable devices. ◦ Many organizations have policies against storing sensitive information on these devices. ◦ 81% of users admit they do so anyway. FOSTER School of Business Acctg. 320 6 1. Confidentiality Encryption alone is not sufficient to protect confidentiality. Given enough time, many encryption schemes can be broken. Access controls are also needed: ◦ To prevent unauthorized parties from obtaining the encrypted data; and ◦ Because not all confidential information can be encrypted in storage. Strong authentication techniques are necessary. Strong authorization controls should be used to limit the actions (read, write, change, delete, copy, etc.) that authorized users can perform when accessing confidential information. FOSTER School of Business Acctg. 320 7 1. Confidentiality Controls on visitors, badges at the workplace to prevent unauthorized entry Require employees not to leave PC’s or Workstations without logging out Automatically log-out on PC’s and require passwords for re-entry into system Don’t leave sensitive information out and available. Careful disposal of sensitive information Hard drives often contain sensitive information—need controls to protect and to dispose of. Labeling documents as confidential, private, etc. Email and instant messaging: once sent there is no way to retrieve it, so these represent significant exposures (even CEOs have lost jobs) FOSTER School of Business Acctg. 320 8 2. Privacy In the Trust Services framework, the privacy principle is closely related to the confidentiality principle. Primary difference is that privacy focuses on protecting personal information about customers rather than organizational data. Key controls for privacy are the same that were previously listed for confidentiality. FOSTER School of Business Acctg. 320 9 2. Privacy: Legal COBIT section DS 11 addresses the management of data and specifies the need to comply with regulatory requirements. A number of regulations, including the Health Insurance Portability and Accountability Act (HIPAA) and the Financial Services Modernization Act (aka, GrammLeach-Billey Act) require organizations to protect the privacy of customer information. FOSTER School of Business Acctg. 320 10 2. Privacy: Best Practices The Trust Services privacy framework of the AICPA and CICA lists ten internationally recognized best practices for protecting the privacy of customers’ personal information: 1. Management: policies and procedures to protect privacy of information. Also assign responsibility and accountability. 2. Notice: before collecting info. tell customers about your Privacy Policies. 3. Choice and consent: Give consumers the right to “opt-out (opt-in). 4. Collection: Collect only information if needed to fulfill purposes stated in privacy policies. 5. Use and retention: use only as promised and keep information only as long as needed. FOSTER School of Business Acctg. 320 11 2. Privacy: Best Practices (contin.) 6. Access: Organizations should provide individuals with the right and ability to access, review, correct and delete personal information. 7. Disclosure to Third Parties: Provide information only as described in privacy policies, and only to parties that have comparable privacy policies. 8. Security: take reasonable steps to protect loss or unauthorized disclosure. 9. Quality: maintain integrity of personal information. There should be a low error rate. 10. Monitoring and enforcement: employees assigned to assure compliance with policies. Make sure you have procedures to respond to problems. FOSTER School of Business Acctg. 320 12 2. Privacy: Cookies One topic of concern is cookies used on Web sites. ◦ A cookie is a text file created by a Website and stored on a visitor’s hard drive. It records what the visitor has done on the site. ◦ Most Websites create multiple cookies per visit to make it easier for visitors to navigate the site. ◦ Browsers can be configured to refuse cookies, but it may make the Website inaccessible. ◦ Cookies are text files and cannot “do” anything other than store information, but many people worry that they violate privacy rights. FOSTER School of Business Acctg. 320 13 2. Privacy: Identity Theft Another privacy-related issue that is of growing concern is identity theft. ◦ Organizations have an ethical and moral obligation to implement controls to protect databases that contain their customers’ personal information. ◦ Individuals have to be proactive in this growing threat. See 8-1 Focus pg. 299 in your text. FOSTER School of Business Acctg. 320 14 2. Privacy: SPAM A related concern involves the overwhelming volume of spam. ◦ Spam is unsolicited email that contains either advertising or offensive content. Reduces the efficiency benefits of email. Is a source of many viruses, worms, spyware, and other malicious content. FOSTER School of Business Acctg. 320 15 2. Privacy: SPAM In 2003, the U.S. Congress passed the Controlling the Assault of Non-Solicited Pornography and Marketing (CANSPAM) Act. ◦ Provides criminal and civil penalties for violation of the law. ◦ Applies to commercial email, which is any email with a primary purpose of advertising or promotion. ◦ Covers most legitimate email sent by organizations to customers, suppliers, or donors to non-profits. FOSTER School of Business Acctg. 320 16 2. Privacy: SPAM Organizations must carefully follow the CAN-SPAM guidelines. Key provisions are: ◦ The sender’s identity must be clearly displayed in the message header. ◦ The subject field in the header must clearly identify the message as an advertisement or solicitation. ◦ The body must provide recipients with a working link that can be used to “opt out” of future email. ◦ The body must include the sender’s valid postal address. ◦ Organizations should not: Send email to randomly generated addresses. Set up Websites designed to harvest email addresses of potential customers. FOSTER School of Business Acctg. 320 17 3. PROCESSING INTEGRITY COBIT control objective DS 11.1 addresses the need for controls over the input, processing, and output of data. Identifies six categories of controls that can be used to satisfy that objective. Six categories are grouped into three for discussion. FOSTER School of Business Acctg. 320 18 3. PROCESSING INTEGRITY Three categories/groups of integrity controls are designed to meet the preceding objectives: ◦ Input controls ◦ Processing controls ◦ Output controls FOSTER School of Business Acctg. 320 19 3. PROCESSING INTEGRITY The following input controls regulate integrity of input: ◦ Forms design: design forms to minimize errors. ◦ Pre-numbered forms sequence test: verify that sequence does not include gaps. ◦ Turnaround documents: to pay bills. ◦ Cancellation and storage of documents: e.g, mark as paid. ◦ Authorization and segregation of duties: check who created the form. ◦ Visual scanning: scan for reasonableness before entering the data. Are the numbers reasonable? Sniff test. ◦ Check digit verification: an added digit that is computed from other digits. ◦ RFID security: RFID slowly replacing bar codes (although this is debatable). RFID tags should be write-protected, so customers cannot change information, such as prices. FOSTER School of Business Acctg. 320 20 3. PROCESSING INTEGRITY Data Entry Controls: Field checks: is the information of the proper type (don’t expect letters in a zip code field). Sign checks: +/-, number ordered should only be positive numbers, for example. Limit checks: can’t exceed a certain limit, say 40/hours per week. Range checks: a lower limit, and an upper limit Size check: if eight figures are required, don’t accept nine. For example, accept a zip code of five digits, or nine digits only. FOSTER School of Business Acctg. 320 21 3. PROCESSING INTEGRITY Data Entry Controls: (continued) Completeness check: all the needed data is entered. Validity check: check if it is a valid account number, for example. Reasonableness check: tests the logical relationship between two numbers. FOSTER School of Business Acctg. 320 22 3. PROCESSING INTEGRITY Processing Controls Processing controls to ensure that data is processed correctly include: Data matching: two or more pieces of data that have to be matched (such as vendor invoice and purchase order). Some companies have programs that automatically match these items so they are not manually matched. File labels: ensure correct and more recent files are being updated. Recalculation of batch totals: to make sure all transactions are processed. FOSTER School of Business Acctg. 320 23 3. PROCESSING INTEGRITY Processing Controls (continued) Cross-footing balance test: making sure that figures add correctly vertically and horizontally. Write-protection mechanisms: prevents you from overwriting data that should not be changed. Database processing integrity procedures: database administrators, data dictionaries, concurrent update controls. FOSTER School of Business Acctg. 320 24 3. PROCESSING INTEGRITY Output Controls: Careful checking of system output provides additional control over processing integrity. ◦ Output controls include: User review of output: carefully examine output for reasonableness and completeness. Reconciliation procedures: e.g., balances in inventory database should equal general ledger inventory acct. bal. External data reconciliation: e.g., compare payroll files with HR files. FOSTER School of Business Acctg. 320 25 3. PROCESSING INTEGRITY Output Controls: Protecting transmission of data ◦ In addition to using encryption to protect the confidentiality of information being transmitted, organizations need controls to minimize the risk of data transmission errors. ◦ Two basic types of data transmission controls: Parity checking Message acknowledgment techniques FOSTER School of Business Acctg. 320 26 3. PROCESSING INTEGRITY Parity checking ◦ Computers represent characters as a set of binary digits (bits). ◦ For example, “5” is represented by the seven-bit pattern 0000101. ◦ When data are transmitted some bits may be lost or received incorrectly. ◦ Two basic schemes to detect these events are referred to as even parity and odd parity. ◦ In either case, an additional bit is added to the digit being transmitted. FOSTER School of Business Acctg. 320 27 3. PROCESSING INTEGRITY Message Acknowledgment Techniques ◦ A number of message acknowledgment techniques can be used to let the sender of an electronic message know that a message was received: Echo check: the sender and receiver each count the number of bits, to make sure none are lost. Trailer record: the sending unit includes in a trailer record a total, and the receiver uses the trailer record to verify all are received. Numbered batches: large messages have to be sent in small packets, each is numbered so that the receiving unit can reassemble the packets. FOSTER School of Business Acctg. 320 28 4. AVAILABILITY Reliable systems are available for use whenever needed. Threats to system availability originate from many sources, including: ◦ ◦ ◦ ◦ ◦ Hardware and software failures Natural and man-made disasters Human error Worms and viruses Denial-of-service attacks and other sabotage How might you reduce the risk of system downtime? FOSTER School of Business Acctg. 320 29 4. AVAILABILITY Disaster Recovery and Business Continuity Planning The objectives of a disaster recovery and business continuity plan are to: ◦ Minimize the extent of the disruption, damage, and loss. ◦ Temporarily establish an alternative means of processing information. ◦ Resume normal operations as soon as possible. ◦ Train and familiarize personnel with emergency operations. FOSTER School of Business Acctg. 320 30 4. AVAILABILITY Data backup terms: A backup is an exact copy of most recent database. A full backup is a copy of the entire system. Partial backups can be either: (1) incremental (data items that changed since last backup, done daily) or (2) differential (cumulative effect of all changes since last full backup, takes longer than incremental). Restoration is process of installing the backup. Restore with incremental backup by running in proper order. Restore with differential is faster. Recovery point objective (RPO) is the maximum length of time willing to risk loss of transaction data. FOSTER School of Business Acctg. 320 31 4. AVAILABILITY Real-time mirroring almost eliminates risk of losing any data. Data is recorded at two data centers at the same time. Expensive. Used by financial companies. Checkpoint is when (time) a copy of the database is made. An archive is a copy of a program, file or database that will be retained indefinitely, often for legal or regulatory purposes. FOSTER School of Business Acctg. 320 32 4. AVAILABILITY Infrastructure Replacement Provisions for replacing the necessary computing infrastructure: computers, networking equipment, telephone lines, office equipment and supplies. (1) Reciprocal agreement, least expensive, contract with another organization to have temporary access to another’s information system resources (2) Cold site, purchase or lease, empty building, prewired, contract with others to provide equipment. (3) Hot site, ready to go, expensive, provides realtime mirroring opportunity. FOSTER School of Business Acctg. 320 33 4. AVAILABILITY Documentation: disaster recovery ◦ An important and often overlooked component. Should include: The disaster recovery plan itself, including instructions for notifying appropriate staff and the steps to resume operation, needs to be well documented. Assignment of responsibility for the various activities. Vendor documentation of hardware and software. Documentation of modifications made to the default configuration (so replacement will have the same functionality). Detailed operating instructions. ◦ Copies of all documentation should be stored both on-site and off-site. FOSTER School of Business Acctg. 320 34 4. AVAILABILITY Testing ◦ Periodic testing and revision is probably the most important component of effective disaster recovery and business continuity plans. Most plans fail their initial test, because it’s impossible to anticipate everything that could go wrong. The time to discover these problems is before the actual emergency and in a setting where the weaknesses can be carefully analyzed and appropriate changes made. FOSTER School of Business Acctg. 320 35 4. AVAILABILITY Insurance ◦ Organizations should acquire adequate insurance coverage to defray part or all of the expenses associated with implementing their disaster recovery and business continuity plans. FOSTER School of Business Acctg. 320 36 CHANGE MANAGEMENT CONTROLS Businesses frequently change information systems. Controls are necessary to make sure changes do not impact system reliability. Document all changes. Make sure changes are approved by the appropriate parties. Changes need to be thoroughly tested. Develop “backout” plans to undo change if necessary. Adequate monitoring and review by senior management (most important). Usually done by the IT steering committee. FOSTER School of Business Acctg. 320 37