
2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 1 of 136

Session 6


Information Systems Controls
for System Reliability
Part 2: Confidentiality, Privacy,
Processing Integrity, and
Availability
INTRODUCTION
Reliable systems satisfy
five principles:
Information Security
(discussed in Chapter 7)
Confidentiality
Privacy
Processing integrity
Availability
[Figure: Systems Reliability diagram showing Security, Confidentiality, Privacy, Processing Integrity, and Availability]
CONFIDENTIALITY
Reliable systems
maintain the
confidentiality of
sensitive information.
CONFIDENTIALITY
Maintaining confidentiality requires that
management identify which information is
sensitive.
Each organization will develop its own
definitions of what information needs to be
protected.
Most definitions will include:
Business plans
Pricing strategies
Client and customer lists
Legal documents
COBIT control objective PO 2.3 specifies the
need to identify and to properly label potentially
sensitive information, to assign responsibility for
its protection, and to implement appropriate
controls.
CONFIDENTIALITY
Table 8-1 in your textbook summarizes key
controls to protect confidentiality of information:
Situation | Controls
Storage | Encryption and access controls
Transmission | Encryption
Disposal | Shredding, thorough erasure, physical destruction
Overall | Categorization to reflect value and training in proper work practices
CONFIDENTIALITY
Encryption is a fundamental control procedure
for protecting the confidentiality of sensitive
information.
Confidential information should be encrypted:
While stored
Whenever transmitted
CONFIDENTIALITY
The Internet provides inexpensive transmission,
but data is easily intercepted.
Encryption solves the interception issue.
If data is encrypted before sending it, a virtual
private network (VPN) is created.
Provides the functionality of a privately owned
network
But uses the Internet
CONFIDENTIALITY
Use of VPN software creates private
communication channels, often referred to as
tunnels.
The tunnels are accessible only to parties who have
the appropriate encryption and decryption keys.
Cost of the VPN software is much less than costs of
leasing or buying a privately-owned, secure
communications network.
Also, makes it much easier to add or remove sites
from the network.
In accordance with COBIT DS 5.11, VPNs include
controls to authenticate the parties exchanging
information and to create an audit trail of the
exchange.
CONFIDENTIALITY
It is critical to encrypt any sensitive information
stored in devices that are easily lost or stolen,
such as laptops, PDAs, cell phones, and other
portable devices.
Many organizations have policies against storing
sensitive information on these devices.
81% of users admit they do so anyway.
CONFIDENTIALITY
Encryption alone is not sufficient to protect
confidentiality. Given enough time, many encryption
schemes can be broken.
Access controls are also needed:
To prevent unauthorized parties from obtaining the encrypted
data; and
Because not all confidential information can be encrypted in
storage.
Strong authentication techniques are necessary.
Strong authorization controls should be used to limit the
actions (read, write, change, delete, copy, etc.) that
authorized users can perform when accessing
confidential information.
CONFIDENTIALITY
Access to system outputs should also be controlled:
Do not allow visitors to roam through buildings unsupervised.
Require employees to log out of any application before leaving
their workstation unattended, so other employees do not have
unauthorized access.
Workstations should use password-protected screen savers that
automatically engage when there is no activity for a specified
period.
Access should be restricted to rooms housing printers and fax
machines.
Reports should be coded to reflect the importance of the
information therein, and employees should be trained not to
leave reports with sensitive information lying in plain view.
CONFIDENTIALITY
It is especially important to control
disposal of information resources.
Printed reports and microfilm with
sensitive information should be shredded.
COBIT control objective DS 11.4 addresses the
need to define and implement procedures
governing the disposal of sensitive data and any
hardware on which that data was stored.
CONFIDENTIALITY
Controls to protect confidentiality must be
continuously reviewed and modified to respond
to new threats created by technological
advances.
Many organizations now prohibit visitors from
using cell phones while touring their facilities
because of the threat caused by cameras in
these phones.
Because these devices are easy to hide, some
organizations use jamming devices to deactivate
their imaging systems while on company
premises.
CONFIDENTIALITY
Phone conversations have also been affected by
technology.
The use of voice-over-the-Internet (VoIP)
technology means that phone conversations are
routed in packets over the Internet.
Because this technology makes wiretapping much
easier, conversations about sensitive topics should be
encrypted.
CONFIDENTIALITY
Employee use of email and instant messaging
(IM) probably represents two of the greatest
threats to the confidentiality of sensitive
information.
It is virtually impossible to control its distribution once
held by the recipient.
Organizations need to develop comprehensive
policies governing the appropriate and allowable use
of these technologies for business purposes.
Employees need to be trained on what type of
information they can and cannot share, especially
with IM.
PRIVACY
In the Trust Services
framework, the privacy
principle is closely related to
the confidentiality principle.
Primary difference is that
privacy focuses on protecting
personal information about
customers rather than
organizational data.
Key controls for privacy are
the same ones that were
previously listed for
confidentiality.
PRIVACY
COBIT section DS 11 addresses the
management of data and specifies the need to
comply with regulatory requirements.
A number of regulations, including the Health
Insurance Portability and Accountability Act
(HIPAA) and the Financial Services
Modernization Act (also known as the Gramm-Leach-Bliley
Act), require organizations to protect the privacy
of customer information.
PRIVACY
The Trust Services privacy framework of the AICPA and CICA
lists ten internationally recognized best practices for
protecting the privacy of customers' personal information:
Management
Notice
Choice and consent
Collection
Use and retention
Access
Disclosure to Third Parties
Security
Quality
Monitoring and enforcement
PRIVACY
As with confidentiality, encryption and access
controls are the two basic mechanisms for
protecting consumers' personal information.
It is common practice to use SSL to encrypt all
personal information transmitted between individuals
and the organization's Website.
However, SSL only protects the information in transit.
Consequently, strong authentication controls are
needed to restrict Website visitors' access to
individual accounts.
PRIVACY
Organizations should consider encrypting
customers' personal information in
storage.
May be economically justified, because some
state laws require companies to notify all
customers of security incidents.
The notification process is costly but may be
waived if the information was encrypted while
in storage.
PRIVACY
Organizations need to train employees on how
to manage personal information collected from
customers.
Especially important for medical and financial
information.
Intentional misuse or unauthorized disclosure can
have serious economic consequences, including:
Drop in stock price
Significant lawsuits
Government suspension of the organization's business
activity
PRIVACY
A related concern involves the
overwhelming volume of spam.
Spam is unsolicited email that contains either
advertising or offensive content.
Reduces the efficiency benefits of email.
Is a source of many viruses, worms, spyware, and
other malicious content.
PRIVACY
In 2003, the U.S. Congress passed the
Controlling the Assault of Non-Solicited
Pornography and Marketing (CAN-SPAM)
Act.
Provides criminal and civil penalties for violation of
the law.
Applies to commercial email, which is any email with
a primary purpose of advertising or promotion.
Covers most legitimate email sent by organizations to
customers, suppliers, or donors to non-profits.
PRIVACY
Consequently, organizations must carefully follow the
CAN-SPAM guidelines, which include:
The sender's identity must be clearly displayed in the message
header.
The subject field in the header must clearly identify the message
as an advertisement or solicitation.
The body must provide recipients with a working link that can be
used to opt out of future email.
The body must include the sender's valid postal address.
Organizations should not:
Send email to randomly generated addresses.
Set up Websites designed to harvest email addresses of
potential customers.
ENCRYPTION
Encryption
Key elements of encryption systems
Encryption algorithm
Encryption keys
Key length
Private Key Cryptographic Systems
Public Key Cryptographic Systems
Elliptic Curve Cryptosystem (ECC)
Quantum Cryptography
Advanced Encryption Standard (AES)
Digital Signatures
Data integrity
Authentication
Nonrepudiation
Replay protection
Digital Envelope
25/09/2013 25
ENCRYPTION


Encryption and Decryption

Public Key Infrastructure (PKI)
Encryption
Encryption
The process of disguising a message (plaintext) to
make it unreadable by humans (ciphertext)

Decryption
The reverse process, which takes an encrypted (or
ciphertext) message and restores it to the
original plaintext.
Encryption
Elements of an encryption system
(cryptosystem):
Plaintext
The cryptographic algorithm (cipher)
The key and
The ciphertext


Encryption
Cryptanalysis
The science of cracking codes, decoding secrets,
violating authentication schemes, and in general,
breaking cryptographic protocols.
Techniques in cryptanalysis (attacks on a
cryptosystem):
Ciphertext-only
Plaintext
Brute force


Encryption
Types of encryption
Symmetric encryption (secret key encryption)
Asymmetric encryption (public key encryption)


Symmetric Encryption
Both parties must possess a single secret key
to communicate

Limitations
Key distribution (requires a different key for everyone
they intend to communicate with)
Does not support non-repudiation
Not practical for Web commerce, which can involve
communicating with thousands of customers

Advantage:
Speed


Symmetric Encryption
Asymmetric Encryption
Introduced by Whitfield Diffie and Martin
Hellman [1976]

Requires a pair of keys
Public key: known to the public (published and widely
disseminated)
Private key (secret key): known to the owner of the
key

Disadvantage:
Slow


Public Key Encryption
What's a Public Key Infrastructure (PKI)?

A system that establishes and maintains
trustworthy e-business environments
through the generation and distribution of
keys and certificates.


Value-Add of PKI

Authentication: Allows your e-business to
engage trusted customers, partners and
employees

Authorization: Allows business rules to
dictate who uses what resources, under what
conditions

Confidentiality: Protects confidentiality of
sensitive information, while stored or in transit
Value-Add of PKI

Integrity: Prevents any transaction from being
tampered with

Non-repudiation: Prevents any party from
denying an e-business transaction after the fact

Audit controls: Provides audit trails and
recourse for e-business transactions
Leading Players Market Share
Digital Certificates
Parties Involved

Certificate Authority (CA): grants and issues
certificates (signs them with its private key)

Registration Authority (RA): the critical point for
PKI, which maintains the directory of certificates and
handles CRL maintenance and publication

Certificate Revocation Lists (CRLs): highly
controlled database contains

Certification practice statement (CPS): detailed
set of rules governing CA operations
PKI Value in Action: Online Car Loan
Internet Security Models
How Does SSL Work?
Checking the Server's Certificate
Secure Sockets Layer - SSL
Root CAs in Browsers
Impact of Root CA Expiration
What Will Alice See?
PROCESSING INTEGRITY
COBIT control objective
DS 11.1 addresses the
need for controls over the
input, processing, and
output of data.
Identifies six categories of
controls that can be used
to satisfy that objective.
Six categories are grouped
into three for discussion.
PROCESSING INTEGRITY
Three categories/groups of integrity
controls are designed to meet the
preceding objectives:
Input controls
Processing controls
Output controls

PROCESSING INTEGRITY
Input Controls
If the data entered into a system is inaccurate or
incomplete, the output will be, too. (Garbage in,
garbage out.)
Companies must establish control procedures to
ensure that all source documents are authorized,
accurate, complete, properly accounted for, and
entered into the system or sent to their intended
destination in a timely manner.
PROCESSING INTEGRITY
The following input controls regulate integrity of
input:
Forms design
Pre-numbered forms sequence test
Turnaround documents
Cancellation and storage of documents
Authorization and segregation of duties
Visual scanning
Check digit verification
RFID security
PROCESSING INTEGRITY
Five categories of integrity controls are
designed to meet the preceding
objectives:
Input controls
Data entry controls
Processing controls
Output controls

PROCESSING INTEGRITY
Once data is collected, data entry control procedures are
needed to ensure that it's entered correctly. Common
tests to validate input include:
Field check
Sign check
Limit check
Range check
Size (or capacity) check
Completeness check
Validity check
Reasonableness test
Check digit verification
PROCESSING INTEGRITY
The preceding tests are used for batch
processing and online real-time
processing.
Both processing approaches also have
some additional controls that are unique to
each approach.
PROCESSING INTEGRITY
Additional online data entry controls
Online processing data entry controls include:
Automatic entry of data
Prompting
Pre-formatting
Closed-loop verification
Transaction logs
Error messages
PROCESSING INTEGRITY
Processing Controls
Processing controls to ensure that data is
processed correctly include:
Data matching
File labels
Recalculation of batch totals
Cross-footing balance test
Write-protection mechanisms
Database processing integrity procedures
(Concurrent Update Control)
PROCESSING INTEGRITY
Output Controls
Careful checking of system output
provides additional control over
processing integrity.
Output controls include:
User review of output
Reconciliation procedures
External data reconciliation
PROCESSING INTEGRITY
Output Controls
In addition to using encryption to protect the confidentiality of
information being transmitted, organizations need controls to
minimize the risk of data transmission errors.
When the receiving unit detects a data transmission error, it asks
the sending unit to re-send. Usually done automatically.
Sometimes, the system may not be able to accomplish automatic
resubmission and will ask the sender to re-transmit the data.
Two basic types of data transmission controls:
Parity checking
Message acknowledgment techniques
PROCESSING INTEGRITY
Parity checking
Computers represent characters as a set of binary
digits (bits).
For example, 5 is represented by the seven-bit
pattern 0000101.
When data are transmitted some bits may be lost or
received incorrectly.
Two basic schemes to detect these events are
referred to as even parity and odd parity.
In either case, an additional bit is added to the digit
being transmitted.
PROCESSING INTEGRITY
In even parity, the parity bit is set so that each character has an
even number of bits with the value 1.
In odd parity, the objective is that an odd number of bits should
have the value 1.
The pattern for 5 is 0000101. This pattern has two bits (an even
number) with a value of 1. Therefore, the parity bit that is added
would be zero if we were using even parity and 1 if we were
using odd parity.
The receiving device performs parity checking to verify that the
proper number of bits is set to one in each character received.
Additional accuracy can be achieved with more complex parity
schemes.
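The parity rules above, worked through in Python as an added example that is not part of the original slides. It uses the slide's seven-bit pattern 0000101, shows that a single parity bit misses a two-bit error, and then goes one step beyond the slides with a block (row plus column) parity check as one instance of a "more complex parity scheme". All function names and the two extra sample characters are assumptions made for the illustration.

```python
"""Parity checking on 7-bit characters, with a block (row + column) extension."""

# Constructed sample: the slide's pattern for 5 plus two made-up characters.
SAMPLE_CHARS = ["0000101", "0110001", "1000001"]


def parity_bit(bits, scheme="even"):
    """Bit to append so the character has an even (or odd) number of 1 bits."""
    if scheme not in ("even", "odd"):
        raise ValueError("scheme must be 'even' or 'odd'")
    odd_ones = bits.count("1") % 2 == 1
    if scheme == "even":
        return "1" if odd_ones else "0"
    return "0" if odd_ones else "1"


def add_parity(bits, scheme="even"):
    """Sender side: append the parity bit to the character."""
    return bits + parity_bit(bits, scheme)


def check_parity(frame, scheme="even"):
    """Receiver side: True when the count of 1 bits matches the scheme."""
    return frame.count("1") % 2 == (0 if scheme == "even" else 1)


def flip(frame, *positions):
    """Simulate transmission errors by inverting the bits at `positions`."""
    out = list(frame)
    for p in positions:
        out[p] = "1" if out[p] == "0" else "0"
    return "".join(out)


def encode_block(chars):
    """Even parity per character, plus one extra row holding the even
    parity of every column (a simple two-dimensional parity scheme)."""
    rows = [add_parity(c, "even") for c in chars]
    width = len(rows[0])
    parity_row = "".join(
        parity_bit("".join(r[j] for r in rows), "even") for j in range(width)
    )
    return rows + [parity_row]


def check_block(block):
    """Return (bad_rows, bad_columns); two empty lists mean no error seen."""
    bad_rows = [i for i, r in enumerate(block) if not check_parity(r, "even")]
    bad_cols = [
        j for j in range(len(block[0]))
        if not check_parity("".join(r[j] for r in block), "even")
    ]
    return bad_rows, bad_cols


if __name__ == "__main__":
    frame = add_parity("0000101", "even")
    print("even parity frame:", frame)
    print("odd parity frame: ", add_parity("0000101", "odd"))
    print("one bit flipped, detected:", not check_parity(flip(frame, 4)))
    print("two bits flipped, detected:", not check_parity(flip(frame, 4, 6)))

    block = encode_block(SAMPLE_CHARS)
    damaged = [flip(block[0], 4, 6)] + block[1:]
    print("block check on two-bit error:", check_block(damaged))
```

A single parity bit only signals that an odd number of bits changed; the column check narrows a single-bit error down to its row and column, and flags the two-bit error that the per-character check accepts.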
PROCESSING INTEGRITY
Output Controls
In addition to using encryption to protect the confidentiality of
information being transmitted, organizations need controls to
minimize the risk of data transmission errors.
When the receiving unit detects a data transmission error, it asks
the sending unit to re-send. Usually done automatically.
Sometimes, the system may not be able to accomplish automatic
resubmission and will ask the sender to re-transmit the data.
Two basic types of data transmission controls:
Parity checking
Message acknowledgment techniques (Checksums)
PROCESSING INTEGRITY
Message Acknowledgment Techniques
A number of message acknowledgment
techniques can be used to let the sender of
an electronic message know that a message
was received:
Echo check
When data are transmitted, the system calculates a
summary statistic such as the number of bits in the
message.
The receiving unit performs the same calculation (an
echo check) and sends the result to the sending unit.
If the counts match, the transmission is presumed
accurate.

Trailer record
The sending unit stores control totals in a trailer record.
The receiving unit uses the information in those totals to
verify the entire message was received.
Numbered batches
If a large message is transmitted in segments, each can
be numbered sequentially.
The receiving unit uses those numbers to properly
assemble the segments.
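The three message acknowledgment techniques above combined in one sender/receiver sketch, as an added example that is not part of the original slides. The class and function names, the 8-byte segment size and the sample message are assumptions; the summary statistic is the number of bits in the message, as the echo check slide describes.

```python
"""Numbered batches, a trailer record with control totals, and an echo check."""
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample message (26 bytes, 208 bits).
SAMPLE_MESSAGE = b"PAY 1500.00 TO VENDOR 0042"


@dataclass(frozen=True)
class Segment:
    seq: int      # sequence number (numbered batches)
    data: bytes


@dataclass(frozen=True)
class Trailer:
    segment_count: int   # control total: how many segments were sent
    bit_total: int       # control total: bits in the whole message


@dataclass(frozen=True)
class Receipt:
    accepted: bool
    message: Optional[bytes]
    missing: List[int]   # sequence numbers the sender must re-send
    echo: int            # bit count computed by the receiver


def bits_in(data):
    """Summary statistic for the echo check: number of bits in the data."""
    return len(data) * 8


def send(message, segment_size):
    """Split the message into numbered segments and build the trailer record."""
    segments = [
        Segment(seq, message[start:start + segment_size])
        for seq, start in enumerate(range(0, len(message), segment_size), start=1)
    ]
    return segments, Trailer(len(segments), bits_in(message))


def receive(segments, trailer):
    """Reassemble by sequence number, then verify against the trailer totals."""
    by_seq = {}
    for seg in segments:
        by_seq.setdefault(seg.seq, seg.data)   # a duplicate delivery is ignored
    expected = range(1, trailer.segment_count + 1)
    missing = [n for n in expected if n not in by_seq]
    data = b"".join(by_seq[n] for n in expected if n in by_seq)
    echo = bits_in(data)
    accepted = not missing and echo == trailer.bit_total
    return Receipt(accepted, data if accepted else None, missing, echo)


def echo_confirms(message, receipt):
    """Sender side: compare the receiver's echoed count with its own."""
    return receipt.echo == bits_in(message)


if __name__ == "__main__":
    segments, trailer = send(SAMPLE_MESSAGE, 8)

    # Segments arriving out of order are put back in sequence.
    print(receive(list(reversed(segments)), trailer))

    # A lost segment is reported by number so it can be re-sent.
    lost = [s for s in segments if s.seq != 2]
    print(receive(lost, trailer))

    # A truncated segment passes the count but fails the bit total and echo.
    cut = [Segment(s.seq, s.data[:-1]) if s.seq == 3 else s for s in segments]
    receipt = receive(cut, trailer)
    print(receipt, "echo confirmed:", echo_confirms(SAMPLE_MESSAGE, receipt))
```

These totals catch accidental loss and truncation only: a segment altered without changing its length still passes, which is the gap that the data integrity property of digital signatures listed in the encryption outline covers.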
AVAILABILITY
Reliable systems are available
for use whenever needed.
Threats to system availability
originate from many sources,
including:
Hardware and software failures
Natural and man-made disasters
Human error
Worms and viruses
Denial-of-service attacks and
other sabotage
AVAILABILITY
Proper controls can minimize the risk of
significant system downtime caused by the
preceding threats.
It is impossible to totally eliminate all
threats.
Consequently, organizations must develop
disaster recovery and business continuity
plans to enable them to quickly resume
normal operations after such an event.
AVAILABILITY
Minimizing Risk of System Downtime
Loss of system availability can cause
significant financial losses, especially if the
system affected is essential to e-commerce.
Organizations can take a variety of steps to
minimize the risk of system downtime.
Physical and logical access controls (Chapter 7)
can reduce the risk of successful denial-of-service
attacks.
Good information security reduces risk of theft or
sabotage of IS resources.
AVAILABILITY
COBIT control objective DS 13.5 identifies the
need for preventive maintenance. Examples:
Cleaning disk drives
Properly storing magnetic and optical media
Use of redundant components can provide
fault tolerance, which enables the system to
continue functioning despite failure of a
component. Examples of redundant
components:
Dual processors
Arrays of multiple hard drives.
Surge protection devices provide protection
against temporary power fluctuations.
AVAILABILITY
COBIT control objectives DS 12.1 and 12.4
address the importance of proper location and
design of rooms housing mission-critical servers
and databases.
Raised floors protect from flood damage.
Fire protection and suppression devices reduce
likelihood of fire damage.
Adequate air conditioning reduces likelihood of
damage from over-heating or humidity.
Cables with special plugs that cannot be easily
removed reduce risk of damage due to accidental
unplugging.
AVAILABILITY
An uninterruptible power supply (UPS)
provides protection from a prolonged power
outage and buys the system enough time to
back up critical data and shut down safely.
AVAILABILITY
Training is especially important.
Well-trained operators are less likely to make
mistakes and more able to recover if they do.
Security awareness training, particularly concerning
safe email and Web-browsing practices, can reduce
risk of virus and worm infection.
Anti-virus software should be installed, run, and
kept current.
Email should be scanned for viruses at both the
server and desktop levels.
Newly acquired software and disks, CDs, or
DVDs should be scanned and tested first on a
machine that is isolated from the main network.
COBIT control objective DS 13.1 stresses the
importance of defining and documenting
operational procedures and ensuring that
operations staff understand their
responsibilities.
AVAILABILITY
Disaster Recovery and Business
Continuity Planning
Disaster recovery and business continuity
plans are essential if an organization hopes to
survive a major catastrophe.
Being without an IS for even a short period of
time can be quite costly; some report as high
as half a million dollars per hour.
Yet many large U.S. companies do not have
adequate disaster recovery and business
continuity plans.
Experience suggests that companies which
experience a major disaster resulting in loss of
use of their information system for more than a
few days have a greater than 50% chance of
going out of business.
AVAILABILITY
The objectives of a disaster recovery and
business continuity plan are to:
Minimize the extent of the disruption, damage,
and loss
Temporarily establish an alternative means of
processing information
Resume normal operations as soon as
possible
Train and familiarize personnel with
emergency operations
AVAILABILITY
Key components of effective disaster
recovery and business continuity plans
include:
Data backup procedures
Provisions for access to replacement
infrastructure (equipment, facilities, phone
lines, etc.)
Thorough documentation
Periodic testing
Adequate insurance
CHANGE MANAGEMENT CONTROLS
Organizations constantly modify their information
systems to reflect new business practices and to take
advantage of advances in IT.
Controls are needed to ensure such changes don't
negatively impact reliability.
Existing controls related to security, confidentiality,
privacy, processing integrity, and availability should be
modified to maintain their effectiveness after the change.
Change management controls need to ensure adequate
segregation of duties is maintained in light of the
modifications to the organizational structure and
adoption of new software.
CHANGE MANAGEMENT CONTROLS
Important change management controls include:
All change requests should be documented in a
standard format that identifies:
Nature of the change
Reason for the change
Date of the request
All changes should be approved by appropriate levels
of management.
Approvals should be clearly documented to provide an audit
trail.
Management should consult with the CSO and other IT
managers about impact of the change on reliability.
CHANGE MANAGEMENT CONTROLS
Changes should be thoroughly tested prior to
implementation.
Includes assessing effect of change on all five principles of
systems reliability.
Should occur in a separate, non-production environment.
All documentation (program instructions, system
descriptions, backup and disaster recovery plans)
should be updated to reflect authorized changes to
the system.
Emergency changes or deviations from policy must
be documented and subjected to a formal review and
approval process as soon after implementation as
practicable. All such actions should be logged to
provide an audit trail.
When changing systems, data from old files and
databases are entered into new data structures.
Conversion controls help ensure that the new data
storage media are free of errors.
Old and new systems should be run in parallel at
least once and results compared to identify
discrepancies.
Internal auditors should review data conversion
processes for accuracy.
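The parallel-run comparison described above, as an added example (not from the textbook or the slides): the old and new systems' outputs are reconciled record by record. The account IDs, balances, and the choice of record counts and control totals as summary checks are constructed for illustration.

```python
from decimal import Decimal

# Constructed sample data: account balances exported from the old system
# and from the new system after conversion (account id -> balance).
OLD_EXPORT = {
    "C-1001": Decimal("250.00"),
    "C-1002": Decimal("1340.75"),
    "C-1003": Decimal("0.00"),
    "C-1004": Decimal("89.10"),
}
NEW_EXPORT = {
    "C-1001": Decimal("250.00"),
    "C-1002": Decimal("1340.57"),  # digits transposed during conversion
    "C-1004": Decimal("89.10"),
    "C-1005": Decimal("12.00"),    # record with no source in the old system
}


def reconcile(old, new):
    """Compare converted data against its source and list discrepancies."""
    old_keys, new_keys = set(old), set(new)
    report = {
        # Records dropped by the conversion.
        "missing_in_new": sorted(old_keys - new_keys),
        # Records that appeared without a source record.
        "unexpected_in_new": sorted(new_keys - old_keys),
        # Records present in both systems whose values differ.
        "value_mismatch": sorted(
            k for k in old_keys & new_keys if old[k] != new[k]
        ),
        # Summary checks: quick to compute, but they can agree by
        # coincidence, so they supplement the per-record comparison.
        "record_count": (len(old), len(new)),
        "control_total": (
            sum(old.values(), Decimal(0)),
            sum(new.values(), Decimal(0)),
        ),
    }
    report["clean"] = (
        not report["missing_in_new"]
        and not report["unexpected_in_new"]
        and not report["value_mismatch"]
        and report["control_total"][0] == report["control_total"][1]
    )
    return report


if __name__ == "__main__":
    for name, value in reconcile(OLD_EXPORT, NEW_EXPORT).items():
        print(f"{name}: {value}")
```

In the sample data the record counts match (4 and 4) even though one record was lost and another added, which is why the per-record comparison is needed in addition to the counts.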
CHANGE MANAGEMENT CONTROLS
Backout plans should be developed for
reverting to the previous configuration if the
approved changes need to be interrupted or
aborted.
User rights and privileges should be carefully
monitored during the change process to
ensure proper segregation of duties.
CHANGE MANAGEMENT CONTROLS
The most important change management control
is adequate monitoring and review by top
management to ensure that the changes are
consistent with the entity's multiyear strategic
plan.
Objective: Be sure the system continues to
effectively support the organization's strategy.
Steering committees are often created to
perform this function.
SUMMARY
In this chapter, you've learned about the
controls used to protect the confidentiality
of sensitive information and the controls
used to protect the privacy of customer
information.
You've also learned about controls that
help ensure processing integrity.
Finally, you've learned about controls to
ensure that the system is available when
needed.
