978-0133428537 Chapter 9 Solution Manual Part 3

Authors: Marshall B. Romney, Paul J. Steinbart

Which of the following actions can you perform?
1. Open the file.
2. Copy the file to a USB drive.
3. Move the file to a USB drive.
4. Rename the file.
5. Delete the file.
Tell students to save the encrypted file in a shared directory that is accessible to all users
who log onto that system. That way, even a standard user will be able to see the files.
b. TrueCrypt is one of several free software programs that can be used to encrypt
files stored on a USB drive. Download and install a copy of TrueCrypt (or
another program recommended by your professor). Use it to encrypt some files
on a USB drive. Compare its functionality to that of the built-in encryption
functionality provided by your computer’s operating system.
c. Write a brief report that compares the third-party encryption software’s
functionality to that of the built-in encryption functionality provided by your
computer’s operating system. Which is easier to use? Why? What are the limits (in
terms of performing the five tasks) of each?
9.9 Explore and test various browser privacy settings.
a. Open your favorite browser and print a screenshot of your current settings.
b. Go to www.cisecurity.org and obtain the recommended best practices for
privacy settings for your browser. Change your existing settings to those
best practices. Use your browser to perform these tasks: (1) search for
information about identity theft protection products, (2) open and read your
personal e-mail account, (3) open and read your university or work-related
e-mail account, (4) attempt to purchase something from amazon.com or any
other site (you need not actually make the purchase; just try to at least get to
the point in the shopping cart where you are asked to enter your credit card
number), and (5) log in to your favorite social networking site. What was the
effect, if any, of changing your privacy settings?
c. Repeat step b above for another browser. Which browser makes it easier to
configure privacy settings? Are there any differences between the browsers
in terms of using them after you have changed the privacy settings to those
recommended by the cisecurity.org benchmark documents?
Students should report that the more secure configuration creates some problems, but the
details will vary depending upon browser and device.
9.10 Certificate authorities are an important part of a public key infrastructure (PKI).
Research at least two certificate authorities and write a report that explains the different
types of digital certificates that they offer.
These certificate authorities (CAs) issue several types of certificates. For example, the Verisign
site has a white paper called “Beginners Guide to SSL certificates” that includes the following
explanation:
DIFFERENT TYPES OF SSL CERTIFICATE
There are a number of different SSL Certificates on the market today.
All VeriSign® brand SSL Certificates are fully authenticated.
5. A domain name is often used with a number of different host suffixes. For this
6. Similar to a Wildcard Certificate, but a little more versatile, the SAN (Subject
7. Code Signing Certificates are specifically designed to ensure that the software you
have downloaded was not tampered with while en route. There are many cyber
9.11 Explore the power of the :bcc feature to protect privacy.
a. Write a message and send it to yourself, and use the :cc feature to send it to a set
of people, including one of your other email accounts in the :cc list.
b. Repeat step a, but this time send the email only to yourself and list
everyone in the :bcc field.
c. Use your other email account (the one you included in the :cc and :bcc fields) to
open the two email messages. Use all available options (e.g., view full header,
etc.) to see what you can learn about the recipient lists for both emails. What
is the power of the :bcc field?
Students should see that the :bcc feature hides the identity of other recipients and that this
protection is not easily defeated.
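The mechanism behind what students observe in step c, as an added Python example that is not part of the textbook or this solution manual: the Cc header travels with the message, while Bcc addresses are used only as delivery-envelope recipients and the Bcc header itself is removed before delivery. The addresses are constructed placeholders, and the Delivered-To header is an assumption about receiving servers (many, but not all, add one).

```python
from email import message_from_bytes
from email.message import EmailMessage
from email.policy import default
from email.utils import getaddresses

# Constructed placeholder addresses for the experiment (not real accounts).
ME, OTHER_ME = "me@example.com", "me.other@example.com"
ALICE, BOB = "alice@example.com", "bob@example.com"

def compose(sender, to, cc=(), bcc=()):
    """Build the message as a mail client does before submitting it."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = ", ".join(to)
    if cc:
        msg["Cc"] = ", ".join(cc)
    if bcc:
        msg["Bcc"] = ", ".join(bcc)
    msg["Subject"] = "bcc experiment"
    msg.set_content("Which recipients can you see?")
    return msg

def submit_and_deliver(msg):
    """Simulate the sending mail system: every To/Cc/Bcc address becomes an
    SMTP envelope recipient, then the Bcc header is removed (RFC 5322 3.6.3).
    Returns {recipient address: raw message bytes as stored in that mailbox}."""
    envelope = [a for _, a in getaddresses(
        msg.get_all("To", []) + msg.get_all("Cc", []) + msg.get_all("Bcc", []))]
    outgoing = message_from_bytes(bytes(msg), policy=default)
    del outgoing["Bcc"]
    mailboxes = {}
    for rcpt in envelope:
        stored = message_from_bytes(bytes(outgoing), policy=default)
        # Assumption: receiving server records the envelope recipient (this mailbox only).
        stored["Delivered-To"] = rcpt
        mailboxes[rcpt] = bytes(stored)
    return mailboxes

def visible_recipients(raw):
    """What 'view full header' reveals: addresses in To, Cc and Delivered-To."""
    m = message_from_bytes(raw, policy=default)
    fields = m.get_all("To", []) + m.get_all("Cc", []) + m.get_all("Delivered-To", [])
    return sorted({a for _, a in getaddresses(fields)})

def run_experiment():
    """Step a (Cc) versus step b (Bcc), read from the OTHER_ME mailbox."""
    cc_box = submit_and_deliver(compose(ME, [ME], cc=[ALICE, BOB, OTHER_ME]))
    bcc_box = submit_and_deliver(compose(ME, [ME], bcc=[ALICE, BOB, OTHER_ME]))
    return (visible_recipients(cc_box[OTHER_ME]),
            visible_recipients(bcc_box[OTHER_ME]), b"Bcc:" in bcc_box[OTHER_ME])
```

In the Bcc case the stored copy names only the sender and the mailbox's own address, so no header option in the mail client can recover the other recipients.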
SUGGESTED SOLUTIONS TO THE CASES
Case 9-1 Protecting Privacy of Tax Returns
The department of taxation in your state is developing a new computer system for
processing individual and corporate income-tax returns. The new system features direct
data input and inquiry capabilities. Identification of taxpayers is provided by using the
Social Security number for individuals and federal tax identification number for
corporations. The new system should be fully implemented in time for the next tax season.
The new system will serve three primary purposes:
1. Tax return data will be input either automatically, directly into the system
when the taxpayer files electronically, or by a clerk at central headquarters
scanning a paper return received in the mail.
2. The returns will be processed using the main computer facilities at central
headquarters. Processing will include four steps:
a. Verifying mathematical accuracy.
b. Auditing the reasonableness of deductions, tax due, and so on, through the
use of edit routines, which also include a comparison of current and prior
years’ data.
c. Identifying returns that should be considered for audit by department
revenue agents.
d. Issuing refund checks to taxpayers.
3. Inquiry services. A taxpayer will be allowed to determine the status of his or her
return or get information from the last three years’ returns by calling or visiting
one of the department’s regional offices, or by accessing the department’s web
site and entering his or her Social Security number.
The state commissioner of taxation and the state attorney general are concerned about
protecting the privacy of personal information submitted by taxpayers. They want to have
potential problems identified before the system is fully developed and implemented so that
the proper controls can be incorporated into the new system.
Required
Describe the potential privacy problems that could arise in each of the following three
areas of processing, and recommend the corrective action(s) to solve each problem
identified:
a. Data input
b. Processing of returns
c. Data inquiry
[CMA examination, adapted]
a. Privacy problems that could arise in the processing of input data, and recommended
corrective actions, are as follows:
Problem: Unauthorized employee accessing paper returns submitted by mail.
Controls: Restrict physical access to the room used to house paper returns and
scanning equipment by using ID badges or biometric controls, and log all people
who enter.
Problem: Unauthorized employee accessing the electronic files.
Controls: Multi-factor authentication of all employees attempting to access tax
files.
Problem: Interception of tax information submitted electronically.
Controls: Encrypt all information submitted to the tax website.
b. Privacy problems that could arise in the processing of returns, and recommended
corrective actions, are as follows:
Problem: Operator intervention to input data or to gain output from files.
Controls: Limit operator access to only that part of the documentation needed for
equipment operation. Prohibit operators from writing programs and designing the
system. Daily review of console log messages and/or run times. Encryption of data
by the application program.
Problem: Attempts to screen individual returns on the basis of surname, sex, race,
etc., rather than tax liability.
Controls: Training about proper procedures. Multi-factor authentication to limit
access to the system. Encryption of tax return data stored in the system.
c. Privacy problems that could arise in the inquiry of data, and recommended corrective
actions, are as follows:
Controls:
Strong authentication of all people making inquiries via the web site, using
something other than Social Security numbers, preferably multi-factor, not just
passwords.
Encryption of all tax return data while in storage.
Encryption of all traffic to/from the web site.
Training on how to properly authenticate taxpayers who make telephone inquiries.
Strong authentication of taxpayers making telephone inquiries.
Training on how to shred paper documents prior to disposal.
Training on how to wipe or erase media that contained tax return information
prior to disposal.
(CMA Examination, adapted)
Case 9-2 Generally Accepted Privacy Principles
Obtain a copy of Generally Accepted Privacy Principles from the AICPA’s web site
(www.aicpa.org). (You will find it by following this path: Under Interest Areas choose
Information Management and Technology Assurance then in the upper left portion of
that page in the box titled Resources select Privacy and scroll down the list until you
find GAPP). Use the GAPP document to answer the following questions:
1. What is the difference between confidentiality and privacy?
2. How many categories of personal information exist? Why?
3. In terms of the principle of choice and consent, what does GAPP recommend
concerning opt-in versus opt-out?
4. Can organizations outsource their responsibility for privacy?
5. What does principle 1 state concerning top management’s and the Board of
Directors’ responsibility for privacy?
6. What does principle 1 state concerning the use of customers’ personal information
when testing new applications?
It must be rendered anonymous (all personally identified information removed).
7. Obtain a copy of your university’s privacy policy statement. Does it satisfy GAPP
criterion 2.2.3? Why?
8. What does GAPP principle 3 say about the use of cookies?
9. What are some examples of practices that violate management criterion 4.2.2?
10. What does management criterion 5.2.2 state concerning retention of customers’
personal information? How can organizations satisfy this criterion?
11. What does management criterion 5.2.3 state concerning the disposal of personal
information? How can organizations satisfy this criterion?
12. What does management criterion 6.2.2 state concerning access? What controls
should organizations use to achieve this objective?
13. According to GAPP principle 7, what should organizations do if they wish to share
personal information they collect with a third party?
14. What does GAPP principle 8 state concerning the use of encryption?
15. What is the relationship between GAPP principles 9 and 10?