978-0134474021 Chapter 9 Solutions Manual Part 1

Unlock access to all the studying documents.

View Full Document

CHAPTER 9

CONFIDENTIALITY AND PRIVACY CONTROLS

SUGGESTED ANSWERS TO DISCUSSION QUESTIONS

9.1 From the viewpoint of the customer, what are the advantages and

disadvantages to the opt-in versus the opt-out approaches to collecting personal

information? From the viewpoint of the organization desiring to collect such

information?

For the consumer, opt-out represents many disadvantages because the consumer is

responsible for explicitly notifying every company that might be collecting the

For the organization collecting the data, opt-out is an advantage for the same reasons it is

a disadvantage to the consumer, the organization is free to collect all the information they

For the consumer, opt-in provides more control to protect privacy, because the consumer

9.2 What risks, if any, does offshore outsourcing of various information systems

functions pose to satisfying the principles of confidentiality and privacy?

Outsourcing is and will likely continue to be a topic of interest. One question that may

Data security and data protection are rated in the top ten risks of offshore outsourcing by

Since offshore companies are not required to comply with HIPAA, companies that

9.3 Upon your request (with proper verification of your identity) should organizations

9-1

Ch. 9: Confidentiality and Privacy Controls

be required to delete personal information about you that they possess?

This question addresses the issue of the “right to be forgotten”. Responses are likely to vary,

but you may want to make sure to cover the following points

oIf a company collects information about you in exchange for providing you a service,

oTo make the issue more relevant, consider using the example of a college student

oThe previous bullet point addressed probably the easiest issue – involving

oThe most debatable issue concerns personal information that someone else posts

9.4 What privacy concerns might arise from the use of biometric authentication

techniques? What about the embedding of RFID tags in products such as clothing?

What other technologies might create privacy concerns?

Many people may view biometric authentication as invasive. That is, in order to gain access

to a work related location or data, they must provide a very personal image of part of their

9-2

Accounting Information Systems

Social networking sites are another technology that creates privacy concerns. The personal

information that people post on social networking sites may facilitate identity theft.

9.5 What do you think an organization’s duty or responsibility should be to protect the

privacy of its customers’ personal information? Why?

Some students will argue that managers have an ethical duty to “do no harm” and, therefore,

should take reasonable steps to protect the personal information their company collects from

customers.

9.6 Assume you have interviewed for a job online and now receive an offer of employment.

The job requires you to move across the country. The company sends you a digital

signature along with the contract. How does this provide you with enough assurance to

trust the offer so that you are willing to make the move?

A digital signature provides the evidence needed for non-repudiation, which means you can

enforce the contract in court, if necessary. The reason is that the digital signature provides

9-3

Ch. 9: Confidentiality and Privacy Controls

SUGGESTED SOLUTIONS TO THE PROBLEMS

9.1 Match the terms with their definitions:

1. _d__ Virtual Private

Network (VPN)

a. A hash encrypted with the creator’s private key

across the Internet.

r. Software that limits what actions (read, copy, print, etc.) users

granted access to a file or document can perform.

9-4

Accounting Information Systems

9.2 Cost-effective controls to provide confidentiality require valuing the information that is

to be protected. This involves classifying information into discrete categories. Propose

a minimal classification scheme that could be used by any business, and provide

examples of the type of information that would fall into each of those categories.

There is no single correct solution for this problem. Student responses will vary depending

Highly Confidential

(Top Secret)

Confidential

(Internal) Public

Research Data Payroll Financial Statements

9.3 Download a hash calculator that can create hashes for both files and text input. Use it

to create SHA-256 (or any other hash algorithm your instructor assigns) hashes for the

following:

a. A document that contains this text: “Congratulations! You earned an A+”

b. A document that contains this text: “Congratulations! You earned an A-”

c. A document that contains this text: “Congratulations! You earned an a-”

d. A document that contains this text: “Congratulations! You earned an A+”

(this message contains two spaces between the exclamation point and the capital

letter Y).

e. Make a copy of the document used in step a, and calculate its hash value.

9-5

Ch. 9: Confidentiality and Privacy Controls

To use it, simply open the program and then point to the file that you wish to hash:

Part a: 866af63d78f6546b95e48919e9007309b1cd646da384035c5e6f4790b90cbf24

And here are the SHA-256 hash values of the same files created in NotePad:

Part a: 414b6e3799ccd6ff1fe7fb5c0b720b22995e8f28a0e0eedf00feaf54ed541490

9-6

Accounting Information Systems

Notice how any change, no matter how small results in a different hash value:

changing a “+” to a “-“ sign (compare hashes for parts a and part b)

changing from uppercase “A” to lowercase “a” (compare hashes for parts b

and c)

inserting a space (compare hashes for parts a and d)

This is the reason that hashes are so important – they provide a way to test the “integrity” of

a file. If two files are supposed to be identical, but they have different hash values, then one

of them has been changed.

The solution to part e depends upon whether you are using a simple text editor like NotePad

or a more powerful word processing program like Word. If you are using NotePad, then

simply opening the file for part a and saving it with the name part e generates an exact copy

of the original file, as evidenced by the identical hash values:

NotePad file for part a:

414b6e3799ccd6ff1fe7fb5c0b720b22995e8f28a0e0eedf00feaf54ed541490

NotePad file for part e:

414b6e3799ccd6ff1fe7fb5c0b720b22995e8f28a0e0eedf00feaf54ed541490

If you are using Word, then the “Save As” command will generate a document that has the

same text, but a different hash value because Word incorporates system data when saving

the file:

Word document for part a:

866af63d78f6546b95e48919e9007309b1cd646da384035c5e6f4790b90cbf24

Word document for part e:

03f77774bfab4cbb1b1660cb3cd7fc978818506e0ed17aca70daa146b54c06c1

But, if you right-click on the original document, select “Copy” and then paste it into the

same directory, you get a file that is marked as a copy: “Problem 9-3 part a –Copy.docx” –

which has the same SHA-256 value as the original:

866af63d78f6546b95e48919e9007309b1cd646da384035c5e6f4790b90cbf24

The point of this exercise is to show the power of using simple utilities like Notepad – you

can play with a document and restore it. In contrast, playing with a document using more

powerful programs like Word will leave tell-tale traces that the document was altered.

NOTE: simply opening a Word document to read it and then closing it or saving it (not Save

As) will not alter the hash value.

f. Hash any multiple-page text file on your computer.

No matter how large the file, the hash will be the same length as the hashes for parts a-e.

9-7

Ch. 9: Confidentiality and Privacy Controls

9.4 Accountants often need to print financial statements with the words

“CONFIDENTIAL” or “DRAFT” appearing in light type in the background.

a. Create a watermark with the word “CONFIDENTIAL” in a Word document.

Print out a document that displays that watermark.

In Word 2016, the Design tab contains an option to create a watermark.

When you click on the Watermark choice, a drop-down menu presents an array of built-in

options for using the word “Confidential” as a watermark.

9-8

Accounting Information Systems

b. Create the same watermark in Excel and print out a spreadsheet page that

displays that watermark.

Excel 2016 does not have a built-in watermark facility. However, if you search for

information about watermarks in Excel’s help function, you learn that you have multiple options:

c. Can you make your watermark “invisible” so that it can be used to detect

whether a document containing sensitive information has been copied to an

unauthorized location? How? How could you use that “invisible” watermark to

detect violation of copying policy?

If you make the text of the watermark white, then it will not display on the screen. To

make the watermark visible in Word, on the Page Layout menu select the “Page

Color” option and set the color to something dark to reveal the “invisible” white

9-9

Accounting Information Systems

watermark. In Excel, you would select all cells and then change the fill color to

something dark to reveal the “invisible” white watermark.

9-10

Ch. 9: Confidentiality and Privacy Controls

9.5 Create a spreadsheet to compare current monthly mortgage payments versus the new monthly payments if the loan

were refinanced, as shown (you will need to enter formulas into the two cells with solid borders like a box: D9 and D14)

a. Restrict access to the spreadsheet by encrypting it.

In Excel 2007, choose Prepare and then Encrypt Document.

Then select a password, and be sure to remember it:

9-11

Ch. 9: Confidentiality and Privacy Controls

9-12

Accounting Information Systems

Further protect the spreadsheet by limiting users to only being able to select and enter data in the six cells without borders.

To protect the two cells that contain the formula (shown below with red boxed borders):

a. Select the cells that users are allowed to change (cells D6:D8 and D11:D13)

b. Under the Format drop-down menu, select format cells

9-13