978-0134474021 Chapter 9 Solutions Manual Part 3

Authors: Marshall B. Romney, Paul J. Steinbart

Ch. 9: Confidentiality and Privacy Controls
9.10 Certificate authorities are an important part of a public key infrastructure (PKI).
Research at least two certificate authorities and write a report that explains the
different types of digital certificates that they offer.
Solutions will vary depending upon the specific certificate authorities the student
DIFFERENT TYPES OF SSL CERTIFICATE
There are a number of different SSL Certificates on the market today.
1. The first type of SSL Certificate is a self-signed certificate. As the name implies, this
2. A Domain Validated (DV) SSL Certificate is considered an entry-level SSL
3. A fully authenticated SSL Certificate is the first step to true online security and
4. Code Signing Certificates are specifically designed to ensure that the software you
5. Extended Validation (EV) SSL Certificates offer the highest industry standard for
9-1
©2018 Pearson Education, Inc.
Accounting Information Systems
9.11 Explore the power of the :bcc feature to protect privacy.
a. Write a message and send it to yourself plus use the :cc feature to send it to a set of
people, including one of your other email accounts in the :cc list.
b. Repeat step a, but this time send the email only to yourself and then list everyone
in the :bcc field.
c. Use your other email account (the one you included in the :cc and :bcc fields) to
open the two email messages. Use all available options (e.g., view full header, etc.)
to see what you can learn about the recipient lists for both emails. What is the
power of the :bcc field?
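The mechanism behind part c, as an added example that is not part of the textbook exercise: the addresses and message bodies are constructed, and the `submit` function mimics what a mail submission agent (and Python's own `smtplib.send_message()`) does, which is to take the envelope recipients from To, Cc and Bcc and then strip the Bcc header before anything is delivered. The inspection step reads the delivered copy the way a recipient choosing "view full header" would.

```python
"""Why Bcc hides recipients: header recipients versus envelope recipients.

Added example, not from the textbook. Two constructed messages are built,
then "submitted" by a function that does what a mail submission agent does
(and what smtplib.send_message() does): collect the envelope recipients from
To/Cc/Bcc, then strip the Bcc header before the copy is delivered. The
inspection step then reads the delivered copy the way a recipient choosing
'view full header' would. All addresses and the body are constructed.
"""
import copy
from email import message_from_string
from email.message import EmailMessage
from email.policy import default
from email.utils import getaddresses

ME = "me@example.com"
OTHER = "other@example.com"                           # my second account
GROUP = ["alice@example.com", "bob@example.com", OTHER]


def build_message(cc=(), bcc=()) -> EmailMessage:
    """Message to myself, with the group on Cc (part a) or on Bcc (part b)."""
    msg = EmailMessage()
    msg["From"] = ME
    msg["To"] = ME
    msg["Subject"] = "bcc experiment"
    if cc:
        msg["Cc"] = ", ".join(cc)
    if bcc:
        msg["Bcc"] = ", ".join(bcc)
    msg.set_content("constructed test body")
    return msg


def submit(msg: EmailMessage):
    """Return (envelope recipients, delivered text) as a submission agent would."""
    fields = [str(v) for name in ("To", "Cc", "Bcc") for v in msg.get_all(name, [])]
    envelope = [addr for _, addr in getaddresses(fields)]
    delivered = copy.copy(msg)
    del delivered["Bcc"]            # Bcc only ever lives in the envelope
    return envelope, delivered.as_string()


def visible_recipients(delivered: str) -> dict:
    """What any recipient can learn from the headers of the delivered copy."""
    msg = message_from_string(delivered, policy=default)
    return {name: [addr for _, addr in
                   getaddresses([str(v) for v in msg.get_all(name, [])])]
            for name in ("To", "Cc", "Bcc")}


def experiment() -> dict:
    cc_envelope, cc_copy = submit(build_message(cc=GROUP))
    bcc_envelope, bcc_copy = submit(build_message(bcc=GROUP))
    return {
        "cc_envelope": cc_envelope,      # who actually received the Cc message
        "bcc_envelope": bcc_envelope,    # identical: Bcc does not change delivery
        "cc_visible": visible_recipients(cc_copy),     # Cc list exposed to everyone
        "bcc_visible": visible_recipients(bcc_copy),   # group invisible to everyone
    }


if __name__ == "__main__":
    for key, value in experiment().items():
        print(key, value)
```

Both messages reach exactly the same four mailboxes; the difference is only in what the delivered headers reveal, which is why the Bcc field protects the privacy of a recipient list while Cc publishes it.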
9.12 Answer all of the following multiple-choice questions:
1. Websites often provide a link to the organization’s privacy policy. Doing so most
directly satisfies the requirements of the section of GAPP referred to as _____.
a. management
b. notice
c. quality
d. collection
2. Which of the following factors increase the strength of an encryption solution?
a. Securely storing encryption keys somewhere other than in the browser.
b. Keeping the encryption algorithm secret.
c. Using a 24-bit encryption key.
d. All three options increase the strength of an encryption solution.
e. None of the three factors increase the strength of an encryption solution.
3. Able wants to send an encrypted document to Baker as an email attachment. If Able
wants to securely send Baker the key to decrypt the document, Able should
a. Encrypt the key using Able's public asymmetric key.
b. Encrypt the key using Able's private asymmetric key.
c. Encrypt the key using Baker's public asymmetric key.
d. Encrypt the key using Baker's private asymmetric key.
4. Which type of VPN is more secure?
a. SSL.
b. IPSEC.
c. SSL and IPSEC VPNs are both secure.
d. Neither SSL nor IPSEC VPNs are secure.
5. GAPP stresses the importance of obtaining consent when collecting, using, and
sharing information about customers. If a company’s policy is to ask customers for
permission to collect sensitive personal information and then only asks questions
about sensitive matters (such as political beliefs or sexual orientation) after the
customer agrees to answer such questions, it is following the process referred to as
_____.
a. explicit consent (opt-out)
b. explicit consent (opt-in)
c. implicit consent (opt-out)
d. implicit consent (opt-in)
6. Which of the following statements is true?
a. A file encrypted with X's private key can only be decrypted by using X's
private key.
b. A file encrypted with X's private key can only be decrypted using X's public
key.
c. A file encrypted with X's private key can only be decrypted by using Y's
private key.
d. A file encrypted with X's private key can only be decrypted using Y's public
key.
7. To decrypt a digital signature _____.
a. the recipient uses the sender's private key.
b. the recipient uses the sender's public key.
c. the recipient uses the recipient's private key.
d. the recipient uses the recipient's public key.
8. Encryption is least effective in protecting the confidentiality of sensitive data when
_____.
a. it is at rest
b. it is being processed
c. it is being transmitted over the Internet
d. encryption is equally effective in protecting confidentiality at all stages of the
data processing cycle
9. Nonrepudiation of a digital contract is achieved by creating and using a _____.
a. digital signature
b. digital certificate
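Exercise 9.10 and questions 3, 6, 7 and 9 above all turn on which key each party uses. The following is an added example, not from the textbook: a toy RSA built on fixed Mersenne primes with no padding and a digest truncated to 128 bits (so every value is below every modulus and the run is deterministic). It illustrates the key roles only and is not a usable cryptosystem. The party names "able", "baker" and "ca", the session key and the contract text are constructed.

```python
"""Who uses which key: toy RSA key transport, signatures and certificates.

Added example, not from the textbook. Textbook RSA with fixed Mersenne
primes, no padding and a digest truncated to 128 bits, chosen so the numbers
fit below every modulus and the run is deterministic; it shows the key roles
and is not a usable cryptosystem. All names and data are constructed.
"""
import hashlib
import json

E = 65537  # public exponent; coprime with every phi below (checked by construction)

# Distinct Mersenne primes per party so no two key pairs share a factor.
PRIMES = {
    "ca":    ((1 << 521) - 1, (1 << 607) - 1),
    "able":  ((1 << 89) - 1,  (1 << 61) - 1),
    "baker": ((1 << 127) - 1, (1 << 107) - 1),
}


def keygen(p, q):
    """Return (public, private) exponent/modulus pairs for primes p and q."""
    n, phi = p * q, (p - 1) * (q - 1)
    return {"n": n, "e": E}, {"n": n, "d": pow(E, -1, phi)}


def digest(data: bytes) -> int:
    """SHA-256 truncated to 128 bits so it is smaller than every toy modulus."""
    return int.from_bytes(hashlib.sha256(data).digest()[:16], "big")


def sign(private, data: bytes) -> int:
    """The signer's PRIVATE key creates the signature; only its holder can."""
    return pow(digest(data), private["d"], private["n"])


def verify(public, data: bytes, signature: int) -> bool:
    """Anyone holding the signer's PUBLIC key can check it; a wrong key or an
    altered document makes the recovered digest differ."""
    return pow(signature, public["e"], public["n"]) == digest(data)


def wrap_key(recipient_public, session_key: int) -> int:
    """Symmetric key sealed with the RECIPIENT's public key."""
    return pow(session_key, recipient_public["e"], recipient_public["n"])


def unwrap_key(recipient_private, wrapped: int) -> int:
    """Only the recipient's private key recovers it."""
    return pow(wrapped, recipient_private["d"], recipient_private["n"])


def issue_certificate(issuer, issuer_private, subject, subject_public):
    """A certificate is the subject's public key signed by the issuer."""
    body = {"subject": subject, "issuer": issuer,
            "n": subject_public["n"], "e": subject_public["e"]}
    encoded = json.dumps(body, sort_keys=True).encode()
    return {"body": body, "signature": sign(issuer_private, encoded)}


def verify_certificate(cert, trusted_roots) -> bool:
    """Accept only if the issuer is a trust anchor and its signature checks.
    A self-signed certificate names itself as issuer, so it passes only when
    the verifier has deliberately installed it as a root."""
    issuer_public = trusted_roots.get(cert["body"]["issuer"])
    if issuer_public is None:
        return False
    encoded = json.dumps(cert["body"], sort_keys=True).encode()
    return verify(issuer_public, encoded, cert["signature"])


def demo():
    keys = {name: keygen(p, q) for name, (p, q) in PRIMES.items()}
    ca_pub, ca_priv = keys["ca"]
    able_pub, able_priv = keys["able"]
    baker_pub, baker_priv = keys["baker"]
    trusted = {"ca": ca_pub}                       # Able's trust store

    baker_cert = issue_certificate("ca", ca_priv, "baker", baker_pub)
    baker_self_signed = issue_certificate("baker", baker_priv, "baker", baker_pub)

    # Able seals a constructed 128-bit session key for Baker and signs a contract.
    session_key = digest(b"constructed session key seed")
    wrapped = wrap_key(baker_pub, session_key)
    contract = b"constructed contract text"
    signature = sign(able_priv, contract)

    return {
        "ca_issued_cert_accepted": verify_certificate(baker_cert, trusted),
        "self_signed_cert_accepted": verify_certificate(baker_self_signed, trusted),
        "self_signed_accepted_if_pinned": verify_certificate(baker_self_signed, {"baker": baker_pub}),
        "baker_recovers_key": unwrap_key(baker_priv, wrapped) == session_key,
        "able_recovers_key": unwrap_key(able_priv, wrapped) == session_key,
        "verifies_with_able_public": verify(able_pub, contract, signature),
        "verifies_with_baker_public": verify(baker_pub, contract, signature),
        "verifies_after_tampering": verify(able_pub, contract + b"!", signature),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

Reading the results: the session key sealed under Baker's public key opens only with Baker's private key; a signature made with Able's private key checks only with Able's public key and fails on any change to the contract, which is what lets Able not repudiate it; and a certificate is accepted only when its issuer is already trusted, so a self-signed certificate proves nothing until the relying party pins it.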
SUGGESTED SOLUTIONS TO THE CASES
Case 9-1 Protecting Privacy of Tax Returns
The department of taxation in your state is developing a new computer system for
processing individual and corporate income-tax returns. The new system features direct
data input and inquiry capabilities. Identification of taxpayers is provided by using the
Social Security number for individuals and federal tax identification number for
corporations. The new system should be fully implemented in time for the next tax season.
The new system will serve three primary purposes:
1. Tax return data will either be automatically input directly into the system if the
taxpayer files electronically or by a clerk at central headquarters scanning a
paper return received in the mail.
2. The returns will be processed using the main computer facilities at central
headquarters. Processing will include four steps:
a. Verifying mathematical accuracy
b. Auditing the reasonableness of deductions, tax due, and so on, through the
use of edit routines, which also include a comparison of current and prior
years’ data.
c. Identifying returns that should be considered for audit by department
revenue agents
d. Issuing refund checks to taxpayers
3. Inquiry services. A taxpayer will be allowed to determine the status of his or her
return or get information from the last three years’ returns by calling or visiting
one of the department’s regional offices, or by accessing the department’s web
site and entering their social security number.
The state commissioner of taxation and the state attorney general are concerned about
protecting the privacy of personal information submitted by taxpayers. They want to have
potential problems identified before the system is fully developed and implemented so that
the proper controls can be incorporated into the new system.
Required
Describe the potential privacy problems that could arise in each of the following three
areas of processing, and recommend the corrective action(s) to solve each problem
identified:
a. Data input
b. Processing of returns
c. Data inquiry
[CMA examination, adapted]
a. Privacy problems that could arise in the processing of input data, and recommended
corrective actions, are as follows:
Problem Controls
b. Privacy problems that could arise in the processing of returns, and recommended
corrective actions, are as follows:
Problem Controls
tax liability.
c. Privacy problems that could arise in the inquiry of data, and recommended corrective
actions, are as follows:
Problem Controls
Problem: Unauthorized access to taxpayer information on web site.
Controls: Strong authentication of all people making inquiries via the web site using
something other than social security numbers – preferably multi-factor, not just
passwords.
disposal of old files
(CMA Examination, adapted)
Case 9-2 Generally Accepted Privacy Principles
Obtain a copy of Generally Accepted Privacy Principles from the AICPA’s web site
(www.aicpa.org). (You will find it by following this path: Under Interest Areas choose
Information Management and Technology Assurance then in the upper left portion of
that page in the box titled Resources select Security and Privacy and scroll down the list
until you find GAPP). Use the GAPP document to answer the following questions:
1. What is the difference between confidentiality and privacy?
Privacy relates to information collected about identifiable individuals.
2. How many categories of personal information exist? Why?
Two: personal information and sensitive personal information. Examples are provided on
page 4 of the GAPP document (which is reproduced below and highlighted in yellow):
Personal Information
Some personal information is considered sensitive. Some laws and regulations define the
following to be sensitive personal information:
• Information on medical or health conditions
Some information about or related to people cannot be associated with specific
individuals. Such information is referred to as nonpersonal information. This includes
statistical or summarized personal information for which the identity of the individual is
unknown or linkage to the individual has been removed. In such cases, the individual’s
The difference is that sensitive personal information can, if misused, cause significant
harm or embarrassment to the individual.
3. In terms of the principle of choice and consent, what does GAPP recommend concerning
opt-in versus opt-out?
4. Can organizations outsource their responsibility for privacy?
No. The section on “Outsourcing and Privacy” on page 3 specifically states that
5. What does principle 1 state concerning top management’s and the Board of Directors’
responsibility for privacy?
It is top management’s responsibility to assign privacy management to a specific
6. What does principle 1 state concerning the use of customers’ personal information when
testing new applications?
7. Obtain a copy of your university’s privacy policy statement. Does it satisfy GAPP criterion
2.2.3? Why?
8. What does GAPP principle 3 say about the use of cookies?
9. What are some examples of practices that violate management criterion 4.2.2?
Surreptitious collection of data via secret cookies or web beacons
10. What does management criterion 5.2.2 state concerning retention of customers’
personal information? How can organizations satisfy this criterion?
11. What does management criterion 5.2.3 state concerning the disposal of personal
information? How can organizations satisfy this criterion?
Organizations need to destroy media with sensitive information. Note that sometimes
12. What does management criterion 6.2.2 state concerning access? What controls
should organizations use to achieve this objective?
13. According to GAPP principle 7, what should organizations do if they wish to share
personal information they collect with a third party?
Organizations should
Disclose that they intend to share information with third parties (management
criterion 7.1.1)
14. What does GAPP principle 8 state concerning the use of encryption?
15. What is the relationship between GAPP principles 9 and 10?
Principle 9 stresses the importance of maintaining accurate records.