978-0134474021 Chapter 9 Solutions Manual Part 3

Unlock access to all the studying documents.

View Full Document

Ch. 9: Confidentiality and Privacy Controls

9.10 Certificate authorities are an important part of a public key infrastructure (PKI).

Research at least two certificate authorities and write a report that explains the

different types of digital certificates that they offer.

Solutions will vary depending upon the specific certificate authorities the student

DIFFERENT TYPES OF SSL CERTIFICATE

There are a number of different SSL Certificates on the market today.

1. The first type of SSL Certificate is a self-signed certificate. As the name implies, this

2. A Domain Validated (DV) SSL Certificate is considered an entry-level SSL

3. A fully authenticated SSL Certificate is the first step to true online security and

4. Code Signing Certificates are specifically designed to ensure that the software you

5. Extended Validation (EV) SSL Certificates offer the highest industry standard for

9-1

Accounting Information Systems

9.11 Explore the power of the :bcc feature to protect privacy.

a. Write a message and send it to yourself plus use the :cc feature to send it to a set of

people, including one of your other email accounts in the :cc list.

b. Repeat step a, but this time send the email only to yourself and then list everyone

in the :bcc field.

c. Use your other email account (the one you included in the :cc an :bcc fields) to

open the two email messages. Use all available options (e.g., view full header, etc.)

to see what you can learn about the recipient lists for both emails. What is the

power of the :bcc field?

9.12 Answer all of the following multiple-choice questions:

1. Websites often provide a link to the organization’s privacy policy. Doing so most

directly satisfies the requirements of the section of GAPP referred to as _____.

a. management

b. notice

c. quality

d. collection

2. Which of the following factors increase the strength of an encryption solution?

a. Securely storing encryption keys somewhere other than in the browser.

b. Keeping the encryption algorithm secret.

c. Using a 24-bit encryption key.

d. All three options increase the strength of an encryption solution.

e. None of the three factors increase the strength of an encryption solution.

9-2

Accounting Information Systems

3. Able wants to send an encrypted document to Baker as an email attachment. If Able

wants to securely send Baker the key to decrypt the document, Able should

a. Encrypt the key using Able’s public asymmetric key.

b. Encrypt the key using Able’s private asymmetric key.

c. Encrypt the key using Baker’s public asymmetric key.

d. Encrypt the key using Baker’s private asymmetric key.

4. Which type of VPN is more secure?

a. SSL.

b. IPSEC.

c. SSL and IPSEC VPNs are both secure.

d. Neither SSL nor IPSEC VPNs are secure.

5. GAPP stresses the importance of obtaining consent when collecting, using, and

sharing information about customers. If a company’s policy is to ask customers for

permission to collect sensitive personal information and then only asks questions

about sensitive matters (such as political beliefs or sexual orientation) after the

customer agrees to answer such questions, it is following the process referred to as

_____.

a. explicit consent (opt-out)

b. explicit consent (opt-in)

c. implicit consent (opt-out)

d. implicit consent (opt-in)

6. Which of the following statements is true?

a. A file encrypted with X’s private key can only be decrypted by using X’s

private key.

b. A file encrypted with X’s private key can only be decrypted using X’s public

key.

c. A file encrypted with X’s private key can only be decrypted by using Y’s

private key.

d. A file encrypted with X’s private key can only be decrypted using Y’s public

key.

9-3

Accounting Information Systems

7. To decrypt a digital signature _____.

a. the recipient uses the sender’s private key.

b. the recipient uses the sender’s public key.

c. the recipient uses the recipient’s private key.

d. the recipient uses the recipient’s public key.

8. Encryption is least effective in protecting the confidentiality of sensitive data when

_____.

a. it is at rest

b. it is being processed

c. it is being transmitted over the Internet

d. encryption is equally effective in protecting confidentiality at all stages of the

data processing cycle

9. Nonrepudiation of a digital contract is achieved by creating and using a _____.

a. digital signature

b. digital certificate

9-4

Accounting Information Systems

SUGGESTED SOLUTIONS TO THE CASES

Case 9-1 Protecting Privacy of Tax Returns

The department of taxation in your state is developing a new computer system for

processing individual and corporate income-tax returns. The new system features direct

data input and inquiry capabilities. Identification of taxpayers is provided by using the

Social Security number for individuals and federal tax identification number for

corporations. The new system should be fully implemented in time for the next tax season.

The new system will serve three primary purposes:

1Tax return data will either be automatically input directly into the system if the

taxpayer files electronically or by a clerk at central headquarters scanning a

paper return received in the mail.

2The returns will be processed using the main computer facilities at central

headquarters. Processing will include four steps:

a. Verifying mathematical accuracy

b. Auditing the reasonableness of deductions, tax due, and so on, through the

use of edit routines, which also include a comparison of current and prior

years’ data.

c. Identifying returns that should be considered for audit by department

revenue agents

d. Issuing refund checks to taxpayers

3Inquiry services. A taxpayer will be allowed to determine the status of his or her

return or get information from the last three years’ returns by calling or visiting

one of the department’s regional offices, or by accessing the department’s web

site and entering their social security number.

The state commissioner of taxation and the state attorney general are concerned about

protecting the privacy of personal information submitted by taxpayers. They want to have

potential problems identified before the system is fully developed and implemented so that

the proper controls can be incorporated into the new system.

Required

Describe the potential privacy problems that could arise in each of the following three

areas of processing, and recommend the corrective action(s) to solve each problem

identified:

a. Data input

b. Processing of returns

c. Data inquiry

[CMA examination, adapted]

9-5

Accounting Information Systems

a. Privacy problems that could arise in the processing of input data, and recommended

corrective actions, are as follows:

Problem Controls

b. Privacy problems that could arise in the processing of returns, and recommended

corrective actions, are as follows:

Problem Controls

tax liability.

9-6

Accounting Information Systems

c. Privacy problems that could arise in the inquiry of data, and recommended corrective

actions, are as follows:

Problem Controls

Unauthorized access

to taxpayer

information on web

site

Strong authentication of all people making inquiries via the

web site using something other than social security numbers

– preferably multi-factor, not just passwords.

disposal of old files

(CMA Examination, adapted)

9-7

Accounting Information Systems

Case 9-2 Generally Accepted Privacy Principles

Obtain a copy of Generally Accepted Privacy Principles from the AICPA’s web site

(www.aicpa.org). (You will find it by following this path: Under Interest Areas choose

Information Management and Technology Assurance then in the upper left portion of

that page in the box titled Resources select Security and Privacy and scroll down the list

until you find GAPP). Use the GAPP document to answer the following questions:

1. What is the difference between confidentiality and privacy?

Privacy relates to information collected about identifiable individuals.

2. How many categories of personal information exist? Why?

Two: personal information and sensitive personal information. Examples are provided on

page 4 of the GAPP document (which is reproduced below and highlighted in yellow):

Personal Information

Some personal information is considered sensitive. Some laws and regulations define the

following to be sensitive personal information:

• Information on medical or health conditions

9-8

Accounting Information Systems

Some information about or related to people cannot be associated with specific

individuals. Such information is referred to as nonpersonal information. This includes

statistical or summarized personal information for which the identity of the individual is

unknown or linkage to the individual has been removed. In such cases, the individual’s

The difference is that sensitive personal information can, if misused, cause significant

harm or embarrassment to the individual.

3. In terms of the principle of choice and consent, what does GAPP recommend concerning

opt-in versus opt-out?

4. Can organizations outsource their responsibility for privacy?

No. The section on “Outsourcing and Privacy” on page 3 specifically states that

5. What does principle 1 state concerning top management’s and the Board of Directors’

responsibility for privacy?

It is top management’s responsibility to assign privacy management to a specific

6. What does principle 1 state concerning the use of customers’ personal information when

testing new applications?

7. Obtain a copy of your university’s privacy policy statement. Does it satisfy GAPP criterion

2.2.3? Why?

9-9

Accounting Information Systems

8. What does GAPP principle 3 say about the use of cookies?

9. What are some examples of practices that violate management criterion 4.2.2?

Surreptitious collection of data via secret cookies or web beacons

10. What does management criterion 5.2.2 state concerning retention of customers’

personal information? How can organizations satisfy this criterion?

11. What does management criterion 5.2.3 state concerning the disposal of personal

information? How can organizations satisfy this criterion?

Organizations need to destroy media with sensitive information. Note that sometimes

12. What does management criterion 6.2.2 state concerning access? What controls

should organizations use to achieve this objective?

13. According to GAPP principle 7, what should organizations do if they wish to share

personal information they collect with a third party?

Organizations should

Disclose that they intend to share information with third parties (management

criterion 7.1.1)

9-10

Accounting Information Systems

14. What does GAPP principle 8 state concerning the use of encryption?

15. What is the relationship between GAPP principles 9 and 10?

Principle 9 stresses the importance of maintaining accurate records.

9-11