Accounting Chapter 9 Homework Attempts Screen Individual Returns The Basis Surname Sex Race ETC Rather Than

Unlock access to all the studying documents.

View Full Document

Ch. 9: Information Systems Controls for System Reliability – Part 2: Confidentiality and Privacy

9-32

9.10 Certificate authorities are an important part of a public key infrastructure (PKI).

Research at least two certificate authorities and write a report that explains the

different types of digital certificates that they offer.

Solutions will vary depending upon the specific certificate authorities the student

investigates. Students will most likely choose Verisign, GoDaddy, Entrust, Equifax,

Deutsche Telekom, and Thawte.

DIFFERENT TYPES OF SSL CERTIFICATE

There are a number of different SSL Certificates on the market today.

1. The first type of SSL Certificate is a self-signed certificate. As the name implies, this

2. A Domain Validated Certificate is considered an entry-level SSL Certificate and can

3. A fully authenticated SSL Certificate is the first step to true online security and

confidence building. Taking slightly longer to issue, these certificates are only granted

4. Even though an SSL Certificate is capable of supporting 128-bit or 256-bit encryption,

certain older browsers and operating systems still cannot connect at this level of security.

SSL Certificates with a technology called Server-Gated Cryptography (SGC) enable 128-

5. A domain name is often used with a number of different host suffixes. For this reason,

you may employ a Wildcard Certificate that allows you to provide full SSL security to

Accounting Information

Systems

any host of your domain—for example: host.your_domain. com (where “host” varies but

the domain name stays constant).

6. Similar to a Wildcard Certificate, but a little more versatile, the SAN (Subject

7. Code Signing Certificates are specifically designed to ensure that the software you

have downloaded was not tampered with while en route. There are many cyber criminals

8. Extended Validation (EV) SSL Certificates offer the highest industry standard for

authentication and provide the best level of customer trust available. When consumers

Ch. 9: Information Systems Controls for System Reliability – Part 2: Confidentiality and Privacy

9-34

9.11 Obtain a copy of COBIT (available at www.isaca.org) and read the control

objectives that relate to encryption (DS5.8 and DS5.11). What are the essential

control procedures that organizations should implement when using encryption?

COBIT control objective DS5.8 addresses key management policies with respect to

encryption. This should include procedures concerning:

• Minimum key lengths

• Use of approved algorithms

• Procedures to authenticate recipients

COBIT control objective DS5.11 addresses the use of encryption during the transmission

of information. This should include procedures concerning:

• Procedures to ensure information is encrypted prior to transmission

Accounting Information

Systems

9-35

SUGGESTED SOLUTIONS TO THE CASES

Case 9-1 Protecting Privacy of Tax Returns

The department of taxation in your state is developing a new computer system for

processing individual and corporate income-tax returns. The new system features direct

data input and inquiry capabilities. Identification of taxpayers is provided by using the

The new system will serve three primary purposes:

1 Data will either be automatically input directly into the system if the taxpayer

files electronically or by a clerk at central headquarters scanning a paper return

received in the mail.

2 The returns will be processed using the main computer facilities at central

headquarters. Processing will include four steps:

a. Verifying mathematical accuracy

3 Inquiry services. A taxpayer will be allowed to determine the status of his or her

return or get information from the last three years’ returns by calling or visiting

one of the department’s regional offices, or by accessing the department’s web

site and entering their social security number.

The state commissioner of taxation and the state attorney general are concerned about

protecting the privacy of personal information submitted by taxpayers. They want to have

Required

Describe the potential privacy problems that could arise in each of the following three

areas of processing, and recommend the corrective action(s) to solve each problem

identified:

Ch. 9: Information Systems Controls for System Reliability – Part 2: Confidentiality and Privacy

9-36

a. Privacy problems which could arise in the processing of input data, and

recommended corrective actions, are as follows:

Problem

Controls

Unauthorized employee

accessing paper returns

submitted by mail.

Restrict physical access to room used to house

paper returns and scanning equipment by

• Using ID badges or biometric controls

• Logging all people who enter.

b. Privacy problems which could arise in the processing of returns, and recommended

corrective actions, are as follows:

Problem

Controls

Operator intervention

to input data or to

gain output from files.

Daily review of console log messages and/or run times.

Limit operator access to only that part of the

documentation needed for equipment operation.

Prohibit operators from writing programs and designing

the system.

Accounting Information

Systems

9-37

c. Privacy problems which could arise in the inquiry of data, and recommended

corrective actions, are as follows:

Problem

Controls

Unauthorized access

to taxpayer

information on web

site

Strong authentication of all people making inquiries via

the web site using something other than social security

numbers – preferably multi-factor, not just passwords.

Encryption of all tax return data while in storage

Encryption of all traffic to/from the web site

(CMA Examination, adapted)

Ch. 9: Information Systems Controls for System Reliability – Part 2: Confidentiality and Privacy

9-38

Case 9-2 Generally Accepted Privacy Principles

Obtain the practitioner’s version of Generally Accepted Privacy Principles from the

AICPA’s web site (www.aicpa.org). You will find it located under professional

resources and then information technology. Use it to answer the following questions:

1. What is the difference between confidentiality and privacy?

Privacy relates to information collected about identifiable individuals.

2. How many categories of personal information exist? Why?

Two: personal information and sensitive personal information. Examples are provided on

page 4 of the GAPP document (which is reproduced below and highlighted in yellow):

Personal Information

Accounting Information

Systems

3. In terms of the principle of choice and consent, what does GAPP recommend

concerning opt-in versus opt-out?

Sensitive personal information requires explicit consent (i.e., opt-in). Other personal

information can be collected through either explicit (opt-in) or implicit (opt-out) consent.

4. Can organizations outsource their responsibility for privacy?

5. What does principle 1 state concerning top management’s and the Board of

Directors’ responsibility for privacy?

6. What does principle 1 state concerning the use of customers’ personal information

when testing new applications?

It must be rendered anonymous (all personally identified information removed).

Ch. 9: Information Systems Controls for System Reliability – Part 2: Confidentiality and Privacy

9-40

7. Obtain a copy of your university’s privacy policy statement. Does it satisfy GAPP

criterion 2.2.3? Why?

Answers will vary. The key point is the rationale provided as to why the policy is (not)

clear and easy to understand.

8. What does GAPP principle 3 say about the use of cookies?

9. What are some examples of practices that violate management criterion 4.2.2?

• Surreptitious collection of data via secret cookies or web beacons

10. What does management criterion 5.2.2 state concerning retention of customers’

personal information? How can organizations satisfy this criterion?

Organizations need a retention policy and must regularly inventory the information they

store and delete it if no longer relevant.

11. What does management criterion 5.2.3 state concerning the disposal of personal

information? How can organizations satisfy this criterion?

12. What does management criterion 6.2.2 state concerning access? What controls

should organizations use to achieve this objective?

13. According to GAPP principle 7, what should organizations do if they wish to share

personal information they collect with a third party?

Accounting Information

Systems

Organizations should

• Disclose that they intend to share information with third parties (management

criterion 7.1.1)

14. What does GAPP principle 8 state concerning the use of encryption?

Personal information must be encrypted whenever transmitted (management criterion

8.2.5) or stored on portable media (management criterion 8.2.6).

15. What is the relationship between GAPP principles 9 and 10?