Accounting Chapter 9 Homework Attempts Screen Individual Returns The Basis Surname Sex Race ETC Rather Than

Type: Homework Help
Pages: 9
Words: 2632
Authors: Marshall B. Romney, Paul J. Steinbart

Ch. 9: Information Systems Controls for System Reliability Part 2: Confidentiality and Privacy
9-32
9.10 Certificate authorities are an important part of a public key infrastructure (PKI).
Research at least two certificate authorities and write a report that explains the
different types of digital certificates that they offer.
Solutions will vary depending upon the specific certificate authorities the student
investigates. Students will most likely choose Verisign, GoDaddy, Entrust, Equifax,
Deutsche Telekom, and Thawte.
DIFFERENT TYPES OF SSL CERTIFICATE
There are a number of different SSL Certificates on the market today.
1. The first type of SSL Certificate is a self-signed certificate. As the name implies, this
2. A Domain Validated Certificate is considered an entry-level SSL Certificate and can
3. A fully authenticated SSL Certificate is the first step to true online security and
confidence building. Taking slightly longer to issue, these certificates are only granted
4. Even though an SSL Certificate is capable of supporting 128-bit or 256-bit encryption,
certain older browsers and operating systems still cannot connect at this level of security.
SSL Certificates with a technology called Server-Gated Cryptography (SGC) enable 128-
5. A domain name is often used with a number of different host suffixes. For this reason,
you may employ a Wildcard Certificate that allows you to provide full SSL security to
Accounting Information
Systems
any host of your domain (for example, host.your_domain.com, where “host” varies but
the domain name stays constant).
6. Similar to a Wildcard Certificate, but a little more versatile, the SAN (Subject
7. Code Signing Certificates are specifically designed to ensure that the software you
have downloaded was not tampered with while en route. There are many cyber criminals
8. Extended Validation (EV) SSL Certificates offer the highest industry standard for
authentication and provide the best level of customer trust available. When consumers
9.11 Obtain a copy of COBIT (available at www.isaca.org) and read the control
objectives that relate to encryption (DS5.8 and DS5.11). What are the essential
control procedures that organizations should implement when using encryption?
COBIT control objective DS5.8 addresses key management policies with respect to
encryption. This should include procedures concerning:
Minimum key lengths
Use of approved algorithms
Procedures to authenticate recipients
COBIT control objective DS5.11 addresses the use of encryption during the transmission
of information. This should include procedures concerning:
Procedures to ensure information is encrypted prior to transmission
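As an added worked example (not from the textbook or the solutions manual), the following Go program shows how the certificate distinctions listed under 9.10 and the DS5.8 key-management items under 9.11 can be checked mechanically. It builds a constructed self-signed test certificate, classifies it (self-signed, wildcard, number of subject alternative names) and then checks it against a policy that states a minimum key length and an approved signature-algorithm list. The policy values, domain names and function names are assumptions made for the example; the 2048-bit RSA minimum is a common current baseline, not a figure taken from COBIT.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// KeyPolicy is a constructed stand-in for the DS5.8 policy: minimum key length plus an approved-algorithm list.
type KeyPolicy struct {
	MinRSABits      int
	ApprovedSigAlgs map[x509.SignatureAlgorithm]bool
}

// DefaultPolicy uses illustrative values chosen for this example, not figures taken from COBIT.
var DefaultPolicy = KeyPolicy{
	MinRSABits: 2048,
	ApprovedSigAlgs: map[x509.SignatureAlgorithm]bool{
		x509.SHA256WithRSA: true, x509.SHA384WithRSA: true, x509.SHA512WithRSA: true,
		x509.ECDSAWithSHA256: true, x509.ECDSAWithSHA384: true,
	},
}

// IsSelfSigned: issuer equals subject and the signature verifies under the certificate's own key,
// so no certificate authority vouches for it (type 1 on the list above).
func IsSelfSigned(c *x509.Certificate) bool {
	return bytes.Equal(c.RawIssuer, c.RawSubject) && c.CheckSignatureFrom(c) == nil
}

// IsWildcard: some subject alternative name covers every host of a domain (type 5).
func IsWildcard(c *x509.Certificate) bool {
	for _, n := range c.DNSNames {
		if strings.HasPrefix(n, "*.") {
			return true
		}
	}
	return false
}

// SANCount: number of distinct DNS names the certificate is valid for (type 6).
func SANCount(c *x509.Certificate) int { return len(c.DNSNames) }

// CheckKeyPolicy returns the policy violations for a certificate; an empty result means it complies.
func CheckKeyPolicy(c *x509.Certificate, p KeyPolicy) []string {
	var v []string
	if pub, ok := c.PublicKey.(*rsa.PublicKey); !ok {
		v = append(v, fmt.Sprintf("key type %T is not covered by the policy", c.PublicKey))
	} else if bits := pub.N.BitLen(); bits < p.MinRSABits {
		v = append(v, fmt.Sprintf("RSA key is %d bits, policy minimum is %d", bits, p.MinRSABits))
	}
	if !p.ApprovedSigAlgs[c.SignatureAlgorithm] {
		v = append(v, fmt.Sprintf("signature algorithm %s is not approved", c.SignatureAlgorithm))
	}
	return v
}

// NewSelfSignedTestCert builds a constructed self-signed certificate so the checks run offline;
// rsaBits lets a caller deliberately produce a key that is too short for the policy.
func NewSelfSignedTestCert(rsaBits int, dnsNames []string) (*x509.Certificate, error) {
	key, err := rsa.GenerateKey(rand.Reader, rsaBits)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: dnsNames[0]},
		DNSNames:              dnsNames,
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	cert, err := NewSelfSignedTestCert(2048, []string{"*.example.com", "example.com", "www.example.net"})
	if err != nil {
		panic(err)
	}
	fmt.Println("self-signed:", IsSelfSigned(cert), "wildcard:", IsWildcard(cert), "SANs:", SANCount(cert))
	fmt.Println("violations:", CheckKeyPolicy(cert, DefaultPolicy))
}
```

For a real certificate the same functions would be applied to the result of x509.ParseCertificate on DER read from disk, or to the peer certificates of a TLS connection. Two caveats: the validation level a CA performed (domain validated, fully authenticated, extended validation) is not visible in the fields used here; the issuing CA records it in the certificate policies extension, which this example does not decode. And a certificate that passes the key-length and algorithm checks can still be unfit for use if its chain does not lead to a trusted root, which is what a full Verify call, not this policy check, establishes.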
SUGGESTED SOLUTIONS TO THE CASES
Case 9-1 Protecting Privacy of Tax Returns
The department of taxation in your state is developing a new computer system for
processing individual and corporate income-tax returns. The new system features direct
data input and inquiry capabilities. Identification of taxpayers is provided by using the
The new system will serve three primary purposes:
1. Data will be input either automatically, if the taxpayer files electronically,
or by a clerk at central headquarters scanning a paper return received in the
mail.
2. The returns will be processed using the main computer facilities at central
headquarters. Processing will include four steps:
a. Verifying mathematical accuracy
3. Inquiry services. A taxpayer will be allowed to determine the status of his or her
return or get information from the last three years’ returns by calling or visiting
one of the department’s regional offices, or by accessing the department’s web
site and entering their social security number.
The state commissioner of taxation and the state attorney general are concerned about
protecting the privacy of personal information submitted by taxpayers. They want to have
Required
Describe the potential privacy problems that could arise in each of the following three
areas of processing, and recommend the corrective action(s) to solve each problem
identified:
a. Privacy problems which could arise in the processing of input data, and
recommended corrective actions, are as follows:
Problem: Unauthorized employee accessing paper returns submitted by mail.
Controls: Restrict physical access to the room used to house paper returns and
scanning equipment by using ID badges or biometric controls and by logging all
people who enter.
b. Privacy problems which could arise in the processing of returns, and recommended
corrective actions, are as follows:
Problem: Operator intervention to input data or to gain output from files.
Controls: Limit operator access to only that part of the documentation needed for
equipment operation. Prohibit operators from writing programs and designing the
system.
c. Privacy problems which could arise in the inquiry of data, and recommended
corrective actions, are as follows:
Problem: Unauthorized access to taxpayer information on the web site.
Controls: Strong authentication of all people making inquiries via the web site,
using something other than social security numbers and preferably multi-factor,
not just passwords. Encryption of all tax return data while in storage.
Encryption of all traffic to/from the web site.
(CMA Examination, adapted)
Case 9-2 Generally Accepted Privacy Principles
Obtain the practitioner’s version of Generally Accepted Privacy Principles from the
AICPA’s web site (www.aicpa.org). You will find it located under professional
resources and then information technology. Use it to answer the following questions:
1. What is the difference between confidentiality and privacy?
Privacy relates to information collected about identifiable individuals.
2. How many categories of personal information exist? Why?
Two: personal information and sensitive personal information. Examples are provided on
page 4 of the GAPP document (which is reproduced below and highlighted in yellow):
Personal Information
3. In terms of the principle of choice and consent, what does GAPP recommend
concerning opt-in versus opt-out?
Sensitive personal information requires explicit consent (i.e., opt-in). Other personal
information can be collected through either explicit (opt-in) or implicit (opt-out) consent.
4. Can organizations outsource their responsibility for privacy?
5. What does principle 1 state concerning top management’s and the Board of
Directors’ responsibility for privacy?
6. What does principle 1 state concerning the use of customers’ personal information
when testing new applications?
It must be rendered anonymous (all personally identifiable information removed).
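As an added example, not part of the GAPP document or the solutions manual, the following Go program shows one way to render a tax-return test set anonymous as the answer to question 6 requires: direct identifiers are redacted, the social security number is replaced by a keyed HMAC-SHA256 token so that records belonging to the same taxpayer still link up across years, and a final check refuses the export if anything shaped like a social security number survives. The record layout, field names, key and sample values are all constructed for the illustration.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"regexp"
)

// TaxReturn is a constructed record shape for this example, not the department's real schema.
type TaxReturn struct {
	Year    int
	SSN     string
	Name    string
	Address string
	TaxOwed int
}

// ssnPattern matches the 123-45-6789 layout; it is used only as a final export check.
var ssnPattern = regexp.MustCompile(`\b\d{3}-\d{2}-\d{4}\b`)

// Pseudonymize strips direct identifiers from one return. The SSN is replaced by a
// keyed HMAC-SHA256 token: the same SSN always yields the same token, so tests that
// join a taxpayer's returns across years still work, but nobody holding the test
// data can recover the SSN without the secret key, which stays on the production
// side that runs this step.
func Pseudonymize(r TaxReturn, key []byte) TaxReturn {
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(r.SSN))
	token := hex.EncodeToString(mac.Sum(nil))[:16] // 64-bit token; collisions are negligible for a test set
	return TaxReturn{
		Year:    r.Year,
		SSN:     "TEST-" + token,
		Name:    "REDACTED",
		Address: "REDACTED",
		TaxOwed: r.TaxOwed, // financial figures kept so calculations can still be tested
	}
}

// AnonymizeAll applies Pseudonymize to every record with one key.
func AnonymizeAll(rs []TaxReturn, key []byte) []TaxReturn {
	out := make([]TaxReturn, 0, len(rs))
	for _, r := range rs {
		out = append(out, Pseudonymize(r, key))
	}
	return out
}

// ContainsSSN is the gate a test-data export should fail: true if any text field of
// any record still carries something shaped like a social security number.
func ContainsSSN(rs []TaxReturn) bool {
	for _, r := range rs {
		if ssnPattern.MatchString(r.SSN + " " + r.Name + " " + r.Address) {
			return true
		}
	}
	return false
}

// SampleReturns is constructed data; the SSNs, names and addresses are not real.
func SampleReturns() []TaxReturn {
	return []TaxReturn{
		{2022, "123-45-6789", "Pat Taxpayer", "1 Main St", 4200},
		{2023, "123-45-6789", "Pat Taxpayer", "1 Main St", 4350},
		{2023, "987-65-4321", "Sam Filer", "9 Elm Rd", 1200},
	}
}

func main() {
	key := []byte("constructed-secret-key-do-not-reuse") // would come from a key-management service in practice
	anon := AnonymizeAll(SampleReturns(), key)
	for _, r := range anon {
		fmt.Printf("%+v\n", r)
	}
	fmt.Println("original set contains SSNs:", ContainsSSN(SampleReturns()))
	fmt.Println("anonymized set contains SSNs:", ContainsSSN(anon))
}
```

Two design points are worth noting. The token is deterministic on purpose, which is what makes cross-year joins possible, but it also means the key must never reach the test environment: with the key, the token of any candidate SSN can be recomputed and matched. And the pattern check at the end is a last-line gate, not a substitute for deciding field by field what is identifying; here the address is dropped because, combined with a tax figure, it could single out a household.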
7. Obtain a copy of your university’s privacy policy statement. Does it satisfy GAPP
criterion 2.2.3? Why?
Answers will vary. The key point is the rationale provided as to why the policy is (not)
clear and easy to understand.
8. What does GAPP principle 3 say about the use of cookies?
9. What are some examples of practices that violate management criterion 4.2.2?
Surreptitious collection of data via secret cookies or web beacons
10. What does management criterion 5.2.2 state concerning retention of customers’
personal information? How can organizations satisfy this criterion?
Organizations need a retention policy and must regularly inventory the information they
store and delete it if no longer relevant.
11. What does management criterion 5.2.3 state concerning the disposal of personal
information? How can organizations satisfy this criterion?
12. What does management criterion 6.2.2 state concerning access? What controls
should organizations use to achieve this objective?
13. According to GAPP principle 7, what should organizations do if they wish to share
personal information they collect with a third party?
Organizations should
Disclose that they intend to share information with third parties (management
criterion 7.1.1)
14. What does GAPP principle 8 state concerning the use of encryption?
Personal information must be encrypted whenever transmitted (management criterion
8.2.5) or stored on portable media (management criterion 8.2.6).
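As an added example serving both the Case 9-1 control “encryption of all tax return data while in storage” and management criteria 8.2.5 and 8.2.6, the following Go program (not code from the textbook, the solutions manual or GAPP) encrypts a serialized personal-information record with AES-256-GCM before it is stored or copied to portable media, binds the record identifier as associated data, and shows that a modified ciphertext or a mismatched identifier fails to decrypt. Key handling is simplified: the key is generated in memory, whereas in practice it would come from a key-management service and be wrapped itself. The record format and identifier scheme are constructed for the illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// NewDataKey returns a fresh random 256-bit AES key. In practice the key comes from a
// key-management service and is itself wrapped; a random in-memory key is generated
// here only so the example runs offline.
func NewDataKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// SealRecord encrypts one serialized personal-information record with AES-256-GCM.
// The record identifier is bound as associated data, so a ciphertext copied from one
// record into another row (or another file on portable media) fails to decrypt.
// Layout of the result: nonce || ciphertext || authentication tag.
func SealRecord(key []byte, recordID string, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, []byte(recordID)), nil
}

// OpenRecord reverses SealRecord. Any change to the ciphertext, the tag, the nonce or
// the record identifier makes gcm.Open return an error: that is the integrity check
// GCM adds on top of confidentiality.
func OpenRecord(key []byte, recordID string, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed record too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, []byte(recordID))
}

func main() {
	key, err := NewDataKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample record; the SSN is not real.
	record := []byte("year=2023;ssn=123-45-6789;name=Pat Taxpayer;tax_owed=4350")
	sealed, err := SealRecord(key, "return-2023-0001", record)
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored form is %d bytes of nonce, ciphertext and tag: %x...\n", len(sealed), sealed[:8])
	back, err := OpenRecord(key, "return-2023-0001", sealed)
	fmt.Println("decrypts under the right record id:", err == nil && string(back) == string(record))
	_, err = OpenRecord(key, "return-2023-0002", sealed)
	fmt.Println("fails under a different record id:", err != nil)
}
```

This record-level encryption covers data at rest and on portable media (8.2.6). For data in transit (8.2.5 and the “traffic to/from the web site” control in Case 9-1) the standard control is TLS on the connection; encrypting the record as well means a copy that leaks from a backup, a log or a USB drive is still unreadable without the key, so the two controls complement rather than replace each other.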
15. What is the relationship between GAPP principles 9 and 10?


Copyright ©2022 All rights reserved. | CoursePaper is not sponsored or endorsed by any college or university.