Accounting Chapter 9 Homework Confidentiality And Privacy 92 Cost effective Controls Provide Confidentiality Require Valuing The Information

Type: Homework Help
Pages: 14
Words: 3300
Authors: Marshall B. Romney, Paul J. Steinbart

Accounting Information Systems
CHAPTER 9
INFORMATION SYSTEMS CONTROLS FOR SYSTEMS RELIABILITY
PART 2: CONFIDENTIALITY AND PRIVACY
SUGGESTED ANSWERS TO DISCUSSION QUESTIONS
9.1 From the viewpoint of the customer, what are the advantages and disadvantages to
the opt-in versus the opt-out approaches to collecting personal information? From
the viewpoint of the organization desiring to collect such information?
For the consumer, opt-out represents many disadvantages because the consumer is
responsible for explicitly notifying every company that might be collecting the
9.2 What risks, if any, does offshore outsourcing of various information systems
functions pose to satisfying the principles of confidentiality and privacy?
Outsourcing is and will likely continue to be a topic of interest. One question that may
facilitate discussion is to ask the students whether, once a company sends some operations
offshore, the outsourcing company still has legal control over its data or whether the
laws of the offshore company dictate ownership. Should the outsourcing company be
liable in this country for data that was lost or compromised by an offshore outsourcing
partner?
9.3 Should organizations permit personal use of e-mail systems by employees during
working hours?
Since most students will encounter this question as an employee and as a future manager,
the concept of personal email use during business hours should generate significant
discussion.
9.4 What privacy concerns might arise from the use of biometric authentication
techniques? What about the embedding of RFID tags in products such as clothing?
What other technologies might create privacy concerns?
Many people may view biometric authentication as invasive. That is, in order to gain
access to a work-related location or data, they must provide a very personal image of part
of their body such as their retina, finger or palm print, their voice, etc. Providing such
personal information may make some individuals fearful that the organization collecting
9.5 What do you think an organization’s duty or responsibility should be to protect the
privacy of its customers’ personal information? Why?
Some students will argue that managers have an ethical duty to “do no harm” and,
therefore, should take reasonable steps to protect the personal information their company
collects from customers.
9.6 Assume you have interviewed for a job online and now receive an offer of
employment. The job requires you to move across the country. The company sends
you a digital signature along with the contract. How does this provide you with
enough assurance to trust the offer so that you are willing to make the move?
A digital signature provides the evidence needed for non-repudiation, which means you
can enforce the contract in court, if necessary. The reason is that the digital signature
SUGGESTED SOLUTIONS TO THE PROBLEMS
9.1 Match the terms with their definitions:
1. _d__ Virtual Private
6. _p__ Symmetric encryption
7. __h_ Spam
8. __i_ Plaintext
16. _n_ Key escrow

a. A hash encrypted with the creator’s private key
f. Unauthorized use of facts about another person to commit fraud or other crimes.
g. The process of turning ciphertext into plaintext.
h. Unwanted e-mail.
p. An encryption process that uses the same key to both encrypt and decrypt.
q. The inability to unilaterally deny having created a document or file or having agreed to perform a transaction.
r. Software that limits what actions (read, copy, print, etc.) that users granted access to a file or document can perform.
9.2 Cost-effective controls to provide confidentiality require valuing the information
that is to be protected. This involves classifying information into discrete categories.
Propose a minimal classification scheme that could be used by any business, and
provide examples of the type of information that would fall into each of those
categories.
There is no single correct solution for this problem. Student responses will vary
depending on their experience with various businesses. One minimal classification
scheme could be highly confidential or top-secret, confidential or internal only, and
public. The following table lists some examples of items that could fall into each basic
category.
Highly Confidential (Top Secret) | Confidential (Internal) | Public
9.3 Download a hash calculator that can create hashes for both files and text input. Use
it to create SHA-256 (or any other hash algorithm your instructor assigns) hashes
for the following:
a. A document that contains this text: “Congratulations! You earned an A+”
b. A document that contains this text: “Congratulations! You earned an A-”
Solution: Slavasoft.com has a free hash calculator called “HashCalc” that will allow you
to generate a number of different hashes, including SHA-256. It is an easy tool to install
and use.
To use it, simply open the program and then point to the file that you wish to hash:
The exact hash values will differ depending upon the program used to create the text
documents (e.g., Word versus Notepad). Below are SHA-256 hashes of files created in
Word for Windows 2007 on a computer running Windows 7:
And here are the SHA-256 hash values of the same files created in NotePad:
Part a: 414b6e3799ccd6ff1fe7fb5c0b720b22995e8f28a0e0eedf00feaf54ed541490
Notice how any change, no matter how small, results in a different hash value:
changing a “+” to a “-” sign (compare hashes for parts a and b)
changing from uppercase “A” to lowercase “a” (compare hashes for parts b and c)
inserting a space (compare hashes for parts a and d)
This is the reason that hashes are so important: they provide a way to test the “integrity”
of a file. If two files are supposed to be identical, but they have different hash values,
then one of them has been changed.
The solution to part e depends upon whether you are using a simple text editor like
NotePad or a more powerful word processing program like Word. If you are using
If you are using Word, then the “Save As” command will generate a document that has
the same text, but a different hash value because Word incorporates system data when
saving the file:
Word document for part a:
866af63d78f6546b95e48919e9007309b1cd646da384035c5e6f4790b90cbf24
Word document for part e:
which has the same SHA-256 value as the original:
866af63d78f6546b95e48919e9007309b1cd646da384035c5e6f4790b90cbf24
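The comparisons this solution describes, as an added Python example that is not part of the original solutions manual. The texts for parts a and b are quoted from the exercise; the texts for parts c and d, and the UTF-16 re-encoding used as a stand-in for a different program storing the same text differently, are constructed assumptions.

```python
import hashlib
import os
import shutil
import tempfile

# Parts a and b are quoted from the exercise; c and d are constructed to match
# the changes the solution describes (lowercase "a", one inserted space).
TEXTS = {
    "a": "Congratulations! You earned an A+",
    "b": "Congratulations! You earned an A-",
    "c": "Congratulations! You earned an a-",
    "d": "Congratulations! You earned an  A+",
}

def sha256_text(text, encoding="utf-8"):
    """Hash the bytes that the given encoding would write to disk."""
    return hashlib.sha256(text.encode(encoding)).hexdigest()

def sha256_file(path, chunk=65536):
    """Hash a file in chunks so large files need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def bits_changed(hex1, hex2):
    """Count the differing bits between two equal-length hex digests."""
    return bin(int(hex1, 16) ^ int(hex2, 16)).count("1")

def copy_keeps_hash(text):
    """Part e: a byte-for-byte copy has the same digest as the original."""
    with tempfile.TemporaryDirectory() as d:
        src, dst = os.path.join(d, "a.txt"), os.path.join(d, "copy.txt")
        with open(src, "wb") as f:
            f.write(text.encode("utf-8"))
        shutil.copyfile(src, dst)
        return sha256_file(src) == sha256_file(dst)

if __name__ == "__main__":
    digests = {part: sha256_text(t) for part, t in TEXTS.items()}
    for part, digest in digests.items():
        print(part, digest)
    print("bits changed a->b:", bits_changed(digests["a"], digests["b"]), "of 256")
    # Same characters, different on-disk bytes, therefore a different digest.
    print("utf-16 a:", sha256_text(TEXTS["a"], "utf-16"))
    print("copy keeps hash:", copy_keeps_hash(TEXTS["a"]))
```

A hash covers the bytes stored on disk, not the visible characters, so an integrity check should compare digests of the files themselves rather than of retyped text.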
9.4 Accountants often need to print financial statements with the words
“CONFIDENTIAL” or “DRAFT” appearing in light type in the background.
a. Create a watermark with the word “CONFIDENTIAL” in a Word document.
Print out a document that displays that watermark.
In Word, the Page Layout menu contains an option to create a watermark.
b. Create the same watermark in Excel and print out a spreadsheet page that
displays that watermark.
Excel does not have a built-in watermark facility. However, if you search for information
about watermarks in Excel’s help function, you learn that you have two options:
c. Can you make your watermark “invisible” so that it can be used to detect whether a
document containing sensitive information has been copied to an unauthorized
location? How? How could you use that “invisible” watermark to detect violation of
copying policy?
If you make the text of the watermark white, then it will not display on the screen. To
© 2009 Pearson Education, Inc. Publishing as Prentice Hall
9.5 Create a spreadsheet to compare current monthly mortgage payments versus the new monthly payments if the loan were
refinanced, as shown (you will need to enter formulas into the two cells with solid borders like a box: D9 and D14)
a. Restrict access to the spreadsheet by encrypting it.
In Excel 2007, choose Prepare and then Encrypt Document.
Then select a password, and be sure to remember it:
Further protect the spreadsheet by limiting users to only being able to select and enter data in the six cells without borders.
To protect the two cells that contain the formula (shown below with red boxed borders):
Then uncheck the box next to “Locked” as shown below, because these are going to be the only cells we do not protect in the next step.
Now, under the Format drop-down menu, select “Protect Sheet” and then
a) enter a password, and
b) uncheck the box “Select locked cells”. This will protect the entire sheet EXCEPT for the cells you unlocked in the previous step.
9.6 Research the information rights management software that may be available for
your computer. What are its capabilities for limiting access rights? Write a report of
your findings.
Optional: If you can download and install IRM software, use it to prevent anyone
from being able to copy or print your report.
Solutions will vary depending upon the student’s computer and version of operating
system. Windows, for example, has information rights management software but
