Accounting Chapter 9 Homework Health Insurance Portability And Accountability Act AICPA Page Multiple Choice Which The

Page 1 of 11

CHAPTER 9

INFORMATION SYSTEMS CONTROLS FOR SYSTEMS RELIABILITY—PART 2:

CONFIDENTIALITY, PRIVACY, PROCESSING INTEGRITY, AND AVAILABILITY

Instructor’s Manual

Learning Objectives:

2. Identify and explain controls designed to protect the privacy of

customers’ personal information.

Confidentiality

Reliable systems protect confidential information from

unauthorized disclosure.

Types of information that need to be protected would include;

business plans, pricing strategies, client and customer lists,

and legal documents.

Encrypting information before sending it over the Internet

creates what is called a Virtual Private Network (VPN).

It is also important to control access to system outputs.

Useful control procedures for doing to include the

following:

1. Do not allow visitors to roam through buildings

Page 2 of 11

3. Restrict access to rooms housing printers and fax

machines.

4. Code reports to reflect the importance of the

information contained therein, and train employees to

not leave reports containing sensitive information in

plain view on their desktops when they are not

physically present.

Incorporation of digital cameras in cell phones makes it possible

for visitors to surreptitiously capture confidential information.

So, many organizations now prohibit visitors from using

cell phones.

Multiple Choice 1

It is especially important to encrypt sensitive information stored in:

a. hard drives

b. cell phones

c. database

d. turnaround documents

Multiple Choice 2

It is important to control access to system output. Some of the control

procedures include:

a. The organization establishes a set of procedures and policies for

protecting the privacy of personal information.

Privacy

The Trust Services Framework privacy principle is closely related

to the confidentiality principle, differing primarily in that it

focuses on protecting personal information about customers rather

than organizational data.

Ten internationally recognized best practices for protecting the

privacy of customers’ personal information:

1. Management. The organization establishes a set of

procedures and policies for protecting the privacy of

2. Notice. The organization provides notice about its privacy

3. Choice and Consent. The organization describes the choices

4. Collection. The organization collects only that

information needed to fulfill the purposes stated in its

privacy policies.

5. Use and Retention. The organization uses its customers’

6. Access. The organization provides individuals with the

7. Disclosure to Third Parties. The organization discloses

customers’ personal privacy policies and only to third

parties who provide equivalent protection of that

information.

8. Security. The organization takes reasonable steps to

10. Monitoring and Enforcement. The organization assigns one

or more employees to be responsible for assuring

compliance with its stated privacy policies and

periodically verifies compliance with those policies.

As in the case for confidential information, encryption and access

controls are the two basic mechanisms for protecting consumers’

personal information.

Organizations also need to train employees on how to manage

personal information collected from customers.

An incident involving the unauthorized disclosure of customers’

personal information can be costly. For example, Spain levies

fines up to $600,000 per privacy violation and France imposes

jail sentences up to three years.

Another concern involves the ever-increasing amount of spam.

Not only does spam reduce the efficiency benefits of e–mail but

it is also a source of many viruses, worms, spyware programs, and

other types of malware.

CAN-SPAM’s guidelines or risk sanctions. Key provisions include

the following:

1. The sender’s identity must be clearly displayed in the

header of the message.

3. The body of the message must provide recipients with a

Page 5 of 11

4. The body of the message must include the sender’s valid

postal address.

FOCUS 9-1 on page 256 provides steps in protecting yourself from

identity theft:

2. Never send personally identifying information in

unencrypted e-mail.

3. Beware of e-mail, telephone, and print requests to verify

4. Do not carry your Social Security card with you.

5. Print only your initials and last name, rather than your

6. Limit the amount of other information (address and phone

7. Do not place outgoing mail containing checks or personal

information in your mailbox for pickup.

9. Use special software to thoroughly clean any digital media

prior to disposal, or physically destroy the media.

11. File a police report as soon as you discover that your

purse or wallet was stolen.

13. Immediately cancel any stolen or lost credit cards.

Multiple Choice 3

Which of the following requires organizations to protect the privacy of

their customers’ personal information?

a. COBIT DS 11

b. Trust Services Privacy Framework

c. The Health Insurance Portability and Accountability Act

d. AICPA

Page 6 of 11

Multiple Choice 4

Which of the following statements is false?

a. Employee use of e-mail and instant messaging probably represents

two of the greatest threats to the confidentiality of sensitive

information.

Encryption

Encryption is the final layer of preventive controls.

Encryption is the process of transforming normal text,

called plaintext, into unreadable gibberish, called

ciphertext.

The key is also a string of binary digits of a fixed

length.

Page 7 of 11

The following is a Binary Number, Decimal, and Hexadecimal

table. Hexadecimal is often used because it’s simpler and

takes less space.

Binary

Number

Decimal

Equivalent

Hexadecimal

Equivalent

0001

0010

0110

0111

1000

1001

1110

1111

1

2

6

7

8

9

14

15

1

2

6

7

8

9

E

F

Page 8 of 11

Three important factors determine the strength of any

encryption system:

1. Key length

Longer keys provide stronger encryption by reducing the

2. Key management policies

The procedures used to store and manage the encryption

keys are also important.

COBIT control objective DS 5.8 identifies important

control objectives related to the management of

3. Nature of encryption algorithm

A third factor affecting encryption strength concerns

the nature of the algorithm.

Types of Encryption Systems

There are two basic types of encryption systems:

1. Symmetric Encryption Systems that use the same key

both to encrypt and to decrypt

Page 9 of 11

2. Asymmetric Encryption Systems that use two keys.

One key, called the public key, is widely

distributed and available to everyone. The other

key, called the private key, is kept secret and

known only to the owner of that pair of keys.

Hashing

Hashing is a process that takes plaintext of any length and

transforms it into a short code called a hash.

Digital Signatures

Asymmetric encryption and hashing are used to create

digital signatures.

A digital signature is information encrypted with the

creator’s private key.

Digital Certificates and Public Key Infrastructure

A digital certificate is an electronic document, created

and digitally signed by a trusted third party that

certifies the identity of the owner of a particular public

key

The term Public Key Infrastructure (PKI) refers to the

system and processes used to issue and manage asymmetric

keys and digital certificates

Page 10 of 11

Illustrative Example: The Role of Encryption and Hashing in

E-Business

Figure 9-3 on page 263 provides this example

Step 1: A Northwest Industries employee connects to

the government agency’s Web site and clicks on the

button for submitting bids on open contracts.

The encryption software performs the following

actions:

a. Uses a hashing algorithm, such as MD5, to

create a hash of the bid.

Step 3: The encrypted bid, the AES key needed to

decrypt the bid, and Northwest Industries’ digital

signature are all sent over the Internet to the

government agency.

Step 4: The government agency’s computer receives the

package of information and performs the following

steps:

a. Uses Northwest Industries’ public key to

decrypt the digital signature. This produces a

hash of the original bid.

b. Uses its private key to decrypt the AES key

sent by Northwest Industries.

Page 11 of 11

and (2) the bid has not been altered or

garbled during transmission.

Step 5: The agency sends Northwest Industries an

acknowledgement that its bid has been received.

Effects of Encryption on Other Layers of Defense

Digital signatures use asymmetric encryption to create legally–

Multiple Choice 5

Which of the following statements is true?

a. Symmetric encryption is faster than asymmetric encryption and can

be used to provide nonrepudiation of contracts.

b. Symmetric encryption is faster than asymmetric encryption but

cannot be used to provide nonrepudiation of contracts.

c. Asymmetric encryption is faster than symmetric encryption and can

be used to provide nonrepudiation of contracts.

d. Asymmetric encryption is faster than symmetric encryption but

cannot be used to provide nonrepudiation of contracts.