Accounting Chapter 9 Homework Health Insurance Portability And Accountability Act AICPA Page Multiple Choice Which The

Type: Homework Help
Pages: 9
Words: 2599
Authors: Marshall B. Romney, Paul J. Steinbart

Page 1 of 11
CHAPTER 9
INFORMATION SYSTEMS CONTROLS FOR SYSTEMS RELIABILITY - PART 2:
CONFIDENTIALITY, PRIVACY, PROCESSING INTEGRITY, AND AVAILABILITY
Instructor's Manual
Learning Objectives:
2. Identify and explain controls designed to protect the privacy of
customers’ personal information.
Confidentiality
Reliable systems protect confidential information from
unauthorized disclosure.
Types of information that need to be protected include
business plans, pricing strategies, client and customer lists,
and legal documents.
Encrypting information before sending it over the Internet
creates what is called a Virtual Private Network (VPN).
It is also important to control access to system outputs.
Useful control procedures for doing so include the
following:
1. Do not allow visitors to roam through buildings
3. Restrict access to rooms housing printers and fax
machines.
4. Code reports to reflect the importance of the
information contained therein, and train employees to
not leave reports containing sensitive information in
plain view on their desktops when they are not
physically present.
Incorporation of digital cameras in cell phones makes it possible
for visitors to surreptitiously capture confidential information.
So, many organizations now prohibit visitors from using
cell phones.
Multiple Choice 1
It is especially important to encrypt sensitive information stored in:
a. hard drives
b. cell phones
c. database
d. turnaround documents
Multiple Choice 2
It is important to control access to system output. Some of the control
procedures include:
a. The organization establishes a set of procedures and policies for
protecting the privacy of personal information.
Privacy
The Trust Services Framework privacy principle is closely related
to the confidentiality principle, differing primarily in that it
focuses on protecting personal information about customers rather
than organizational data.
Ten internationally recognized best practices for protecting the
privacy of customers’ personal information:
1. Management. The organization establishes a set of
procedures and policies for protecting the privacy of
2. Notice. The organization provides notice about its privacy
3. Choice and Consent. The organization describes the choices
4. Collection. The organization collects only that
information needed to fulfill the purposes stated in its
privacy policies.
5. Use and Retention. The organization uses its customers’
6. Access. The organization provides individuals with the
7. Disclosure to Third Parties. The organization discloses
customers’ personal information only in accordance with its
privacy policies and only to third parties who provide
equivalent protection of that information.
8. Security. The organization takes reasonable steps to
10. Monitoring and Enforcement. The organization assigns one
or more employees to be responsible for assuring
compliance with its stated privacy policies and
periodically verifies compliance with those policies.
As in the case for confidential information, encryption and access
controls are the two basic mechanisms for protecting consumers’
personal information.
Organizations also need to train employees on how to manage
personal information collected from customers.
An incident involving the unauthorized disclosure of customers’
personal information can be costly. For example, Spain levies
fines up to $600,000 per privacy violation and France imposes
jail sentences up to three years.
Another concern involves the ever-increasing amount of spam.
Not only does spam reduce the efficiency benefits of e-mail but
it is also a source of many viruses, worms, spyware programs, and
other types of malware.
CAN-SPAM’s guidelines or risk sanctions. Key provisions include
the following:
1. The sender’s identity must be clearly displayed in the
header of the message.
3. The body of the message must provide recipients with a
4. The body of the message must include the sender’s valid
postal address.
FOCUS 9-1 on page 256 provides steps for protecting yourself from
identity theft:
2. Never send personally identifying information in
unencrypted e-mail.
3. Beware of e-mail, telephone, and print requests to verify
4. Do not carry your Social Security card with you.
5. Print only your initials and last name, rather than your
6. Limit the amount of other information (address and phone
7. Do not place outgoing mail containing checks or personal
information in your mailbox for pickup.
9. Use special software to thoroughly clean any digital media
prior to disposal, or physically destroy the media.
11. File a police report as soon as you discover that your
purse or wallet was stolen.
13. Immediately cancel any stolen or lost credit cards.
Multiple Choice 3
Which of the following requires organizations to protect the privacy of
their customers’ personal information?
a. COBIT DS 11
b. Trust Services Privacy Framework
c. The Health Insurance Portability and Accountability Act
d. AICPA
Multiple Choice 4
Which of the following statements is false?
a. Employee use of e-mail and instant messaging probably represents
two of the greatest threats to the confidentiality of sensitive
information.
Encryption
Encryption is the final layer of preventive controls.
Encryption is the process of transforming normal text,
called plaintext, into unreadable gibberish, called
ciphertext.
The key is also a string of binary digits of a fixed
length.
The following is a Binary Number, Decimal, and Hexadecimal
table. Hexadecimal is often used because it’s simpler and
takes less space.

Binary Number   Decimal Equivalent
0001            1
0010            2
0110            6
0111            7
1000            8
1001            9
1110            14
1111            15
Three important factors determine the strength of any
encryption system:
1. Key length
Longer keys provide stronger encryption by reducing the
2. Key management policies
The procedures used to store and manage the encryption
keys are also important.
COBIT control objective DS 5.8 identifies important
control objectives related to the management of
3. Nature of encryption algorithm
A third factor affecting encryption strength concerns
the nature of the algorithm.
Types of Encryption Systems
There are two basic types of encryption systems:
1. Symmetric Encryption Systems that use the same key
both to encrypt and to decrypt
2. Asymmetric Encryption Systems that use two keys.
One key, called the public key, is widely
distributed and available to everyone. The other
key, called the private key, is kept secret and
known only to the owner of that pair of keys.
Hashing
Hashing is a process that takes plaintext of any length and
transforms it into a short code called a hash.
Digital Signatures
Asymmetric encryption and hashing are used to create
digital signatures.
A digital signature is information encrypted with the
creator’s private key.
Digital Certificates and Public Key Infrastructure
A digital certificate is an electronic document, created
and digitally signed by a trusted third party that
certifies the identity of the owner of a particular public
key
The term Public Key Infrastructure (PKI) refers to the
system and processes used to issue and manage asymmetric
keys and digital certificates
Illustrative Example: The Role of Encryption and Hashing in
E-Business
Figure 9-3 on page 263 provides this example.
Step 1: A Northwest Industries employee connects to
the government agency’s Web site and clicks on the
button for submitting bids on open contracts.
The encryption software performs the following
actions:
a. Uses a hashing algorithm, such as MD5, to
create a hash of the bid.
Step 3: The encrypted bid, the AES key needed to
decrypt the bid, and Northwest Industries’ digital
signature are all sent over the Internet to the
government agency.
Step 4: The government agency’s computer receives the
package of information and performs the following
steps:
a. Uses Northwest Industries’ public key to
decrypt the digital signature. This produces a
hash of the original bid.
b. Uses its private key to decrypt the AES key
sent by Northwest Industries.
and (2) the bid has not been altered or
garbled during transmission.
Step 5: The agency sends Northwest Industries an
acknowledgement that its bid has been received.
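The bid exchange above, together with the symmetric encryption, asymmetric encryption, hashing and digital signature sections that precede it, carried through in working code. This is an added example, not code from the instructor's manual or the textbook. It uses only the Go standard library: SHA-256 in place of the MD5 named in the text, AES-256-GCM to encrypt the bid, RSA-OAEP to encrypt the AES key for the agency, and an RSA PKCS#1 v1.5 signature as Northwest Industries' digital signature. The key pairs are generated in-process by DemoKeys, which stands in for the certificates a PKI would supply; the bid text is a constructed sample; and BidPackage, PrepareBid and ReceiveBid are names chosen for this example.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// BidPackage is what crosses the Internet in Step 3: the encrypted bid, the
// AES key encrypted for the agency, and Northwest Industries' digital signature.
type BidPackage struct {
	EncryptedBid []byte // AES-GCM nonce followed by ciphertext and authentication tag
	EncryptedKey []byte // AES key encrypted with the agency's RSA public key (OAEP)
	Signature    []byte // RSA signature over the SHA-256 hash of the plaintext bid
}

// DemoKeys stands in for the PKI (assumption): in practice each party's public
// key would be obtained from a digital certificate, not generated here.
func DemoKeys() (sender, agency *rsa.PrivateKey, err error) {
	if sender, err = rsa.GenerateKey(rand.Reader, 2048); err != nil {
		return nil, nil, err
	}
	if agency, err = rsa.GenerateKey(rand.Reader, 2048); err != nil {
		return nil, nil, err
	}
	return sender, agency, nil
}

// PrepareBid performs the sender's actions: hash the bid, sign the hash with
// the sender's private key, encrypt the bid under a fresh AES key, and encrypt
// that AES key with the agency's public key so only the agency can recover it.
func PrepareBid(bid []byte, senderPriv *rsa.PrivateKey, agencyPub *rsa.PublicKey) (*BidPackage, error) {
	digest := sha256.Sum256(bid) // hash of the bid (SHA-256 here rather than MD5)
	sig, err := rsa.SignPKCS1v15(rand.Reader, senderPriv, crypto.SHA256, digest[:])
	if err != nil {
		return nil, err
	}
	aesKey := make([]byte, 32) // AES-256 session key used for this bid only
	if _, err := io.ReadFull(rand.Reader, aesKey); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(aesKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	encBid := gcm.Seal(nonce, nonce, bid, nil) // nonce || ciphertext || tag
	encKey, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, agencyPub, aesKey, nil)
	if err != nil {
		return nil, err
	}
	return &BidPackage{EncryptedBid: encBid, EncryptedKey: encKey, Signature: sig}, nil
}

// ReceiveBid performs the agency's Step 4. A non-nil error means either the
// bid did not come from the holder of senderPub or it was altered in transit.
func ReceiveBid(p *BidPackage, agencyPriv *rsa.PrivateKey, senderPub *rsa.PublicKey) ([]byte, error) {
	// Step 4b: recover the AES key with the agency's own private key.
	aesKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, agencyPriv, p.EncryptedKey, nil)
	if err != nil {
		return nil, fmt.Errorf("cannot recover AES key: %w", err)
	}
	block, err := aes.NewCipher(aesKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(p.EncryptedBid) < ns {
		return nil, errors.New("encrypted bid too short")
	}
	// Decrypt the bid; GCM's tag already rejects a garbled or altered ciphertext.
	bid, err := gcm.Open(nil, p.EncryptedBid[:ns], p.EncryptedBid[ns:], nil)
	if err != nil {
		return nil, fmt.Errorf("bid altered or garbled in transit: %w", err)
	}
	// Step 4a and the comparison: verifying with the sender's public key recovers
	// the signed hash and checks it against a fresh hash of the decrypted bid.
	digest := sha256.Sum256(bid)
	if err := rsa.VerifyPKCS1v15(senderPub, crypto.SHA256, digest[:], p.Signature); err != nil {
		return nil, fmt.Errorf("signature does not match: %w", err)
	}
	return bid, nil
}

func main() {
	sender, agency, err := DemoKeys()
	if err != nil {
		panic(err)
	}
	bid := []byte("Northwest Industries bids $1,250,000 on contract RFP-0042") // constructed sample
	pkg, err := PrepareBid(bid, sender, &agency.PublicKey)
	if err != nil {
		panic(err)
	}
	got, err := ReceiveBid(pkg, agency, &sender.PublicKey)
	fmt.Printf("recovered=%q err=%v\n", got, err)
}
```

Run it with `go run`. The two failure cases the text lists map onto two distinct checks: a bid altered or garbled in transit is rejected by the AES-GCM authentication tag before the signature is even examined, and a package whose signature does not verify under Northwest Industries' public key is rejected as not having come from the holder of the matching private key.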
Effects of Encryption on Other Layers of Defense
Digital signatures use asymmetric encryption to create legally-
Multiple Choice 5
Which of the following statements is true?
a. Symmetric encryption is faster than asymmetric encryption and can
be used to provide nonrepudiation of contracts.
b. Symmetric encryption is faster than asymmetric encryption but
cannot be used to provide nonrepudiation of contracts.
c. Asymmetric encryption is faster than symmetric encryption and can
be used to provide nonrepudiation of contracts.
d. Asymmetric encryption is faster than symmetric encryption but
cannot be used to provide nonrepudiation of contracts.

Copyright ©2022 All rights reserved. | CoursePaper is not sponsored or endorsed by any college or university.