Confidentiality and Privacy Controls: Control and Audit of Accounting Information Systems

PART II
Control and Audit of

Accounting Information
Systems
Confidentiality and Privacy Controls
Chapter 9
Copyright © 2015 Pearson Education, Inc.

1
Learning Objectives
• Identify and explain controls designed to protect
the confidentiality of sensitive information.
• Identify and explain controls designed to protect

the privacy of customers’ personal information.
• Explain how the two basic types of encryption

systems work.
2
Preserving Confidentiality
• Organizations possess a myriad of sensitive information,

including strategic plans, trade secrets, cost information, legal
documents, and process improvements.
• This intellectual property often is crucial to the organization’s
long-run competitive advantage and success.
• Consequently, preserving the confidentiality of the
organization’s intellectual property, and similar information
shared with it by its business partners, has long been
recognized as a basic objective of information security.
3
Four Basic actions To Preserve The Confidentiality
Of Sensitive Information:

4
Protecting Confidentiality and Privacy of Sensitive
Information
1. IDENTIFY AND CLASSIFY INFORMATION TO BE
PROTECTED:
• The first step to protect the confidentiality of intellectual property

and other sensitive business information is to identify where such
information resides and who has access to it.
• This sounds easy, but undertaking a thorough inventory of every

digital and paper store of information is both time-consuming and
costly because it involves examining more than just the contents of
the organization’s financial systems.

5
Information
1. IDENTIFY AND CLASSIFY INFORMATION TO BE
PROTECTED:
• After the information that needs to be protected has been identified,

the next step is to classify the information in terms of its value to
the organization.
• Classification is the responsibility of information owners, not

information security professionals, because only the former
understand how the information is used.
• Once the information has been classified, the appropriate set of
controls can be deployed to protect it.
6
Information
2. PROTECTING CONFIDENTIALITY WITH ENCRYPTION:
• Encryption is an extremely important and effective tool to protect

confidentiality.
• It is the only way to protect information in transit over the Internet.
• It is also a necessary part of defense-in-depth to protect information

stored on websites or in a public cloud. For example, many
accounting firms have created secure portals that they use to share
sensitive audit, tax, or consulting information with clients.
7
Information
2. PROTECTING CONFIDENTIALITY WITH ENCRYPTION:
• Encryption, however, is not a panacea. Encryption only protects

information while it is stored or being transmitted, not during
processing, because information must be decrypted in order to be
processed.
• Consequently, protecting confidentiality requires, supplementing

encryption with the access controls and training.

8
Information
3. CONTROLLING ACCESS TO SENSITIVE INFORMATION:
• Authentication and authorization controls are not sufficient to

protect confidentiality because they only control initial access to
sensitive information that is stored digitally.
• Organizations need to protect sensitive information throughout its

entire life cycle, including distribution and disposal, regardless of
whether it is stored digitally or physically.
9
Information
• Information rights management (IRM) software provides an
additional layer of protection to sensitive information that is stored in
digital format, offering the capability not only to limit access to
specific files or documents but also to specify the actions (read, copy,
print, download to USB devices, etc.) that individuals who are granted
access to that resource can perform. Some IRM software even has the
capability to limit those privileges to a specific period of time and to
remotely erase protected files.
10
Information
• One tool for adopting controls over outbound communications: “data
loss prevention (DLP) software” , which works like antivirus programs
in reverse, blocking outgoing messages (whether e-mail, IM, or other
means) that contain key words or phrases associated with the
intellectual property or other sensitive data the organization wants to
protect. DLP software is a preventive control.
• It can and should be supplemented by embedding code called a digital
watermark in documents.
11
Information

• The digital watermark is a detective control that enables an
organization to identify confidential information that has been
disclosed. When an organization discovers documents containing its
digital watermark on the Internet, it has evidence that the preventive
controls designed to protect its sensitive information have failed. It
should then investigate how the compromise occurred and take
appropriate corrective action.
12
Information
4. TRAINING:
• Training is arguably the most important control for protecting

confidentiality.
• Employees need to know what information they can share with outsiders
and what information needs to be protected.
• For example, employees often do not realize the importance of
information they possess, such as time-saving steps or undocumented
features they have discovered when using a particular software program.
13
Information
4. TRAINING:
• It is important for management to inform employees who will
attend external training courses, trade shows, or conferences
whether they can discuss such information or whether it should be
protected because it provides the company a cost savings or quality
improvement advantage over its competitors.
• Employees also need to be taught how to protect confidential data.

14
Information
4. TRAINING:
• Training should cover such topics as how to use encryption software and the
importance of always logging out of applications and using a password-protected
screen saver before leaving their laptop or workstation unattended to prevent
other employees from obtaining unauthorized access to that information.
• Employees also need to know how to code reports they create to reflect the
importance of the information contained therein so that other employees will
know how to handle those reports.
• They also need to be taught not to leave reports containing sensitive information
in plain view on their desks.
15
Privacy
• The Trust Services Framework privacy principle is closely
related to the confidentiality principle, differing primarily in
that it focuses on protecting personal information about
customers, employees, suppliers, or business partners rather
than organizational data.
• Consequently, the controls that need to be implemented to
protect privacy are the same ones used to protect
confidentiality: identification of the information that needs to
be protected, encryption, access controls, and training.
16
Privacy
• To protect privacy, organizations should run data masking programs
that replace such personal information with fake values (e.g., replace a
real social security number with a different set of numbers that have the
same characteristics, such as 123-45-6789) before sending that data to
the program development and testing system.
• The fake data are called tokens; hence data masking is often referred to
as tokenization.
• Organizations also need to train employees on how to manage and
protect personal information collected from customers.
• This is especially important for medical and financial information.
17
PRIVACY CONCERNS
• Two major privacy-elated concerns are SPAM and IDENTITY THEFT.
• Spam is unsolicited e-mail that contains either advertising or offensive
content.
• Spam is a privacy-related issue because recipients are often targeted as
a result of unauthorized access to e-mail address lists and databases
containing personal information.
• The volume of spam is overwhelming many e-mail systems. Spam not
only reduces the efficiency benefits of e-mail but also is a source of
many viruses, worms, spyware programs, and other types of malware.
18
PRIVACY CONCERNS
• Organizations need to be sure to follow CAN-SPAM’s guidelines or risk
sanctions.
• Key provisions include the following:
1. The sender’s identity must be clearly displayed in the header of the message.
2. The subject field in the header must clearly identify the message as an
advertisement or solicitation.
3. The body of the message must provide recipients with a working link that can
be used to opt out of future e-mail.
4. The body of the message must include the sender’s valid postal address.
5. Organizations should not send commercial e-mail to randomly generated
addresses, nor should they set up websites designed to “harvest” e-mail
addresses of potential customers.
19
PRIVACY CONCERNS

• Identity theft is the unauthorized use of someone’s personal information
for the perpetrator’s benefit.
• Often, identity theft is a financial crime, in which the perpetrator obtains
loans or opens new credit cards in the victim’s name and sometimes loots
the victim’s bank accounts.

20
PRIVACY CONCERNS
• However, a growing proportion of identity theft cases involve
fraudulently obtaining medical care and services.
• Medical identity theft can have life-threatening consequences because of
errors it may create in the victim’s medical records, such as changing
information about drug allergies or prescriptions.
• Tax identity theft is another growing problem: perpetrators typically use
the victim’s social security number to file a fraudulent claim for a refund
early in the tax-filing season.

21
PRIVACY CONCERNS
See P-276
In your
textbook

22
PRIVACY CONCERNS
• Organizations, however, also have a role to play in preventing

identity theft.
• Customers, employees, suppliers, and business partners entrust
organizations with their personal information. Organizations
economically benefit from having access to that information.
• Therefore, organizations have an ethical and moral obligation
to implement controls to protect the personal information that
they collect.

23
PRIVACY REGULATIONS AND GENERALLY
ACCEPTED PRIVACY PRINCIPLES
• The American Institute of Certified Public Accountants (AICPA) and
the Canadian Institute of Chartered Accountants (CICA) jointly
developed a framework called Generally Accepted Privacy Principles
(GAPP).
• GAPP identifies and defines the following 10 internationally
recognized best practices for protecting the privacy of customers’
personal information:
1. Management: organizations need to establish a set of procedures and
policies for protecting the privacy of personal information they collect
from customers, as well as information about their customers obtained
from third parties such as credit bureaus.
• They should assign responsibility and accountability for implementing
those policies and procedures to a specific person or group of
employees.
24
2. Notice: an organization should provide notice about its privacy

policies and practices at or before the time it collects personal
information from customers, or as soon as practicable thereafter.
• The notice should clearly explain what information is being
collected, the reasons for its collection, and how the information
will be used.

25
3. Choice and consent: organizations should explain the choices

available to individuals and obtain their consent prior to the
collection and use of their personal information.
• The nature of the choices offered differs across countries. In the
United States, the default policy is called opt-out, which allows
organizations to collect personal information about customers
unless the customer explicitly objects.

26
4. Collection: an organization should collect only the information

needed to fulfill the purposes stated in its privacy policies.
• One particular issue of concern is the use of cookies on websites.
• A cookie is a text file created by a website and stored on a
visitor’s hard disk.
• Cookies store information about what the user has done on the
site.
27
5. Use, retention, and disposal: organizations should use

customers’ personal information only in the manner described in
their stated privacy policies and retain that information only as
long as it is needed to fulfill a legitimate business purpose.
• When the information is no longer useful, it should be disposed
of in a secure manner.

28
6. Access: an organization should provide individuals with the ability to

access, review, correct, and delete the personal information stored about
them.
7. Disclosure to third parties: organizations should disclose their
customers’ personal information to third parties only in the situations and
manners described in the organization’s privacy policies and only to third
parties who provide the same level of privacy protection as does the
organization that initially collected the information.

29
8. Security: an organization must take reasonable steps to protect

its customers’ personal information from loss or unauthorized
disclosure. Indeed, it is not possible to protect privacy without
adequate information security.
• Therefore, organizations must use the various preventive,
detective, and corrective controls discussed earlier to restrict
access to their customers’ personal information.

30
9. Quality: organizations should maintain the integrity of their customers’ personal
information and employ procedures to ensure that it is reasonably accurate. Providing
customers with a way to review the personal information stored by the organization
(GAPP principle 6) can be a cost-effective way to achieve this objective.
10. Monitoring and enforcement: an organization should assign one or more employees
to be responsible for ensuring compliance with its stated privacy policies. Organizations
must also periodically verify that their employees are complying with stated privacy
policies.
31
Encryption
• Encryption is the process of transforming normal content,

called plaintext, into unreadable gibberish, called ciphertext.
Decryption reverses this process, transforming ciphertext back
into plaintext.
• Encryption is a preventive control that can be used to protect
both confidentiality and privacy.

32
Encryption
• Encryption protects data while it is in transit over the Internet
and also provides one last barrier that must be overcome by an
intruder who has obtained unauthorized access to stored
information.
• Encryption also strengthens authentication procedures and
plays an essential role in ensuring and verifying the validity of e-
business transactions.
• Therefore, it is important for accountants, auditors, and systems
professionals to understand encryption.
33
Encryption Steps
• Takes plain text and with
an encryption key and
algorithm, converts to
unreadable ciphertext
(sender of message)
• To read ciphertext,
encryption key reverses
process to make
information readable
(receiver of message)

34
Encryption
FACTORS THAT INFLUENCE ENCRYPTION STRENGTH:

• Three important factors determine the strength of any encryption system:
(1) key length,

(2) encryption algorithm, &
(3) policies for managing the cryptographic keys.

35
Encryption
(1) KEY LENGTH Longer keys provide stronger encryption by reducing the
number of repeating blocks in the ciphertext. This makes it harder to spot patterns
in the ciphertext that reflect patterns in the original plaintext. For example, a 24-bit
key encrypts plaintext in blocks of 24 bits.
In English, 8 bits represent each letter. Thus, a 24-bit key encrypts English
plaintext in chunks of three letters. This makes it easy to use information about
relative word frequencies.
That’s why most encryption keys are at least 256 bits long (corresponding to 32
English letters), and are often 1,024 bits or longer.
36
Encryption
(2) ENCRYPTION ALGORITHM The nature of the algorithm used to

combine the key and the plaintext is important. A strong algorithm is
difficult, if not impossible, to break by using brute-force guessing
techniques.
Secrecy is not necessary for strength. Indeed, the procedures used by the
most accepted and widely used encryption algorithms are publicly available.
Their strength is due not to the secrecy of their procedures but to the fact
that they have been rigorously tested and demonstrated to resist brute-force
guessing attacks.
37
Encryption
(3) POLICIES FOR MANAGING CRYPTOGRAPHIC KEYS
The management of cryptographic keys is often the most vulnerable aspect
of encryption systems. No matter how long the keys are, or how strong an
encryption algorithm is, if the keys have been stolen, the encryption can be
easily broken.
Therefore, cryptographic keys must be stored securely and protected with
strong access controls. Best practices include (1) not storing cryptographic
keys in a browser or any other file that other users of that system can readily
access and (2) using a strong (and long) passphrase to protect the keys.
38
Types of Encryption
1. Symmetric encryption systems: use the same key both to encrypt and to
decrypt.
2. Asymmetric encryption systems use two keys. One key, called the
public key, is widely distributed and available to everyone; the other,
called the private key, is kept secret and known only to the owner of that
pair of keys. Either the public or private key can be used to encrypt, but
only the other key can decrypt the ciphertext.
• For both types of encryption systems, loss or theft of the encryption keys are major
threats. Should the keys be lost, the encrypted information cannot be recovered.
• One solution to this is to use encryption software that creates a built-in master key that
can be used to decrypt anything encrypted by that software.
39
Types of Encryption

40
HASHING
• Hashing is a process that takes plaintext of any length and creates a short
code called a hash.
• For example, the SHA-256 algorithm creates a 256-bit hash, regardless of
the size of the original plaintext.

41
Virtual Private Network
• Securely transmits encrypted data between sender and receiver

▫ Sender and receiver have the appropriate encryption and decryption
keys.

42
• To protect confidentiality and privacy, information must be

encrypted not only within a system, but also when it is in
transit over the Internet. As then previous Figure shows,
encrypting information while it traverses the Internet creates a
virtual private network (VPN), so named because it provides
the functionality of a privately owned secure network without
the associated costs of leased telephone lines, satellites, and
other communication equipment.

43
• Using VPN software to encrypt information while it is in transit over

the Internet in effect creates private communication channels, often
referred to as tunnels, which are accessible only to those parties
possessing the appropriate encryption and decryption keys.
• VPNs also include controls to authenticate the parties exchanging
information and to create an audit trail of the exchange.
• Thus, VPNs ensure that sensitive information is exchanged securely
and in a manner that can provide proof of its authenticity.

44
Key Terms
• Information rights • Asymmetric encryption
management (IRM) systems
• Data loss prevention (DLP) • Public key
• Digital watermark • Private key
• Data masking • Key escrow
• Spam • Hashing
• Identity theft • Hash
• Cookie • Nonrepudiation
• Encryption • Digital signature
• Plaintext • Digital certificate
• Ciphertext • Certificate of authority
• Decryption • Public key infrastructure (PKI)
• Symmetric encryption systems • Virtual private network (VPN)
Copyright © 2015 Pearson Education, Inc. End of Chapter 9 45

Confidentiality and Privacy Controls: Control and Audit of Accounting Information Systems

Uploaded by

Copyright:

Available Formats

Confidentiality and Privacy Controls: Control and Audit of Accounting Information Systems

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Confidentiality and Privacy Controls: Control and Audit of Accounting Information Systems

Uploaded by

Copyright:

Available Formats

PART II

Control and Audit of

Confidentiality and Privacy Controls

Copyright © 2015 Pearson Education, Inc.

• Identify and explain controls designed to protect

• Explain how the two basic types of encryption

• Organizations possess a myriad of sensitive information,

Copyright © 2015 Pearson Education, Inc.

• The first step to protect the confidentiality of intellectual property

• This sounds easy, but undertaking a thorough inventory of every

Copyright © 2015 Pearson Education, Inc.

• After the information that needs to be protected has been identified,

• Classification is the responsibility of information owners, not

• Encryption is an extremely important and effective tool to protect

• It is the only way to protect information in transit over the Internet.

• It is also a necessary part of defense-in-depth to protect information

• Encryption, however, is not a panacea. Encryption only protects

• Consequently, protecting confidentiality requires, supplementing

Copyright © 2015 Pearson Education, Inc.

• Authentication and authorization controls are not sufficient to

• Organizations need to protect sensitive information throughout its

3. CONTROLLING ACCESS TO SENSITIVE INFORMATION:

• Training is arguably the most important control for protecting

Copyright © 2015 Pearson Education, Inc.

• Two major privacy-elated concerns are SPAM and IDENTITY THEFT.

Copyright © 2015 Pearson Education, Inc.

Copyright © 2015 Pearson Education, Inc.

Copyright © 2015 Pearson Education, Inc.

• Organizations, however, also have a role to play in preventing

Copyright © 2015 Pearson Education, Inc.

2. Notice: an organization should provide notice about its privacy

Copyright © 2015 Pearson Education, Inc.

3. Choice and consent: organizations should explain the choices

Copyright © 2015 Pearson Education, Inc.

4. Collection: an organization should collect only the information

5. Use, retention, and disposal: organizations should use

Copyright © 2015 Pearson Education, Inc.

6. Access: an organization should provide individuals with the ability to

Copyright © 2015 Pearson Education, Inc.

8. Security: an organization must take reasonable steps to protect

Copyright © 2015 Pearson Education, Inc.

9. Quality: organizations should maintain the integrity of their customers’ personal

information and employ procedures to ensure that it is reasonably accurate. Providing

(GAPP principle 6) can be a cost-effective way to achieve this objective.

• Encryption is the process of transforming normal content,

Copyright © 2015 Pearson Education, Inc.

Copyright © 2015 Pearson Education, Inc.

FACTORS THAT INFLUENCE ENCRYPTION STRENGTH:

(1) key length,

Copyright © 2015 Pearson Education, Inc.

(2) ENCRYPTION ALGORITHM The nature of the algorithm used to

Copyright © 2015 Pearson Education, Inc.

Copyright © 2015 Pearson Education, Inc.

• Securely transmits encrypted data between sender and receiver

Copyright © 2015 Pearson Education, Inc.

• To protect confidentiality and privacy, information must be

Copyright © 2015 Pearson Education, Inc.

• Using VPN software to encrypt information while it is in transit over

Copyright © 2015 Pearson Education, Inc.