
Information Systems Controls for System Reliability
Part 2: Confidentiality, Privacy, Processing Integrity, and Availability

2008 Prentice Hall Business Publishing
Accounting Information Systems, 11/e
Romney/Steinbart
1 of 136

INTRODUCTION
Questions to be addressed in this chapter include:
What controls are used to protect the confidentiality of sensitive information?
What controls are designed to protect the privacy of customers' personal information?
What controls ensure processing integrity?
How are information systems changes controlled to ensure that the new system satisfies all five principles of systems reliability?


INTRODUCTION
Reliable systems satisfy five principles:
Security (discussed in Chapter 7)
Confidentiality
Privacy
Processing integrity
Availability

CONFIDENTIALITY
Maintaining confidentiality requires that management identify which information is sensitive.
Each organization will develop its own definitions of what information needs to be protected.
Most definitions will include:
Business plans
Pricing strategies
Client and customer lists
Legal documents


CONFIDENTIALITY
Table 8-1 in your textbook summarizes key controls to protect confidentiality of information:

Situation      Controls
Storage        Encryption and access controls
Transmission   Encryption
Disposal       Shredding, thorough erasure, physical destruction
Overall        Categorization to reflect value and training in proper work practices


CONFIDENTIALITY
It is critical to encrypt any sensitive information stored in devices that are easily lost or stolen, such as laptops, PDAs, cell phones, and other portable devices.
Many organizations have policies against storing sensitive information on these devices.
81% of users admit they do so anyway.


CONFIDENTIALITY
Access to system outputs should also be controlled:
Do not allow visitors to roam through buildings unsupervised.
Require employees to log out of any application before leaving their workstation unattended, so other employees do not have unauthorized access.
Workstations should use password-protected screen savers that automatically engage when there is no activity for a specified period.
Access should be restricted to rooms housing printers and fax machines.
Reports should be coded to reflect the importance of the information therein, and employees should be trained not to leave reports with sensitive information lying in plain view.


CONFIDENTIALITY
Many organizations are taking steps to address the confidentiality threats created by email and IM.
One response is to mandate encryption of all email with sensitive information.
Some organizations prohibit use of freeware IM products and purchase commercial products with security features, including encryption.
Users sending emails must be trained to be very careful about the identity of their addressee.
EXAMPLE: The organization may have two employees named Allen Smith. It's critical that sensitive information go to the correct Allen Smith.

PRIVACY
In the Trust Services framework, the privacy principle is closely related to the confidentiality principle.
The primary difference is that privacy focuses on protecting personal information about customers rather than organizational data.
Key controls for privacy are the same as those previously listed for confidentiality.

PRIVACY
COBIT section DS 11 addresses the management of data and specifies the need to comply with regulatory requirements.
A number of regulations, including the Health Insurance Portability and Accountability Act (HIPAA) and the Financial Services Modernization Act (aka the Gramm-Leach-Bliley Act), require organizations to protect the privacy of customer information.


PRIVACY
The Trust Services privacy framework of the AICPA and CICA lists ten internationally recognized best practices for protecting the privacy of customers' personal information:
Management
Notice
Choice and consent
Collection
Use and retention
Access
Disclosure to third parties
Security
Quality
Monitoring and enforcement
Management: the organization assigns one or more employees to be responsible for assuring and verifying compliance with its stated policies. It also provides for procedures to respond to customer complaints, including third-party dispute-resolution processes.


PRIVACY
One topic of concern is cookies used on Web sites.
A cookie is a text file created by a Website and stored on a visitor's hard drive. It records what the visitor has done on the site.
Most Websites create multiple cookies per visit to make it easier for visitors to navigate the site.
Browsers can be configured to refuse cookies, but doing so may make the Website inaccessible.
Cookies are text files and cannot do anything other than store information, but many people worry that they violate privacy rights.

PRIVACY
Another privacy-related issue that is of growing concern is identity theft.
Organizations have an ethical and moral obligation to implement controls to protect databases that contain their customers' personal information.


PRIVACY
Consequently, organizations must carefully follow the CAN-SPAM guidelines, which include:
The sender's identity must be clearly displayed in the message header.
The subject field in the header must clearly identify the message as an advertisement or solicitation.
The body must provide recipients with a working link that can be used to opt out of future email.
The body must include the sender's valid postal address.
Organizations should not:
Send email to randomly generated addresses.
Set up Websites designed to harvest email addresses of potential customers.
Experts recommend that organizations redesign their own Websites to include a visible means for visitors to opt in to receive email.


PROCESSING INTEGRITY
COBIT control objective DS 11.1 addresses the need for controls over the input, processing, and output of data.
It identifies six categories of controls that can be used to satisfy that objective.
The six categories are grouped into three for discussion.


PROCESSING INTEGRITY
Three categories/groups of integrity controls are designed to meet the preceding objectives:
Input controls
Processing controls
Output controls


PROCESSING INTEGRITY
Once data is collected, data entry control procedures are needed to ensure that it is entered correctly. Common tests to validate input include:

Field check
Sign check
Limit check
Range check
Size (or capacity) check
Completeness check
Validity check
Reasonableness test
Check digit verification
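The following is an added example, not code from the textbook or its authors: each of the nine input validation tests listed above implemented as a small function and run over a constructed sales-order record. The field layout, the customer and inventory master files, the numeric limits and the use of the Luhn (mod-10) algorithm for the check digit are all assumptions made for illustration; the slide names the check but not the algorithm.

```python
"""Added example (not from the textbook or its authors): the input
validation checks listed above, run over constructed sales-order records.
The field layout, master files and the Luhn (mod-10) check-digit scheme
are assumptions made for illustration."""
from datetime import date

# Constructed master files (assumption) consulted by the validity check.
CUSTOMER_MASTER = {
    "12345674": {"name": "Acme Corp", "credit_limit": 50_000.00},
    "87654323": {"name": "Globex Inc", "credit_limit": 5_000.00},
}
INVENTORY_MASTER = {"WIDGET-01": 19.99, "GADGET-07": 249.00}

REQUIRED_FIELDS = ("customer_no", "item_code", "quantity", "unit_price", "order_date")
QUANTITY_LIMIT = 1_000            # limit check: fixed upper bound on a line
PRICE_RANGE = (0.01, 10_000.00)   # range check: lower and upper bound on price
CUSTOMER_NO_LENGTH = 8            # size check: exact field capacity


def check_digit_valid(number: str) -> bool:
    """Check digit verification with Luhn / mod-10 (assumed scheme)."""
    if not number.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:            # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def validate_order(rec: dict, today: date = date(2008, 6, 30)) -> list:
    """Run each input control over one record and return the failed checks."""
    failed = set()

    # Completeness check: every required field is present and non-blank.
    if any(rec.get(f) in (None, "") for f in REQUIRED_FIELDS):
        return ["completeness"]     # remaining checks would only add noise

    cust = str(rec["customer_no"])
    qty, price = rec["quantity"], rec["unit_price"]

    # Field check: customer number is digits only; quantity and price numeric.
    if (not cust.isdigit() or not isinstance(qty, int)
            or not isinstance(price, (int, float))):
        failed.add("field")
    # Size (capacity) check: customer number fills exactly 8 positions.
    if len(cust) != CUSTOMER_NO_LENGTH:
        failed.add("size")
    # Check digit verification on the customer number.
    if cust.isdigit() and not check_digit_valid(cust):
        failed.add("check_digit")
    # Validity check: customer and item must exist in the master files.
    if cust not in CUSTOMER_MASTER or rec["item_code"] not in INVENTORY_MASTER:
        failed.add("validity")
    if "field" in failed:
        return sorted(failed)       # arithmetic checks need numeric fields

    # Sign check: a quantity can never be negative.
    if qty < 0:
        failed.add("sign")
    # Limit check: quantity compared against a fixed ceiling.
    if qty > QUANTITY_LIMIT:
        failed.add("limit")
    # Range check: unit price must lie between a lower and an upper bound.
    if not PRICE_RANGE[0] <= price <= PRICE_RANGE[1]:
        failed.add("range")
    # Reasonableness test: the order value is judged against the customer's
    # credit limit, and the order date cannot lie in the future.
    limit = CUSTOMER_MASTER.get(cust, {}).get("credit_limit")
    if (limit is not None and qty * price > limit) or rec["order_date"] > today:
        failed.add("reasonableness")
    return sorted(failed)


# Constructed sample records (assumption).
GOOD_ORDER = {"customer_no": "12345674", "item_code": "WIDGET-01",
              "quantity": 10, "unit_price": 19.99, "order_date": date(2008, 6, 15)}
BAD_ORDER = {"customer_no": "12345675", "item_code": "WIDGET-01",
             "quantity": -5, "unit_price": 0.0, "order_date": date(2008, 6, 15)}
OVERSIZED_ORDER = {"customer_no": "87654323", "item_code": "GADGET-07",
                   "quantity": 2_000, "unit_price": 249.00,
                   "order_date": date(2008, 7, 1)}
INCOMPLETE_ORDER = {"customer_no": "", "item_code": "WIDGET-01",
                    "quantity": 1, "unit_price": 19.99, "order_date": date(2008, 6, 15)}

if __name__ == "__main__":
    for name, rec in [("good", GOOD_ORDER), ("bad", BAD_ORDER),
                      ("oversized", OVERSIZED_ORDER), ("incomplete", INCOMPLETE_ORDER)]:
        print(f"{name:10s} -> {validate_order(rec) or 'passes all checks'}")
```

The checks are deliberately independent so that one record can fail several at once; a data entry screen would normally report all of them together rather than stopping at the first, which is why the function collects a list instead of raising on the first failure.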


PROCESSING INTEGRITY
Processing Controls
Processing controls to ensure that data is processed correctly include:

Data matching
File labels
Recalculation of batch totals
Cross-footing balance test
Write-protection mechanisms
Database processing integrity procedures
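As an added example (not code from the textbook or its authors), the block below shows three of the processing controls just listed working together on a constructed payroll batch: a file label check on the batch header, recalculation of the record count, financial total and hash total after processing, and a cross-footing balance test that compares row totals with column totals. The field names, the header layout and the two failure cases are assumptions made for illustration.

```python
"""Added example (not from the textbook or its authors): recalculating batch
totals and running a cross-footing balance test over a constructed payroll
batch. The field names and the batch-header label layout are assumptions."""
import copy

# Constructed batch header (assumption): the control totals captured when the
# batch was entered, plus a file label identifying the batch.
BATCH_HEADER = {
    "file_label": "PAYROLL-2008-06",
    "record_count": 4,             # number of detail records entered
    "financial_total": 7_250.00,   # sum of the gross-pay field
    "hash_total": 1_468,           # sum of employee numbers (meaningless as a value)
}
# Constructed detail records (assumption): gross should equal regular + overtime.
BATCH_RECORDS = [
    {"emp_no": 101, "regular": 1_500.00, "overtime": 250.00, "gross": 1_750.00},
    {"emp_no": 222, "regular": 2_000.00, "overtime": 0.00, "gross": 2_000.00},
    {"emp_no": 333, "regular": 1_200.00, "overtime": 300.00, "gross": 1_500.00},
    {"emp_no": 812, "regular": 2_000.00, "overtime": 0.00, "gross": 2_000.00},
]


def recalculate_batch_totals(records: list) -> dict:
    """Recompute the three batch totals from the records actually processed."""
    return {
        "record_count": len(records),
        "financial_total": round(sum(r["gross"] for r in records), 2),
        "hash_total": sum(r["emp_no"] for r in records),
    }


def check_batch(header: dict, records: list, expected_label: str) -> list:
    """File label check, then compare recalculated totals with the header.
    Returns the names of the controls that failed (empty list = clean)."""
    problems = []
    if header["file_label"] != expected_label:
        problems.append("file_label")
    actual = recalculate_batch_totals(records)
    for key in ("record_count", "financial_total", "hash_total"):
        if actual[key] != header[key]:
            problems.append(key)
    return problems


def cross_foot(records: list) -> dict:
    """Cross-footing balance test: each row must foot (regular + overtime ==
    gross) and the column totals must agree with the grand total of the rows."""
    row_errors = [r["emp_no"] for r in records
                  if round(r["regular"] + r["overtime"], 2) != round(r["gross"], 2)]
    column_total = round(sum(r["regular"] for r in records)
                         + sum(r["overtime"] for r in records), 2)
    grand_total = round(sum(r["gross"] for r in records), 2)
    return {"row_errors": row_errors, "columns_balance": column_total == grand_total}


def altered_batch() -> list:
    """Constructed failure case: one gross-pay amount changed during processing."""
    records = copy.deepcopy(BATCH_RECORDS)
    records[2]["gross"] = 1_800.00
    return records


def truncated_batch() -> list:
    """Constructed failure case: the last record was lost during processing."""
    return copy.deepcopy(BATCH_RECORDS[:-1])


if __name__ == "__main__":
    for name, recs in [("as entered", BATCH_RECORDS), ("altered", altered_batch()),
                       ("truncated", truncated_batch())]:
        print(name, check_batch(BATCH_HEADER, recs, "PAYROLL-2008-06"), cross_foot(recs))
```

The two failure cases show why the controls complement each other: a single altered amount leaves the record count and hash total intact and is caught only by the financial total and the cross-footing test, while a dropped record leaves every row footing correctly and is caught only by the recalculated batch totals.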


AVAILABILITY
Reliable systems are available for use whenever needed.
Threats to system availability originate from many sources, including:
Hardware and software failures
Natural and man-made disasters
Human error
Worms and viruses
Denial-of-service attacks and other sabotage


AVAILABILITY
COBIT control objectives DS 12.1 and 12.4 address the importance of proper location and design of rooms housing mission-critical servers and databases.
Raised floors protect from flood damage.
Fire protection and suppression devices reduce likelihood of fire damage.
Adequate air conditioning reduces likelihood of damage from over-heating or humidity.
Cables with special plugs that cannot be easily removed reduce risk of damage due to accidental unplugging.

AVAILABILITY
An uninterruptible power supply (UPS) provides protection from a prolonged power outage and buys the system enough time to back up critical data and shut down safely.


AVAILABILITY
Training is especially important.
Well-trained operators are less likely to make mistakes and more able to recover if they do.
Security awareness training, particularly concerning safe email and Web-browsing practices, can reduce risk of virus and worm infection.
Anti-virus software should be installed, run, and kept current.
Email should be scanned for viruses at both the server and desktop levels.
Newly acquired software and disks, CDs, or DVDs should be scanned and tested first on a machine that is isolated from the main network.

AVAILABILITY
COBIT control objective DS 13.1 stresses the importance of defining and documenting operational procedures and ensuring that operations staff understand their responsibilities.


AVAILABILITY
Key components of effective disaster recovery and business continuity plans include:
Data backup procedures
Provisions for access to replacement infrastructure (equipment, facilities, phone lines, etc.)
Thorough documentation
Periodic testing
Adequate insurance

CHANGE MANAGEMENT CONTROLS
Organizations constantly modify their information systems to reflect new business practices and to take advantage of advances in IT.
Controls are needed to ensure such changes don't negatively impact reliability.
Existing controls related to security, confidentiality, privacy, processing integrity, and availability should be modified to maintain their effectiveness after the change.
Change management controls need to ensure adequate segregation of duties is maintained in light of the modifications to the organizational structure and adoption of new software.


CHANGE MANAGEMENT CONTROLS
Important change management controls include:
All change requests should be documented in a standard format that identifies:
Nature of the change
Reason for the change
Date of the request
All changes should be approved by appropriate levels of management.
Approvals should be clearly documented to provide an audit trail.
Management should consult with the CSO and other IT managers about the impact of the change on reliability.

Attacks threatening confidentiality
In general, two types of attack threaten the confidentiality of information: snooping and traffic analysis. Snooping refers to unauthorized access to or interception of data. Traffic analysis refers to other types of information collected by an intruder by monitoring online traffic.
Attacks threatening integrity
The integrity of data can be threatened by several kinds of attack: modification, masquerading, replaying and repudiation.


Attacks threatening availability
Denial of service (DoS) attacks may slow down or totally interrupt the service of a system. The attacker can use several strategies to achieve this. They might make the system so busy that it collapses, or they might intercept messages sent in one direction and make the sending system believe that one of the parties involved in the communication or message has lost the message and that it should be resent.


Security services
Standards have been defined for security services to achieve security goals and prevent security attacks. Figure 16.3 shows the taxonomy of the five common services.

Figure 16.3 Security services



Techniques
The actual implementation of security goals needs some help from mathematics. Two techniques are prevalent today: one is very general (cryptography) and one is specific (steganography).
Cryptography
Some security services can be implemented using cryptography. Cryptography, a word with Greek origins, means "secret writing."
Steganography
The word steganography, with its origin in Greek, means "covered writing," in contrast to cryptography, which means "secret writing."

End
