Romney/Steinbart
1 of 136
INTRODUCTION
Questions to be addressed in this chapter include:
What controls are used to protect the confidentiality of sensitive information?
What controls are designed to protect the privacy of customers' personal information?
What controls ensure processing integrity?
How are information systems changes controlled to ensure that the new system satisfies all five principles of systems reliability?
INTRODUCTION
Reliable systems satisfy five principles. Information security (discussed in Chapter 7) is the foundation on which the other four rest:
Security
Confidentiality
Privacy
Processing integrity
Availability
2008 Prentice Hall Business Publishing
CONFIDENTIALITY
Maintaining confidentiality requires that
management identify which information is
sensitive.
Each organization will develop its own definitions
of what information needs to be protected.
Most definitions will include:
Business plans
Pricing strategies
Client and customer lists
Legal documents
CONFIDENTIALITY
Table 8-1 in your textbook summarizes key controls to protect the confidentiality of information, organized by situation: storage, transmission, disposal, and overall. Encryption is the principal control for data in storage and in transmission.
CONFIDENTIALITY
It is critical to encrypt any sensitive information
stored in devices that are easily lost or stolen,
such as laptops, PDAs, cell phones, and other
portable devices.
Many organizations have policies against storing
sensitive information on these devices.
81% of users admit they do so anyway.
CONFIDENTIALITY
Access to system outputs should also be controlled:
Do not allow visitors to roam through buildings unsupervised.
Require employees to log out of any application before
leaving their workstation unattended, so other employees do
not have unauthorized access.
Workstations should use password-protected screen savers
that automatically engage when there is no activity for a
specified period.
Access should be restricted to rooms housing printers and
fax machines.
Reports should be coded to reflect the importance of the information therein, and employees should be trained not to leave reports with sensitive information lying in plain view.
CONFIDENTIALITY
Many organizations are taking steps to address
the confidentiality threats created by email and
IM.
One response is to mandate encryption of all email
with sensitive information.
Some organizations prohibit use of freeware IM
products and purchase commercial products with
security features, including encryption.
Users sending emails must be trained to be very
careful about the identity of their addressee.
EXAMPLE: The organization may have two employees named Allen Smith. It's critical that sensitive information go to the correct Allen Smith.
PRIVACY
COBIT section DS 11 addresses the
management of data and specifies the need to
comply with regulatory requirements.
A number of regulations, including the Health Insurance Portability and Accountability Act (HIPAA) and the Financial Services Modernization Act (aka the Gramm-Leach-Bliley Act), require organizations to protect the privacy of customer information.
PRIVACY
The Trust Services privacy framework of the AICPA and CICA lists ten internationally recognized best practices for protecting the privacy of customers' personal information:
Management
Notice
Choice and consent
Collection
Use and retention
Access
Disclosure to third parties
Security
Quality
Monitoring and enforcement

Management: the organization assigns one or more employees to be responsible for assuring and verifying compliance with its stated policies. It also provides procedures to respond to customer complaints, including third-party dispute-resolution processes.
PRIVACY
One topic of concern is cookies used on Web sites.
A cookie is a small text record created by a Website and stored by the visitor's browser on the visitor's hard drive. It records what the visitor has done on the site.
Most Websites create multiple cookies per visit to make it easier for visitors to navigate the site.
Browsers can be configured to refuse cookies, but this may make some Websites inaccessible.
Cookies are text and cannot do anything other than store information; they cannot run code. Many people nonetheless worry that they violate privacy rights, because a cookie set by a third party (an advertising network, for example) can record the visitor's activity across many sites.
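The following is an added example, not code from the textbook: it parses constructed Set-Cookie headers and reports the attributes that decide where a cookie travels. Every host name and header line is constructed for illustration, and the "site" of a host is approximated by its last two DNS labels (a simplification that ignores the public suffix list).

```python
"""Inspect Set-Cookie headers for the attributes that limit where a cookie travels.

Added example; it is not code from the textbook. The header lines and host names
are constructed. A cookie is only text, but its attributes decide whether it is
sent over plain HTTP, exposed to page scripts, and whether it follows the visitor
across sites (the third-party tracking behind the privacy concern).
"""


def parse_set_cookie(header: str) -> dict:
    """Split one Set-Cookie header into name, value and lower-cased attributes."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def site_of(host: str) -> str:
    """Approximate a host's site as its last two DNS labels (assumption: no public suffix list)."""
    return ".".join(host.lower().split(".")[-2:])


def audit_cookie(header: str, set_by: str, page_host: str) -> list:
    """Findings for a cookie that the response from set_by set while the visitor was on page_host."""
    attrs = parse_set_cookie(header)["attrs"]
    findings = []
    if "secure" not in attrs:
        findings.append("no Secure: sent over unencrypted HTTP too")
    if "httponly" not in attrs:
        findings.append("no HttpOnly: readable by scripts on the page")
    if str(attrs.get("samesite", "")).lower() == "none":
        findings.append("SameSite=None: sent on cross-site requests")
    if site_of(set_by) != site_of(page_host):
        findings.append("third-party cookie: set by %s while visiting %s" % (set_by, page_host))
    return findings


# Constructed headers as a shop's pages might receive them.
PAGE_HOST = "shop.example.com"
SESSION_COOKIE = "sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"
TRACKING_COOKIE = ("uid=u-42; Domain=ads.example.net; Path=/; "
                   "Expires=Fri, 01 Jan 2010 00:00:00 GMT; SameSite=None")

if __name__ == "__main__":
    print("session cookie:", audit_cookie(SESSION_COOKIE, "shop.example.com", PAGE_HOST) or "ok")
    print("tracking cookie:", audit_cookie(TRACKING_COOKIE, "ads.example.net", PAGE_HOST))
```

The session cookie passes every check; the advertising cookie is flagged on all four. Current browsers already refuse a SameSite=None cookie that lacks Secure, so the combination shown for the tracking cookie would simply be dropped by them.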
PRIVACY
Another privacy-related issue that is of growing
concern is identity theft.
Organizations have an ethical and moral obligation to implement controls to protect databases that contain their customers' personal information.
PRIVACY
Organizations that send commercial email must carefully follow the CAN-SPAM guidelines, which include:
The sender's identity must be clearly displayed in the message header.
The subject field in the header must clearly identify the message as an advertisement or solicitation.
The body must provide recipients with a working link that can be used to opt out of future email.
The body must include the sender's valid postal address.
Organizations should not:
Send email to randomly generated addresses.
Set up Websites designed to harvest email addresses of potential customers.
Experts recommend that organizations redesign their own Websites to include a visible means for visitors to opt in to receive email.
PROCESSING INTEGRITY
Three categories of integrity controls are used to meet the processing integrity objectives:
Input controls
Processing controls
Output controls
PROCESSING INTEGRITY
Once data is collected, data entry control procedures are needed to ensure that it's entered correctly. Common tests to validate input include:
Field check: the characters in a field are of the proper type (for example, no letters in a numeric field).
Sign check: the data in a field has the appropriate arithmetic sign.
Limit check: a numeric amount is tested against a single fixed value.
Range check: a numeric amount is tested against both a lower and an upper limit.
Size (or capacity) check: the input fits within the field that will store it.
Completeness check: all required data items have been entered.
Validity check: an identifier is compared with a master file of authorized values.
Reasonableness test: the logical relationship between two data items is checked.
Check digit verification: an identifier carries an extra digit computed from its other digits, so a transposed or mistyped digit is detected.
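The following is an added example, not code from the textbook: every check in the list above applied to a constructed sales-order record. The record layout, the policy limits (MAX_ORDER_AMOUNT, QTY_RANGE, PRODUCT_CODE_SIZE), the customer master list and the choice of the Luhn mod-10 scheme for the check digit are all assumptions made for the example.

```python
"""Data-entry (input) validation checks applied to a constructed sales-order record.

Added example; it is not code from the textbook. The record layout, the policy
limits and the customer master list are assumptions chosen to exercise each check.
"""

# Constructed customer master file: authorized customer numbers. Each number ends in
# a Luhn (mod-10) check digit, so a keying error in the number is also detectable.
CUSTOMER_MASTER = {"10017", "10025", "10033"}

MAX_ORDER_AMOUNT = 50_000.00    # limit check: single fixed ceiling (assumed credit policy)
QTY_RANGE = (1, 1000)           # range check: lower and upper bound (assumed)
PRODUCT_CODE_SIZE = 8           # size check: capacity of the product-code field (assumed)


def luhn_valid(number: str) -> bool:
    """Check digit verification with the Luhn (mod-10) algorithm.

    Every second digit from the right is doubled (subtracting 9 if the result
    exceeds 9); the number is valid when the digit sum is a multiple of 10.
    """
    if not number.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def _number(value):
    """Return value as a float if it parses as a decimal number, else None."""
    try:
        return float(value)
    except (TypeError, ValueError):
        return None


def validate_order(rec: dict) -> list:
    """Return the names of the input checks the record fails (empty list = clean)."""
    failures = []

    # Completeness check: every required field was entered.
    required = ("customer_no", "product_code", "quantity", "unit_price", "amount", "order_date")
    if any(rec.get(f) in (None, "") for f in required):
        failures.append("completeness")

    # Field check: numeric fields contain only characters of the proper type.
    if any(_number(rec.get(f)) is None for f in ("quantity", "unit_price", "amount")):
        failures.append("field")
        return failures          # the numeric tests below are meaningless on non-numeric input

    qty, price, amount = (float(rec[f]) for f in ("quantity", "unit_price", "amount"))

    # Sign check: a sales order never carries a negative quantity or amount.
    if qty < 0 or amount < 0:
        failures.append("sign")
    # Limit check: the amount is tested against one fixed value.
    if amount > MAX_ORDER_AMOUNT:
        failures.append("limit")
    # Range check: the quantity is tested against both a lower and an upper bound.
    if not QTY_RANGE[0] <= qty <= QTY_RANGE[1]:
        failures.append("range")
    # Size (capacity) check: the value fits in the field that will store it.
    if len(str(rec.get("product_code", ""))) > PRODUCT_CODE_SIZE:
        failures.append("size")
    # Validity check: the customer number exists in the master file.
    customer_no = str(rec.get("customer_no", ""))
    if customer_no not in CUSTOMER_MASTER:
        failures.append("validity")
    # Reasonableness test: the fields stand in their expected relationship.
    if abs(qty * price - amount) > 0.005:
        failures.append("reasonableness")
    # Check digit verification: the customer number is internally consistent.
    if not luhn_valid(customer_no):
        failures.append("check_digit")
    return failures


# Constructed sample records.
GOOD_ORDER = {"customer_no": "10017", "product_code": "WIDG-001", "quantity": "10",
              "unit_price": "25.00", "amount": "250.00", "order_date": "2008-03-01"}
BAD_ORDER = {"customer_no": "10018", "product_code": "WIDGET-0001", "quantity": "-5",
             "unit_price": "25.00", "amount": "60000.00", "order_date": "2008-03-01"}

if __name__ == "__main__":
    print("good order:", validate_order(GOOD_ORDER) or "passes all checks")
    print("bad order fails:", validate_order(BAD_ORDER))
    print("non-numeric quantity:", validate_order(dict(GOOD_ORDER, quantity="ten")))
```

The field check short-circuits because the sign, limit, range and reasonableness tests are undefined on non-numeric input; the other checks are independent and are all reported, so one rejected record tells the data-entry clerk everything that is wrong with it. Note that the check digit catches a transposition (10071 for 10017) that the validity check would also catch here only because the master file is tiny.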
PROCESSING INTEGRITY
Processing Controls
Processing controls to ensure that data is processed correctly include:
Data matching: two or more items are matched before an action is taken (for example, a vendor invoice is matched to the purchase order and the receiving report before it is paid).
File labels: internal and external labels ensure that the correct and most current file is processed.
Recalculation of batch totals: record counts, financial totals and hash totals computed when the batch is entered are recomputed after processing and compared.
Cross-footing balance test: totals computed in different ways (row totals and column totals) are compared to verify accuracy.
Write-protection mechanisms: protect against overwriting or erasing data files.
Database processing integrity procedures: database administrators, data dictionaries and concurrency controls ensure that the database is updated correctly.
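The following is an added example, not code from the textbook: batch-total recalculation, a cross-footing balance test and data matching (a three-way match) run over constructed transactions and documents. The transaction layout, the report figures and the purchase-order, receipt and invoice records are constructed for the example.

```python
"""Processing controls over constructed transaction batches and documents.

Added example; it is not code from the textbook. Shows batch-total recalculation
(record count, financial total, hash total), a cross-footing balance test and data
matching (a three-way match of purchase order, receiving report and invoice).
"""
from collections import namedtuple

Txn = namedtuple("Txn", "customer_no amount")


def batch_totals(txns):
    """Control totals captured when a batch is entered and recomputed after processing."""
    return {
        "record_count": len(txns),
        "financial_total": round(sum(t.amount for t in txns), 2),
        # Hash total: sum of a non-financial field; meaningless as a number, but a lost,
        # duplicated or mis-keyed record changes it even when the amounts still agree.
        "hash_total": sum(int(t.customer_no) for t in txns),
    }


def recalculate_batch_totals(entered, processed):
    """Return the names of the totals that no longer agree after processing."""
    before, after = batch_totals(entered), batch_totals(processed)
    return [name for name in before if before[name] != after[name]]


def cross_foot(cells, row_totals, col_totals, grand_total):
    """Cross-footing balance test on a report.

    cells is the body of the report (a list of rows); the three totals are the
    figures printed on the report. Each row and column must foot to its printed
    total, and row totals and column totals must both cross-foot to the grand total.
    """
    problems = []
    for i, row in enumerate(cells):
        if round(sum(row), 2) != row_totals[i]:
            problems.append("row %d does not foot" % i)
    for j, col in enumerate(zip(*cells)):
        if round(sum(col), 2) != col_totals[j]:
            problems.append("column %d does not foot" % j)
    if round(sum(row_totals), 2) != grand_total or round(sum(col_totals), 2) != grand_total:
        problems.append("row and column totals do not cross-foot to the grand total")
    return problems


def three_way_match(po, receipt, invoice, price_tolerance=0.0):
    """Data matching: pay a vendor invoice only if it agrees with the purchase order
    and the receiving report. Returns the mismatches found (empty list = approve)."""
    problems = []
    if not (po["po_no"] == receipt["po_no"] == invoice["po_no"]):
        problems.append("purchase order numbers differ")
    if invoice["qty"] != receipt["qty"]:
        problems.append("quantity billed differs from quantity received")
    if invoice["qty"] > po["qty"]:
        problems.append("quantity billed exceeds quantity ordered")
    if abs(invoice["unit_price"] - po["unit_price"]) > price_tolerance:
        problems.append("unit price differs from purchase order")
    return problems


# Constructed sample data.
ENTERED = [Txn("10017", 250.00), Txn("10025", 99.95), Txn("10033", 1200.00)]
# Same amounts, but the first customer number was transposed during processing.
PROCESSED = [Txn("10071", 250.00), Txn("10025", 99.95), Txn("10033", 1200.00)]

REPORT_CELLS = [[100.0, 200.0], [300.0, 400.0]]     # sales by region (rows) and quarter (columns)
ROW_TOTALS, COL_TOTALS, GRAND_TOTAL = [300.0, 700.0], [400.0, 600.0], 1000.0

PO = {"po_no": "PO-1001", "qty": 100, "unit_price": 9.50}
RECEIPT = {"po_no": "PO-1001", "qty": 100}
INVOICE = {"po_no": "PO-1001", "qty": 120, "unit_price": 9.95}

if __name__ == "__main__":
    print("batch totals that disagree:", recalculate_batch_totals(ENTERED, PROCESSED))
    print("cross-foot problems:", cross_foot(REPORT_CELLS, ROW_TOTALS, COL_TOTALS, GRAND_TOTAL))
    print("three-way match problems:", three_way_match(PO, RECEIPT, INVOICE))
```

The transposed customer number leaves the record count and the financial total unchanged; only the hash total exposes it, which is the reason a batch carries a hash total at all. The cross-footing test is only meaningful against totals that were produced separately (printed on the report, carried from a prior run), since row sums and column sums recomputed from the same cells always agree.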
AVAILABILITY
COBIT control objectives DS 12.1 and 12.4
address the importance of proper location and
design of rooms housing mission-critical servers
and databases.
Raised floors protect from flood damage.
Fire protection and suppression devices reduce
likelihood of fire damage.
Adequate air conditioning reduces likelihood of
damage from over-heating or humidity.
Cables with special plugs that cannot be easily
removed reduce risk of damage due to accidentally
unplugging.
AVAILABILITY
An uninterruptible power supply (UPS)
provides protection from a prolonged power
outage and buys the system enough time to
back up critical data and shut down safely.
AVAILABILITY
Training is especially important.
Well-trained operators are less likely to make mistakes
and more able to recover if they do.
Security awareness training, particularly concerning
safe email and Web-browsing practices, can reduce
risk of virus and worm infection.
AVAILABILITY
Key components of effective disaster
recovery and business continuity plans
include:
Data backup procedures
Provisions for access to replacement
infrastructure (equipment, facilities, phone
lines, etc.)
Thorough documentation
Periodic testing
Adequate insurance
Security services
Standards have been defined for security services that achieve security goals and prevent security attacks. Figure 16.3 shows the taxonomy of the five common services.
Techniques
The actual implementation of security goals needs some help from mathematics. Two techniques are prevalent today: one is very general (cryptography) and one is specific (steganography).
Cryptography
Some security services can be implemented using cryptography. Cryptography, a word with Greek origins, means "secret writing".
Steganography
The word steganography, with its origin in Greek, means "covered writing", in contrast to cryptography, which means "secret writing".
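The following is an added example, not code from either textbook, showing the distinction just drawn: a message is hidden in the least significant bit of each byte of a cover (covered writing), so the cover barely changes, while the message itself stays readable to anyone who knows the scheme. The cover is a constructed pseudo-random byte string standing in for pixel data; the 4-byte length header is a design choice of the example.

```python
"""Least-significant-bit (LSB) steganography over a constructed byte sequence.

Added example; it is not code from either textbook. The cover is a constructed
pseudo-random byte string standing in for pixel data. The message is hidden in
the lowest bit of each cover byte, so each byte changes by at most 1 (covered
writing); the message is not transformed, so anyone who knows the scheme can
read it. That is the contrast with cryptography (secret writing).
"""
import random

HEADER_BYTES = 4  # big-endian message length stored ahead of the message


def _bits(data: bytes):
    """Yield the bits of data, most significant bit of each byte first."""
    for byte in data:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1


def embed(cover: bytes, message: bytes) -> bytes:
    """Hide message in the LSBs of cover and return the modified cover."""
    payload = len(message).to_bytes(HEADER_BYTES, "big") + message
    if len(payload) * 8 > len(cover):
        raise ValueError("cover too small: need %d bytes, have %d" % (len(payload) * 8, len(cover)))
    stego = bytearray(cover)
    for i, bit in enumerate(_bits(payload)):
        stego[i] = (stego[i] & 0xFE) | bit   # clear the low bit, then set it to the payload bit
    return bytes(stego)


def _read(stego: bytes, start_byte: int, count: int) -> bytes:
    """Reassemble count bytes from the LSBs starting at cover byte start_byte."""
    out = bytearray()
    for k in range(count):
        value = 0
        for i in range(8):
            value = (value << 1) | (stego[start_byte + (k * 8) + i] & 1)
        out.append(value)
    return bytes(out)


def extract(stego: bytes) -> bytes:
    """Recover the hidden message from a cover produced by embed()."""
    length = int.from_bytes(_read(stego, 0, HEADER_BYTES), "big")
    return _read(stego, HEADER_BYTES * 8, length)


def max_byte_change(cover: bytes, stego: bytes) -> int:
    """Largest per-byte difference between cover and stego (at most 1 for LSB embedding)."""
    return max(abs(a - b) for a, b in zip(cover, stego))


# Constructed cover: 2048 pseudo-random bytes, enough for a 252-byte message.
COVER = bytes(random.Random(2008).getrandbits(8) for _ in range(2048))

if __name__ == "__main__":
    stego = embed(COVER, b"meet at noon")
    print("recovered:", extract(stego))
    print("largest change to any cover byte:", max_byte_change(COVER, stego))
```

Because the hidden text is recovered verbatim, steganography on its own gives no confidentiality once the hiding place is known; in practice the message is encrypted first and the ciphertext is what gets embedded, combining the two techniques.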
2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart