Accounting information systems 11e romney steinbart chapter 08

CHAPTER 8
Information Systems Controls for System Reliability
Part 2: Confidentiality, Privacy, Processing Integrity, and Availability

© 2008 Prentice Hall Business Publishing

Accounting Information Systems, 11/e

Romney/Steinbart

1 of 136


INTRODUCTION
• Questions to be addressed in this chapter
include:
– What controls are used to protect the
confidentiality of sensitive information?
– What controls are designed to protect privacy of
customers’ personal information?
– What controls ensure processing integrity?
– How are information systems changes controlled
to ensure that the new system satisfies all five
principles of systems reliability?



INTRODUCTION
• Reliable systems satisfy five principles:
– Information Security (discussed in Chapter 7)
– Confidentiality
– Privacy
– Processing integrity
– Availability

[Figure: Security as the foundation, with Confidentiality, Privacy, Processing Integrity and Availability supporting Systems Reliability]


CONFIDENTIALITY
• Reliable systems maintain the confidentiality of sensitive information.


CONFIDENTIALITY
• Maintaining confidentiality requires that management identify which information is sensitive.
• Each organization will develop its own definitions of what information needs to be protected.
• Most definitions will include:
– Business plans
– Pricing strategies
– Client and customer lists
– Legal documents
• COBIT control objective PO 2.3 specifies the need to identify and to properly label potentially sensitive information, to assign responsibility for its protection, and to implement appropriate controls.



CONFIDENTIALITY
• Table 8-1 in your textbook summarizes key controls to protect confidentiality of information:

Situation      Controls
Storage        Encryption and access controls
Transmission   Encryption
Disposal       Shredding, thorough erasure, physical destruction
Overall        Categorization to reflect value and training in proper work practices



CONFIDENTIALITY
• Encryption is a fundamental control
procedure for protecting the confidentiality
of sensitive information.
• Confidential information should be
encrypted:
– While stored
– Whenever transmitted
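The storage and transmission controls above come down to authenticated encryption with a key that is kept apart from the data it protects. The Go program below is an added example written for this page, not code from the textbook: it seals a constructed customer record with AES-256-GCM so that a stolen copy of the stored blob is unreadable, any tampering with the blob is detected on decryption, and a blob cannot be moved to another record because the record ID is bound to it as associated data. The record text, the record ID, and the function names NewKey, Seal and Open are assumptions made for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// NewKey returns a fresh 256-bit AES key from the OS CSPRNG. In a real
// deployment the key lives in a key manager or HSM, never beside the data.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// Seal encrypts plaintext with AES-256-GCM and returns nonce||ciphertext||tag.
// aad (additional authenticated data) is not encrypted but is covered by the
// tag, so binding the record ID to the blob stops a blob from being swapped
// into a different record.
func Seal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // 12 bytes; must never repeat under one key
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// gcm.Seal appends ciphertext and tag to the nonce, giving nonce||ct||tag.
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// Open reverses Seal. It fails if the key or aad is wrong or if a single bit
// of the blob has changed, so corrupted data is never silently accepted.
func Open(key, blob, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("blob too short to contain nonce and tag")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, aad)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func main() {
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample record; the record ID is the associated data.
	recordID := []byte("customer:1042")
	record := []byte("Jane Doe, card ending 4242, credit limit 15000")

	blob, err := Seal(key, record, recordID)
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored blob (%d bytes), first 16: %x\n", len(blob), blob[:16])

	// Normal read-back by an authorized service that holds the key.
	plain, err := Open(key, blob, recordID)
	fmt.Printf("decrypted: %q (err=%v)\n", plain, err)

	// Someone who edits the stored blob is detected.
	tampered := append([]byte(nil), blob...)
	tampered[len(tampered)-1] ^= 0x01
	_, err = Open(key, tampered, recordID)
	fmt.Println("tampered blob rejected:", err != nil)

	// The same blob attached to another record ID is also rejected.
	_, err = Open(key, blob, []byte("customer:9999"))
	fmt.Println("blob bound to wrong record rejected:", err != nil)
}
```

The same Seal/Open pair serves the transmission case: the sender seals the message and the receiver opens it, with the session or message identifier as the associated data. Two points the slide does not spell out are visible in the code: the nonce must never repeat under one key (GCM loses both confidentiality and integrity if it does), and the key is the asset an attacker actually needs, which is why the access controls of the next slides matter as much as the cipher.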



CONFIDENTIALITY
• The Internet provides inexpensive transmission, but data sent over it is easily intercepted.
• Encryption does not stop interception, but it makes intercepted data unreadable to anyone without the key.
• Encrypting traffic before it enters the Internet is the basis of a virtual private network (VPN), which:
– Provides the functionality of a privately owned network
– But uses the Internet as the carrier



CONFIDENTIALITY
• Use of VPN software creates private communication channels, often referred to as tunnels.
– The tunnels are accessible only to parties who have the appropriate encryption and decryption keys.
– Cost of the VPN software is much less than the cost of leasing or buying a privately-owned, secure communications network.
– Also, makes it much easier to add or remove sites from the “network.”
• In accordance with COBIT DS 5.11, VPNs include controls to authenticate the parties exchanging information and to create an audit trail of the exchange.


CONFIDENTIALITY
• It is critical to encrypt any sensitive
information stored in devices that are easily
lost or stolen, such as laptops, PDAs, cell
phones, and other portable devices.

– Many organizations have policies against storing
sensitive information on these devices.
– 81% of users admit they do so anyway.



CONFIDENTIALITY
• Encryption alone is not sufficient to protect confidentiality. Weak or outdated encryption schemes can be broken given enough time, and encrypted data is only as safe as the key that unlocks it.
• Access controls are also needed:
– To prevent unauthorized parties from obtaining the encrypted data (or the keys); and
– Because not all confidential information can be encrypted in storage.

• Strong authentication techniques are necessary.
• Strong authorization controls should be used to limit
the actions (read, write, change, delete, copy, etc.)
that authorized users can perform when accessing
confidential information.


CONFIDENTIALITY
• Access to system outputs should also be controlled:
– Do not allow visitors to roam through buildings
unsupervised.
– Require employees to log out of any application before
leaving their workstation unattended, so other employees
do not have unauthorized access.
– Workstations should use password-protected screen
savers that automatically engage when there is no activity
for a specified period.
– Access should be restricted to rooms housing printers and
fax machines.
– Reports should be coded to reflect the importance of the information therein, and employees should be trained not to leave reports with sensitive information lying in plain view.




CONFIDENTIALITY
• It is especially important to control disposal of information resources.
• Printed reports and microfilm with sensitive information should be shredded.
• COBIT control objective DS 11.4 addresses the need to define and implement procedures governing the disposal of sensitive data and any hardware on which that data was stored.



CONFIDENTIALITY
• Special procedures are needed for information stored on magnetic and optical media.
– Using built-in operating system commands to delete the information does not truly delete it; the data blocks are merely marked as free, and utility programs will often be able to recover these files.
– De-fragmenting a disk may actually create multiple copies of a “deleted” document, because blocks are copied to new locations and the old ones are not cleared.
– Consequently, special software should be used to “wipe” the media clean by repeatedly overwriting the disk with random patterns of data (sometimes referred to as “shredding” a disk).
– Magnetic disks and tapes can be run through degaussing devices to demagnetize them.
– Overwriting and degaussing are not dependable on flash-based (solid-state) media, whose wear-leveling keeps copies of data in blocks that software cannot address; for such media, encrypting the drive from the outset and destroying the key, or physical destruction, is the reliable option.
– The safest alternative may be to physically destroy disks with highly sensitive data.
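The “wipe” step above, as an added example written for this page rather than code from the textbook: the Go program overwrites a file in place with several passes of random data, forcing each pass to disk before the file is finally unlinked, and it keeps the overwrite and the unlink as separate steps so the result can be checked. The sample client-list file, the temp directory, and the function names Overwrite and Shred are assumptions made for the example.

```go
package main

import (
	"crypto/rand"
	"errors"
	"fmt"
	"io"
	"os"
	"path/filepath"
)

// Overwrite replaces every byte of the regular file at path, in place, with
// `passes` rounds of random data, forcing each pass to disk with fsync. It
// returns the number of bytes overwritten per pass and leaves the file in
// place so the caller can inspect the result before unlinking it.
func Overwrite(path string, passes int) (int64, error) {
	if passes < 1 {
		return 0, errors.New("passes must be at least 1")
	}
	f, err := os.OpenFile(path, os.O_WRONLY, 0)
	if err != nil {
		return 0, err
	}
	defer f.Close()
	info, err := f.Stat()
	if err != nil {
		return 0, err
	}
	if !info.Mode().IsRegular() {
		return 0, errors.New("refusing to overwrite a non-regular file")
	}
	size := info.Size()
	for p := 0; p < passes; p++ {
		if _, err := f.Seek(0, io.SeekStart); err != nil {
			return 0, err
		}
		// Stream exactly size bytes from the CSPRNG over the old contents.
		if _, err := io.CopyN(f, rand.Reader, size); err != nil {
			return 0, err
		}
		// Without Sync the new bytes may still sit in the page cache
		// when the file is unlinked, leaving the old blocks untouched.
		if err := f.Sync(); err != nil {
			return 0, err
		}
	}
	return size, nil
}

// Shred overwrites the file and then unlinks it. Deleting with the OS alone
// only frees the directory entry; the blocks keep their old contents.
func Shred(path string, passes int) error {
	if _, err := Overwrite(path, passes); err != nil {
		return err
	}
	return os.Remove(path)
}

func main() {
	// Constructed example file in a throwaway temp directory.
	dir, err := os.MkdirTemp("", "disposal")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	path := filepath.Join(dir, "client-list.txt")
	if err := os.WriteFile(path, []byte("ACME Corp; Globex; Initech\n"), 0o600); err != nil {
		panic(err)
	}

	n, err := Overwrite(path, 3)
	if err != nil {
		panic(err)
	}
	after, _ := os.ReadFile(path)
	fmt.Printf("overwrote %d bytes per pass; file now begins %x\n", n, after[:8])

	if err := Shred(path, 1); err != nil {
		panic(err)
	}
	_, err = os.Stat(path)
	fmt.Println("file removed:", os.IsNotExist(err))
}
```

Two caveats govern where this is adequate. It only reaches the blocks the file currently occupies: earlier copies left by defragmentation, backups, swap, or application temp files are untouched, which is why the slide speaks of wiping the whole disk rather than a file. And on solid-state drives or copy-on-write and journaling filesystems the rewritten bytes may land in fresh blocks while the originals survive, so the check in the test (the old string is gone from the file) is necessary but not sufficient there; full-disk encryption with key destruction, or physical destruction, is the dependable control for such media.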


CONFIDENTIALITY
• Controls to protect confidentiality must be
continuously reviewed and modified to
respond to new threats created by
technological advances.
• Many organizations now prohibit visitors
from using cell phones while touring their
facilities because of the threat caused by
cameras in these phones.
• Because these devices are easy to hide,
some organizations use jamming devices to
deactivate their imaging systems while on
company premises.


CONFIDENTIALITY
• Phone conversations have also been affected
by technology.
• The use of voice over Internet Protocol (VoIP) technology means that phone conversations are routed as packets over the Internet.
– Because this makes wiretapping much easier, conversations about sensitive topics should be encrypted.



CONFIDENTIALITY
• Employee use of email and instant messaging (IM) probably represents two of the greatest threats to the confidentiality of sensitive information.
– It is virtually impossible to control the distribution of a message once the recipient holds it.
– Organizations need to develop comprehensive
policies governing the appropriate and allowable
use of these technologies for business purposes.
– Employees need to be trained on what type of
information they can and cannot share, especially
with IM.


CONFIDENTIALITY
• Many organizations are taking steps to
address the confidentiality threats created by
email and IM.
– One response is to mandate encryption of all
email with sensitive information.
– Some organizations prohibit use of freeware IM
products and purchase commercial products with
security features, including encryption.
– Users sending emails must be trained to be very
careful about the identity of their addressee.

• EXAMPLE: The organization may have two employees
named Allen Smith. It’s critical that sensitive information
go to the correct Allen Smith.


PRIVACY
• In the Trust Services framework, the privacy principle is closely related to the confidentiality principle.
• Primary difference is that privacy focuses on protecting personal information about customers rather than organizational data.
• Key controls for privacy are the same that were previously listed for confidentiality.


PRIVACY
• COBIT section DS 11 addresses the
management of data and specifies the need
to comply with regulatory requirements.
• A number of regulations, including the Health Insurance Portability and Accountability Act (HIPAA) and the Financial Services Modernization Act (aka the Gramm-Leach-Bliley Act), require organizations to protect the privacy of customer information.




PRIVACY
• The Trust Services privacy framework of the AICPA and CICA lists ten internationally recognized best practices for protecting the privacy of customers’ personal information:
– Management
• The organization establishes a set of procedures and policies for protecting privacy of personal information it collects.
• Assigns responsibility and accountability for those policies to a specific person or group.



PRIVACY
• The Trust Services privacy framework of the AICPA
and CICA lists ten internationally recognized best
practices for protecting the privacy of customers’
personal information:
– Management
– Notice


Provides notice about its policies and practices
when it collects the information or as soon as
practicable thereafter.



PRIVACY
• The Trust Services privacy framework of the AICPA and CICA lists ten internationally recognized best practices for protecting the privacy of customers’ personal information:
– Management
– Notice
– Choice and consent
• Describes the choices available to individuals and obtains their consent to the collection and use of their personal information.
• Choices may differ across countries.
– United States—The default is “opt out,” i.e., organizations can collect personal information about customers unless the customer explicitly objects.
– Europe—The default is “opt in,” i.e., they can’t collect the information unless customers explicitly give them permission.
• Collection
– The organization collects only that information needed to fulfill the purposes stated in its privacy policies.


PRIVACY
• The Trust Services privacy framework of the AICPA and CICA lists ten internationally recognized best practices for protecting the privacy of customers’ personal information:
– Management
– Notice
– Choice and consent
– Collection
• The organization collects only that information needed to fulfill the purposes stated in its privacy policies.




PRIVACY
• The Trust Services privacy framework of the AICPA and CICA lists ten internationally recognized best practices for protecting the privacy of customers’ personal information:
– Management
– Notice
– Choice and consent
– Collection
– Use and retention
• The organization uses its customers’ personal information only according to stated policy and retains that information only as long as needed.

