CHAPTER 8
Information Systems Controls
for System Reliability
Part 2: Confidentiality, Privacy,
Processing Integrity, and
Availability
© 2008 Prentice Hall Business Publishing
Accounting Information Systems, 11/e
Romney/Steinbart
1 of 136
INTRODUCTION
• Questions to be addressed in this chapter
include:
– What controls are used to protect the
confidentiality of sensitive information?
– What controls are designed to protect privacy of
customers’ personal information?
– What controls ensure processing integrity?
– How are information systems changes controlled
to ensure that the new system satisfies all five
principles of systems reliability?
INTRODUCTION
• Reliable systems satisfy five principles:
– Information Security (discussed in Chapter 7)
– Confidentiality
– Privacy
– Processing integrity
– Availability
[Figure: Systems Reliability model, labelled Security, Confidentiality, Privacy, Processing Integrity, Availability]
CONFIDENTIALITY
• Reliable systems maintain the confidentiality of sensitive information.
[Figure: Systems Reliability model, labelled Security, Confidentiality, Privacy, Processing Integrity, Availability]
CONFIDENTIALITY
• Maintaining confidentiality requires that management identify which information is sensitive.
• Each organization will develop its own definitions of what information needs to be protected.
• Most definitions will include:
– Business plans
– Pricing strategies
– Client and customer lists
– Legal documents
• COBIT control objective PO 2.3 specifies the need to identify and to properly label potentially sensitive information, to assign responsibility for its protection, and to implement appropriate controls.
CONFIDENTIALITY
• Table 8-1 in your textbook summarizes key controls to protect confidentiality of information:
Situation       Controls
Storage         Encryption and access controls
Transmission    Encryption
Disposal        Shredding, thorough erasure, physical destruction
Overall         Categorization to reflect value and training in proper work practices
CONFIDENTIALITY
• Encryption is a fundamental control
procedure for protecting the confidentiality
of sensitive information.
• Confidential information should be
encrypted:
– While stored
– Whenever transmitted
CONFIDENTIALITY
• The Internet provides inexpensive
transmission, but data is easily intercepted.
• Encryption solves the interception issue.
• If data is encrypted before sending it, a
virtual private network (VPN) is created.
– Provides the functionality of a privately owned
network
– But uses the Internet
CONFIDENTIALITY
• Use of VPN software creates private communication channels, often referred to as tunnels.
– The tunnels are accessible only to parties who have the appropriate encryption and decryption keys.
– Cost of the VPN software is much less than the costs of leasing or buying a privately-owned, secure communications network.
– Also, makes it much easier to add or remove sites from the “network.”
• In accordance with COBIT DS 5.11, VPNs include controls to authenticate the parties exchanging information and to create an audit trail of the exchange.
CONFIDENTIALITY
• It is critical to encrypt any sensitive
information stored in devices that are easily
lost or stolen, such as laptops, PDAs, cell
phones, and other portable devices.
– Many organizations have policies against storing
sensitive information on these devices.
– 81% of users admit they do so anyway.
CONFIDENTIALITY
• Encryption alone is not sufficient to protect
confidentiality. Given enough time, many encryption
schemes can be broken.
• Access controls are also needed:
– To prevent unauthorized parties from obtaining the
encrypted data; and
– Because not all confidential information can be encrypted
in storage.
• Strong authentication techniques are necessary.
• Strong authorization controls should be used to limit
the actions (read, write, change, delete, copy, etc.)
that authorized users can perform when accessing
confidential information.
CONFIDENTIALITY
• Access to system outputs should also be controlled:
– Do not allow visitors to roam through buildings
unsupervised.
– Require employees to log out of any application before
leaving their workstation unattended, so other employees
do not have unauthorized access.
– Workstations should use password-protected screen
savers that automatically engage when there is no activity
for a specified period.
– Access should be restricted to rooms housing printers and
fax machines.
– Reports should be coded to reflect the importance of the
information therein, and employees should be trained not to
leave reports with sensitive information lying in plain view.
CONFIDENTIALITY
• It is especially important to control disposal of information resources.
• Printed reports and microfilm with sensitive information should be shredded.
• COBIT control objective DS 11.4 addresses the need to define and implement procedures governing the disposal of sensitive data and any hardware on which that data was stored.
CONFIDENTIALITY
• Special procedures are needed for information
stored on magnetic and optical media.
– Using built-in operating system commands to delete the
information does not truly delete it, and utility programs will
often be able to recover these files.
– De-fragmenting a disk may actually create multiple copies
of a “deleted” document.
– Consequently, special software should be used to “wipe”
the media clean by repeatedly overwriting the disk with
random patterns of data (sometimes referred to as
“shredding” a disk).
– Magnetic disks and tapes can be run through devices to
demagnetize them.
– The safest alternative may be to physically destroy disks
with highly sensitive data.
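An added example (not from the textbook) of the overwrite-then-delete approach described above, in Python: it writes a constructed "confidential report" to a temporary file, overwrites every byte with random data for several passes, fsyncs each pass, and only then truncates and unlinks the file. The file name, the sample contents and the pass count are assumptions for the demo.

```python
import os
import secrets
import tempfile

# Constructed sample: a small "confidential report" used only for this demo.
SAMPLE_REPORT = b"CONFIDENTIAL: client list - Acme Corp, Globex, Initech\n" * 64
CHUNK = 64 * 1024  # random data is written in 64 KiB chunks

def write_sample():
    """Write SAMPLE_REPORT to a fresh temporary file and return its path."""
    fd, path = tempfile.mkstemp(prefix="report-")
    with os.fdopen(fd, "wb") as fh:
        fh.write(SAMPLE_REPORT)
    return path

def read_back(path):
    with open(path, "rb") as fh:
        return fh.read()

def still_exists(path):
    return os.path.exists(path)

def overwrite_in_place(path, passes=3):
    """Overwrite every byte of the file with fresh random data, `passes` times.
    Each pass is flushed and fsync'd so the bytes reach the device rather than
    sitting in the page cache. Returns the file size in bytes. Caveat: on SSDs
    (wear levelling), journaling or copy-on-write file systems, and wherever
    snapshots or backups exist, old copies of the blocks can survive.
    """
    size = os.path.getsize(path)
    with open(path, "r+b") as fh:
        for _ in range(passes):
            fh.seek(0)
            remaining = size
            while remaining > 0:
                n = min(CHUNK, remaining)
                fh.write(secrets.token_bytes(n))
                remaining -= n
            fh.flush()
            os.fsync(fh.fileno())
    return size

def secure_wipe(path, passes=3):
    """Overwrite, truncate to zero length, then unlink. Returns bytes wiped."""
    size = overwrite_in_place(path, passes)
    with open(path, "r+b") as fh:
        fh.truncate(0)
        os.fsync(fh.fileno())
    os.unlink(path)
    return size
```

Because of the caveat in the docstring, for flash media and highly sensitive data the slide's last two options (degaussing where applicable, or physical destruction) remain the only certain ones.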
CONFIDENTIALITY
• Controls to protect confidentiality must be
continuously reviewed and modified to
respond to new threats created by
technological advances.
• Many organizations now prohibit visitors
from using cell phones while touring their
facilities because of the threat caused by
cameras in these phones.
• Because these devices are easy to hide,
some organizations use jamming devices to
deactivate their imaging systems while on
company premises.
CONFIDENTIALITY
• Phone conversations have also been affected
by technology.
• The use of voice over Internet Protocol (VoIP)
technology means that phone conversations
are routed in packets over the Internet.
– Because this technology makes wiretapping much
easier, conversations about sensitive topics
should be encrypted.
CONFIDENTIALITY
• Employee use of email and instant
messaging (IM) probably represents two of
the greatest threats to the confidentiality of
sensitive information.
– It is virtually impossible to control distribution of
the information once it is held by the recipient.
– Organizations need to develop comprehensive
policies governing the appropriate and allowable
use of these technologies for business purposes.
– Employees need to be trained on what type of
information they can and cannot share, especially
with IM.
CONFIDENTIALITY
• Many organizations are taking steps to
address the confidentiality threats created by
email and IM.
– One response is to mandate encryption of all
email with sensitive information.
– Some organizations prohibit use of freeware IM
products and purchase commercial products with
security features, including encryption.
– Users sending emails must be trained to be very
careful about the identity of their addressee.
• EXAMPLE: The organization may have two employees
named Allen Smith. It’s critical that sensitive information
go to the correct Allen Smith.
PRIVACY
• In the Trust Services framework, the privacy principle is closely related to the confidentiality principle.
• Primary difference is that privacy focuses on protecting personal information about customers rather than organizational data.
• Key controls for privacy are the same that were previously listed for confidentiality.
[Figure: Systems Reliability model, labelled Security, Confidentiality, Privacy, Processing Integrity, Availability]
PRIVACY
• COBIT section DS 11 addresses the
management of data and specifies the need
to comply with regulatory requirements.
• A number of regulations, including the Health
Insurance Portability and Accountability Act
(HIPAA) and the Financial Services
Modernization Act (aka, Gramm-Leach-Bliley
Act) require organizations to protect the
privacy of customer information.
PRIVACY
• The Trust Services privacy framework of the AICPA
and CICA lists ten internationally recognized best
practices for protecting the privacy of customers’
personal information:
– Management
• The organization establishes a set of procedures and policies for protecting privacy of personal information it collects.
• Assigns responsibility and accountability for those policies to a specific person or group.
PRIVACY
• The Trust Services privacy framework of the AICPA
and CICA lists ten internationally recognized best
practices for protecting the privacy of customers’
personal information:
– Management
– Notice
• Provides notice about its policies and practices when it collects the information or as soon as practicable thereafter.
PRIVACY
• The Trust Services privacy framework of the AICPA and CICA lists ten internationally recognized best practices for protecting the privacy of customers’ personal information:
– Management
– Notice
– Choice and consent
• Describes the choices available to individuals and obtains their consent to the collection and use of their personal information.
• Choices may differ across countries.
– United States—The default is “opt out,” i.e., organizations can collect personal information about customers unless the customer explicitly objects.
– Europe—The default is “opt in,” i.e., they can’t collect the information unless customers explicitly give them permission.
– Collection
• The organization collects only that information needed to fulfill the purposes stated in its privacy policies.
PRIVACY
• The Trust Services privacy framework of the AICPA
and CICA lists ten internationally recognized best
practices for protecting the privacy of customers’
personal information:
– Management
– Notice
– Choice and consent
– Collection
• The organization collects only that information needed to fulfill the purposes stated in its privacy policies.
PRIVACY
• The Trust Services privacy framework of the AICPA
and CICA lists ten internationally recognized best
practices for protecting the privacy of customers’
personal information:
– Management
– Notice
– Choice and consent
– Collection
– Use and retention
• The organization uses its customers’ personal information only according to stated policy and retains that information only as long as needed.
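An added example (not from the textbook or the Trust Services framework) that turns the Choice and consent, Collection, and Use and retention practices above into an enforceable check, in Python: the opt-out/opt-in defaults for the United States and Europe as the slides state them, a collection request rejected when it asks for fields the stated purpose does not need, and a retention sweep. The policy table, the purposes, the field names and the sample records are constructed for the demo.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Consent default per region, as stated in the slides: US is "opt out"
# (collect unless the customer objects), Europe is "opt in" (explicit permission).
CONSENT_DEFAULT = {"US": "opt-out", "EU": "opt-in"}

# Hypothetical policy: fields each stated purpose needs and its retention period.
POLICY = {
    "order_fulfilment": {"fields": {"name", "address", "email"}, "retain_days": 365},
    "marketing": {"fields": {"email"}, "retain_days": 180},
}

AS_OF = date(2008, 12, 31)  # constructed "today" for the retention check
SAMPLE_RECORDS = [  # constructed records
    {"id": 1, "collected": date(2008, 1, 1)},
    {"id": 2, "collected": date(2008, 9, 1)},
]

@dataclass
class Customer:
    region: str
    consent: "bool | None" = None  # None: no choice recorded; True/False: explicit choice

def consent_status(c):
    if c.consent is True:
        return "explicit permission"
    if c.consent is False:
        return "explicit objection"
    return "default " + CONSENT_DEFAULT[c.region]

def may_collect(c):
    """An explicit choice always wins; otherwise the regional default decides."""
    return consent_status(c) in ("explicit permission", "default opt-out")

def check_collection(c, purpose, fields):
    """Return policy violations for a collection request (empty list = allowed)."""
    if purpose not in POLICY:
        return [f"purpose '{purpose}' is not in the stated privacy policy"]
    problems = []
    if not may_collect(c):
        problems.append(f"collection not permitted ({consent_status(c)})")
    extra = sorted(set(fields) - POLICY[purpose]["fields"])
    if extra:
        problems.append(f"fields not needed for {purpose}: {extra}")
    return problems

def expired_records(records, purpose, today):
    """Ids of records held longer than the retention period stated for `purpose`."""
    limit = timedelta(days=POLICY[purpose]["retain_days"])
    return [r["id"] for r in records if today - r["collected"] > limit]
```

Note that a record is flagged only once it exceeds the retention period, so a record exactly 365 days old is still within a 365-day limit.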