
Questions & Answers –

Q1. Explain what information audit and information security are. Also, explain with examples the
impacts of new trends in technology on the film & media industry.

The Information Audit (IA) –

It extends the concept of auditing holistically from the traditional scope of accounting and finance to the
organizational information management system. Information is a resource that requires effective
management, and this recognition led to growing interest in the use of an IA.

Role and scope of an IA –

• To identify an organization’s information resource
• To identify an organization’s information needs
• To identify the cost/benefits of information resources
• To identify the opportunities to use the information resources for strategic competitive advantage
• To integrate IT investment with strategic business initiatives
• To identify information flow and processes
• To develop an integrated information strategy and/or policy
• To create an awareness of the importance of Information Resource Management (IRM)
• To monitor/evaluate conformance to information related standards, legislations, policy and
guidelines

Information is now recognized by organizations as a key strategic asset which has a vital role to
play in decision making and in improving productivity. As with any other resource, it is of critical
importance to ensure that information is effectively acquired, managed and used. Easy access to
information in a whole range of digital formats has brought with it problems such as information
overload and the need to assess the quality of information to ensure it is reliable, accurate and up
to date. Carrying out an information audit can help organizations to ensure that:

• information resources reflect business needs
• decisions on investment in systems and resources are effective
• there is a clear understanding of the organization’s information requirements
• business critical information is accessible to those who need it
• gaps in provision that could affect the competitive or innovative capacity of the organization or its
ability to meet customer needs are identified
• return on investment in information resources and systems is maximized
• compliance with legislation such as the Data Protection Act and the Freedom of Information Act is
achieved.

It can also:

• highlight the resources that are already available to the organization
• raise awareness of the value of information to an organization in fulfilling its mission
• act as an organizational learning process for effective information management
• identify areas of information management expertise within the organization
• provide a basis for the development of an organizational information policy.

This checklist provides an outline for the process of carrying out an information audit. Two common
approaches to information auditing have generally been used in the past: the first, from the perspective
of the information professional, which is the approach taken in this checklist, and the second from the
perspective of the financial auditor. Some writers now suggest combining these approaches to form a
single methodology. An information audit has been defined as:

“A systematic examination of information use, resources and flows, with a verification by
reference to both people and existing documents, in order to establish the extent to which they are
contributing to an organization’s objectives.”

An IT audit is the examination and evaluation of an organization's information technology
infrastructure, policies and operations.

Information technology audits determine whether IT controls protect corporate assets, ensure data
integrity and are aligned with the business's overall goals. IT auditors examine not only physical
security controls, but also overall business and financial controls that involve information
technology systems.

Information Security –

• Information security, sometimes shortened to InfoSec, is the practice of
defending information from unauthorized access, use, disclosure, disruption, modification,
perusal, inspection, recording or destruction. It is a general term that can be used regardless of the
form the data may take (electronic, physical, etc.).

• Security is a broad topic and covers a multitude of sins. In its simplest form, it is concerned with
making sure that people cannot read, or worse yet, secretly modify messages intended for other
recipients.

• Most security problems are intentionally caused by malicious people trying to gain some benefit,
get attention, or to harm someone.

The CIA triad (confidentiality, integrity and availability) is one of the core principles of information
security.

Information Security is not only about securing information from unauthorized access. It is the practice
of preventing unauthorized access, use, disclosure, disruption, modification, inspection, recording or
destruction of information. Information can be physical or electronic. It can be anything: your personal
details, your profile on social media, the data on your mobile phone, your biometrics, and so on. Thus
Information Security spans many research areas, such as Cryptography, Mobile Computing, Cyber
Forensics and Online Social Media.

During the First World War, a multi-tier classification system was developed with the sensitivity of
information in mind. With the beginning of the Second World War, the classification system was formally
aligned. Alan Turing was the one who successfully decrypted the Enigma machine, which the Germans
used to encrypt warfare data.

Information Security programs are built around 3 objectives, commonly known as CIA – Confidentiality,
Integrity, Availability.

Principles of information security

InfoSec programs are built around the core objectives of the CIA triad: maintaining
the confidentiality, integrity and availability of IT systems and business data. These objectives ensure that
sensitive information is only disclosed to authorized parties (confidentiality), prevent unauthorized
modification of data (integrity) and guarantee the data can be accessed by authorized parties when
requested (availability).

The first security consideration, confidentiality, usually requires the use of encryption and encryption
keys. The second consideration, integrity, implies that when data is read back, it will be exactly the same
as when it was written. (In some cases, it may be necessary to send the same data to two different
locations in order to protect against data corruption at one place.) The third part of the CIA is availability.
This part of the triad seeks to ensure that new data can be used in a timely manner and backup data can be
restored in an acceptable recovery time.
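The integrity and availability points in the paragraph above, as an added example that is not code from the original page: each record is sealed with an HMAC-SHA256 tag before it is written, is accepted on read-back only if the tag still verifies (so it is "exactly the same as when it was written"), and is written to two locations so that a corrupted copy at one place can be served from the other. Python's standard library has no block cipher, so the confidentiality side (encrypting the record body before sealing it) is left out here. The key, the store, the record name and the corruption helper are all constructed for this example.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional

TAG_LEN = 32  # length of an HMAC-SHA256 tag in bytes

# Constructed integrity key for the example. In a real system the key comes from
# a key store, is never hard-coded, and is kept separate from any encryption key.
INTEGRITY_KEY = secrets.token_bytes(32)


def seal(record: bytes, key: bytes = INTEGRITY_KEY) -> bytes:
    """Append an HMAC-SHA256 tag so the record can be verified when read back."""
    tag = hmac.new(key, record, hashlib.sha256).digest()
    return record + tag


def open_sealed(blob: bytes, key: bytes = INTEGRITY_KEY) -> Optional[bytes]:
    """Return the record if its tag verifies; None if it was modified or truncated."""
    if len(blob) < TAG_LEN:
        return None
    record, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, record, hashlib.sha256).digest()
    # compare_digest runs in constant time, so a forged tag cannot be matched byte by byte.
    return record if hmac.compare_digest(tag, expected) else None


class ReplicatedStore:
    """Every record is written to two independent locations (here just two dicts,
    standing in for a primary site and a backup site)."""

    def __init__(self) -> None:
        self.locations: List[Dict[str, bytes]] = [{}, {}]

    def write(self, name: str, record: bytes) -> None:
        sealed = seal(record)
        for loc in self.locations:
            loc[name] = sealed

    def read(self, name: str) -> Optional[bytes]:
        """Availability: consult each location in turn.
        Integrity: accept only a copy whose tag verifies."""
        for loc in self.locations:
            blob = loc.get(name)
            if blob is not None:
                record = open_sealed(blob)
                if record is not None:
                    return record
        return None  # every copy is missing or corrupted


def corrupt_copy(store: ReplicatedStore, index: int, name: str, new_body: bytes) -> None:
    """Simulate silent corruption at one location: replace the body but keep the old tag."""
    old = store.locations[index][name]
    store.locations[index][name] = new_body + old[-TAG_LEN:]


if __name__ == "__main__":
    store = ReplicatedStore()
    store.write("invoice-42", b"amount=100")
    corrupt_copy(store, 0, "invoice-42", b"amount=999")
    print(store.read("invoice-42"))  # served from the intact second copy
```

Note that the tag protects integrity only: anyone holding the record can still read it, which is why confidentiality needs encryption in addition to, not instead of, the tag.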

Emerging trends in technology & their impact on film & media industry -

• Processing power has increased, software is becoming more integrated and complex, and the
hardware needed to run programs is getting smaller and more cost-effective.
• For the industry this means new editing software, more powerful digital imaging programs and
new formats like digital projection, DVDs and Blu-ray discs.
• Digital cinema provides a clearer picture, a better cinematographic experience and faster and
easier distribution, and is now becoming an industry standard.
• People meters are used by Indian Television Audience Measurement.
• Media integration and convergence encourage increased intertextuality and franchising:
video games, special edition DVDs, theme park rides, action figures.

For example, movies like Quantum of Solace and Avatar used Xbox 360 and Ubisoft video game
developers, respectively, to create pre-launch hype in the consumer market. Games like Tomb Raider
and Hitman gave scriptwriters a platform for turning a successful gaming concept into a blockbuster.
Universal Studios created a Jurassic Park theme park attraction, which boosted the success of the
movie's sequels. Special edition DVDs were launched by the distribution house of The Lord of the Rings.
Automated action figures and merchandise have always captured the teen market. With 4D theatres,
technology has equipped the consumer to get a better experience from the time spent.

The development of recent and emerging technology has affected society in the way we communicate,
work, learn and function. As technology becomes smarter, the opportunities offered by rapid technological
advancement seem endless, but so are their ethical implications.

This report evaluates the emergence of Artificial Emotional Intelligence (A.E.I.) and its potential impact
on the UK media and entertainment (M&E) industry, while examining ethical issues and trade-offs
associated with the disruption. Based on the research, an opportunity area was identified and a prototype
developed and tested for the video on demand platform Netflix, which can be found in the above video.

Netflix — Disrupting the Media & Entertainment Industry

The M&E industry is comprised of a number of sub-sectors, including but not limited to: TV production
and distribution, advertising, information publishing and events as well as social media and many more
(Deloitte, 2017a).

The emergence of Netflix has not only fundamentally changed the way in which viewers consume
television, but also the way it is made. In 2013 Netflix produced its first own show — House of Cards —
and released all episodes of the first season on the day of the launch. Not being tied down by a traditional
TV schedule of releasing one episode per week means that lengths of an episode can vary to suit plotlines.
Furthermore, with the amount of data Netflix is able to collect on their subscribers, they are able to
analyze which shows are being watched and what sort of content the audiences want to see in the future
(Wilson, 2016).

Technology Trends Affecting the M&E industry

The two technology trends that will have the greatest impact on the online video industry are the
emergence of fast and reliable fifth generation (5G) data networks and Artificial Emotional Intelligence,
which are examined more closely below.

5G Data Network — Intelligently Connecting and Sensing

The fifth generation (5G) of wireless networks is predicted to disrupt the M&E industry due to radical
increases in transmission speeds, quality and reliability. 5G will deliver up to 50 to 100 times faster data
speeds than current 4G networks, meaning it would take seconds to download an HD movie with 5G as
opposed to six minutes on a 4G network (Granados, 2017). It is expected to be available in countries such
as the USA and China by 2020, rolling out to the UK no later than 2025, see figure 1 (Auchard & Nellis,
2018; Woods, 2017).

The Impact of Artificial Intelligence on Entertainment

Artificial Intelligence (A.I.) is already integrated into the technology that we use on a daily basis. Devices
such as Amazon’s Alexa and Siri on our iPhones are making our lives simpler and frictionless. Netflix
and other VOD platforms use A.I. algorithms to analyze their subscribers viewing behavior, which forms
the basis for investment opportunities as well as feeding their recommendation system data. In fact, more
than 80% of the TV shows users watch on Netflix are discovered through the recommendation system
(Plummer, 2017). IBM (2016) recently used A.I. to produce a movie trailer for the film Morgan based on
machine learning and big data. The machine was able to create the trailer in 24 hours when it typically
takes a human between 10–30 days, posing a potential risk for job displacements in the post-production
industry. Despite Netflix using complex algorithms to predict their consumers’ behavior, the horror
show Hemlock Grove failed to connect with its audience, surprisingly revealing flaws in the
sophistication of the computational intelligence.

Despite rapid advancements in A.I., one major limitation has hindered widespread industry and consumer
adoption: emotional intelligence (Beck and Libert, 2017). Human-machine interaction has made great
strides, and the interpretation of emotional reactions is what can lead to machines interacting in a more
natural way with their users and thus to true machine intelligence (Johnson, 2017; Mok, 2017).

This report investigated 5G and Artificial Emotional Intelligence as two of the dominant emerging
technologies that will likely disrupt the M&E industry in the coming years. While A.E.I.’s application in
industries such as education and medicine will have a positive impact on the wellbeing of society, the use
of A.E.I. in the media industry is likely to cause concern about stricter privacy regulations, as it will be
utilized mainly to further individualize advertising content, contributing to a new ‘emotion economy’.
While the adoption of A.E.I. and 5G by Netflix carries a number of ethical risks for society, in order for
Netflix to remain the leader in online video streaming, they will need to keep on top of these new
developments in technology.

Q2. What is technological convergence? What are the various solutions? Discuss with examples.

Technological convergence is the tendency for different technological systems to evolve toward
performing similar tasks. Convergence can refer to previously separate technologies such as voice (and
telephony features), data (and productivity applications), and video that now share resources and interact
with each other synergistically.

Telecommunications convergence, network convergence or simply convergence are broad terms used to
describe emerging telecommunications technologies, and network architecture used to migrate multiple
communications services into a single network. This involves the converging of previously distinct media
such as telephony and data communications into common interfaces on single devices.

Technological convergence is important for consumers as it helps to ensure greater price transparency.
Convergence also presents us with the potential to choose from and access a far wider and more diverse
range of films in different media. Convergence gives a boost to the market of animation designers &
offers an aesthetic choice to filmmakers by creating films that look like videogames - 300 (2006), Sin
City (2005), Avatar (2009) and vice versa. Just as the audience’s ability to choose between different ways
of consuming TV programmes is greatly enhanced by digital technology (e.g. the emergence of BBC’s
iPlayer), so too is the ability of institutions to create different ways to make films and to deliver them to
audiences. The ability to create and distribute content in a much larger variety of ways will accelerate the
segmentation of the film industry.

Convergence in this instance can be defined as the interlinking of computing and other information
technologies, media content, and communication networks that has arisen as the result of the evolution
and popularization of the Internet, as well as the activities, products and services that have emerged in the
digital media space.

Technological convergence, in general, refers to the trend or phenomenon where two or more independent
technologies integrate and form a new outcome. One example is the smartphone. A smartphone integrated
several independent technologies—such as telephone, computer, camera, music player, television (TV),
and geolocation and navigation tool—into a single device. The smartphone has become its own,
identifiable category of technology, establishing a $350 billion industry.

Of the three closely associated convergences—technological convergence, media convergence, and
network convergence—consumers most often directly engage with technological convergence.
Technological convergent devices share three key characteristics. First, converged devices can execute
multiple functions to serve blended purpose. Second, converged devices can collect and use data in
various formats and employ machine learning techniques to deliver enhanced user experience. Third,
converged devices are connected to a network directly and/or are interconnected with other devices to
offer ubiquitous access to users.

Technological convergence may present a range of issues where Congress may take legislative and/or
oversight actions. Three selected issue areas associated with technological convergence are regulatory
jurisdiction, digital privacy, and data security. First, merging and integrating multiple technologies from
distinct functional categories into one converged technology may pose challenges to defining regulatory
policies and responsibilities. Determining oversight jurisdictions and regulatory authorities for converged
technologies can become unclear as the boundaries that once separated single-function technologies blend
together. A challenge for Congress may be in delineating which government agency has jurisdiction over
various converged technologies. Defining policies that regulate technological convergence industry may
not be simple or straightforward. This may further complicate how Congress oversees government
agencies and converged industries due to blending boundaries of existing categories.

Second, converged technologies collect and use personal and machine data which may raise digital
privacy concerns for consumers. Data collection and usage are tied to digital privacy issues because a
piece or aggregation of information could identify an individual or reveal patterns in one’s activities.
Converged or smart technologies leverage large volumes of data to try to improve the user experience by
generating more tailored and anticipatory results. However, such data can potentially identify, locate,
track, and monitor an individual without the person’s knowledge. Such data can also potentially be sold to
third-party entities without an individual’s awareness. As the use of converged technologies continues to
propagate, digital privacy issues will likely remain central.

Third, data security concerns are often associated with smart devices’ convenient ubiquitous features that
may double as vulnerabilities exploited by malicious actors. Data security, a component of cybersecurity,
protects data from unauthorized access and use. Along with digital privacy, data security is a pertinent
issue to technological convergence. As converged devices generate and consume large volumes of data,
multiple data security concerns have emerged: potentially increased number of access points susceptible
to cyberattacks, linkage to physical security, and theft of data.

Relatively few policies are in place for specifically overseeing technological convergence, and current
federal data protection laws have varied privacy and data security provisions for different types of
personal data. To address regulatory, digital privacy, and data security issues, Congress may consider the
role of the federal government in an environment where technological evolution changes quickly and
continues to disrupt existing regulatory frameworks. Regulating technological convergence may entail
policies for jurisdictional deconfliction, harmonization, and expansion to address blended or new
categories of technology. One approach could be for Congress to define the role of federal government
oversight of digital privacy and data security by introducing new legislation that comprehensively
addresses digital privacy and data security issues or by expanding the current authorities of federal
agencies. When considering new legislation or expanding the authorities of federal agencies, three
potential policy decisions are (1) whether data privacy and data security should be addressed together or
separately, (2) whether various types of personal data should be treated equally or differently, and (3)
which agencies should be responsible for implementing any new laws.

Examples –

Convergent solutions include both fixed-line and mobile technologies:

• Using the Internet for voice telephony
• Video on demand
• Fixed-mobile convergence
• Mobile-to-mobile convergence
• Location-based services
• Integrated products and bundles
• IP Multimedia Subsystem
• Session Initiation Protocol
• IPTV
• Voice over IP
• Voice call continuity
• Digital video broadcasting - handheld

Q3. What are the different methods of film piracy? Explain the pros and cons, and discuss the various
methods with examples.

Piracy refers to the unauthorized duplication of copyrighted content that is then sold at substantially lower
prices in the 'grey' market. The ease of access to technology has meant that over the years, piracy has
become more rampant. For example, CD writers are available off the shelf at very low prices, making
music piracy a simple affair.

Different methods

1. Pre-sale of movie CDs and DVDs.

2. Release of movies on torrent websites.

3. Sharing of cam versions through illegal websites.

4. Sharing of movies on video apps like videoed and Dtv.

5. Sharing of movies through piracy within the distribution network.

Cons for institutions –

• It costs millions to create films and the aim of creating them, amongst other things, is to make a
profit. If people are recording the films themselves in cinemas and distributing them online or
otherwise, they are making no money for the institution that has made the film.
• The quality of films that are illegally filmed and obtained is also usually much worse than the real
quality. This can reflect badly on the film creators and also dissatisfies the viewer where ever
they may be watching it.
• The money coming in from sales on the piracy market is usually funnelled back into the piracy chain,
leading to the obvious growth of cybercrime.
• The Guilt – By pirating a movie you’re essentially stealing straight from the hardworking
filmmakers who poured their heart, sweat, and tears into it. Well, except if you’re stealing a
Michael Bay movie. The only things he seems to pour into his films are lighter fluid and Axe
body spray.
• The Consequences – While millions might get away with torrenting every day, a few unlucky
individuals have faced serious legal repercussions. Do you really want to be the guy who gets
sued for downloading Bucky Larson: Born to Be a Star?
• Shaky Camera Bootlegs – Getting to see a film for free might make it seem like you’re sticking it
to greedy movie producers and hiked-up ticket prices, but if you still have to stare at the back of
some guy’s head, what battle have you really won?
• Mislabeled Files – There’s nothing worse than expecting to download Danny Boyle’s acclaimed
horror flick 28 Days Later, only to load up the file and discover that it’s actually the Sandra
Bullock romantic dramedy 28 Days. Though, I imagine the other way around is probably pretty
jarring too…
• You Get to Be a Pirate but Without All the Eyeliner – On second thought, what’s the point of
getting to call yourself a pirate if you don’t get to wear the eye patch, makeup, funny hat, and
puffy shirt too?! Those are like the main selling points of piracy.

Impact of increased download speeds on the online movie download rate -

As download speeds increased, the time taken to download larger online files decreased, and
downloading a movie online became as easy as sharing it on a portable drive. With keyword searches
reliably returning results, and with intermediaries like media share, files tube, rapid share, BitTorrent
and uTorrent, such access became even simpler.

Pros for the audience -

• The obvious advantage of watching a pirated film rather than an officially bought copy is that
you most probably pay less.
• Also, it is often easy to get hold of early copies of movies that may not be out on DVD yet.
For many people, these advantages outweigh the disadvantage of the quality not being as
good as the original print of the movie.
• It’s Free – This one’s pretty obvious. Since you’re stealing, you don’t actually have to pay for
anything! Which means, if the movie sucks, you aren’t stuck with the nagging knowledge that
you just self-financed your own bitter disappointment.
• The Thrill – Traveling to your local Cineplex can be fun, but when was the last time a trip to the
movies came with the risk of a lawsuit? What about actual jail time? With its potential legal
penalties, Bit Torrent downloading can make even watching The Notebook dangerous and edgy.
• The Selection of Rare Titles – Your local Best Buy might have plenty of copies of the 2005 big
budget Fantastic Four film — but does it have the infamous, unreleased low budget 1994 version
produced by Roger Corman? Didn’t think so.
• Early Leaks and Workprint Releases – Do you want to watch upcoming blockbusters months in
advance? Do you want to watch upcoming blockbusters months in advance and with
unintentionally hilarious incomplete special effects? Of course you do.

Q4. What are information security, audit and privacy? What are the different methods used for
effective security, audit and privacy?

Information security, sometimes shortened to InfoSec, is the practice of preventing unauthorized
access, use, disclosure, disruption, modification, inspection, recording or destruction
of information.

The Information Audit (IA) extends the concept of auditing holistically from a traditional scope
of accounting and finance to the organisational information management system.

Information privacy is the aspect of information technology (IT) that deals with the ability an
organization or individual has to determine what data in a computer system can be shared with
third parties.

The word "audit" can send shivers down the spine of the most battle-hardened executive. It means
that an outside organization is going to conduct a formal written examination of one or more
crucial components of the organization. Financial audits are the most common examinations a
business manager encounters. This is a familiar area for most executives: they know that financial
auditors are going to examine the financial records and how those records are used. They may
even be familiar with physical security audits. However, they are unlikely to be acquainted with
information security audits; that is, an audit of how the confidentiality, availability and integrity
of an organization's information is assured. They should be. An information security audit is one
of the best ways to determine the security of an organization's information without incurring the
cost and other associated damages of a security incident.

What is an Information Security Audit?

You may see the phrase "penetration test" used interchangeably with the phrase "computer
security audit". They are not the same thing. A penetration test (also known as a pen-test) is a
very narrowly focused attempt to look for security holes in a critical resource, such as a firewall
or Web server. Penetration testers may only be looking at one service on a network resource.
They usually operate from outside the firewall with minimal inside information in order to more
realistically simulate the means by which a hacker would attack the site.
On the other hand, a computer security audit is a systematic, measurable technical assessment of
how the organization's security policy is employed at a specific site. Computer security auditors
work with the full knowledge of the organization, at times with considerable inside information,
in order to understand the resources to be audited.

Security audits do not take place in a vacuum; they are part of the on-going process of defining
and maintaining effective security policies. This is not just a conference room activity. It involves
everyone who uses any computer resources throughout the organization. Given the dynamic
nature of computer configurations and information storage, some managers may wonder if there
is truly any way to check the security ledgers, so to speak. Security audits provide such a tool, a
fair and measurable way to examine how secure a site really is.

Computer security auditors perform their work through personal interviews, vulnerability scans,
examination of operating system settings, analyses of network shares, and historical data. They
are concerned primarily with how security policies - the foundation of any effective
organizational security strategy - are actually used. There are a number of key questions that
security audits should attempt to answer:

• Are passwords difficult to crack?

• Are there access control lists (ACLs) in place on network devices to control who has access to
shared data?

• Are there audit logs to record who accesses data?

• Are the audit logs reviewed?

• Are the security settings for operating systems in accordance with accepted industry security
practices?

• Have all unnecessary applications and computer services been eliminated for each system?

• Are these operating systems and commercial applications patched to current levels?

• How is backup media stored? Who has access to it? Is it up-to-date?

• Is there a disaster recovery plan? Have the participants and stakeholders ever rehearsed the
disaster recovery plan?

• Are there adequate cryptographic tools in place to govern data encryption, and have these tools
been properly configured?

• Have custom-built applications been written with security in mind?

• How have these custom applications been tested for security flaws?

• How are configuration and code changes documented at every level? How are these records
reviewed and who conducts the review?

These are just a few of the kinds of questions that can and should be assessed in a security audit. In
answering these questions honestly and rigorously, an organization can realistically assess how
secure its vital information is.

Security Policy Defined

As stated, a security audit is essentially an assessment of how effectively the organization's
security policy is being implemented. Of course, this assumes that the organization has a security
policy in place which, unfortunately, is not always the case. Even today, it is possible to find a
number of organizations where a written security policy does not exist. Security policies are a
means of standardizing security practices by having them codified (in writing) and agreed to by
employees who read them and sign off on them. When security practices are unwritten or
informal, they may not be generally understood and practiced by all employees in the
organization. Furthermore, until all employees have read and signed off on the security policy,
compliance of the policy cannot be enforced. Written security policies are not about questioning
the integrity and competency of employees; rather, they ensure that everyone at every level
understands how to protect company data and agrees to fulfill their obligations in order to do so.

Natural tensions frequently exist between workplace culture and security policy. Even with the
best of intentions, employees often choose convenience over security. For example, users may
know that they should choose difficult-to-guess passwords, but they may also want those
passwords to be close at hand. So every fledgling auditor knows to check for sticky notes on the
monitor and to pick up the keyboard and look under it for passwords. IT staff may know that
every local administrator account should have a password; yet, in the haste to build a system, they
may just bypass that step, intending to set the password later, and therefore place an insecure
system on the network.
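Several of the key questions listed earlier (password strength, ACLs on shared data, audit logs and their review, unnecessary services, patch levels) and the unset local administrator password just described can all be turned into measurable checks, which is what makes an audit "fair and measurable" rather than a matter of opinion. The following is an added example, not code from the original page: it runs such checks over a constructed survey record for one host and reports a pass/fail finding with evidence for each, plus an overall compliance ratio. The host data, the thresholds (12-character minimum password length, 30-day review and patch windows) and the list of services deemed unnecessary are all assumptions made for the example.

```python
from datetime import date
from typing import List, Tuple

# Constructed survey record for one host; every value here is invented for the example.
HOST = {
    "hostname": "fileserver-01",
    "password_policy": {"min_length": 8, "lockout_threshold": 0},
    "accounts": [
        {"name": "root", "password_hash": "$6$constructed$notarealhash"},
        {"name": "localadmin", "password_hash": ""},   # left blank "to set later"
        {"name": "svc_backup", "password_hash": "$6$constructed$notarealhash"},
    ],
    "shares": [
        {"path": "/srv/finance", "acl": ["finance-team"]},
        {"path": "/srv/public", "acl": []},            # no ACL at all
    ],
    "audit_log": {"enabled": True, "last_reviewed": date(2023, 9, 1)},
    "services": ["sshd", "nfsd", "telnetd", "cupsd"],
    "last_patched": date(2023, 8, 15),
}

# Assumed baseline thresholds and services a file server does not need (example values).
MIN_PASSWORD_LENGTH = 12
MAX_DAYS_SINCE_REVIEW = 30
MAX_DAYS_SINCE_PATCH = 30
UNNECESSARY_SERVICES = {"telnetd", "cupsd", "rshd", "ftpd"}

Finding = Tuple[str, bool, str]  # (check name, passed?, evidence)


def check_host(host: dict, today: date) -> List[Finding]:
    """Evaluate a host record against the audit questions; `today` is passed in so results are reproducible."""
    findings: List[Finding] = []

    # "Are passwords difficult to crack?" -- judged here by policy, not by trying to crack them.
    pol = host["password_policy"]
    ok = pol["min_length"] >= MIN_PASSWORD_LENGTH and pol["lockout_threshold"] > 0
    findings.append(("password_policy", ok,
                     f"min_length={pol['min_length']} lockout_threshold={pol['lockout_threshold']}"))

    # Local accounts whose password was never set (the "set it later" case).
    blank = [a["name"] for a in host["accounts"] if not a["password_hash"]]
    findings.append(("no_blank_passwords", not blank,
                     "blank password: " + ", ".join(blank) if blank else "every account has a password"))

    # "Are there ACLs in place ... to control who has access to shared data?"
    open_shares = [s["path"] for s in host["shares"] if not s["acl"]]
    findings.append(("share_acls", not open_shares,
                     "shares without ACL: " + ", ".join(open_shares) if open_shares else "all shares have ACLs"))

    # "Are there audit logs ...? Are the audit logs reviewed?"
    log = host["audit_log"]
    days_since_review = (today - log["last_reviewed"]).days
    ok = log["enabled"] and days_since_review <= MAX_DAYS_SINCE_REVIEW
    findings.append(("audit_log_reviewed", ok,
                     f"enabled={log['enabled']} reviewed {days_since_review} days ago"))

    # "Have all unnecessary applications and computer services been eliminated?"
    extra = sorted(set(host["services"]) & UNNECESSARY_SERVICES)
    findings.append(("unnecessary_services", not extra,
                     "running: " + ", ".join(extra) if extra else "no unnecessary services"))

    # "Are these operating systems ... patched to current levels?"
    days_since_patch = (today - host["last_patched"]).days
    findings.append(("patch_level", days_since_patch <= MAX_DAYS_SINCE_PATCH,
                     f"{days_since_patch} days since last patch"))
    return findings


def compliance_ratio(findings: List[Finding]) -> float:
    """Fraction of checks passed: one measurable figure for the audit report."""
    return sum(1 for _, passed, _ in findings if passed) / len(findings)


def audit_example() -> List[Finding]:
    """Run the checks over the constructed host as of a fixed date."""
    return check_host(HOST, today=date(2023, 10, 1))


if __name__ == "__main__":
    results = audit_example()
    for name, passed, evidence in results:
        print(f"{'PASS' if passed else 'FAIL'}  {name:22} {evidence}")
    print(f"compliance: {compliance_ratio(results):.0%}")
```

Each finding carries the evidence that produced it, so a reader of the report can verify the conclusion against the survey record instead of trusting the pass/fail label.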

The security audit should seek to measure security policy compliance and recommend solutions
to deficiencies in compliance. The policy should also be subject to scrutiny. Is it a living
document, accurately reflecting how the organization protects IT assets on a daily basis? Does the
policy reflect industry standards for the type of IT resources in use throughout the organization?

Pre-Audit Homework

Before the computer security auditors even begin an organizational audit, there is a fair amount of
homework to be done. Auditors need to know what they are auditing. In addition to reviewing the
results of any previous audits that may have been conducted, there are several tools they will use
or refer to beforehand. The first is a site survey. This is a technical description of the system's
hosts; it also includes management and user demographics. This information may be out of date, but
it can still provide a general framework. Security questionnaires may be used to follow up the site
survey. These questionnaires are, by nature, subjective measurements, but they are useful because
they provide a framework of agreed-upon security practices. The respondents are usually asked to
rate the controls used to govern access to IT assets. These controls include: management controls,
authentication/access controls, physical security, outsider access to systems, system
administration controls and procedures, connections to external networks, remote access, incident
response, and contingency planning.

Site surveys and security questionnaires should be clearly written, with quantifiable responses to
specific requirements. They should offer a numerical scale from least desired (does not meet
requirements) to most desired (meets requirements and has supporting documentation). Both
should include electronic commerce considerations if appropriate to the client organization. For
instance, credit card companies have compliance templates listing specific security considerations
for their products. These measure network, operating system, and application security as well as
physical security.

Auditors, especially internal auditors, should review previous security incidents at the client
organization to gain an idea of historical weak points in the organization's security profile. They
should also examine current conditions to ensure that repeat incidents cannot occur. If auditors
are asked to examine a system that allows Internet connections, they may also want to know
about IDS/firewall log trends. Do these logs show any trends in attempts to exploit weaknesses?
Could there be an underlying reason (such as faulty firewall rules) that such attempts are taking
place on an ongoing basis? How can this be tested?
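One way to test the two questions above before arriving on site is to run the firewall logs through a small analysis that separates the attacker's behaviour (repeated denied probes over several days) from the organization's own configuration (ALLOW entries that contradict the written policy). The following is an added example, not code from the original text. The log format, the sample lines, the internal network range and the list of internal-only ports are all constructed for the example; a real firewall's log format would need its own regular expression.

```python
"""Look for trends in firewall logs before the on-site audit.

Added example, not from the original text. It reads constructed
key=value firewall log lines and answers two questions: which external
sources keep probing the same ports day after day, and whether any ALLOW
entries contradict the written policy, which would point at a faulty
firewall rule rather than at the probing host.
"""
import ipaddress
import re
from collections import defaultdict
from typing import Dict, List

# Constructed log format and sample lines; real firewalls differ, so the
# regular expression is the part to adapt.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"proto=(?P<proto>\w+) dport=(?P<dport>\d+)$"
)

SAMPLE_LOG = """\
2024-03-01T02:11:04 DENY src=203.0.113.5 dst=198.51.100.10 proto=tcp dport=23
2024-03-01T02:11:09 DENY src=203.0.113.5 dst=198.51.100.10 proto=tcp dport=3389
2024-03-02T02:12:40 DENY src=203.0.113.5 dst=198.51.100.10 proto=tcp dport=23
2024-03-02T14:03:12 ALLOW src=192.0.2.77 dst=198.51.100.20 proto=tcp dport=443
2024-03-03T02:10:58 DENY src=203.0.113.5 dst=198.51.100.10 proto=tcp dport=23
2024-03-03T09:45:31 ALLOW src=203.0.113.9 dst=198.51.100.10 proto=tcp dport=3389
2024-03-03T09:45:40 ALLOW src=192.0.2.77 dst=198.51.100.20 proto=tcp dport=443
2024-03-03T11:00:00 this line is deliberately malformed
"""

# Policy assumptions for the example: 192.0.2.0/24 is the internal network and
# these ports must never be reachable from outside it.
INTERNAL_NET = ipaddress.ip_network("192.0.2.0/24")
INTERNAL_ONLY_PORTS = {23, 3389}


def parse_log(text: str) -> List[Dict]:
    """Parse log lines into dicts; unparsable lines are skipped, not guessed at."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["dport"] = int(ev["dport"])
        ev["day"] = ev["ts"][:10]  # ISO date prefix of the timestamp
        events.append(ev)
    return events


def repeated_sources(events: List[Dict], min_days: int = 3) -> Dict[str, Dict]:
    """Sources denied on at least min_days distinct days: the 'ongoing' trend."""
    denies = defaultdict(lambda: {"denies": 0, "days": set(), "ports": set()})
    for ev in events:
        if ev["action"] != "DENY":
            continue
        rec = denies[ev["src"]]
        rec["denies"] += 1
        rec["days"].add(ev["day"])
        rec["ports"].add(ev["dport"])
    return {
        src: {"denies": r["denies"], "days": len(r["days"]), "ports": sorted(r["ports"])}
        for src, r in denies.items() if len(r["days"]) >= min_days
    }


def policy_violations(events: List[Dict]) -> List[Dict]:
    """ALLOW entries from outside the internal network to internal-only ports."""
    return [
        ev for ev in events
        if ev["action"] == "ALLOW"
        and ev["dport"] in INTERNAL_ONLY_PORTS
        and ipaddress.ip_address(ev["src"]) not in INTERNAL_NET
    ]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for src, r in repeated_sources(evs).items():
        print(f"trend: {src} denied {r['denies']} times over {r['days']} days on ports {r['ports']}")
    for ev in policy_violations(evs):
        print(f"rule check: {ev['src']} was ALLOWED to port {ev['dport']} on {ev['ts']}")
```

The second function is the one that answers "could there be an underlying reason": a DENY trend on a port is expected noise, but a single ALLOW to the same port from outside the internal range is a rule that does not match the policy and belongs in the findings.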

Because of the breadth of data to be examined, auditors will want to work with the client to
determine the scope of the audit. Factors to consider include: the site business plan, the type of
data being protected and the value/importance of that data to the client organization, previous
security incidents, the time available to complete the audit and the talent/expertise of the auditors.
Good auditors will want to have the scope of the audit clearly defined, understood and agreed to
by the client.

Next, the auditors will develop an audit plan. This plan will cover how the audit will be executed,
with which personnel, and using what tools. They will then discuss the plan with the requesting
agency. Next they discuss the objective of the audit with site personnel along with some of the
logistical details, such as the time of the audit, which site staff may be involved and how the audit
will affect daily operations. Finally, the auditors should ensure that the audit objectives are understood.

At the Audit Site

When the auditors arrive at the site, their aim is not to adversely affect business transactions
during the audit. They should conduct an entry briefing where they again outline the scope of the
audit and what they are going to accomplish. Any questions that site management may have
should be addressed and last minute requests considered within the framework of the original
audit proposal.

The auditors should be thorough and fair, applying consistent standards and procedures
throughout the audit. During the audit, they will collect data about the physical security of
computer assets and perform interviews of site staff. They may perform network vulnerability
assessments, operating system and application security assessments, access controls assessment,
and other evaluations. Throughout this process, the auditors should follow their checklists, but
also keep their eyes open for unexpected problems. Here they get their noses off the checklist and
start to sniff the air. They should look beyond any preconceived notions or expectations of what
they should find and see what is actually there.

Conduct Outgoing Briefing

After the audit is complete, the auditors will conduct an outgoing briefing, ensuring that
management is aware of any problems that need immediate correction. Questions from
management are answered in a general manner so as not to create a false impression of the audit's
outcome. It should be stressed that the auditors may not be in a position to provide definitive
answers at this point in time. Any final answers will be provided following the final analysis of
the audit results.

Back in the Office

Once back in the home office, the auditors will begin to comb their checklists and analyze data
discovered through vulnerability assessment tools. There should be an initial meeting to help
focus the outcome of the audit results. During this meeting, the auditors can identify problem
areas and possible solutions. The audit report can be prepared in a number of formats, but
auditors should keep the report simple and direct, containing concrete findings with measurable
ways to correct the discovered deficiencies.

The audit report can follow a general format of executive summary, detailed findings and
supporting data, such as scan reports, as report appendices. When writing the report, develop the
executive summary first, as you may have to brief management soon after returning. It is important
to realize that strengths as well as deficiencies can be addressed in the executive summary to help
give an overall balance to the audit report. Next, the auditors can provide a detailed report based
on the audit checklists. The audit findings should be organized in a simple and logical manner on
one-page worksheets for each discovered problem. Each worksheet outlines the problem, its
implications, and how it can be corrected. Space should be left on the worksheet to allow the site
to document corrective steps, and a comment block to dispute the finding if appropriate.

Don't Keep Them Waiting

Finally, the audit staff should prepare the report as speedily as accuracy allows so that the site
staff can correct the problems discovered during the audit. Depending on company policy,
auditors should be ready to guide the audited site staff in correcting deficiencies and help them
measure the success of these efforts. Management should continually supervise deficiencies that
are turned up by the audit until they are completely corrected. The motto for higher management
armed with the audit report should be, "follow up, follow up, and follow up."

The Audit - Not an Event but a Process

It must be kept in mind that as organizations evolve, their security structures will change as well.
With this in mind, the computer security audit is not a one-time task, but a continual effort to
improve data protection. The audit measures the organization's security policy and provides an
analysis of the effectiveness of that policy within the context of the organization's structure,
objectives and activities. The audit should build on previous audit efforts to help refine the policy
and correct deficiencies that are discovered through the audit process. Whereas tools are an
important part of the audit process, the audit is less about the use of the latest and greatest
vulnerability assessment tool, and more about the use of organized, consistent, accurate, data
collection and analysis to produce findings that can be measurably corrected.

In an interconnected world of instant information, information privacy and security are caught in
a crossfire: on one side there is a growing demand for access to personal information in order to
generate products better adjusted to people's tastes; on the other, security requires knowledge of
records and transaction movements as a prerequisite for monitoring and control by the state.

However, that crossfire does not stop the flow of information.

Both security and privacy define distinct and complementary domains of action, each requiring a
particular level of specialization to develop a set of practices that conceptualize and materialize
the exercise of access and control. Information security and privacy create a challenge for
engineering and corporate practice that should follow the statements of a company's corporate
governance, where information is defined as a strategic asset and a source of value to capitalize
on new and renewed business strategies.

In establishing the limits of the performance of the privacy professional and the Information
security manager, it’s necessary to understand in detail the basics of each of the roles and
confront the current dynamics of the organization where these two job descriptions appear to
comply with a legal requirement or conform with some good international practice required to
compete in a particular market.

Understanding that privacy is not confidentiality and information security is not privacy is,
therefore, a reflection to be undertaken.

Privacy is a connotation of larger organizations, which requires a detailed understanding of the
law that assists citizens against the law of nations, while security is a practice of the protection of
information that provides care for the declared strategic asset.

Privacy and Information Security: The Territorial Challenges

For that reason, we can see there will be practices of information security that apply to the
exercise of privacy, and privacy concepts similar to the principles in information security.

Information Security and Privacy: Two Different Domains

After reviewing the annotations of Prof. Konstantinos Lambrinoudakis in the Department of
Digital Systems of the University of Piraeus in Greece, it is clear that information security and
information privacy belong to different domains.

While the security of information refers to the protection of information stored, processed and
transmitted to comply with the functions and purposes of the information systems in an
organization, the privacy of information is related to the protection of the information related to a
subject's identity. Similarly, the security of information is an important tool to protect information
assets and business objectives, while privacy is focused on safeguarding individuals' rights
when it comes to the same information.

Currently, information privacy has been addressed as a legal issue, which has not been handled
properly by information security standards. While the principle of confidentiality seeks to prevent
the disclosure of sensitive data to unauthorized entities, it does not focus on hiding the identity of
the owner of the data or making it impossible to link the data and its owner. So the principles of
information security such as confidentiality, integrity and availability are not equivalent to the
features that should be secured in information privacy, such as anonymity, unlinkability,
indistinguishability, untraceability and pseudonymity. Therefore, while information protection
strategies ensure correct access, privacy protection demands the blurring of data to avoid
identifying it, dismantling all kinds of links between data and its owner, facilitating the use of
pseudonyms and alternate names, and allowing anonymous access.

Information systems that meet security and control mechanisms do not necessarily meet the
demands of privacy compliance. In this sense, information privacy, like the establishment of
rules governing the treatment of personal information, demands that companies design alternative
mechanisms to safeguard the identity of persons and access to sensitive information, in order to
prevent discrimination or harm to privacy.
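The distinction drawn above, that confidentiality does not give unlinkability and that a system satisfying its security controls can still fail privacy, can be shown concretely. The following is an added example, not code from the original text, and it uses made-up datasets and keys. Protecting a person identifier with one organization-wide keyed hash keeps the raw value confidential, yet every record with the same identifier remains linkable across datasets; deriving a separate pseudonymization key per dataset keeps records consistent inside each dataset (so counting and follow-up still work) while removing the cross-dataset link. The dataset names and contexts ("clinic", "pharmacy") are assumptions for the illustration.

```python
"""Confidentiality is not unlinkability: a worked contrast.

Added example, not from the original text. Two constructed datasets share
a person identifier. Protecting that identifier with one organisation-wide
keyed hash keeps it confidential (the raw value is not disclosed) but
leaves every record linkable across datasets; deriving a separate key per
dataset keeps records consistent inside each dataset while removing the
cross-dataset link. Keys and records here are made up for the example.
"""
import hashlib
import hmac
from typing import Dict, List, Set

MASTER_KEY = b"example-master-key-not-for-production"  # constructed

CLINIC_VISITS: List[Dict] = [      # constructed dataset A
    {"id": "AB123456", "visit": "2024-01-03", "dept": "cardiology"},
    {"id": "CD987654", "visit": "2024-01-04", "dept": "oncology"},
    {"id": "AB123456", "visit": "2024-02-10", "dept": "cardiology"},
]
PHARMACY_RECORDS: List[Dict] = [   # constructed dataset B
    {"id": "AB123456", "item": "prescription-1"},
    {"id": "EF555555", "item": "prescription-2"},
]


def derive_context_key(master: bytes, context: str) -> bytes:
    """One key per dataset/purpose, derived with HMAC so the master never leaves."""
    return hmac.new(master, context.encode(), hashlib.sha256).digest()


def pseudonym(identifier: str, key: bytes) -> str:
    """Deterministic keyed hash: the same id and key always give the same token."""
    return hmac.new(key, identifier.encode(), hashlib.sha256).hexdigest()


def pseudonymize(records: List[Dict], key: bytes) -> List[Dict]:
    """Return copies of the records with the identifier replaced by its pseudonym."""
    return [{**r, "id": pseudonym(r["id"], key)} for r in records]


def shared_ids(a: List[Dict], b: List[Dict]) -> Set[str]:
    """Identifiers appearing in both datasets, i.e. records that can be linked."""
    return {r["id"] for r in a} & {r["id"] for r in b}


def single_key_linkage() -> int:
    """Confidentiality only: one key for everything, so cross-dataset links survive."""
    a = pseudonymize(CLINIC_VISITS, MASTER_KEY)
    b = pseudonymize(PHARMACY_RECORDS, MASTER_KEY)
    return len(shared_ids(a, b))


def per_context_linkage() -> int:
    """Unlinkability: a different derived key per dataset breaks the link."""
    a = pseudonymize(CLINIC_VISITS, derive_context_key(MASTER_KEY, "clinic"))
    b = pseudonymize(PHARMACY_RECORDS, derive_context_key(MASTER_KEY, "pharmacy"))
    return len(shared_ids(a, b))


def distinct_pseudonyms(records: List[Dict], context: str) -> int:
    """Within one context the pseudonym stays consistent, so counting still works."""
    a = pseudonymize(records, derive_context_key(MASTER_KEY, context))
    return len({r["id"] for r in a})


if __name__ == "__main__":
    print("links across datasets, one shared key:", single_key_linkage())
    print("links across datasets, per-context keys:", per_context_linkage())
    print("distinct people in clinic data:", distinct_pseudonyms(CLINIC_VISITS, "clinic"))
```

Both variants pass an ordinary confidentiality check, since neither discloses the raw identifier; only the second meets the unlinkability requirement the text describes. Whoever holds the master key can still re-link on purpose, which is why the key, not the hashing, is the control that privacy governance has to place.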

So, designing an information system with privacy by default cannot be done exclusively with
information-security mechanisms. You will need to integrate the conditions listed previously,
among other actions, to:

• Inform users of the state of privacy in the information system.

• Provide simple operations and plain language so users can learn and understand the privacy
options available to them.

• Ask users to confirm their choices before proceeding with actions that may be contrary to their
privacy.

• Provide an effective way out of any selected option at any time to protect the user's privacy.

• Destroy any personal information that was used in the course of a working session.
