
Confidentiality and Privacy Controls

Chapter 9

Copyright © 2015 Pearson Education, Inc.


Learning Objectives
• Identify and explain controls designed to protect the confidentiality of sensitive information.
• Identify and explain controls designed to protect the privacy of customers’ personal information.
• Explain how the two basic types of encryption systems work.

Protecting Confidentiality and Privacy of Sensitive Information
• Identify and classify information to protect
• Where is it located and who has access?
• Classify value of information to organization
• Encryption
• Protect information in transit and in storage
• Access controls
• Controlling outgoing information (confidentiality)
• Digital watermarks (confidentiality)
• Data masking (privacy)
• Training
Generally Accepted Privacy Principles
• Management
▫ Procedures and policies with assigned responsibility and accountability
• Notice
▫ Provide notice of privacy policies and practices prior to collecting data
• Choice and consent
▫ Opt-in versus opt-out approaches
• Collection
▫ Only collect needed information
• Use and retention
▫ Use information only for stated business purpose
• Access
▫ Customer should be able to review, correct, or delete information collected on them
• Disclosure to third parties
• Security
▫ Protect from loss or unauthorized access
• Quality
• Monitoring and enforcement
▫ Procedures in responding to complaints
▫ Compliance

Encryption

• Preventative control
• Factors that influence encryption strength:
▫ Key length (longer = stronger)
▫ Algorithm
▫ Management policies
 Stored securely

Encryption Steps
• Takes plaintext and, with an encryption key and algorithm, converts it to unreadable ciphertext (sender of message)
• To read the ciphertext, the encryption key reverses the process to make the information readable (receiver of message)

Types of Encryption

Symmetric
• Uses one key to encrypt and decrypt
• Both parties need to know the key
▫ Need to securely communicate the shared key
▫ Cannot share key with multiple parties, they get their own (different) key from the organization

Asymmetric
• Uses two keys
▫ Public—everyone has access
▫ Private—used to decrypt (only known by you)
▫ Public key can be used by all your trading partners
• Can create digital signatures

Virtual Private Network

• Securely transmits encrypted data between sender and receiver
▫ Sender and receiver have the appropriate encryption and decryption keys.

Key Terms
• Information rights management (IRM)
• Data loss prevention (DLP)
• Digital watermark
• Data masking
• Spam
• Identity theft
• Cookie
• Encryption
• Plaintext
• Ciphertext
• Decryption
• Symmetric encryption systems
• Asymmetric encryption systems
• Public key
• Private key
• Key escrow
• Hashing
• Hash
• Nonrepudiation
• Digital signature
• Digital certificate
• Certificate of authority
• Public key infrastructure (PKI)
• Virtual private network (VPN)
Processing Integrity and Availability Controls
Chapter 10

Learning Objectives

• Identify and explain controls designed to ensure processing integrity.
• Identify and explain controls designed to ensure systems availability.

Processing Integrity Controls

• Input
▫ Forms design
 Sequentially prenumbered
▫ Turnaround documents

Processing Integrity: Data Entry Controls

• Field check
▫ Characters in a field are proper type
• Sign check
▫ Data in a field is appropriate sign (positive/negative)
• Limit check
▫ Tests numerical amount against a fixed value
• Range check
▫ Tests numerical amount against lower and upper limits
• Size check
▫ Input data fits into the field
• Completeness check
▫ Verifies that all required data is entered
• Validity check
▫ Compares data from transaction file to that of master file to verify existence
• Reasonableness test
▫ Correctness of logical relationship between two data items
• Check digit verification
▫ Recalculating check digit to verify data entry error has not been made
Additional Data Entry Controls

• Batch processing
▫ Sequence check
 Test of batch data in proper numerical or alphabetical sequence
▫ Batch totals
 Summarize numeric values for a batch of input records
 Financial total
 Hash total
 Record count
• Prompting
▫ System prompts you for input (online completeness check)
• Closed-loop verification
▫ Checks accuracy of input data by using it to retrieve and display other related information (e.g., customer account # retrieves the customer name)
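
The batch totals and sequence check listed on this slide, as an added Python example that is not part of the original slides. The record layout (sequence number, customer account, amount) and the sample batches are constructed, and the hash total is assumed to be taken over the account numbers.

```python
from decimal import Decimal

# Constructed sample batch: (sequence_no, customer_account, amount)
BATCH_AS_PREPARED = [
    (101, 40017, Decimal("250.00")),
    (102, 40233, Decimal("75.50")),
    (103, 41890, Decimal("1200.00")),
    (104, 40551, Decimal("19.99")),
]

def batch_totals(records):
    """Compute the three batch totals: record count, financial total, hash total."""
    return {
        "record_count": len(records),
        "financial_total": sum((r[2] for r in records), Decimal("0")),
        # Hash total: sum of a non-financial numeric field (account numbers here).
        "hash_total": sum(r[1] for r in records),
    }

def sequence_check(records):
    """Return positions whose sequence number does not follow the previous one.

    Assumes sequentially prenumbered documents, so a gap fails as well as
    an out-of-order record.
    """
    return [i for i in range(1, len(records))
            if records[i][0] != records[i - 1][0] + 1]

def verify_batch(records, control_totals):
    """Recalculate totals after data entry and name every control that fails."""
    failures = [name for name, value in batch_totals(records).items()
                if value != control_totals[name]]
    if sequence_check(records):
        failures.append("sequence_check")
    return failures

# Control totals recorded when the batch was prepared, before keying.
CONTROL = batch_totals(BATCH_AS_PREPARED)

# Keyed batch with a transposition error in one account number (40233 -> 40323).
KEYED_TRANSPOSED = list(BATCH_AS_PREPARED)
KEYED_TRANSPOSED[1] = (102, 40323, Decimal("75.50"))

# Keyed batch with record 103 dropped.
KEYED_MISSING = BATCH_AS_PREPARED[:2] + BATCH_AS_PREPARED[3:]

if __name__ == "__main__":
    for label, batch in [("transposed", KEYED_TRANSPOSED), ("missing", KEYED_MISSING)]:
        print(label, verify_batch(batch, CONTROL))
```

The transposed account number leaves the record count and financial total unchanged, so only the hash total exposes it; the dropped record fails all three totals and the sequence check.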

Processing Controls

• Data matching
▫ Two or more items must be matched before an action takes place
• File labels
▫ Ensures correct and most updated file is used
• Recalculation of batch totals
• Cross-footing
▫ Verifies accuracy by comparing two alternative ways of calculating the same total
• Zero-balance tests
▫ For control accounts (e.g., payroll clearing)
• Write-protection mechanisms
▫ Protect against overwriting or erasing data
• Concurrent update controls
▫ Prevent error of two or more users updating the same record at the same time
Output Controls

• User review of output
• Reconciliation
▫ Procedures to reconcile to control reports (e.g., general ledger A/R account reconciled to Accounts Receivable Subsidiary Ledger)
▫ External data reconciliation
• Data transmission controls

Availability Controls
• Preventive maintenance
• Fault tolerance
▫ Use of redundant components
• Data center location and design
▫ Raised floor
▫ Fire suppression
▫ Air conditioning
▫ Uninterruptible power supply (UPS)
▫ Surge protection
• Patch management and antivirus software
• Backup procedures
▫ Incremental
 Copies only items that have changed since last partial backup
▫ Differential backup
 Copies all changes made since last full backup
• Disaster recovery plan (DRP)
▫ Procedures to restore organization’s IT function
 Cold site
 Hot site
• Business continuity plan (BCP)
▫ How to resume all operations, not just IT
Key Terms

• Turnaround document
• Field check
• Sign check
• Limit check
• Range check
• Size check
• Completeness check
• Validity check
• Reasonableness test
• Check digit
• Check digit verification
• Sequence check
• Batch totals
• Financial total
• Hash total
• Record count
• Prompting
• Closed-loop verification
• Header record
• Trailer record
• Transposition error
• Cross-footing balance test
• Zero-balance test
Key Terms (continued)

• Concurrent update controls
• Checksum
• Parity bit
• Parity checking
• Fault tolerance
• Redundant arrays of independent drives (RAID)
• Uninterruptible power supply (UPS)
• Backup
• Recovery point objective (RPO)
• Recovery time objective (RTO)
• Real-time mirroring
• Full backup
• Incremental backup
• Differential backup
• Archive
• Disaster recovery plan (DRP)
• Cold site
• Hot site
• Business continuity plan (BCP)
