2 Learning Objectives
- Identify and explain controls designed to protect the confidentiality of sensitive information.
- Identify and explain controls designed to protect the privacy of customers’ personal information.
- Explain how the two basic types of encryption systems work.

3 CONFIDENTIALITY
According to the Trust Services framework, reliable systems satisfy five principles:
- Security (discussed in Chapter 8)
- Confidentiality
- Privacy
- Processing integrity
- Availability
[Figure: Systems Reliability diagram with the labels Confidentiality, Privacy, Processing Integrity, Availability, Security]

4 Protecting Confidentiality of Sensitive Information
- Identify and classify information to protect
  - Where is it located and who has access?
  - Classify value of information to organization
- Encryption
  - Protect information in transit and in storage
- Access controls
  - Information rights management (IRM)
  - Controlling outgoing information: DLP
  - Digital watermarks
- Training

5 Identification and Classification
Intellectual Property (IP):
- Strategic plans
- Trade secrets
- Cost information
- Legal documents
- Process improvements
All need to be secured.

6 Encryption
- Encryption alone is not sufficient to protect confidentiality. Given enough time, many encryption schemes can be broken.
- Access controls are also needed.
- Strong authentication techniques are necessary.

7 Controlling Access
- Information Rights Management (IRM) software
  - Can limit the actions (read, write, change, delete, copy, etc.) that authorized users can perform when accessing confidential information
- Data Loss Prevention (DLP) software
- Digital watermarks
- Physical access controls
- System outputs
- Magnetic and optical media
- Voice-over-the-Internet (VoIP) technology
- Virtualization and cloud computing

8 Training
Employee use of e-mail, instant messaging (IM), blogs and social media represents some of the greatest threats to the confidentiality of sensitive information.
- Use of encryption software
- Leaving workstations unattended
- Code reports to reflect importance
- Clean desk policy

9 PRIVACY
- In the Trust Services framework, the privacy principle is closely related to the confidentiality principle.
- The primary difference is that privacy focuses on protecting personal information about customers rather than organizational data.
[Figure: Systems Reliability diagram with the labels Confidentiality, Privacy, Processing Integrity, Availability, Security]

10 Privacy
Same controls as confidentiality:
- Identification and classification
- Encryption
- Access control
- Training

11 Privacy Concerns
- SPAM
  - Unsolicited e-mail that contains either advertising or offensive content
- Controlling the Assault of Non-Solicited Pornography and Marketing Act (CAN-SPAM, 2003)
  - Criminal and civil penalties for spamming

12 Privacy Concerns
Organizations must carefully follow the CAN-SPAM guidelines, which include:
- The sender’s identity must be clearly displayed in the message header.
- The subject field in the header must clearly identify the message as an advertisement or solicitation.
- The body must provide recipients with a working link that can be used to “opt out” of future e-mail.
- The body must include the sender’s valid postal address.
Organizations should not:
- Send e-mail to randomly generated addresses.
- Set up websites designed to harvest e-mail addresses of potential customers.

13 Privacy Concerns
Identity Theft
- The unauthorized use of someone’s personal information for the perpetrator’s benefit.
- Companies have access to, and thus must control, customers’ personal information.

14 Privacy Regulatory Acts
A number of regulations, including the Health Insurance Portability and Accountability Act (HIPAA), the Health Information Technology for Economic and Clinical Health Act (HITECH), and the Financial Services Modernization Act (also known as the Gramm-Leach-Bliley Act), require organizations to protect the privacy of customer information.

15 ENCRYPTION
- Encrypting sensitive stored data provides one last barrier that must be overcome by an intruder.
- Encryption plays an essential role in ensuring and verifying the validity of e-business transactions.
- Therefore, accountants, auditors, and systems professionals need to understand encryption.

16 Encryption Steps
- Takes plaintext and, with an encryption key and algorithm, converts it to unreadable ciphertext (sender of message)
- To read ciphertext, an encryption key reverses the process to make information readable (receiver of message)
- To encrypt or decrypt, both a key and an algorithm are needed

17 Encryption Strength
- Key length (longer = stronger)
  - Number of bits (characters) used to convert text into blocks
  - 256 is common
- Algorithm
  - Manner in which key and text are combined to create scrambled text
- Policies concerning encryption keys
  - Stored securely with strong access codes

18 Types of Encryption
Symmetric
- Uses one key to encrypt and decrypt
- Both parties need to know the key
  - Need to securely communicate the shared key
  - Cannot share key with multiple parties; they get their own (different) key from the organization
- Since both sides of the transaction share the key, there is no way to prove which party created a document.
Asymmetric
- Uses two keys
  - Public—everyone has access
  - Private—used to decrypt (only known by you)
- Public key can be used by all your trading partners
- Can create digital signatures

19 ENCRYPTION
Hybrid Solution
- Use symmetric for encrypting information
- Use asymmetric for encrypting symmetric key for decryption

20 Hashing
- Converts information into a “hashed” code of fixed length.
- The code cannot be converted back to the text.
- If any change is made to the information, the hash code will change, thus enabling verification of information.

21 Digital Signature
Hash of a document that is encrypted using the document creator’s private key
Provides proof:
- That the document has not been altered
- Of the creator of the document

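Added example (not part of the original slides): the hashing and digital signature slides above, worked through in Python with a toy textbook-RSA key pair. The primes, key size, function names and sample documents are constructed assumptions; real signatures use randomly generated keys of 2048 bits or more and a padding scheme.

```python
import hashlib

# Toy key pair (constructed for illustration): two known Mersenne primes.
# Real keys are randomly generated, far larger, and used with padding.
P = 2**89 - 1
Q = 2**127 - 1
N = P * Q                              # public modulus
E = 65537                              # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent, known only to the creator


def digest(document: bytes) -> int:
    """Fixed-length hash of the document, reduced to fit the toy modulus."""
    return int.from_bytes(hashlib.sha256(document).digest(), "big") % N


def sign(document: bytes, private_exp: int = D) -> int:
    """Creator: hash the document, then transform the hash with the private key."""
    return pow(digest(document), private_exp, N)


def verify(document: bytes, signature: int) -> bool:
    """Anyone: undo the transform with the public key, compare to a fresh hash."""
    return pow(signature, E, N) == digest(document)


def demo() -> dict:
    original = b"Pay supplier 4471 the amount of $1,000.00"   # constructed sample
    altered = b"Pay supplier 4471 the amount of $9,000.00"    # constructed sample
    sig = sign(original)
    # A party without D has only public values; E stands in for "not the private key".
    not_creator = sign(altered, private_exp=E)
    return {
        "genuine": verify(original, sig),            # unaltered, signed by creator
        "altered_document": verify(altered, sig),    # hash no longer matches
        "wrong_key": verify(altered, not_creator),   # not made with the private key
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'valid' if ok else 'REJECTED'}")
```

The first case shows both proofs from the slide at once; the other two show each proof failing separately, when the document changes and when the signer does not hold the private key.
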
22 Digital Certificate
- Electronic document that contains an entity’s public key
- Certifies the identity of the owner of that particular public key
- Issued by Certificate Authority
- Public Key Infrastructure (PKI)

23 Virtual Private Network (VPN)
- The Internet provides inexpensive transmission, but data is easily intercepted.
- Encryption solves the interception issue.
- If data is encrypted before sending it, a virtual private network (VPN) is created.
  - Provides the functionality of a privately owned network
  - But uses the Internet

24 Virtual Private Network
- Securely transmits encrypted data between sender and receiver
- Sender and receiver have the appropriate encryption and decryption keys.