
Information Systems Controls for System Reliability: Confidentiality, Privacy, Processing Integrity, and Availability

This chapter explores the controls used to protect the confidentiality, privacy, and processing integrity of sensitive information in information systems, as well as ensuring availability. Topics include encryption, VPNs, access controls, and secure disposal of information resources.







  1. CHAPTER 8 Information Systems Controls for System Reliability Part 2: Confidentiality, Privacy, Processing Integrity, and Availability

  2. INTRODUCTION • Questions to be addressed in this chapter include: • What controls are used to protect the confidentiality of sensitive information? • What controls are designed to protect privacy of customers’ personal information? • What controls ensure processing integrity? • How are information systems changes controlled to ensure that the new system satisfies all five principles of systems reliability?

  3. INTRODUCTION • Reliable systems satisfy five principles: • Information Security (discussed in Chapter 7) • Confidentiality • Privacy • Processing integrity • Availability [Figure: the five principles of systems reliability (security, confidentiality, privacy, processing integrity, availability)]

  4. CONFIDENTIALITY • Reliable systems maintain the confidentiality of sensitive information. [Figure: the five principles of systems reliability, with confidentiality highlighted]

  5. CONFIDENTIALITY • Maintaining confidentiality requires that management identify which information is sensitive. • Each organization will develop its own definitions of what information needs to be protected. • Most definitions will include: • Business plans • Pricing strategies • Client and customer lists • Legal documents • COBIT control objective PO 2.3 specifies the need to identify and to properly label potentially sensitive information, to assign responsibility for its protection, and to implement appropriate controls.

  6. CONFIDENTIALITY • Table 8-1 in your textbook summarizes the key controls to protect the confidentiality of information:

  7. CONFIDENTIALITY • Encryption is a fundamental control procedure for protecting the confidentiality of sensitive information. • Confidential information should be encrypted: • While stored • Whenever transmitted

  8. CONFIDENTIALITY • The Internet provides inexpensive transmission, but data is easily intercepted. • Encryption solves the interception issue. • If data is encrypted before sending it, a virtual private network (VPN) is created. • Provides the functionality of a privately owned network • But uses the Internet

  9. CONFIDENTIALITY • Use of VPN software creates private communication channels, often referred to as tunnels. • The tunnels are accessible only to parties who have the appropriate encryption and decryption keys. • Cost of the VPN software is much less than costs of leasing or buying a privately-owned, secure communications network. • Also, makes it much easier to add or remove sites from the “network.” • In accordance with COBIT DS 5.11, VPNs include controls to authenticate the parties exchanging information and to create an audit trail of the exchange.

  10. CONFIDENTIALITY • It is critical to encrypt any sensitive information stored in devices that are easily lost or stolen, such as laptops, PDAs, cell phones, and other portable devices. • Many organizations have policies against storing sensitive information on these devices. • 81% of users admit they do so anyway.

  11. CONFIDENTIALITY • Encryption alone is not sufficient to protect confidentiality. Given enough time, many encryption schemes can be broken. • Access controls are also needed: • To prevent unauthorized parties from obtaining the encrypted data; and • Because not all confidential information can be encrypted in storage. • Strong authentication techniques are necessary. • Strong authorization controls should be used to limit the actions (read, write, change, delete, copy, etc.) that authorized users can perform when accessing confidential information.
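As an added illustration of slides 5 and 11 (this is example code, not from the textbook or its slides): a small default-deny authorization check in which every information asset carries a sensitivity label, each role is granted a set of permitted actions per label, and every decision, allowed or denied, is written to an audit trail. The labels, roles, asset names and policy table are constructed for the example.

```python
"""Added example (not from the textbook): action-level authorization over
labeled information, with a default-deny policy and an audit trail."""
from dataclasses import dataclass, field
from enum import Enum


class Label(str, Enum):
    """Sensitivity labels; the names are constructed for this example."""
    PUBLIC = "public"
    INTERNAL = "internal"
    CONFIDENTIAL = "confidential"


# The actions slide 11 lists as things authorization should limit.
ACTIONS = frozenset({"read", "write", "change", "delete", "copy"})

# Hypothetical role -> label -> permitted actions. Anything not listed here
# is denied, so a new label or role stays closed until policy is written for it.
POLICY = {
    "analyst": {
        Label.PUBLIC: {"read", "copy"},
        Label.INTERNAL: {"read"},
    },
    "finance_manager": {
        Label.PUBLIC: {"read", "copy"},
        Label.INTERNAL: {"read", "write", "change"},
        # May view and correct confidential records, but not copy or delete them.
        Label.CONFIDENTIAL: {"read", "change"},
    },
}


@dataclass(frozen=True)
class Asset:
    name: str
    label: Label


@dataclass
class AuditTrail:
    """Append-only record of every access decision, allowed or not."""
    entries: list = field(default_factory=list)

    def record(self, user: str, role: str, action: str, asset: Asset, allowed: bool) -> None:
        self.entries.append({
            "user": user, "role": role, "action": action,
            "asset": asset.name, "label": asset.label.value, "allowed": allowed,
        })


def is_authorized(user: str, role: str, action: str, asset: Asset, audit: AuditTrail) -> bool:
    """Return True only if the role explicitly grants `action` on the asset's label."""
    if action not in ACTIONS:
        raise ValueError(f"unknown action: {action!r}")
    permitted = POLICY.get(role, {}).get(asset.label, set())   # default deny
    allowed = action in permitted
    audit.record(user, role, action, asset, allowed)
    return allowed


def denied_events(audit: AuditTrail) -> list:
    """Denied attempts are the entries a reviewer would look at first."""
    return [e for e in audit.entries if not e["allowed"]]


if __name__ == "__main__":
    trail = AuditTrail()
    pricing = Asset("pricing-strategy.xlsx", Label.CONFIDENTIAL)   # constructed asset
    print(is_authorized("alice", "analyst", "read", pricing, trail))         # False
    print(is_authorized("bob", "finance_manager", "read", pricing, trail))   # True
    print(is_authorized("bob", "finance_manager", "copy", pricing, trail))   # False
    print(denied_events(trail))
```

The point of the table shape is that authorization is granted per action, not per asset: a manager who may read a confidential document is still stopped from copying or deleting it, and an unknown role or unlabeled asset gets nothing until someone writes policy for it.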

  12. CONFIDENTIALITY • Access to system outputs should also be controlled: • Do not allow visitors to roam through buildings unsupervised. • Require employees to log out of any application before leaving their workstation unattended, so other employees do not have unauthorized access. • Workstations should use password-protected screen savers that automatically engage when there is no activity for a specified period. • Access should be restricted to rooms housing printers and fax machines. • Reports should be coded to reflect the importance of the information therein, and employees should be trained not to leave reports with sensitive information lying in plain view.

  13. CONFIDENTIALITY • It is especially important to control disposal of information resources. • Printed reports and microfilm with sensitive information should be shredded. • COBIT control objective DS 11.4 addresses the need to define and implement procedures governing the disposal of sensitive data and any hardware on which that data was stored.

  14. CONFIDENTIALITY • Special procedures are needed for information stored on magnetic and optical media. • Using built-in operating system commands to delete the information does not truly delete it, and utility programs will often be able to recover these files. • De-fragmenting a disk may actually create multiple copies of a “deleted” document. • Consequently, special software should be used to “wipe” the media clean by repeatedly overwriting the disk with random patterns of data (sometimes referred to as “shredding” a disk). • Magnetic disks and tapes can be run through devices to demagnetize them. • The safest alternative may be to physically destroy disks with highly sensitive data.
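The overwrite-before-delete procedure from slide 14, as an added example (not from the textbook): the file is overwritten in place several times with random bytes, each pass is forced out of the operating system cache to the device, and only then is the file unlinked. The example assumes a regular file on a magnetic disk where an in-place write reaches the same sectors; on SSDs, journaling or copy-on-write filesystems and cloud storage the new pattern may land elsewhere and the old blocks survive, which is why the slide ends with degaussing or physical destruction for highly sensitive data. The sample file content is constructed.

```python
"""Added example (not from the textbook): overwrite a file with random data
before unlinking it, so the blocks that held it no longer hold the content."""
import os
import secrets
import tempfile


def overwrite_file(path: str, passes: int = 3, chunk_size: int = 64 * 1024) -> int:
    """Overwrite `path` in place `passes` times with random bytes.

    Returns the file size so the caller can confirm the whole file was covered.
    Random data (rather than zeros) leaves no pattern that distinguishes a
    wiped file from unused space."""
    size = os.path.getsize(path)
    with open(path, "r+b") as fh:
        for _ in range(passes):
            fh.seek(0)
            remaining = size
            while remaining > 0:
                n = min(chunk_size, remaining)
                fh.write(secrets.token_bytes(n))
                remaining -= n
            # Push the pattern through the OS cache to the device before the
            # next pass (and before the unlink); otherwise only the last
            # in-memory copy might ever reach the disk.
            fh.flush()
            os.fsync(fh.fileno())
    return size


def wipe_file(path: str, passes: int = 3) -> int:
    """Overwrite and then remove the file; returns the number of bytes wiped."""
    size = overwrite_file(path, passes)
    os.remove(path)
    return size


def demo() -> bool:
    """Create a constructed 'sensitive' file, wipe it, and report whether the
    content had been replaced before the file disappeared."""
    original = b"CLIENT LIST: Acme Corp, Globex, Initech\n" * 2000   # constructed sample
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as fh:
        fh.write(original)
    overwrite_file(path, passes=1)
    with open(path, "rb") as fh:
        after = fh.read()
    wipe_file(path)
    return after != original and len(after) == len(original) and not os.path.exists(path)


if __name__ == "__main__":
    print("wiped:", demo())   # True
```

The `fsync` after each pass matters more than the number of passes: without it the operating system may collapse the passes into one write, or delay it past the unlink, so the data on disk was never actually replaced.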

  15. CONFIDENTIALITY • Controls to protect confidentiality must be continuously reviewed and modified to respond to new threats created by technological advances. • Many organizations now prohibit visitors from using cell phones while touring their facilities because of the threat caused by cameras in these phones. • Because these devices are easy to hide, some organizations use jamming devices to deactivate their imaging systems while on company premises.

  16. CONFIDENTIALITY • Phone conversations have also been affected by technology. • The use of voice over IP (VoIP) technology means that phone conversations are routed in packets over the Internet. • Because this technology makes wiretapping much easier, conversations about sensitive topics should be encrypted.

  17. CONFIDENTIALITY • Employee use of email and instant messaging (IM) probably represents two of the greatest threats to the confidentiality of sensitive information. • Once a message is in the recipient’s hands, it is virtually impossible to control its further distribution. • Organizations need to develop comprehensive policies governing the appropriate and allowable use of these technologies for business purposes. • Employees need to be trained on what type of information they can and cannot share, especially with IM.

  18. CONFIDENTIALITY • Many organizations are taking steps to address the confidentiality threats created by email and IM. • One response is to mandate encryption of all email with sensitive information. • Some organizations prohibit use of freeware IM products and purchase commercial products with security features, including encryption. • Users sending emails must be trained to be very careful about the identity of their addressee. • EXAMPLE: The organization may have two employees named Allen Smith. It’s critical that sensitive information go to the correct Allen Smith.

  19. PRIVACY • In the Trust Services framework, the privacy principle is closely related to the confidentiality principle. • Primary difference is that privacy focuses on protecting personal information about customers rather than organizational data. • Key controls for privacy are the same that were previously listed for confidentiality. [Figure: the five principles of systems reliability, with privacy highlighted]

  20. PRIVACY • COBIT section DS 11 addresses the management of data and specifies the need to comply with regulatory requirements. • A number of regulations, including the Health Insurance Portability and Accountability Act (HIPAA) and the Financial Services Modernization Act (aka, Gramm-Leach-Bliley Act) require organizations to protect the privacy of customer information.

  21. PRIVACY • The Trust Services privacy framework of the AICPA and CICA lists ten internationally recognized best practices for protecting the privacy of customers’ personal information: • Management • The organization establishes a set of procedures and policies for protecting privacy of personal information it collects. • Assigns responsibility and accountability for those policies to a specific person or group.

  22. PRIVACY • Notice • Provides notice about its policies and practices when it collects the information or as soon as practicable thereafter.

  23. PRIVACY • Choice and consent • Describes the choices available to individuals and obtains their consent to the collection and use of their personal information. • Choices may differ across countries. • United States—The default is “opt out,” i.e., organizations can collect personal information about customers unless the customer explicitly objects. • Europe—The default is “opt in,” i.e., they can’t collect the information unless customers explicitly give them permission.

  24. PRIVACY • Collection • The organization collects only that information needed to fulfill the purposes stated in its privacy policies.

  25. PRIVACY • Use and retention • The organization uses its customers’ personal information only according to stated policy and retains that information only as long as needed.

  26. PRIVACY • Access • The organization provides individuals with the ability to access, review, correct, and delete the personal information stored about them.

  27. PRIVACY • Disclosure to third parties • The organization discloses customers’ personal information to third parties only per stated policy and only to third parties who provide equivalent protection.

  28. PRIVACY • Security • The organization takes reasonable steps to protect customers’ personal information from loss or unauthorized disclosure. • Issues that are sometimes overlooked: • Disposal of computer equipment • Should follow the suggestions presented in the section on protecting confidentiality. • Email • If you send emails to a list of recipients, each recipient typically knows who the other recipients are. • If the email regards a private issue, e.g., perhaps it pertains to their AIDS treatment, then the privacy of all recipients has been violated. • One remedy might be to address the recipients on the “bcc” line of the email, rather than as the original addressees. • Release of electronic documents • When physical documents are exchanged, sometimes portions are blacked out (redacted) to protect privacy. • Similar procedures are needed for the exchange of electronic documents.
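Two of the overlooked points on slide 28 in code, as an added example (not from the textbook): building a notice to many recipients so that none of them can see the others, and redacting identifiers from text before an electronic copy leaves the organization. Rather than relying on a “bcc” header that the mail server must remember to strip, the message names only the sender, and the real recipient list is returned separately for the SMTP envelope. The addresses, sample text and redaction patterns are constructed for the example.

```python
"""Added example (not from the textbook): privacy-preserving bulk email and
redaction of identifiers in electronic documents."""
import re
from email.message import EmailMessage


def build_private_notice(sender: str, recipients: list, subject: str, body: str):
    """Return (message, envelope_recipients).

    The message names only the sender in To; the real recipients are returned
    separately so the caller passes them as the SMTP envelope, e.g.
    smtplib.SMTP.send_message(msg, to_addrs=envelope). No Bcc header is ever
    added, so even a server that forgets to strip it cannot leak the list."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = sender            # each recipient sees only the sender's address
    msg["Subject"] = subject
    msg.set_content(body)
    # Envelope recipients: lower-cased, de-duplicated, order preserved.
    seen = set()
    envelope = []
    for addr in recipients:
        key = addr.strip().lower()
        if key and key not in seen:
            seen.add(key)
            envelope.append(key)
    return msg, envelope


# Constructed patterns for identifiers that must not leave in clear text.
REDACTION_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "card": re.compile(r"\b\d{4}(?:[ -]?\d{4}){3}\b"),
}


def redact(text: str, mask: str = "[REDACTED]") -> tuple:
    """Replace every match of the patterns above; returns (text, count).

    The identifier is removed from the document itself, the electronic
    equivalent of blacking out a line: a visual overlay drawn on top of the
    original text would still leave the data inside the file."""
    total = 0
    for pattern in REDACTION_PATTERNS.values():
        text, n = pattern.subn(mask, text)
        total += n
    return text, total


if __name__ == "__main__":
    msg, envelope = build_private_notice(
        "clinic@example.org",                                     # constructed
        ["A@example.com", "b@example.com", "a@example.com"],      # constructed
        "Appointment reminder", "See you Monday.")
    print(msg.as_string())        # shows From/To/Subject only, no recipient list
    print(envelope)               # ['a@example.com', 'b@example.com']
    print(redact("Patient SSN 123-45-6789, contact pat@example.com"))
```

The redaction step is deliberately destructive: a redacted copy is a new document with the data gone, and the original stays under the access controls described in the confidentiality section.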

  29. PRIVACY • Quality • The organization maintains the integrity of its customers’ personal information.

  30. PRIVACY • Monitoring and enforcement • The organization assigns one or more employees to be responsible for assuring and verifying compliance with its stated policies. • Also provides for procedures to respond to customer complaints, including third-party dispute-resolution processes.

  31. PRIVACY • As with confidentiality, encryption and access controls are the two basic mechanisms for protecting consumers’ personal information. • It is common practice to use SSL to encrypt all personal information transmitted between individuals and the organization’s Website. • However, SSL only protects the information in transit. • Consequently, strong authentication controls are needed to restrict Website visitors’ access to individual accounts.

  32. PRIVACY • Organizations should consider encrypting customers’ personal information in storage. • May be economically justified, because some state laws require companies to notify all customers of security incidents. • The notification process is costly but may be waived if the information was encrypted while in storage. • California SB 1386 effectively requires companies to notify all their customers whenever a security incident may have led to the compromise of personally identifiable information.

  33. PRIVACY • Organizations need to train employees on how to manage personal information collected from customers. • Especially important for medical and financial information. • Intentional misuse or unauthorized disclosure can have serious economic consequences, including: • Drop in stock price • Significant lawsuits • Government suspension of the organization’s business activity

  34. PRIVACY • One topic of concern is cookies used on Web sites. • A cookie is a text file created by a Website and stored on a visitor’s hard drive. It records what the visitor has done on the site. • Most Websites create multiple cookies per visit to make it easier for visitors to navigate the site. • Browsers can be configured to refuse cookies, but doing so may make the Website inaccessible. • Cookies are text files and cannot “do” anything other than store information, but many people worry that they violate privacy rights.

  35. PRIVACY • Another privacy-related issue that is of growing concern is identity theft. • Organizations have an ethical and moral obligation to implement controls to protect databases that contain their customers’ personal information.

  36. PRIVACY • Steps that individuals can take to minimize the risk of becoming a victim of identity theft include: • Shred all documents that contain personal information, especially unsolicited credit card offers. Cross-cut shredders are more effective. • Never send personally identifying information in unencrypted email. • Beware of email, phone, and print requests to “verify” personal information that the requesting party should already possess. • Credit card companies won’t ask for your security code. • The IRS won’t email you for identifying information in response to an audit.

  37. PRIVACY • Do not carry your social security card with you or comply with requests to reveal the last 4 digits. • Limit the amount of identifying information preprinted on checks and consider eliminating it. • Do not place outgoing mail with checks or personal information in your mailbox for pickup. • Don’t carry more than a few blank checks with you. • Use special software to thoroughly clean any digital media before disposal, or physically destroy the media. It is especially important to thoroughly erase or destroy hard drives before donating or disposing of equipment.

  38. PRIVACY • Monitor your credit reports regularly. • File a police report as soon as you discover that your purse or wallet was stolen. • Make photocopies of driver’s licenses, passports, and credit cards. Store them with phone numbers for all the credit cards in a safe location to facilitate notifying authorities if they are stolen. • Immediately cancel any lost or stolen credit cards.

  39. PRIVACY • A related concern involves the overwhelming volume of spam. • Spam is unsolicited email that contains either advertising or offensive content. • Reduces the efficiency benefits of email. • Is a source of many viruses, worms, spyware, and other malicious content.

  40. PRIVACY • In 2003, the U.S. Congress passed the Controlling the Assault of Non-Solicited Pornography and Marketing (CAN-SPAM) Act. • Provides criminal and civil penalties for violation of the law. • Applies to commercial email, which is any email with a primary purpose of advertising or promotion. • Covers most legitimate email sent by organizations to customers, suppliers, or donors to non-profits.

  41. PRIVACY • Consequently, organizations must carefully follow the CAN-SPAM guidelines, which include: • The sender’s identity must be clearly displayed in the message header.

  42. PRIVACY • The subject field in the header must clearly identify the message as an advertisement or solicitation.

  43. PRIVACY • The body must provide recipients with a working link that can be used to “opt out” of future email. • Organizations have 10 days after receipt of an “opt out” request to ensure they do not send additional unsolicited email to that address. • Means someone must be assigned responsibility for processing these requests.

  44. PRIVACY • The body must include the sender’s valid postal address. • Best practice (not required) would be to provide full street address, telephone, and fax numbers.

  45. PRIVACY • Organizations should not: • Send email to randomly generated addresses. • Set up Websites designed to harvest email addresses of potential customers. • Experts recommend that organizations redesign their own Websites to include a visible means for visitors to “opt in” to receive email.
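The opt-out requirement from slide 43 as an added example (not from the textbook): a suppression list that blocks an address from the moment its request is logged, and separately reports any request that is still unprocessed after the 10-day deadline, since the slide notes that someone must own that processing step. The addresses and dates are constructed for the example.

```python
"""Added example (not from the textbook): an opt-out suppression list with a
10-day processing deadline, as described on slide 43."""
from datetime import datetime, timedelta, timezone

OPT_OUT_DEADLINE = timedelta(days=10)   # the 10 days stated on slide 43


def utc(year: int, month: int, day: int) -> datetime:
    """Timezone-aware date helper so deadlines do not depend on local time."""
    return datetime(year, month, day, tzinfo=timezone.utc)


def normalize(address: str) -> str:
    return address.strip().lower()


class SuppressionList:
    def __init__(self):
        # address -> {"requested": datetime, "processed": datetime | None}
        self._requests = {}

    def record_opt_out(self, address: str, when: datetime) -> None:
        """Log the request; the address is blocked from this moment on.
        A repeated request keeps the earliest date so the deadline cannot
        be pushed back by re-submitting."""
        key = normalize(address)
        if key not in self._requests:
            self._requests[key] = {"requested": when, "processed": None}

    def mark_processed(self, address: str, when: datetime) -> None:
        """Record that the address was removed from every mailing list."""
        self._requests[normalize(address)]["processed"] = when

    def may_send(self, address: str) -> bool:
        """Commercial email may go only to addresses with no opt-out on file."""
        return normalize(address) not in self._requests

    def filter_recipients(self, recipients) -> list:
        """Drop suppressed addresses from an outbound list before sending."""
        return [r for r in recipients if self.may_send(r)]

    def overdue(self, now: datetime) -> list:
        """Requests older than the deadline that nobody has processed yet."""
        return sorted(
            addr for addr, rec in self._requests.items()
            if rec["processed"] is None and now - rec["requested"] > OPT_OUT_DEADLINE
        )


if __name__ == "__main__":
    sl = SuppressionList()
    sl.record_opt_out("Alice@Example.com", utc(2024, 3, 1))   # constructed request
    sl.record_opt_out("bob@example.com", utc(2024, 3, 6))     # constructed request
    sl.mark_processed("bob@example.com", utc(2024, 3, 7))
    print(sl.filter_recipients(["alice@example.com", "carol@example.com", "BOB@example.com"]))
    print(sl.overdue(utc(2024, 3, 12)))   # ['alice@example.com']
```

Blocking sends immediately, rather than waiting until day 10, keeps the deadline as a worst-case backstop for the manual processing step instead of a window in which mail is still allowed.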

  46. PROCESSING INTEGRITY • COBIT control objective DS 11.1 addresses the need for controls over the input, processing, and output of data. • Identifies six categories of controls that can be used to satisfy that objective. • Six categories are grouped into three for discussion. [Figure: the five principles of systems reliability, with processing integrity highlighted]

  47. PROCESSING INTEGRITY • Three categories/groups of integrity controls are designed to meet the preceding objectives: • Input controls • Processing controls • Output controls


  49. PROCESSING INTEGRITY • Input Controls • If the data entered into a system is inaccurate or incomplete, the output will be, too. (Garbage in, garbage out.) • Companies must establish control procedures to ensure that all source documents are authorized, accurate, complete, properly accounted for, and entered into the system or sent to their intended destination in a timely manner.

  50. PROCESSING INTEGRITY • The following input controls regulate integrity of input: • Forms design • Source documents and other forms should be designed to help ensure that errors and omissions are minimized (Chapter 18).
