Confidentiality and Privacy Controls

Chapter 9

Copyright © 2015 Pearson Education, Inc.
Learning Objectives
• Identify and explain controls designed to protect the confidentiality of sensitive information.
• Identify and explain controls designed to protect the privacy of customers' personal information.
• Explain how the two basic types of encryption systems work.

Protecting Confidentiality and Privacy of Sensitive Information
• Identify and classify the information to protect
▫ Where is it located and who has access?
▫ Classify the value of the information to the organization
• Encryption
▫ Protect information in transit and in storage
• Access controls
▫ Controlling outgoing information (confidentiality)
▫ Digital watermarks (confidentiality)
▫ Data masking (privacy)
• Training
Generally Accepted Privacy Principles
• Management
▫ Procedures and policies with assigned responsibility and accountability
• Notice
▫ Provide notice of privacy policies and practices prior to collecting data
• Choice and consent
▫ Opt-in versus opt-out approaches
• Collection
▫ Only collect needed information
• Use and retention
▫ Use information only for the stated business purpose
• Access
▫ Customers should be able to review, correct, or delete information collected on them
• Disclosure to third parties
• Security
▫ Protect from loss or unauthorized access
• Quality
• Monitoring and enforcement
▫ Procedures for responding to complaints
▫ Compliance

Encryption

• Preventive control

• Factors that influence encryption strength:
▫ Key length (longer is stronger, for a given algorithm)
▫ Algorithm (a longer key does not rescue a weak or broken algorithm)
▫ Key management policies
 Keys stored securely, separately from the data they protect

Encryption Steps
• Sender: takes plaintext and, using an encryption key and an algorithm, converts it to unreadable ciphertext.
• Receiver: uses the decryption key (the same key in a symmetric system, the matching private key in an asymmetric one) to reverse the process and make the information readable again.

Types of Encryption

Symmetric
• Uses one key to encrypt and decrypt
• Both parties need to know the key
▫ Need to securely communicate the shared key
▫ A key cannot be shared with multiple parties: each trading partner gets its own (different) key from the organization

Asymmetric
• Uses two keys
▫ Public: everyone has access
▫ Private: used to decrypt (known only to you)
▫ The one public key can be used by all your trading partners
• Can create digital signatures (signed with the private key, verified by anyone holding the public key)

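The two encryption slides above are easier to compare in working code. The following Go program is an added example, not part of the textbook or its slides, and uses only the Go standard library: AES-256-GCM stands in for the symmetric system (one key both encrypts and decrypts, so it must already be shared), and RSA-OAEP plus Ed25519 stand in for the asymmetric system (the receiver's public key wraps a fresh symmetric key for each message, and the sender's private key produces a digital signature). The party names, the purchase-order text, the key sizes and the choice of algorithms are assumptions made for the demo.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// genKeys makes a party's RSA pair (for receiving wrapped keys) and Ed25519 pair (for signing).
func genKeys() (*rsa.PrivateKey, ed25519.PublicKey, ed25519.PrivateKey) {
	r, err1 := rsa.GenerateKey(rand.Reader, 2048)
	pub, priv, err2 := ed25519.GenerateKey(rand.Reader)
	if err1 != nil || err2 != nil {
		panic("key generation failed")
	}
	return r, pub, priv
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Symmetric system: one AES-256-GCM key both encrypts and decrypts; a fresh random nonce is prepended.
func symEncrypt(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// symDecrypt needs the same key; GCM's tag makes it fail, not return garbage, on a wrong key or altered data.
func symDecrypt(key, sealed []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}

type Message struct {
	WrappedKey []byte // per-message AES key, encrypted with the receiver's RSA public key
	Ciphertext []byte // nonce || AES-GCM output
	Signature  []byte // sender's Ed25519 signature over WrappedKey || Ciphertext
}
// send: anyone with the receiver's public key can wrap a fresh AES key that only the receiver's private key unwraps; the sender's private key signs the result.
func send(plaintext []byte, receiverPub *rsa.PublicKey, senderPriv ed25519.PrivateKey) (*Message, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	ct, err := symEncrypt(key, plaintext)
	if err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, receiverPub, key, nil)
	if err != nil {
		return nil, err
	}
	signed := append(append([]byte{}, wrapped...), ct...)
	return &Message{wrapped, ct, ed25519.Sign(senderPriv, signed)}, nil
}

// receive verifies the signature first, then unwraps the AES key, then decrypts.
func receive(m *Message, receiverPriv *rsa.PrivateKey, senderPub ed25519.PublicKey) ([]byte, error) {
	signed := append(append([]byte{}, m.WrappedKey...), m.Ciphertext...)
	if !ed25519.Verify(senderPub, signed, m.Signature) {
		return nil, errors.New("signature check failed: altered in transit or not from this sender")
	}
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, receiverPriv, m.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	return symDecrypt(key, m.Ciphertext)
}

func main() {
	bobRSA, _, _ := genKeys()           // receiver: only the private half unwraps the key
	_, alicePub, alicePriv := genKeys() // sender: private half signs, public half is published
	msg, _ := send([]byte("PO 4471: ship 120 units"), &bobRSA.PublicKey, alicePriv)
	pt, err := receive(msg, bobRSA, alicePub)
	fmt.Printf("received %q, err=%v\n", pt, err)
}
```

Run it with `go run`. The receiver's RSA private key never leaves the receiver, so any number of trading partners can wrap keys with the same public key; that is exactly the key-distribution problem a symmetric-only scheme has. Note the order in `receive`: the signature is verified before any private-key operation or decryption is attempted, so altered or unsigned input is rejected as early as possible.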
Virtual Private Network

• Securely transmits encrypted data between sender and receiver over a shared network
▫ Sender and receiver have the appropriate encryption and decryption keys.

Key Terms
• Information rights management (IRM)
• Data loss prevention (DLP)
• Digital watermark
• Data masking
• Spam
• Identity theft
• Cookie
• Encryption
• Plaintext
• Ciphertext
• Decryption
• Symmetric encryption systems
• Asymmetric encryption systems
• Public key
• Private key
• Key escrow
• Hashing
• Hash
• Nonrepudiation
• Digital signature
• Digital certificate
• Certificate authority
• Public key infrastructure (PKI)
• Virtual private network (VPN)
Processing Integrity and Availability Controls

Chapter 10

Learning Objectives

• Identify and explain controls designed to ensure processing integrity.
• Identify and explain controls designed to ensure systems availability.

Processing Integrity Controls

• Input
▫ Forms design
 Sequentially prenumbered
▫ Turnaround documents

Processing Integrity: Data Entry Controls

• Field check
▫ Characters in a field are of the proper type
• Sign check
▫ Data in a field has the appropriate sign (positive/negative)
• Limit check
▫ Tests a numerical amount against a fixed value
• Range check
▫ Tests a numerical amount against lower and upper limits
• Size check
▫ Input data fits into the field
• Completeness check
▫ Verifies that all required data is entered
• Validity check
▫ Compares data from the transaction file to that of the master file to verify existence
• Reasonableness test
▫ Correctness of the logical relationship between two data items
• Check digit verification
▫ Recalculating the check digit to verify that a data entry error has not been made
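Each control on the slide above is a one-line test once the record has a concrete shape. The following Go program is an added example, not from the textbook: it applies every check to a constructed sales transaction record and reports which ones fail. The master file, the credit limit, the customer ID size and the price range are all invented for the demo, and the account number is assumed to carry a Luhn (mod 10) check digit, since the slide does not name an algorithm.

```go
package main

import (
	"fmt"
	"unicode"
)

// SalesTxn is a constructed transaction-file record. Money is kept in cents
// so the reasonableness test can compare quantity x price with amount exactly.
type SalesTxn struct {
	CustomerID     string
	AccountNo      string // assumed to carry a Luhn (mod 10) check digit; the slide names no algorithm
	Quantity       int
	UnitPriceCents int
	AmountCents    int
}

// Constructed master file and policy limits used by the validity, size, range and limit checks.
var masterCustomers = map[string]bool{"C1001": true, "C1002": true}

const (
	customerIDSize   = 5
	creditLimitCents = 1_000_000 // no single sale above $10,000
	minPriceCents    = 1
	maxPriceCents    = 99_999
)

// luhnValid recalculates the mod-10 check digit over the whole number; it catches
// any single mistyped digit and most transpositions of adjacent digits.
func luhnValid(s string) bool {
	sum, double := 0, false
	for i := len(s) - 1; i >= 0; i-- {
		if s[i] < '0' || s[i] > '9' {
			return false
		}
		d := int(s[i] - '0')
		if double {
			d *= 2
			if d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return len(s) > 1 && sum%10 == 0
}

func allDigits(s string) bool {
	for _, r := range s {
		if !unicode.IsDigit(r) {
			return false
		}
	}
	return s != ""
}

// failedControls runs the slide's data entry controls over one record and
// returns the names of the ones it fails; an empty result means the record passes.
func failedControls(t SalesTxn) []string {
	var failed []string
	if t.CustomerID == "" || t.AccountNo == "" { // completeness check
		failed = append(failed, "completeness")
	}
	if !allDigits(t.AccountNo) { // field check: account number must be numeric
		failed = append(failed, "field")
	}
	if len(t.CustomerID) > customerIDSize { // size check
		failed = append(failed, "size")
	}
	if t.Quantity < 0 { // sign check
		failed = append(failed, "sign")
	}
	if t.UnitPriceCents < minPriceCents || t.UnitPriceCents > maxPriceCents { // range check
		failed = append(failed, "range")
	}
	if t.AmountCents > creditLimitCents { // limit check
		failed = append(failed, "limit")
	}
	if !masterCustomers[t.CustomerID] { // validity check: customer must exist in the master file
		failed = append(failed, "validity")
	}
	if t.Quantity*t.UnitPriceCents != t.AmountCents { // reasonableness test
		failed = append(failed, "reasonableness")
	}
	if !luhnValid(t.AccountNo) { // check digit verification
		failed = append(failed, "checkdigit")
	}
	return failed
}

func main() {
	good := SalesTxn{"C1001", "79927398713", 3, 1999, 5997}
	bad := SalesTxn{"C1003", "79927398731", -3, 1999, 5997} // unknown customer, transposed digits, negative quantity
	fmt.Println("good:", failedControls(good))
	fmt.Println("bad:", failedControls(bad))
}
```

The bad record fails the sign check, the validity check, the reasonableness test (a negative quantity times the price no longer equals the amount) and the check digit verification, because swapping the last two digits of the account number changes its Luhn sum. Keeping money in integer cents rather than floating point is what lets the reasonableness test use exact equality.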
Additional Data Entry Controls

• Batch processing
▫ Sequence check
 Test that batch data is in the proper numerical or alphabetical sequence
▫ Batch totals
 Summarize numeric values for a batch of input records
 Financial total
 Hash total
 Record count
• Prompting
▫ System prompts you for input (online completeness check)
• Closed-loop verification
▫ Checks the accuracy of input data by using it to retrieve and display other related information (e.g., the customer account number retrieves the customer name)

Processing Controls

• Data matching
▫ Two or more items must be matched before an action takes place
• File labels
▫ Ensure the correct and most up-to-date file is used
• Recalculation of batch totals
• Cross-footing
▫ Verifies accuracy by comparing two alternative ways of calculating the same total
• Zero-balance tests
▫ For control accounts (e.g., payroll clearing)
• Write-protection mechanisms
▫ Protect against overwriting or erasing data
• Concurrent update controls
▫ Prevent the error of two or more users updating the same record at the same time
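The batch controls from the previous slide (sequence check, financial total, hash total, record count) and the recalculation and cross-footing controls from this one all work the same way: totals computed when the batch was prepared are recomputed after data entry and compared. The following Go program is an added example, not from the textbook, that does this over a constructed payroll batch; the employee numbers and amounts are invented, and the trailer record is the author's own layout for the control totals.

```go
package main

import "fmt"

// PayrollRec is one record of a constructed payroll batch. EmployeeNo is a
// non-financial field: its sum is a hash total, meaningless except as a control.
type PayrollRec struct {
	Seq         int // sequence number assigned when the batch was prepared
	EmployeeNo  int
	GrossCents  int
	DeductCents int
	NetCents    int
}

// Trailer carries the control totals the preparing department computed.
type Trailer struct {
	RecordCount    int
	FinancialTotal int // sum of NetCents
	HashTotal      int // sum of EmployeeNo
}

func computeTrailer(batch []PayrollRec) Trailer {
	var t Trailer
	for _, r := range batch {
		t.RecordCount++
		t.FinancialTotal += r.NetCents
		t.HashTotal += r.EmployeeNo
	}
	return t
}

// sequenceOK checks that records are in strictly ascending Seq order.
func sequenceOK(batch []PayrollRec) bool {
	for i := 1; i < len(batch); i++ {
		if batch[i].Seq <= batch[i-1].Seq {
			return false
		}
	}
	return true
}

// crossFootOK computes the batch's net total two ways (the net column versus
// gross minus deductions) and also checks that each row foots on its own.
func crossFootOK(batch []PayrollRec) bool {
	var gross, deduct, net int
	for _, r := range batch {
		if r.GrossCents-r.DeductCents != r.NetCents {
			return false
		}
		gross += r.GrossCents
		deduct += r.DeductCents
		net += r.NetCents
	}
	return gross-deduct == net
}

// batchControls reruns every control after data entry and returns the names of the ones that fail.
func batchControls(batch []PayrollRec, expected Trailer) []string {
	var failed []string
	got := computeTrailer(batch)
	if !sequenceOK(batch) {
		failed = append(failed, "sequence")
	}
	if got.RecordCount != expected.RecordCount {
		failed = append(failed, "record count")
	}
	if got.FinancialTotal != expected.FinancialTotal {
		failed = append(failed, "financial total")
	}
	if got.HashTotal != expected.HashTotal {
		failed = append(failed, "hash total")
	}
	if !crossFootOK(batch) {
		failed = append(failed, "cross-footing")
	}
	return failed
}

// Constructed batch as prepared, with its trailer computed at preparation time.
var prepared = []PayrollRec{
	{1, 1042, 300000, 60000, 240000},
	{2, 1057, 250000, 50000, 200000},
	{3, 1063, 410000, 90000, 320000},
}
var preparedTrailer = computeTrailer(prepared)

func main() {
	keyed := append([]PayrollRec{}, prepared...)
	keyed[1].EmployeeNo = 1075 // mistyped employee number: money is unaffected, only the hash total catches it
	fmt.Println("mistyped employee number:", batchControls(keyed, preparedTrailer))
	keyed = append([]PayrollRec{}, prepared...)
	keyed[0].NetCents = 204000 // transposed net amount: financial total and cross-footing both catch it
	fmt.Println("transposed net amount:   ", batchControls(keyed, preparedTrailer))
	fmt.Println("record dropped:          ", batchControls(prepared[:2], preparedTrailer))
}
```

The three scenarios in `main` show why the controls are used together: a mistyped employee number leaves every financial figure intact and is caught only by the hash total; a transposed net amount is caught by the financial total and by cross-footing; a dropped record is caught by the record count. Reordering the records changes no total at all, which is what the sequence check is for.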
Output Controls

• User review of output
• Reconciliation
▫ Procedures to reconcile to control reports (e.g., the general ledger A/R account reconciled to the Accounts Receivable subsidiary ledger)
▫ External data reconciliation
• Data transmission controls

Availability Controls
• Preventive maintenance
• Fault tolerance
▫ Use of redundant components
• Data center location and design
▫ Raised floor
▫ Fire suppression
▫ Air conditioning
▫ Uninterruptible power supply (UPS)
▫ Surge protection
• Patch management and antivirus software
• Backup procedures
▫ Incremental backup
 Copies only items that have changed since the last backup (full or incremental)
▫ Differential backup
 Copies all changes made since the last full backup
• Disaster recovery plan (DRP)
▫ Procedures to restore the organization's IT function
 Cold site
 Hot site
• Business continuity plan (BCP)
▫ How to resume all operations, not just IT
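The difference between incremental and differential backups is a question of which earlier run each one measures change against, and it decides how many backups a restore has to replay. The following Go program is an added example, not from the textbook: it picks the files each kind of run would copy and lists the restore chain, over a constructed week of backups (a full backup on Sunday, daily runs afterwards, two files edited during the week). The file names, timestamps and the assumption that a history uses one strategy between full backups are all the author's own.

```go
package main

import (
	"fmt"
	"sort"
	"time"
)

// Backup is one completed backup run; Kind is "full", "incremental" or "differential".
// A history is assumed to be in chronological order and to use one strategy
// (all incremental or all differential) between full backups.
type Backup struct {
	Kind string
	At   time.Time
}

// File is a constructed file-system entry with its last-modified time.
type File struct {
	Name     string
	Modified time.Time
}

// selectFiles decides what the next run of the given kind copies:
//   full         - everything
//   incremental  - files changed since the last backup of any kind
//   differential - files changed since the last full backup
func selectFiles(kind string, files []File, history []Backup) []string {
	var since time.Time // zero value: no previous backup, so copy everything
	for _, b := range history {
		if kind == "incremental" || (kind == "differential" && b.Kind == "full") {
			if b.At.After(since) {
				since = b.At
			}
		}
	}
	var out []string
	for _, f := range files {
		if kind == "full" || f.Modified.After(since) {
			out = append(out, f.Name)
		}
	}
	sort.Strings(out)
	return out
}

// restoreChain lists the backups a restore must apply, in order: the last full,
// then every incremental after it, or only the latest differential after it.
// A longer chain means a longer restore and therefore a longer recovery time.
func restoreChain(history []Backup) []Backup {
	lastFull := -1
	for i, b := range history {
		if b.Kind == "full" {
			lastFull = i
		}
	}
	if lastFull < 0 {
		return nil // nothing to restore from
	}
	chain := []Backup{history[lastFull]}
	latestDiff := -1
	for i := lastFull + 1; i < len(history); i++ {
		switch history[i].Kind {
		case "incremental":
			chain = append(chain, history[i])
		case "differential":
			latestDiff = i
		}
	}
	if latestDiff >= 0 {
		chain = append(chain, history[latestDiff])
	}
	return chain
}

// day returns 02:00 UTC on the n-th day after Sunday 3 March 2024 (constructed backup window).
func day(n int) time.Time { return time.Date(2024, 3, 3+n, 2, 0, 0, 0, time.UTC) }

// Constructed data: a full backup Sunday, then daily runs; two files edited during the week.
var (
	files = []File{
		{"ledger.db", day(0).Add(-time.Hour)},  // unchanged since before the full backup
		{"ar.csv", day(1).Add(12 * time.Hour)}, // edited Monday afternoon
		{"ap.csv", day(2).Add(12 * time.Hour)}, // edited Tuesday afternoon
	}
	incHistory  = []Backup{{"full", day(0)}, {"incremental", day(1)}, {"incremental", day(2)}}
	diffHistory = []Backup{{"full", day(0)}, {"differential", day(1)}, {"differential", day(2)}}
)

func main() {
	fmt.Println("Wednesday incremental copies: ", selectFiles("incremental", files, incHistory))
	fmt.Println("Wednesday differential copies:", selectFiles("differential", files, diffHistory))
	fmt.Println("restore chain, incremental:   ", len(restoreChain(incHistory)), "backups")
	fmt.Println("restore chain, differential:  ", len(restoreChain(diffHistory)), "backups")
}
```

On Wednesday the incremental run copies only `ap.csv` (changed since Tuesday's run), while the differential run copies both `ar.csv` and `ap.csv` (everything changed since Sunday's full). The trade-off is on the restore side: the incremental history needs the full plus both incrementals replayed in order, the differential history needs the full plus only the latest differential.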
Key Terms

• Turnaround document
• Field check
• Sign check
• Limit check
• Range check
• Size check
• Completeness check
• Validity check
• Reasonableness test
• Check digit
• Check digit verification
• Sequence check
• Batch totals
• Financial total
• Hash total
• Record count
• Prompting
• Closed-loop verification
• Header record
• Trailer record
• Transposition error
• Cross-footing balance test
• Zero-balance test
Key Terms (continued)

• Concurrent update controls
• Checksum
• Parity bit
• Parity checking
• Fault tolerance
• Redundant arrays of independent drives (RAID)
• Uninterruptible power supply (UPS)
• Backup
• Recovery point objective (RPO)
• Recovery time objective (RTO)
• Real-time mirroring
• Full backup
• Incremental backup
• Differential backup
• Archive
• Disaster recovery plan (DRP)
• Cold site
• Hot site
• Business continuity plan (BCP)

