Chapter 9: Information Systems Controls for System Reliability— Part 2: Confidentiality and Privacy

Chapter 9Information Systems Controls for System Reliability— Part 2: Confidentiality and PrivacyCopyright © 2012 Pearson Education9-1Learning ObjectivesIdentify and explain controls designed to protect the confidentiality of sensitive corporate information.Identify and explain controls designed to protect the privacy of customers’ personal information.Explain how the two basic types of encryption systems work.Copyright © 2012 Pearson Education9-2Trust Services FrameworkSecurity (Chapter 8)Access to the system and its data is controlled and restricted to legitimate users.Confidentiality (Chapter 8)Sensitive organizational information (e.g., marketing plans, trade secrets) is protected from unauthorized disclosure.PrivacyPersonal information about customers is collected, used, disclosed, and maintained only in compliance with internal policies and external regulatory requirements and is protected from unauthorized disclosure. Processing Integrity (Chapter 10)Data are processed accurately, completely, in a timely manner, and only with proper authorization.Availability (Chapter 10)System and its information are available to meet operational and contractual obligations.Copyright © 2012 Pearson Education9-3Intellectual Property (IP)Strategic plansTrade secretsCost informationLegal documentsProcess improvementsAll need to be securedCopyright © 2012 Pearson Education9-4Steps in Securing IPCopyright © 2012 Pearson Education9-5Where is the information, who has access to it?Classify value of informationThe process of obscuring information to make it unreadable without special knowledge, key files, or passwords.Information rights management: control who can read, write, copy , delete, or download information.Most important! Employees need to know what can or can’t be read, written, copied, deleted, or downloadedPrivacyDeals with protecting customer information vs. internal company informationSame controlsIdentification and classificationEncryptionAccess controlTrainingCopyright © 2012 Pearson Education9-6Privacy ConcernsSPAMUnsolicited e-mail that contains either advertising or offensive contentCAN-SPAM (2003)Criminal and civil penalties for spammingIdentity TheftThe unauthorized use of someone’s personal information for the perpetrator’s benefit.Companies have access to and thus must control customer’s personal information.Copyright © 2012 Pearson Education9-7Privacy Regulatory ActsHealth Insurance Portability and Accountability Act (HIPAA)Health Information Technology for Economic and Clinical Health Act (HITECH)Financial Services Modernization ActCopyright © 2012 Pearson Education9-8Generally Accepted Privacy PrinciplesManagementProcedures and policiesAssignment of responsibilityNoticeTo customers of policiesChoice and ConsentAllow customers consent over information provided, storedCollectionOnly what is necessary and stated in policyUse and RetentionBased on policy and only for as long as needed for the businessAccessCustomers should be capable of reviewing, editing, deleting informationDisclosure to 3rd PartiesBased on policy and only if 3rd party has same privacy policy standardSecurityProtection of personal informationQualityAllow customer reviewInformation needs to be reasonably accurateMonitor and EnforceEnsure compliance with policyCopyright © 2012 Pearson Education9-9EncryptionPreventive controlProcess of transforming normal content, called plaintext, into unreadable gibberishDecryption reverses this processCopyright © 2012 Pearson Education9-10Encryption StrengthKey lengthNumber of bits (characters) used to convert text into blocks256 is commonAlgorithmManner in which key and text is combined to create scrambled textPolicies concerning encryption keysStored securely with strong access codesCopyright © 2012 Pearson Education9-11Types of EncryptionSymmetricOne key used to both encrypt and decryptPro: fastCon: vulnerableAsymmetricDifferent key used to encrypt than to decryptPro: very secureCon: very slowHybrid SolutionUse symmetric for encrypting informationUse asymmetric for encrypting symmetric key for decryptionCopyright © 2012 Pearson Education9-12HashingConverts information into a “hashed” code of fixed length.The code can not be converted back to the text.If any change is made to the information the hash code will change, thus enabling verification of information.Copyright © 2012 Pearson Education9-13Digital SignatureHash of a documentUsing document creators keyProvides proof:That document has not been alteredOf the creator of the documentCopyright © 2012 Pearson Education9-14Digital CertificateElectronic document that contains an entity’s public keyCertifies the identity of the owner of that particular public keyIssued by Certificate AuthorityCopyright © 2012 Pearson Education9-15Virtual Private Network (VPN)Private communication channels, often referred to as tunnels, which are accessible only to those parties possessing the appropriate encryption and decryption keys.Copyright © 2012 Pearson Education9-16