INFORMATION SYSTEMS CONTROLS FOR SYSTEMS RELIABILITY PART II: CONFIDENTIALITY, PRIVACY, PROCESSING I

1
INFORMATION SYSTEMS CONTROLS FOR SYSTEMS
RELIABILITY PART IICONFIDENTIALITY, PRIVACY,
PROCESSING INTEGRITY, AND AVAILABILITY

• Chapter 8

2
Review
SYSTEMS RELIABILITY
CONFIDENTIALITY
PRIVACY
PROCESSING INTEGRITY
AVAILABILITY
SECURITY
3
Confidentiality

• Confidential information includes sensitive data
  produced internally as well as that shared by
  business partners
• Typically will include information from
• Business plans
• Pricing strategies
• Client and customer lists
• Legal documents

4
Confidentiality

• Key controls to protect confidentiality

5
Confidentiality

• Virtual private network (VPN)
• Provides the functionality of a privately owned
  network
• Creates tunnels
• Accessible only to parties who have the
  appropriate encryption and decryption keys
• Cost of the VPN software is much less than costs
  of leasing or buying a privately-owned, secure
  communications network

6
Confidentiality

• Access to system outputs
• No unsupervised visitors
• Require employees to log out of any applications
• Workstations should use password-protected screen
  savers
• Access should be restricted to rooms housing
  printers and fax machines
• Reports should be coded to reflect the importance
  of the information

7
Confidentiality

• Information stored on magnet and optical media
• Super-erase utilities
• Demagnetize disks
• Physically destroy disks

8
Confidentiality

• Voice-over-the-Internet (VoIP) technology
• Makes wiretapping much easier
• Email and instant messaging (IM)
• Mandate encryption of all email with sensitive
  information

9
Privacy

• The Trust Services privacy framework of the AICPA
  and CICA lists ten internationally recognized
  best practices for protecting the privacy of
  customers personal information
• Management
• Notice
• Choice and consent
• Collection
• Use and retention
• Access
• Disclosure to Third Parties
• Security
• Quality
• Monitoring and enforcement

10
Privacy

• Encryption and access controls
• SSL
• Strong authentication controls are also needed

11
Privacy

• Cookies
• Text file created by a website and stored on a
  visitors hard drive that records what the
  visitor has done on that site
• Cannot do anything other store information
• Spam
• Unsolicited email that contains either
  advertising or offensive content
• Source of many viruses, worms, spyware, and other
  malicious content

12
Privacy

• CAN-SPAM guidelines
• The senders identity must be clearly displayed
  in the message header.
• The subject field in the header must clearly
  identify the message as an advertisement or
  solicitation.
• The body must provide recipients with a working
  link that can be used to opt out of future
  email.
• The body must include the senders valid postal
  address.
• Organizations should not
• Send email to randomly generated addresses.
• Set up websites designed to harvest email
  addresses of potential customers.

13
Privacy

• Identity theft
• Shred all documents that contain personal
  information
• Never send personally identifying information in
  unencrypted email
• Beware of email, phone, and print requests to
  verify personal information
• Do not carry your social security card with you
• Limit the amount of identifying information
  preprinted on checks
• Do not place outgoing mail with checks or
  personal information in your mailbox for pickup
• Dont carry more than a few blank checks with
  you.
• Use special software to thoroughly clean any
  digital media before disposal, or physically
  destroy the media
• Monitor your credit reports regularly
• File a police report as soon as you discover that
  your purse/ wallet was stolen.
• Make photocopies of drivers licenses, passports,
  and credit cards. Store them with phone numbers
  for all the credit cards in a safe location
• Immediately cancel any lost or stolen credit cards

14
Processing Integrity

• Reliability implies information is
• Accurate
• Timely
• Authorized
• Complete
• Integrity controls that meet these objectives
• Source data controls
• Data entry controls
• Processing controls
• Data transmission controls
• Output controls

15
Processing Integrity

• Source data controls
• Forms design
• Pre-numbered forms sequence test
• Turnaround documents
• Cancellation and storage of documents
• Authorization and segregation of duties
• Visual scanning
• Check digit verification
• RFID security

16
Processing Integrity

• Data entry controls
• Field check
• Sign check
• Limit check
• Range check
• Size (or capacity) check
• Completeness check
• Validity check
• Reasonableness test

17
Processing Integrity

• Additional Batch Processing Data Entry Controls
• Sequence check
• Error log
• Batch totals

18
Processing Integrity

• Additional online data entry controls
• Automatic entry of data
• Prompting
• Pre-formatting
• Closed-loop verification
• Transaction logs
• Error messages

19
Processing Integrity

• Processing Controls
• Data matching
• File labels
• Recalculation of batch totals
• Cross-footing balance test
• Write-protection mechanisms
• Database processing integrity procedures
• Data conversion controls

20
Processing Integrity

• Data Transmission Controls
• Parity checking
• Message acknowledgment techniques
• Echo check
• Trailer record
• Numbered batches

21
Processing Integrity

• Output Controls
• User review of output
• Reconciliation procedures
• External data reconciliation

22
Availability

• Minimizing Risk of System Downtime
• Physical and logical access controls
• Preventive maintenance
• Use of redundant components
• Surge protection devices
• Uninterruptible power supply (UPS)

23
Availability

• Proper location and design of rooms housing
  mission-critical servers and databases
• Training
• Anti-virus software
• New software and disks, CDs, or DVDs should be
  scanned and tested first on a machine that is
  isolated from the main network

24
Availability

• Disaster Recovery and Business Continuity
  Planning
• Minimize the extent of the disruption, damage,
  and loss
• Temporarily establish an alternative means of
  processing information
• Resume normal operations as soon as possible
• Train and familiarize personnel with emergency
  operations

25
Availability

• Key components of effective disaster recovery and
  business continuity plans
• Data backup procedures
• Provisions for access to replacement
  infrastructure (equipment, facilities, phone
  lines, etc.)
• Thorough documentation
• Periodic testing
• Adequate insurance

26
Availability

• Data Backup Procedures
• Full backup -- an exact copy of the data recorded
  on another physical media (tape, magnetic disk,
  CD, DVD, etc.)
• Two types of partial backups
• Incremental backup
• Differential backup

27
Availability

• Infrastructure Replacement Options
• Reciprocal agreements
• Cold sites
• Hot sites

28
Availability

• Thorough documentation
• Includes
• Disaster recovery plan
• Assignment of responsibility
• Vendor documentation of hardware and software
• Documentation of modifications made to the
  default configuration
• Detailed operating instructions.

29
Availability

• Periodic testing
• Plans should be tested on at least an annual
  basis
• Plan documentation needs to be updated to reflect
  any changes

30
Availability

• Adequate insurance
• Defray part or all of the expenses

31
Change Management Controls

• All change requests should be documented in a
  standard format that identifies
• Nature of the change
• Reason for the change
• Date of the request
• All changes should be approved by appropriate
  levels of management
• Changes should be thoroughly tested prior to
  implementation
• All documentation should be updated to reflect
  authorized changes to the system
• Emergency changes or deviations from policy
  must be documented, reviewed and approved
• Backout plans should be developed
• User rights and privileges should be carefully
  monitored

32
Change Management Controls

• Adequate monitoring and review by top management
• Objective Be sure the system continues to
  effectively support the organizations strategy.

33
Summary

• We have
• Defined the controls used to protect the
  confidentiality of sensitive information
• Defined the controls used to protect the privacy
  of customer information
• Defined the controls that help ensure processing
  integrity
• Defined the controls to ensure that the system is
  available when needed