INFORMATION SYSTEMS CONTROLS FOR SYSTEMS RELIABILITY PART II: CONFIDENTIALITY, PRIVACY, PROCESSING I - PowerPoint PPT Presentation

Loading...

PPT – INFORMATION SYSTEMS CONTROLS FOR SYSTEMS RELIABILITY PART II: CONFIDENTIALITY, PRIVACY, PROCESSING I PowerPoint presentation | free to view - id: 2822e-YWNkY



Loading


The Adobe Flash plugin is needed to view this content

Get the plugin now

View by Category
About This Presentation
Title:

INFORMATION SYSTEMS CONTROLS FOR SYSTEMS RELIABILITY PART II: CONFIDENTIALITY, PRIVACY, PROCESSING I

Description:

INFORMATION SYSTEMS CONTROLS FOR SYSTEMS ... Confidential information includes sensitive data produced ... use password-protected screen savers ... – PowerPoint PPT presentation

Number of Views:467
Avg rating:3.0/5.0

less

Write a Comment
User Comments (0)
Transcript and Presenter's Notes

Title: INFORMATION SYSTEMS CONTROLS FOR SYSTEMS RELIABILITY PART II: CONFIDENTIALITY, PRIVACY, PROCESSING I


1
INFORMATION SYSTEMS CONTROLS FOR SYSTEMS
RELIABILITY PART IICONFIDENTIALITY, PRIVACY,
PROCESSING INTEGRITY, AND AVAILABILITY
  • Chapter 8

2
Review
SYSTEMS RELIABILITY
CONFIDENTIALITY
PRIVACY
PROCESSING INTEGRITY
AVAILABILITY
SECURITY
3
Confidentiality
  • Confidential information includes sensitive data
    produced internally as well as that shared by
    business partners
  • Typically will include information from
  • Business plans
  • Pricing strategies
  • Client and customer lists
  • Legal documents

4
Confidentiality
  • Key controls to protect confidentiality

5
Confidentiality
  • Virtual private network (VPN)
  • Provides the functionality of a privately owned
    network
  • Creates tunnels
  • Accessible only to parties who have the
    appropriate encryption and decryption keys
  • Cost of the VPN software is much less than costs
    of leasing or buying a privately-owned, secure
    communications network

6
Confidentiality
  • Access to system outputs
  • No unsupervised visitors
  • Require employees to log out of any applications
  • Workstations should use password-protected screen
    savers
  • Access should be restricted to rooms housing
    printers and fax machines
  • Reports should be coded to reflect the importance
    of the information

7
Confidentiality
  • Information stored on magnet and optical media
  • Super-erase utilities
  • Demagnetize disks
  • Physically destroy disks

8
Confidentiality
  • Voice-over-the-Internet (VoIP) technology
  • Makes wiretapping much easier
  • Email and instant messaging (IM)
  • Mandate encryption of all email with sensitive
    information

9
Privacy
  • The Trust Services privacy framework of the AICPA
    and CICA lists ten internationally recognized
    best practices for protecting the privacy of
    customers personal information
  • Management
  • Notice
  • Choice and consent
  • Collection
  • Use and retention
  • Access
  • Disclosure to Third Parties
  • Security
  • Quality
  • Monitoring and enforcement

10
Privacy
  • Encryption and access controls
  • SSL
  • Strong authentication controls are also needed

11
Privacy
  • Cookies
  • Text file created by a website and stored on a
    visitors hard drive that records what the
    visitor has done on that site
  • Cannot do anything other store information
  • Spam
  • Unsolicited email that contains either
    advertising or offensive content
  • Source of many viruses, worms, spyware, and other
    malicious content

12
Privacy
  • CAN-SPAM guidelines
  • The senders identity must be clearly displayed
    in the message header.
  • The subject field in the header must clearly
    identify the message as an advertisement or
    solicitation.
  • The body must provide recipients with a working
    link that can be used to opt out of future
    email.
  • The body must include the senders valid postal
    address.
  • Organizations should not
  • Send email to randomly generated addresses.
  • Set up websites designed to harvest email
    addresses of potential customers.

13
Privacy
  • Identity theft
  • Shred all documents that contain personal
    information
  • Never send personally identifying information in
    unencrypted email
  • Beware of email, phone, and print requests to
    verify personal information
  • Do not carry your social security card with you
  • Limit the amount of identifying information
    preprinted on checks
  • Do not place outgoing mail with checks or
    personal information in your mailbox for pickup
  • Dont carry more than a few blank checks with
    you.
  • Use special software to thoroughly clean any
    digital media before disposal, or physically
    destroy the media
  • Monitor your credit reports regularly
  • File a police report as soon as you discover that
    your purse/ wallet was stolen.
  • Make photocopies of drivers licenses, passports,
    and credit cards. Store them with phone numbers
    for all the credit cards in a safe location
  • Immediately cancel any lost or stolen credit cards

14
Processing Integrity
  • Reliability implies information is
  • Accurate
  • Timely
  • Authorized
  • Complete
  • Integrity controls that meet these objectives
  • Source data controls
  • Data entry controls
  • Processing controls
  • Data transmission controls
  • Output controls

15
Processing Integrity
  • Source data controls
  • Forms design
  • Pre-numbered forms sequence test
  • Turnaround documents
  • Cancellation and storage of documents
  • Authorization and segregation of duties
  • Visual scanning
  • Check digit verification
  • RFID security

16
Processing Integrity
  • Data entry controls
  • Field check
  • Sign check
  • Limit check
  • Range check
  • Size (or capacity) check
  • Completeness check
  • Validity check
  • Reasonableness test

17
Processing Integrity
  • Additional Batch Processing Data Entry Controls
  • Sequence check
  • Error log
  • Batch totals

18
Processing Integrity
  • Additional online data entry controls
  • Automatic entry of data
  • Prompting
  • Pre-formatting
  • Closed-loop verification
  • Transaction logs
  • Error messages

19
Processing Integrity
  • Processing Controls
  • Data matching
  • File labels
  • Recalculation of batch totals
  • Cross-footing balance test
  • Write-protection mechanisms
  • Database processing integrity procedures
  • Data conversion controls

20
Processing Integrity
  • Data Transmission Controls
  • Parity checking
  • Message acknowledgment techniques
  • Echo check
  • Trailer record
  • Numbered batches

21
Processing Integrity
  • Output Controls
  • User review of output
  • Reconciliation procedures
  • External data reconciliation

22
Availability
  • Minimizing Risk of System Downtime
  • Physical and logical access controls
  • Preventive maintenance
  • Use of redundant components
  • Surge protection devices
  • Uninterruptible power supply (UPS)

23
Availability
  • Proper location and design of rooms housing
    mission-critical servers and databases
  • Training
  • Anti-virus software
  • New software and disks, CDs, or DVDs should be
    scanned and tested first on a machine that is
    isolated from the main network

24
Availability
  • Disaster Recovery and Business Continuity
    Planning
  • Minimize the extent of the disruption, damage,
    and loss
  • Temporarily establish an alternative means of
    processing information
  • Resume normal operations as soon as possible
  • Train and familiarize personnel with emergency
    operations

25
Availability
  • Key components of effective disaster recovery and
    business continuity plans
  • Data backup procedures
  • Provisions for access to replacement
    infrastructure (equipment, facilities, phone
    lines, etc.)
  • Thorough documentation
  • Periodic testing
  • Adequate insurance

26
Availability
  • Data Backup Procedures
  • Full backup -- an exact copy of the data recorded
    on another physical media (tape, magnetic disk,
    CD, DVD, etc.)
  • Two types of partial backups
  • Incremental backup
  • Differential backup

27
Availability
  • Infrastructure Replacement Options
  • Reciprocal agreements
  • Cold sites
  • Hot sites

28
Availability
  • Thorough documentation
  • Includes
  • Disaster recovery plan
  • Assignment of responsibility
  • Vendor documentation of hardware and software
  • Documentation of modifications made to the
    default configuration
  • Detailed operating instructions.

29
Availability
  • Periodic testing
  • Plans should be tested on at least an annual
    basis
  • Plan documentation needs to be updated to reflect
    any changes

30
Availability
  • Adequate insurance
  • Defray part or all of the expenses

31
Change Management Controls
  • All change requests should be documented in a
    standard format that identifies
  • Nature of the change
  • Reason for the change
  • Date of the request
  • All changes should be approved by appropriate
    levels of management
  • Changes should be thoroughly tested prior to
    implementation
  • All documentation should be updated to reflect
    authorized changes to the system
  • Emergency changes or deviations from policy
    must be documented, reviewed and approved
  • Backout plans should be developed
  • User rights and privileges should be carefully
    monitored

32
Change Management Controls
  • Adequate monitoring and review by top management
  • Objective Be sure the system continues to
    effectively support the organizations strategy.

33
Summary
  • We have
  • Defined the controls used to protect the
    confidentiality of sensitive information
  • Defined the controls used to protect the privacy
    of customer information
  • Defined the controls that help ensure processing
    integrity
  • Defined the controls to ensure that the system is
    available when needed
About PowerShow.com