Confidentiality and Privacy Controls

Slides:



Advertisements
Similar presentations
Public Key Infrastructure and Applications
Advertisements

Public Key Infrastructure A Quick Look Inside PKI Technology Investigation Center 3/27/2002.
By: Mr Hashem Alaidaros MIS 326 Lecture 6 Title: E-Business Security.
1 Pertemuan 12 Authentication, Encryption, Digital Payments, and Digital Money Matakuliah: M0284/Teknologi & Infrastruktur E-Business Tahun: 2005 Versi:
Encryption and Firewalls Chapter 7. Learning Objectives Understand the role encryption plays in firewall architecture Know how digital certificates work.
Department of Information Engineering1 Major Concerns in Electronic Commerce Authentication –there must be proof of identity of the parties in an electronic.
Chapter 17 Controls and Security Measures
16.1 © 2004 Pearson Education, Inc. Exam Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure.
Principles of Information Security, 2nd edition1 Cryptography.
Client/Server Computing Model of computing in which very powerful personal computers (clients) are connected in a network with one or more server computers.
6/4/2015National Digital Certification Agency1 Security Engineering and PKI Applications in Modern Enterprises Mohamed HAMDI National.
8.1 © 2007 by Prentice Hall 8 Chapter Securing Information Systems.
BY MUKTADIUR RAHMAN MAY 06, 2010 INTERODUCTION TO CRYPTOGRAPHY.
8-1 What is network security? Confidentiality: only sender, intended receiver should “understand” message contents m sender encrypts message m receiver.
Cryptographic Technologies
Presented by Xiaoping Yu Cryptography and PKI Cosc 513 Operating System Presentation Presented to Dr. Mort Anvari.
Chapter Extension 23 SSL/TLS and //https © 2008 Pearson Prentice Hall, Experiencing MIS, David Kroenke.
Chapter 9 Information Systems Controls for System Reliability— Part 2: Confidentiality and Privacy Copyright © 2012 Pearson Education, Inc. publishing.
Copyright © 2015 Pearson Education, Inc. Confidentiality and Privacy Controls Chapter 9 1.
Security on the Internet Jan Damsgaard Dept. of Informatics Copenhagen Business School
E- Business Digital Signature Varna Free University Prof. Teodora Bakardjieva.
Copyright © 2015 Pearson Education, Inc. Confidentiality and Privacy Controls Chapter
Encryption Methods By: Michael A. Scott
Cryptographic Security Cryptographic Mechanisms 1Mesbah Islam– Operating Systems.
Digital Signature Xiaoyan Guo/ Xiaohang Luo/
Controller of Certifying Authorities PKI Technology - Role of CCA Assistant Controller (Technology) Controller of Certifying Authorities Ministry of Communications.
1 Fluency with Information Technology Lawrence Snyder Chapter 17 Privacy & Digital Security Encryption.
Chapter 31 Network Security
31.1 Chapter 31 Network Security Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display.
1 Cryptography Basics. 2 Cryptography Basic terminologies Symmetric key encryption Asymmetric key encryption Public Key Infrastructure Digital Certificates.
Copyright ©1997 NetDox, Inc. All Rights Reserved. CONFIDENTIAL 1 DATE HERE Julie Grace - NetDox, Inc. Emerging Internet Commerce.
Chapter 13 Network Security. Contents Definition of information security Role of network security Vulnerabilities, threats and controls Network security.
Lecture 12 Electronic Business (MGT-485). Recap – Lecture 11 E-Commerce Security Environment Security Threats in E-commerce Technology Solutions.
E-Commerce Security Technologies : Theft of credit card numbers Denial of service attacks (System not availability ) Consumer privacy (Confidentiality.
Network Security. Security Threats 8Intercept 8Interrupt 8Modification 8Fabrication.
Chapter 37 Network Security. Aspects of Security data integrity – data received should be same as data sent data availability – data should be accessible.
Cryptography Encryption/Decryption Franci Tajnik CISA Franci Tajnik.
Protecting Internet Communications: Encryption  Encryption: Process of transforming plain text or data into cipher text that cannot be read by anyone.
Cryptography, Authentication and Digital Signatures
E-Commerce Security Professor: Morteza Anvari Student: Xiaoli Li Student ID: March 10, 2001.
©The McGraw-Hill Companies, Inc., 2000© Adapted for use at JMU by Mohamed Aboutabl, 2003Mohamed Aboutabl1 1 Chapter 29 Internet Security.
Types of Electronic Infection
4 th lecture.  Message to be encrypted: HELLO  Key: XMCKL H E L L O message 7 (H) 4 (E) 11 (L) 11 (L) 14 (O) message + 23 (X) 12 (M) 2 (C) 10 (K) 11.
ITIS 1210 Introduction to Web-Based Information Systems Chapter 50 Cryptography, Privacy, and Digital Certificates.
11-Basic Cryptography Dr. John P. Abraham Professor UTPA.
Encryption. What is Encryption? Encryption is the process of converting plain text into cipher text, with the goal of making the text unreadable.
Advanced Database Course (ESED5204) Eng. Hanan Alyazji University of Palestine Software Engineering Department.
31.1 Chapter 31 Network Security Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display.
Security Many secure IT systems are like a house with a locked front door but with a side window open -somebody.
31.1 Chapter 31 Network Security Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display.
DIGITAL SIGNATURE.
Security fundamentals Topic 5 Using a Public Key Infrastructure.
INFORMATION SECURITY MANAGEMENT P ROTECTION M ECHANISMS - C RYPTOGRAPHY.
Deck 10 Accounting Information Systems Romney and Steinbart Linda Batch March 2012.
Chapter 40 Network Security (Access Control, Encryption, Firewalls)
Intellectual Property. Confidential Information Duty not to disclose confidential information about a business that would cause harm to the business or.
Network Security Celia Li Computer Science and Engineering York University.
INFORMATION SECURITY MANAGEMENT P ROTECTION M ECHANISMS - C RYPTOGRAPHY.
Computer Security By Rubel Biswas. Introduction History Terms & Definitions Symmetric and Asymmetric Attacks on Cryptosystems Outline.
Department of Computer Science Chapter 5 Introduction to Cryptography Semester 1.
LESSON 12 Business Internet. Electronic business, or e-business, is the application of information and communication technologies (ICT) in support of.
CRYPTOGRAPHY Cryptography is art or science of transforming intelligible message to unintelligible and again transforming that message back to the original.
Cryptographic Hash Function. A hash function H accepts a variable-length block of data as input and produces a fixed-size hash value h = H(M). The principal.
e-Health Platform End 2 End encryption
Confidentiality and Privacy Controls
INFORMATION SYSTEMS SECURITY and CONTROL
Public-Key, Digital Signatures, Management, Security
Instructor Materials Chapter 5: Ensuring Integrity
10/7/2019 Created by Omeed Mustafa 1 st Semester M.Sc (Computer Science department) Cyber-Security.
Presentation transcript:

Confidentiality and Privacy Controls Chapter 9

Learning Objectives Identify and explain controls designed to protect the confidentiality of sensitive information. Identify and explain controls designed to protect the privacy of customers’ personal information. Explain how the two basic types of encryption systems work.

CONFIDENTIALITY SYSTEMS RELIABILITY According to the Trust Services framework, reliable systems satisfy five principles: Security (discussed in Chapter 8) Confidentiality Privacy Processing integrity Availability CONFIDENTIALITY PRIVACY PROCESSING INTEGRITY AVAILABILITY SECURITY

Protecting Confidentiality of Sensitive Information Identify and classify information to protect Where is it located and who has access? Classify value of information to organization Encryption Protect information in transit and in storage Access controls Information rights management (IRM) Controlling outgoing information - DLP Digital watermarks Training

Identification and Classification Intellectual Property (IP) Strategic plans Trade secrets Cost information Legal documents Process improvements All need to be secured

Encryption Encryption alone is not sufficient to protect confidentiality. Given enough time, many encryption schemes can be broken. Access controls are also needed Strong authentication techniques are necessary.

Controlling Access Information Rights Management (IRM) software Can limit the actions (read, write, change, delete, copy, etc.) that authorized users can perform when accessing confidential information Data Loss Prevention (DLP) software Digital watermarks Physical access controls System outputs Magnetic and optical media Voice-over-the-Internet (VoIP) technology Virtualization and cloud computing

Training Employee use of email, instant messaging (IM), blogs and social media represent some of the greatest threats to the confidentiality of sensitive information. Use of encryption software Leaving workstations unattended Code reports to reflect importance Clean desk policy

PRIVACY SYSTEMS RELIABILITY In the Trust Services framework, the privacy principle is closely related to the confidentiality principle. Primary difference is that privacy focuses on protecting personal information about customers rather than organizational data. CONFIDENTIALITY PRIVACY PROCESSING INTEGRITY AVAILABILITY SECURITY

Privacy Same controls as confidentiality Identification and classification Encryption Access control Training

Privacy Concerns SPAM Unsolicited e-mail that contains either advertising or offensive content Controlling the Assault of Non-Solicited Pornography and Marketing Act. CAN-SPAM (2003) Criminal and civil penalties for spamming

Privacy Concerns Organizations must carefully follow the CAN-SPAM guidelines, which include: The sender’s identity must be clearly displayed in the message header. The subject field in the header must clearly identify the message as an advertisement or solicitation. The body must provide recipients with a working link that can be used to “opt out” of future email. The body must include the sender’s valid postal address. Organizations should not: Send email to randomly generated addresses. Set up websites designed to harvest email addresses of potential customers.

Privacy Concerns Identity Theft The unauthorized use of someone’s personal information for the perpetrator’s benefit. Companies have access to and thus must control customer’s personal information.

Privacy Regulatory Acts A number of regulations, including the Health Insurance Portability and Accountability Act (HIPAA), Health Information Technology for Economic and Clinical Health Act (HITECH), and the Financial Services Modernization Act (aka, Gramm-Leach-Billey Act) require organizations to protect the privacy of customer information.

ENCRYPTION Encrypting sensitive stored data provides one last barrier that must be overcome by an intruder. Encryption plays an essential role in ensuring and verifying the validity of e-business transactions. Therefore, accountants, auditors, and systems professionals need to understand encryption.

Encryption Steps Takes plaintext and with an encryption key and algorithm, converts to unreadable ciphertext (sender of message) To read ciphertext, an encryption key reverses the process to make information readable (receiver of message) To encrypt or decrypt, both a key and an algorithm are needed

Encryption Strength Key length (longer=stronger) Algorithm Number of bits (characters) used to convert text into blocks 256 is common Algorithm Manner in which key and text is combined to create scrambled text Policies concerning encryption keys Stored securely with strong access codes

Types of Encryption Uses one key to encrypt and decrypt Symmetric Asymmetric Uses one key to encrypt and decrypt Both parties need to know the key Need to securely communicate the shared key Cannot share key with multiple parties, they get their own (different) key from the organization Since both sides of the transaction share the key there is no way to prove which party created a document. Uses two keys Public—everyone has access Private—used to decrypt (only known by you) Public key can be used by all your trading partners Can create digital signatures

ENCRYPTION Hybrid Solution Use symmetric for encrypting information Use asymmetric for encrypting symmetric key for decryption

Hashing Converts information into a “hashed” code of fixed length. The code can not be converted back to the text. If any change is made to the information the hash code will change, thus enabling verification of information.

Digital Signature Hash of a document that is encrypted using document creators’ private key Provides proof: That document has not been altered Of the creator of the document

Digital Certificate Electronic document that contains an entity’s public key Certifies the identity of the owner of that particular public key Issued by Certificate Authority Public Key Infrastructure (PKI)

Virtual Private Network (VPN) The internet provides inexpensive transmission, but data is easily intercepted. Encryption solves the interception issue. If data is encrypted before sending it, a virtual private network (VPN) is created. Provides the functionality of a privately owned network But uses the Internet

Virtual Private Network Securely transmits encrypted data between sender and receiver Sender and receiver have the appropriate encryption and decryption keys.