CSE 4482, 2009, Session 21: Personal Information Protection and Electronic Documents Act; Payment Card Industry standard; WebTrust; SysTrust

Personal Information Protection and Electronic Documents Act (PIPEDA)
- Governs the collection, use and disclosure of personal information in a manner that balances the right of privacy of all individuals.
- Requires each organization to designate a responsible officer.

Personal Information
- Information about a person that originates from the person, e.g., a social insurance number given to an employer, or age.
- Does not include business information generated about a person, e.g., salary within the employer's possession or grades within the school's possession.

PIPEDA Principles
- Accountability (requires a chief privacy officer)
- Identifying purpose
- Consent
- Limiting collection

PIPEDA Principles (continued)
- Limiting use, retention and disclosure
- Accuracy
- Safeguards
- Openness

PIPEDA Principles (continued)
- Individual access
- Challenging compliance

WebTrust
- A Web site assurance service developed by the American Institute of Certified Public Accountants (AICPA) and the Canadian Institute of Chartered Accountants (CICA).
- Reviews have been done on large e-commerce sites to gain customer confidence.

Main WebTrust Principles
- The Availability Principle addresses accessibility to the defined system, products, or services as advertised or committed by contract, service-level, or other agreements.
- The Security Principle requires an entity to meet high standards for the protection of the system components from unauthorized access, both logical and physical.

Main WebTrust Principles (continued)
- The Processing Integrity Principle requires an entity to meet high standards for the completeness, accuracy, timeliness, and authorization of system processing, including the processing of electronic commerce transactions.
- All three principles must be satisfied.

Secondary WebTrust Principles
- Confidentiality: no unauthorized viewing
- Privacy: confidentiality of personal information

WebTrust Review
- The reviewer has to be licensed by AICPA or CICA.
- The outcome of the review consists of a report and the WebTrust seal if the client passes the selected criteria.
- The seal can be placed on the Web site.
- The seal is accompanied by a report of controls with an audit opinion from the reviewer.

Control Criteria
- Management of the Web site develops criteria (objectives) to satisfy each main principle and each selected secondary principle.
- Each control criterion is supported by control activities (procedures), which can be manual or automated.

WebTrust Seal
- The auditor (reviewer) provides an opinion on the effectiveness (including comprehensiveness) of the control activities for each criterion and on the comprehensiveness of the criteria for each principle.

Process of a WebTrust Review
- The e-commerce company decides to pursue a WebTrust seal.
- The e-commerce company engages an accounting firm to do the review.
- The e-commerce company selects the optional principles.

Process of a WebTrust Review (continued)
- The e-commerce company develops control criteria for each principle.
- The e-commerce company develops control procedures for each criterion.
- The accounting firm assesses the adequacy of the control procedures for each criterion and the adequacy of the criteria for each principle.

Process of a WebTrust Review (continued)
- The accounting firm conducts testing.
- The accounting firm provides an audit opinion.
- If the opinion is unqualified, the accounting firm creates a seal and sends it to a certificate authority for a digital signature to authenticate it.

Process of a WebTrust Review (continued)
- The accounting firm sends the signed seal and audit report to the client.
- The audit report is hosted in
- The e-commerce company puts the seal on the Web site.

SysTrust
- A system assurance service developed by the American Institute of Certified Public Accountants (AICPA) and the Canadian Institute of Chartered Accountants (CICA).
- Reviews have been done on new systems in an organization or on systems shared by a number of partner organizations.

Main SysTrust Principles
- Availability
- Security
- Processing integrity
All three must be covered to get an unqualified opinion.

Secondary SysTrust Principles
- Confidentiality
- Privacy

Control Criteria
- Management of the Web site develops criteria (objectives) to satisfy each main principle and each selected secondary principle.
- Each control criterion is supported by control activities (procedures), which can be manual or automated.

SysTrust Seal
- The auditor (reviewer) provides an opinion on the effectiveness (including comprehensiveness) of the control activities for each criterion and on the comprehensiveness of the criteria for each principle.

Components of a System
- Infrastructure
- Software
- People
- Procedures
- Data

SysTrust Review
- The reviewer has to be licensed by AICPA or CICA.
- The review is reported with an opinion against management's assertion about the system.

SysTrust Users
- Management
- Customers
- Trading partners
- Financial statement auditors

SysTrust Users (continued)
- Internal and legislative auditors
- Software vendors
- Service providers

SysTrust Report
- An opinion on management's asserted controls.
- The opinion does not cover the system description, although the system description is often included in the report. But if the reviewer knows that the system description is misleading, s/he should not issue an opinion on the controls.
- The opinion covers a reporting period of not more than one year.

Drivers for a SysTrust Review
- The potential conflict of interest between the system operator and the system user or owner.
- The complexity of systems, requiring expertise to conduct an audit that would provide a reasonable degree of assurance about their conformity with system reliability principles and criteria.

Drivers for a SysTrust Review (continued)
- The remoteness of users from systems, requiring an independent objective representative to observe the system on their behalf.
- The consequences of system unreliability.
The four conditions above may contribute individually to the need for assurance services related to the reliability of an entity's key information system(s), and they may also interact to increase the need for such assurance.

Symptoms of System Unreliability
- Frequent system failures
- Failure to prevent unauthorized access
- Loss of data integrity
- Serious maintenance problems

Process of a SysTrust Review
- The system hosting organization decides to pursue a SysTrust review.
- The system hosting organization hires an accounting firm.
- The system hosting organization selects optional principles and develops control criteria and control procedures.

Process of a SysTrust Review (continued)
- The accounting firm assesses the adequacy of the control criteria and procedures.
- The accounting firm conducts testing.
- The accounting firm provides a report to the system hosting organization.
- The system hosting organization shares the report with user organizations.

Payment Card Industry (PCI) Security Standard
- Developed by the PCI Security Council, formed by major card issuers such as Visa, MasterCard and American Express.
- Requires agent financial institutions and major merchants (over 6 million transactions annually) to have an annual external audit for compliance.
- Failure to comply can lead to a fine of $500,000.

PCI Standards
1. Install and maintain a firewall to protect cardholder data.
2. Do not use vendor-supplied defaults for system passwords and other security parameters.
3. Protect stored cardholder data.
4. Encrypt transmission of cardholder data across the Internet.

PCI Standards (continued)
5. Use regularly updated anti-virus software.
6. Develop and maintain secure systems and applications.
7. Restrict access to cardholder data by business need-to-know.
8. Assign a unique ID to each person with computer access.

PCI Standards (continued)
9. Restrict physical access to cardholder data.
10. Track and monitor all access to network resources and cardholder data.
11. Regularly test security systems and processes.
12. Maintain a policy that addresses information security.
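As an added illustration of requirement 3 (protect stored cardholder data) and requirement 10 (track and monitor access to cardholder data), not taken from the lecture: a small Python script that masks a primary account number (PAN) to the first six and last four digits before it is stored or displayed, and then scans a few constructed log lines to find PANs that were written in the clear. The regular expression, the Luhn filter used to skip other long numbers, and the sample card numbers and log lines are my own assumptions, not text from the PCI standard.

```python
import re

# Constructed test card numbers (industry test PANs, not real accounts).
SAMPLE_PANS = ["4111111111111111", "5555555555554444", "378282246310005"]

# Constructed log lines; the second and fourth leak a raw PAN, the first is
# already masked and the third is a 19-digit tracking number, not a card.
LOG_LINES = [
    "2009-11-02 10:15:01 checkout ok order=8812345 pan=411111******1111",
    "2009-11-02 10:15:07 gateway debug card=4111 1111 1111 1111 amount=49.99",
    "2009-11-02 10:16:22 shipment tracking=1234567890123456789",
    "2009-11-02 10:17:00 refund card=378282246310005 amount=12.00",
]

# 13 to 19 digits, optionally separated by single spaces or dashes.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(pan: str) -> bool:
    """Luhn check-digit test; separates PANs from other long digit strings."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep only the first six and last four digits (the usual display mask)."""
    if len(pan) < 13 or not pan.isdigit():
        raise ValueError("not a PAN")
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_unmasked_pans(lines):
    """Return (line_no, masked_pan) for each Luhn-valid PAN found in clear text.
    The masked form is returned so the finding itself does not re-leak the PAN."""
    hits = []
    for no, line in enumerate(lines, 1):
        for m in PAN_RE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group())
            if luhn_ok(digits):
                hits.append((no, mask_pan(digits)))
    return hits


if __name__ == "__main__":
    for pan in SAMPLE_PANS:
        print(pan, luhn_ok(pan), mask_pan(pan))
    for no, masked in find_unmasked_pans(LOG_LINES):
        print(f"line {no}: unmasked PAN {masked}")
```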