© 2008 Prentice Hall Business Publishing. Accounting Information Systems, 11/e, Romney/Steinbart. Chapter 8: Information Systems Controls for System Reliability, Part 2: Confidentiality, Privacy, Processing Integrity, and Availability (136 slides).

Presentation transcript:

Slide 1 of 136: CHAPTER 8 Information Systems Controls for System Reliability, Part 2: Confidentiality, Privacy, Processing Integrity, and Availability

Slide 2 of 136: INTRODUCTION
Questions to be addressed in this chapter include:
–What controls are used to protect the confidentiality of sensitive information?
–What controls are designed to protect the privacy of customers' personal information?
–What controls ensure processing integrity?
–How are information systems changes controlled to ensure that the new system satisfies all five principles of systems reliability?

Slide 3 of 136: INTRODUCTION
Reliable systems satisfy five principles:
–Information security (discussed in Chapter 7)
–Confidentiality
–Privacy
–Processing integrity
–Availability
[Figure: the systems reliability model, with security, confidentiality, privacy, processing integrity, and availability as its components]

Slide 4 of 136: CONFIDENTIALITY
Maintaining confidentiality requires that management identify which information is sensitive. Each organization will develop its own definition of what information needs to be protected. Most definitions will include:
–Business plans
–Pricing strategies
–Client and customer lists
–Legal documents

Slide 5 of 136: CONFIDENTIALITY
Table 8-1 in your textbook summarizes the key controls for protecting the confidentiality of information, by situation:
–Storage: encryption and access controls
–Transmission: encryption
–Disposal: shredding, thorough erasure, physical destruction
–Overall: categorization of information to reflect its value, and training in proper work practices

Slide 6 of 136: CONFIDENTIALITY
It is critical to encrypt any sensitive information stored on devices that are easily lost or stolen, such as laptops, PDAs, cell phones, and other portable devices.
–Many organizations have policies against storing sensitive information on these devices.
–81% of users admit they do so anyway.

Slide 7 of 136: CONFIDENTIALITY
Access to system outputs should also be controlled:
–Do not allow visitors to roam through buildings unsupervised.
–Require employees to log out of any application before leaving their workstation unattended, so that other employees cannot gain unauthorized access.
–Workstations should use password-protected screen savers that engage automatically after a specified period of inactivity.
–Access should be restricted to rooms housing printers and fax machines.
–Reports should be coded to reflect the importance of the information they contain, and employees should be trained not to leave reports with sensitive information lying in plain view.

Slide 8 of 136: CONFIDENTIALITY
Many organizations are taking steps to address the confidentiality threats created by e-mail and IM.
–One response is to mandate encryption of all e-mail containing sensitive information.
–Some organizations prohibit the use of freeware IM products and purchase commercial products with security features, including encryption.
–Users sending e-mail must be trained to be very careful about the identity of their addressee. EXAMPLE: The organization may have two employees named Allen Smith. It's critical that sensitive information go to the correct Allen Smith.

Slide 9 of 136: PRIVACY
In the Trust Services framework, the privacy principle is closely related to the confidentiality principle. The primary difference is that privacy focuses on protecting personal information about customers rather than organizational data. The key controls for privacy are the same as those listed previously for confidentiality.
[Figure: the systems reliability model, with security, confidentiality, privacy, processing integrity, and availability as its components]

Slide 10 of 136: PRIVACY
COBIT section DS 11 addresses the management of data and specifies the need to comply with regulatory requirements. A number of regulations, including the Health Insurance Portability and Accountability Act (HIPAA) and the Financial Services Modernization Act (aka the Gramm-Leach-Bliley Act), require organizations to protect the privacy of customer information.

Slide 11 of 136: PRIVACY
The Trust Services privacy framework of the AICPA and CICA lists ten internationally recognized best practices for protecting the privacy of customers' personal information:
–Management
–Notice
–Choice and consent
–Collection
–Use and retention
–Access
–Disclosure to third parties
–Security
–Quality
–Monitoring and enforcement
The organization assigns one or more employees to be responsible for assuring and verifying compliance with its stated policies. It also provides procedures for responding to customer complaints, including third-party dispute-resolution processes.

Slide 12 of 136: PRIVACY
One topic of concern is the cookies used on Web sites.
–A cookie is a text file created by a Web site and stored on a visitor's hard drive. It records what the visitor has done on the site.
–Most Web sites create multiple cookies per visit to make it easier for visitors to navigate the site.
–Browsers can be configured to refuse cookies, but this may make the Web site inaccessible.
–Cookies are text files and cannot "do" anything other than store information, but many people worry that they violate privacy rights.

Slide 13 of 136: PRIVACY
Another privacy-related issue of growing concern is identity theft.
–Organizations have an ethical and moral obligation to implement controls to protect databases that contain their customers' personal information.

Slide 14 of 136: PRIVACY
Consequently, organizations must carefully follow the CAN-SPAM guidelines, which include:
–The sender's identity must be clearly displayed in the message header.
–The subject field in the header must clearly identify the message as an advertisement or solicitation.
–The body must provide recipients with a working link that can be used to "opt out" of future e-mail.
–The body must include the sender's valid postal address.
–Organizations should not:
  Send e-mail to randomly generated addresses.
  Set up Web sites designed to harvest the e-mail addresses of potential customers.
Experts recommend that organizations redesign their own Web sites to include a visible means for visitors to "opt in" to receiving e-mail.

Slide 15 of 136: PROCESSING INTEGRITY
COBIT control objective DS 11.1 addresses the need for controls over the input, processing, and output of data. It identifies six categories of controls that can be used to satisfy that objective. The six categories are grouped into three for discussion.
[Figure: the systems reliability model, with security, confidentiality, privacy, processing integrity, and availability as its components]

Slide 16 of 136: PROCESSING INTEGRITY
Three categories/groups of integrity controls are designed to meet the preceding objectives:
–Input controls
–Processing controls
–Output controls

Slide 17 of 136: PROCESSING INTEGRITY
Once data is collected, data entry control procedures are needed to ensure that it is entered correctly. Common tests to validate input include:
–Field check
–Sign check
–Limit check
–Range check
–Size (or capacity) check
–Completeness check
–Validity check
–Reasonableness test
–Check digit verification
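The nine data entry tests listed above, applied to one payroll-style record, as an added example that is not from the textbook. The record layout, the chart of accounts, the approval limit, the 0 to 80 hours range, the 200-per-hour reasonableness threshold and the mod-10 (Luhn) check digit scheme are all assumptions made for the example.

```python
VALID_ACCOUNTS = {"4100", "5200", "6300"}   # constructed chart of accounts
MAX_AMOUNT = 10_000.00                      # constructed approval limit
REQUIRED = ("employee_id", "account", "hours", "amount")

def luhn_ok(number: str) -> bool:
    """Check digit verification using the mod-10 (Luhn) scheme (assumed)."""
    if not number.isdigit():
        return False
    total, parity = 0, len(number) % 2
    for i, ch in enumerate(number):
        d = int(ch)
        if i % 2 == parity:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def validate_entry(rec: dict) -> list:
    """Run each input test over one data-entry record and return the list of
    failed checks (an empty list means the record may be accepted)."""
    errors = []
    # Completeness check: every required field present and non-empty.
    for f in REQUIRED:
        if not str(rec.get(f, "")).strip():
            errors.append("completeness:" + f)
    # Field check: hours must contain only numeric characters.
    if not str(rec.get("hours", "")).replace(".", "", 1).isdigit():
        errors.append("field:hours")
    # Size check: the employee id must fit its 8-character field.
    emp = str(rec.get("employee_id", ""))
    if len(emp) > 8:
        errors.append("size:employee_id")
    # Validity check: the account must exist in the chart of accounts.
    if rec.get("account") not in VALID_ACCOUNTS:
        errors.append("validity:account")
    try:
        amount, hours = float(rec.get("amount", "")), float(rec.get("hours", ""))
    except (ValueError, TypeError):
        return errors + ["field:amount"]   # non-numeric amount or hours
    # Sign check: a pay amount can never be negative.
    if amount < 0:
        errors.append("sign:amount")
    # Limit check: the amount may not exceed the approval limit.
    if amount > MAX_AMOUNT:
        errors.append("limit:amount")
    # Range check: weekly hours must lie between 0 and 80.
    if not 0 <= hours <= 80:
        errors.append("range:hours")
    # Reasonableness test: pay should be consistent with hours worked.
    if hours > 0 and amount / hours > 200:
        errors.append("reasonableness:rate")
    # Check digit verification on the employee id.
    if not luhn_ok(emp):
        errors.append("checkdigit:employee_id")
    return errors
```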

Slide 18 of 136: PROCESSING INTEGRITY
Processing controls
–Processing controls to ensure that data is processed correctly include:
  Data matching
  File labels
  Recalculation of batch totals
  Cross-footing balance test
  Write-protection mechanisms
  Database processing integrity procedures
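Two of the processing controls listed above, recalculation of batch totals and the cross-footing balance test, worked over a constructed batch of payroll records. This is an added example, not the textbook's material; the record fields, the header control totals and the choice of employee id as the hash-total field are assumptions.

```python
# Constructed batch: the processing step is supposed to derive net pay
# from regular pay, overtime and deductions for each record.
BATCH = [
    {"emp": "10001", "regular": 1000.00, "overtime": 150.00, "deductions": 230.00},
    {"emp": "10002", "regular": 1200.00, "overtime": 0.00, "deductions": 260.00},
    {"emp": "10003", "regular": 800.00, "overtime": 75.00, "deductions": 175.00},
]
# Control totals computed at data entry and carried on the batch header (constructed).
HEADER = {"record_count": 3, "hash_total": 30006, "financial_total": 3000.00}

def batch_totals(records):
    """Recalculate the three classic batch totals from the records actually
    processed: record count, hash total of a non-financial field (the employee
    id, which has no meaning as a sum) and financial total of regular pay."""
    return {
        "record_count": len(records),
        "hash_total": sum(int(r["emp"]) for r in records),
        "financial_total": round(sum(r["regular"] for r in records), 2),
    }

def batch_totals_match(records, header):
    """Compare recalculated totals with the header and return the names of the
    totals that disagree; a mismatch means records were lost, duplicated or
    altered between data entry and processing."""
    recalculated = batch_totals(records)
    return [k for k in header if recalculated[k] != header[k]]

def compute_net(records):
    """The processing step itself: net pay per record."""
    return [round(r["regular"] + r["overtime"] - r["deductions"], 2) for r in records]

def cross_foot_ok(records, net_pay):
    """Cross-footing balance test: combining the input column totals the same
    way each row is computed must give the total of the output column."""
    column_total = round(sum(r["regular"] for r in records)
                         + sum(r["overtime"] for r in records)
                         - sum(r["deductions"] for r in records), 2)
    return column_total == round(sum(net_pay), 2)
```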

Slide 19 of 136: AVAILABILITY
Reliable systems are available for use whenever needed. Threats to system availability originate from many sources, including:
–Hardware and software failures
–Natural and man-made disasters
–Human error
–Worms and viruses
–Denial-of-service attacks and other sabotage
[Figure: the systems reliability model, with security, confidentiality, privacy, processing integrity, and availability as its components]

Slide 20 of 136: AVAILABILITY
COBIT control objectives DS 12.1 and 12.4 address the importance of the proper location and design of rooms housing mission-critical servers and databases.
–Raised floors protect from flood damage.
–Fire protection and suppression devices reduce the likelihood of fire damage.
–Adequate air conditioning reduces the likelihood of damage from overheating or humidity.
–Cables with special plugs that cannot be easily removed reduce the risk of damage from accidental unplugging.

Slide 21 of 136: AVAILABILITY
–An uninterruptible power supply (UPS) provides protection from a prolonged power outage and buys the system enough time to back up critical data and shut down safely.

Slide 22 of 136: AVAILABILITY
Training is especially important.
–Well-trained operators are less likely to make mistakes and more able to recover if they do.
–Security awareness training, particularly concerning safe e-mail and Web-browsing practices, can reduce the risk of virus and worm infection.
  Anti-virus software should be installed, run, and kept current.
  E-mail should be scanned for viruses at both the server and desktop levels.
  Newly acquired software and disks, CDs, or DVDs should be scanned and tested first on a machine that is isolated from the main network.
COBIT control objective DS 13.1 stresses the importance of defining and documenting operational procedures and ensuring that operations staff understand their responsibilities.

Slide 23 of 136: AVAILABILITY
Key components of effective disaster recovery and business continuity plans include:
–Data backup procedures
–Provisions for access to replacement infrastructure (equipment, facilities, phone lines, etc.)
–Thorough documentation
–Periodic testing
–Adequate insurance

Slide 24 of 136: CHANGE MANAGEMENT CONTROLS
Organizations constantly modify their information systems to reflect new business practices and to take advantage of advances in IT. Controls are needed to ensure that such changes do not negatively impact reliability. Existing controls related to security, confidentiality, privacy, processing integrity, and availability should be modified to maintain their effectiveness after the change. Change management controls also need to ensure that adequate segregation of duties is maintained in light of modifications to the organizational structure and the adoption of new software.

Slide 25 of 136: CHANGE MANAGEMENT CONTROLS
Important change management controls include:
–All change requests should be documented in a standard format that identifies:
  Nature of the change
  Reason for the change
  Date of the request
–All changes should be approved by appropriate levels of management. Approvals should be clearly documented to provide an audit trail. Management should consult with the CSO and other IT managers about the impact of the change on reliability.