Upload
tyra-perkinson
View
217
Download
1
Tags:
Embed Size (px)
Citation preview
Copyright © 2015 Pearson Education, Inc.
Learning Objectives
•Identify and explain controls designed to protect the confidentiality of sensitive information.
•Identify and explain controls designed to protect the privacy of customers’ personal information.
•Explain how the two basic types of encryption systems work.
9-2
Copyright © 2015 Pearson Education, Inc.
CONFIDENTIALITY•According to the Trust
Services framework, reliable systems satisfy five principles:▫Security (discussed in
Chapter 8)▫Confidentiality ▫Privacy▫Processing integrity▫Availability
SECURITY
CO
NF
IDE
NT
IAL
ITY
PR
IVA
CY
PR
OC
ES
SIN
G I
NT
EG
RIT
Y
AV
AIL
AB
ILIT
Y
SYSTEMSRELIABILITY
Copyright © 2015 Pearson Education, Inc.
Protecting Confidentiality of Sensitive Information
• Identify and classify information to protect• Where is it located and who has access?• Classify value of information to organization
• Encryption• Protect information in transit and in storage
• Access controls• Information rights management (IRM)• Controlling outgoing information - DLP• Digital watermarks
• Training9-4
Copyright © 2015 Pearson Education, Inc.
Identification and Classification
•Intellectual Property (IP)▫Strategic plans▫Trade secrets▫Cost information▫Legal documents▫Process improvements▫All need to be secured
Copyright © 2015 Pearson Education, Inc.
Encryption
•Encryption alone is not sufficient to protect confidentiality. Given enough time, many encryption schemes can be broken.
•Access controls are also needed•Strong authentication techniques are necessary.
Copyright © 2015 Pearson Education, Inc.
Controlling Access• Information Rights Management (IRM) software
▫ Can limit the actions (read, write, change, delete, copy, etc.) that authorized users can perform when accessing confidential information
• Data Loss Prevention (DLP) software• Digital watermarks• Physical access controls• System outputs
▫ Magnetic and optical media• Voice-over-the-Internet (VoIP) technology• Virtualization and cloud computing
Copyright © 2015 Pearson Education, Inc.
Training•Employee use of email, instant messaging (IM), blogs
and social media represent some of the greatest threats to the confidentiality of sensitive information.
•Use of encryption software•Leaving workstations unattended•Code reports to reflect importance•Clean desk policy
Copyright © 2015 Pearson Education, Inc.
PRIVACY •In the Trust Services framework, the privacy principle is closely related to the confidentiality principle.
•Primary difference is that privacy focuses on protecting personal information about customers rather than organizational data.
SECURITY
CO
NF
IDE
NT
IAL
ITY
PR
IVA
CY
PR
OC
ES
SIN
G I
NT
EG
RIT
Y
AV
AIL
AB
ILIT
Y
SYSTEMSRELIABILITY
Copyright © 2015 Pearson Education, Inc.
Privacy
•Same controls as confidentiality▫Identification and classification▫Encryption▫Access control▫Training
Copyright © 2015 Pearson Education, Inc.
Privacy Concerns•SPAM
▫Unsolicited e-mail that contains either advertising or offensive content
▫Controlling the Assault of Non-Solicited Pornography and Marketing Act. CAN-SPAM (2003) Criminal and civil penalties for spamming
Copyright © 2015 Pearson Education, Inc.
Privacy Concerns• Organizations must carefully follow the CAN-
SPAM guidelines, which include:▫ The sender’s identity must be clearly displayed in the
message header.▫ The subject field in the header must clearly identify the
message as an advertisement or solicitation.▫ The body must provide recipients with a working link
that can be used to “opt out” of future email.▫ The body must include the sender’s valid postal address.▫ Organizations should not:
Send email to randomly generated addresses. Set up websites designed to harvest email addresses
of potential customers.
Copyright © 2015 Pearson Education, Inc.
Privacy Concerns•Identity Theft
▫The unauthorized use of someone’s personal information for the perpetrator’s benefit.
▫Companies have access to and thus must control customer’s personal information.
Copyright © 2015 Pearson Education, Inc.
Privacy Regulatory Acts•A number of regulations, including the
Health Insurance Portability and Accountability Act (HIPAA), Health Information Technology for Economic and Clinical Health Act (HITECH), and the Financial Services Modernization Act (aka, Gramm-Leach-Billey Act) require organizations to protect the privacy of customer information.
Copyright © 2015 Pearson Education, Inc.
ENCRYPTION• Encrypting sensitive stored data
provides one last barrier that must be overcome by an intruder.
• Encryption plays an essential role in ensuring and verifying the validity of e-business transactions.
• Therefore, accountants, auditors, and systems professionals need to understand encryption.
Copyright © 2015 Pearson Education, Inc.
Encryption Steps
• Takes plaintext and with an encryption key and algorithm, converts to unreadable ciphertext (sender of message)
• To read ciphertext, an encryption key reverses the process to make information readable (receiver of message)
• To encrypt or decrypt, both a key and an algorithm are needed
9-16
Copyright © 2015 Pearson Education, Inc.
Encryption Strength
•Key length (longer=stronger)▫Number of bits (characters) used to convert text into blocks▫256 is common
•Algorithm▫Manner in which key and text is combined to create scrambled
text•Policies concerning encryption keys
▫Stored securely with strong access codes
Copyright © 2015 Pearson Education, Inc.
Types of Encryption
Symmetric Asymmetric
• Uses one key to encrypt and decrypt• Both parties need to know the key
▫ Need to securely communicate the shared key
▫ Cannot share key with multiple parties, they get their own (different) key from the organization
▫ Since both sides of the transaction share the key there is no way to prove which party created a document.
• Uses two keys▫ Public—everyone has access▫ Private—used to decrypt (only
known by you)▫ Public key can be used by all your
trading partners• Can create digital signatures
9-18
Copyright © 2015 Pearson Education, Inc.
ENCRYPTION
•Hybrid Solution▫Use symmetric for encrypting information▫Use asymmetric for encrypting symmetric key for
decryption
Copyright © 2015 Pearson Education, Inc.
Hashing
•Converts information into a “hashed” code of fixed length.
•The code can not be converted back to the text.•If any change is made to the information the hash code
will change, thus enabling verification of information.
Copyright © 2015 Pearson Education, Inc.
Digital Signature• Hash of a document that is encrypted using
document creators’ private key• Provides proof:
▫ That document has not been altered▫ Of the creator of the document
Copyright © 2015 Pearson Education, Inc.
Digital Certificate
•Electronic document that contains an entity’s public key•Certifies the identity of the owner of that particular
public key•Issued by Certificate Authority•Public Key Infrastructure (PKI)
Copyright © 2015 Pearson Education, Inc.
Virtual Private Network (VPN)•The internet provides inexpensive
transmission, but data is easily intercepted.
•Encryption solves the interception issue.•If data is encrypted before sending it, a
virtual private network (VPN) is created.▫Provides the functionality of a privately owned
network▫But uses the Internet