Information Systems Controls For System Reliability - Part 2: Confidentiality and Privacy
Information Systems Controls For System Reliability - Part 2: Confidentiality and Privacy
Information Systems Controls For System Reliability - Part 2: Confidentiality and Privacy
Information Systems Controls for System Reliability Part 2: Confidentiality and Privacy
9-1
Copyright 2012 Pearson Education
Learning Objectives
Identify and explain controls designed to protect the
confidentiality of sensitive corporate information.
Identify and explain controls designed to protect the
privacy of customers personal information.
9-2
Confidentiality (Chapter 8)
Sensitive organizational information (e.g., marketing plans, trade secrets) is
protected from unauthorized disclosure.
Privacy
Personal information about customers is collected, used, disclosed, and
maintained only in compliance with internal policies and external regulatory
requirements and is protected from unauthorized disclosure.
9-3
Legal documents
Process improvements
All need to be secured
9-4
Steps in Securing IP
Identification
and
Classification
Encryption
Controlling
Access
Trainingj
9-5
Privacy
Deals with protecting customer information vs. internal
company information
Same controls
Identification and classification
Encryption
Access control
Training
9-6
Privacy Concerns
SPAM
Unsolicited e-mail that contains either advertising or
offensive content
CAN-SPAM (2003)
Criminal and civil penalties for spamming
Identity Theft
The unauthorized use of someones personal information for
the perpetrators benefit.
9-7
9-8
Management
Procedures and policies
Assignment of responsibility
2.
Notice
To customers of policies
3.
4.
5.
6.
Access
Customers should be capable
of reviewing, editing, deleting
information
7.
8.
Collection
Only what is necessary and
stated in policy
Security
Protection of personal
information
9.
Quality
Allow customer review
Information needs to be
reasonably accurate
Encryption
Preventive control
Process of transforming
normal content, called
plaintext, into unreadable
gibberish
Decryption reverses this
process
9-10
Encryption Strength
Key length
Number of bits (characters) used to convert text into blocks
256 is common
Algorithm
Manner in which key and text is combined to create
scrambled text
9-11
Types of Encryption
Symmetric
One key used to both encrypt and decrypt
Pro: fast
Con: vulnerable
Asymmetric
Different key used to encrypt than to decrypt
Pro: very secure
Con: very slow
Hybrid Solution
Use symmetric for encrypting information
Use asymmetric for encrypting symmetric key for decryption
9-12
Hashing
Converts information into a hashed code of fixed
length.
The code can not be converted back to the text.
If any change is made to the information the hash code
will change, thus enabling verification of information.
9-13
Digital Signature
Hash of a document
Using document creators key
Provides proof:
That document has not been altered
Of the creator of the document
9-14
Digital Certificate
Electronic document that contains an entitys public key
Certifies the identity of the owner of that particular public
key
Issued by Certificate Authority
9-15
9-16