CHAPTER 8
Information Systems Controls for System Reliability
Part 2: Confidentiality, Privacy, Processing Integrity, and Availability

© 2008 Prentice Hall Business Publishing, Accounting Information Systems, 11/e, Romney/Steinbart

INTRODUCTION
• Questions to be addressed in this chapter include:
  – What controls are used to protect the confidentiality of sensitive information?
  – What controls are designed to protect the privacy of customers' personal information?
  – What controls ensure processing integrity?
  – How are information systems changes controlled to ensure that the new system satisfies all five principles of systems reliability?

INTRODUCTION
• Reliable systems satisfy five principles:
  – Information security (discussed in Chapter 7)
  – Confidentiality
  – Privacy
  – Processing integrity
  – Availability
  [Figure: Systems reliability, with security as the foundation supporting confidentiality, privacy, processing integrity, and availability]

CONFIDENTIALITY
• Reliable systems maintain the confidentiality of sensitive information.

CONFIDENTIALITY
• Maintaining confidentiality requires that management identify which information is sensitive.
• Each organization will develop its own definitions of what information needs to be protected.
• Most definitions will include:
  – Business plans
  – Pricing strategies
  – Client and customer lists
  – Legal documents
• COBIT control objective PO 2.3 specifies the need to identify and properly label potentially sensitive information, to assign responsibility for its protection, and to implement appropriate controls.

CONFIDENTIALITY
• Table 8-1 in your textbook summarizes key controls to protect the confidentiality of information:
  – Storage: encryption and access controls
  – Transmission: encryption
  – Disposal: shredding, thorough erasure, physical destruction
  – Overall: categorization to reflect value, and training in proper work practices

CONFIDENTIALITY
• Encryption is a fundamental control procedure for protecting the confidentiality of sensitive information.
• Confidential information should be encrypted:
  – While stored
  – Whenever transmitted

CONFIDENTIALITY
• The Internet provides inexpensive transmission, but data is easily intercepted.
• Encryption solves the interception issue.
• If data is encrypted before sending it, a virtual private network (VPN) is created:
  – Provides the functionality of a privately owned network
  – But uses the Internet

CONFIDENTIALITY
• Use of VPN software creates private communication channels, often referred to as tunnels.
  – The tunnels are accessible only to parties who have the appropriate encryption and decryption keys.
  – The cost of the VPN software is much less than the cost of leasing or buying a privately owned, secure communications network.
  – It also makes it much easier to add or remove sites from the "network."
• In accordance with COBIT DS 5.11, VPNs include controls to authenticate the parties exchanging information and to create an audit trail of the exchange.

CONFIDENTIALITY
• It is critical to encrypt any sensitive information stored in devices that are easily lost or stolen, such as laptops, PDAs, cell phones, and other portable devices.
  – Many organizations have policies against storing sensitive information on these devices.
  – 81% of users admit they do so anyway.

AVAILABILITY
• Organizations have three basic options for replacing computer and networking equipment:
  – Reciprocal agreements
  – Cold sites
  – Hot sites
• A hot site is a facility that is pre-wired for phone and Internet (like a cold site) but also contains the essential computing and office equipment.
  – It is a backup infrastructure designed to provide fault tolerance in the event of a major disaster.
  – It is the most expensive solution, but it is used by organizations like financial institutions and airlines, which cannot survive any appreciable time without their IS.

AVAILABILITY
• Key components of effective disaster recovery and business continuity plans include:
  – Data backup procedures
  – Provisions for access to replacement infrastructure (equipment, facilities, phone lines, etc.)
  – Thorough documentation
  – Periodic testing
  – Adequate insurance

AVAILABILITY
• Documentation
  – An important and often overlooked component. It should include:
    • The disaster recovery plan itself, including instructions for notifying appropriate staff and the steps to resume operation
    • Assignment of responsibility for the various activities
    • Vendor documentation of hardware and software
    • Documentation of modifications made to the default configuration (so the replacement will have the same functionality)
    • Detailed operating instructions
  – Copies of all documentation should be stored both on-site and off-site.

AVAILABILITY
• Testing
  – Periodic testing and revision is probably the most important component of effective disaster recovery and business continuity plans.
    • Most plans fail their initial test, because it is impossible to anticipate everything that could go wrong.
    • The time to discover these problems is before the actual emergency, in a setting where the weaknesses can be carefully analyzed and appropriate changes made.

AVAILABILITY
• Plans should be tested on at least an annual basis to ensure they reflect recent changes in equipment and procedures.
  – It is important to test the procedures involved in executing reciprocal agreements or using hot or cold sites.
  – Backup restoration procedures also require practice.

AVAILABILITY
• Brainstorming sessions involving mock scenarios can be effective in identifying gaps and shortcomings.
  – More realistic and detailed simulations or drills should also be performed, although not to the expense of completely performing every activity.
  – Experts recommend testing individual components of the plans separately, because it is too difficult and costly to simulate and analyze every aspect simultaneously.
• The plan documentation needs to be updated to reflect any changes in procedure made in response to problems identified during testing.

AVAILABILITY
• Insurance
  – Organizations should acquire adequate insurance coverage to defray part or all of the expenses associated with implementing their disaster recovery and business continuity plans.

CHANGE MANAGEMENT CONTROLS
• Organizations constantly modify their information systems to reflect new business practices and to take advantage of advances in IT.
• Controls are needed to ensure such changes do not negatively impact reliability.
• Existing controls related to security, confidentiality, privacy, processing integrity, and availability should be modified to maintain their effectiveness after the change.
• Change management controls need to ensure that adequate segregation of duties is maintained in light of modifications to the organizational structure and the adoption of new software.

CHANGE MANAGEMENT CONTROLS
• Important change management controls include:
  – All change requests should be documented in a standard format that identifies:
    • Nature of the change
    • Reason for the change
    • Date of the request
  – All changes should be approved by appropriate levels of management.
    • Approvals should be clearly documented to provide an audit trail.
    • Management should consult with the CSO and other IT managers about the impact of the change on reliability.

CHANGE MANAGEMENT CONTROLS
  – Changes should be thoroughly tested prior to implementation.
    • This includes assessing the effect of the change on all five principles of systems reliability.
    • Testing should occur in a separate, non-production environment.
  – All documentation (program instructions, system descriptions, backup and disaster recovery plans) should be updated to reflect authorized changes to the system.
  – "Emergency" changes must be documented and subjected to a formal review and approval process as soon after implementation as practicable.
    • All such actions should be logged to provide an audit trail.
  – When changing systems, data from old files and databases are entered into new data structures.
    • Conversion controls help ensure that the new data storage media are free of errors.
    • Old and new systems should be run in parallel at least once and the results compared to identify discrepancies.
    • Internal auditors should review data conversion processes for accuracy or deviations from policy.

CHANGE MANAGEMENT CONTROLS
  – "Backout" plans should be developed for reverting to the previous configuration if the approved changes need to be interrupted or aborted.
  – User rights and privileges should be carefully monitored during the change process to ensure proper segregation of duties.

CHANGE MANAGEMENT CONTROLS
• The most important change management control is adequate monitoring and review by top management to ensure that the changes are consistent with the entity's multiyear strategic plan.
  – Objective: be sure the system continues to effectively support the organization's strategy.
  – Steering committees are often created to perform this function.

SUMMARY
• In this chapter, you have learned about the controls used to protect the confidentiality of sensitive information and the controls used to protect the privacy of customer information.
• You have also learned about controls that help ensure processing integrity.
• Finally, you have learned about controls to ensure that the system is available when needed.
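The data conversion controls listed under CHANGE MANAGEMENT CONTROLS (parallel runs of the old and new systems, comparison of results, and an auditor's review of the conversion) can be turned into a repeatable check. The following is an added example, not from the textbook or its slides; the account records, the renamed "balance" field and the control-total field are constructed for illustration.

```python
from dataclasses import dataclass, field
from decimal import Decimal

# Constructed sample data: one batch processed by both the old and the new
# system, keyed by account id. The new system renamed "balance" to "bal".
OLD_RUN = {
    "A100": {"balance": "1500.00", "status": "active"},
    "A101": {"balance": "250.50", "status": "closed"},
    "A102": {"balance": "0.00", "status": "active"},
}
NEW_RUN = {
    "A100": {"bal": "1500.00", "status": "active"},
    "A101": {"bal": "250.05", "status": "closed"},  # digits transposed
    "A103": {"bal": "99.00", "status": "active"},   # unknown to the old system
}
FIELD_MAP = {"balance": "bal", "status": "status"}  # old field -> new field

@dataclass
class Reconciliation:
    missing: list = field(default_factory=list)     # keys lost in conversion
    extra: list = field(default_factory=list)       # keys that appeared
    mismatched: list = field(default_factory=list)  # (key, field, old, new)

    @property
    def clean(self) -> bool:
        return not (self.missing or self.extra or self.mismatched)

def reconcile(old: dict, new: dict, field_map: dict) -> Reconciliation:
    """Compare the two parallel runs record by record and field by field."""
    r = Reconciliation()
    r.missing = sorted(old.keys() - new.keys())
    r.extra = sorted(new.keys() - old.keys())
    for key in sorted(old.keys() & new.keys()):
        for old_f, new_f in field_map.items():
            o, n = old[key].get(old_f), new[key].get(new_f)
            if o != n:
                r.mismatched.append((key, old_f, o, n))
    return r

def control_total(run: dict, amount_field: str) -> Decimal:
    """Batch control total over one amount field, for the auditor's sign-off."""
    return sum((Decimal(rec[amount_field]) for rec in run.values()), Decimal("0"))

if __name__ == "__main__":
    result = reconcile(OLD_RUN, NEW_RUN, FIELD_MAP)
    print("clean:", result.clean, "| missing:", result.missing,
          "| extra:", result.extra, "| mismatched:", result.mismatched)
    print("control totals:", control_total(OLD_RUN, "balance"),
          "vs", control_total(NEW_RUN, "bal"))
```

A non-clean result or a difference in control totals is the discrepancy the slides say the parallel run exists to surface; the report itself is what gets retained as the audit trail of the conversion review.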