Chapter 9 Bonus Assignment (1) (2)
Ahmed Alamri
900181435
CHAPTER 9
Bonus Assignment
Obtain a copy of Generally Accepted Privacy Principles from the AICPA’s web site
(www.aicpa.org). (You will find it by following this path: Under Interest Areas choose
Information Management and Technology Assurance then in the upper left portion of
that page in the box titled Resources select Privacy and scroll down the list until you
find GAPP). Use the GAPP document to answer the following questions:
Confidentiality refers to the organization's intellectual property and other information that
it acquires and shares with business partners. There are rules governing the obligations of
individuals to preserve their privacy; however, there are no such comprehensive
regulations governing confidentiality. The term "privacy" refers to data acquired about
identifiable persons. Private and personal information should be secured from other
parties so that other users cannot use it to commit illicit or malicious acts on the web.

There are two types of personal information: personal information and sensitive personal
information. Personal information is information about, or that may be used to identify, an
identifiable individual. It encompasses any data that may be used to directly or indirectly
identify a person. Individuals include potential, present, and past customers, employees,
and anybody else with whom the company has a connection for this purpose. If an
organization collects information on an individual, the majority of that information is
likely to be deemed personal information if it can be linked to an identifiable individual.
The following are some instances of personal information:
• A consumer's name
• A consumer's home or e-mail address
• A consumer's identification number (for example, a Social Security or Social Insurance number)
• A consumer's physical attributes

Certain types of personal information are deemed sensitive. According to some laws and
regulations, the following constitute sensitive personal information:
• Medical or health-related information
• Financial information
• Race or ethnic origin
• Political ideas
•
9-1
© 2009 Pearson Education, Inc. Publishing as Prentice Hall
Ch. 9: Information Systems Controls for System Reliability – Part 2: Confidentiality and Privacy
3. In terms of the principle of choice and consent, what does GAPP recommend
concerning opt-in versus opt-out?
Consent is required for the collection of sensitive personal information (i.e., opt-in). Other
types of personal information may be gathered with the explicit (opt-in) or implicit (opt-
out) consent of the individual.
No. The section on "Outsourcing and Privacy" expressly emphasizes that when
organizations outsource the collection, use, and storage of personal information, they
cannot completely absolve themselves of their obligation to comply with privacy
requirements.
5. What does principle 1 state concerning top management’s and the Board of
Directors’ responsibility for privacy?
6. What does principle 1 state concerning the use of customers’ personal information
when testing new applications?
7. Obtain a copy of your university’s privacy policy statement. Does it satisfy GAPP
criterion 2.2.3? Why?
https://www.aucegypt.edu/privacy-statement
Yes, since AUC’s privacy notice is conspicuous and uses clear language.
In general, cookies are text files that are automatically saved whenever a visitor accesses
a web application. They also store information about the visitor's most recently visited
websites in the visitor's browser. Customer data must be secured in a way that prevents
others from gaining access to sensitive information. Businesses must implement policies
and processes to guarantee that if consumers want to deactivate cookies, the business
complies with their wishes.
9. What are some examples of practices that violate management criterion 4.2.2?
• Gathering personal information about an individual through tools such as cookies and
Web beacons on the entity's Web site without giving notice to the individual.
• Connecting information collected during an individual's visit to a Web site with
personal information from other sources without giving notice to the individual.
• Collecting information through a third party in order to avoid giving notice to
individuals.
10. What does management criterion 5.2.2 state concerning retention of customers’
personal information? How can organizations satisfy this criterion?
Organizations must have a retention policy and assess their data on a regular basis,
deleting those that are no longer relevant.
11. What does management criterion 5.2.3 state concerning the disposal of personal
information? How can organizations satisfy this criterion?
Organizations must delete media containing sensitive data. This may sometimes
necessitate the deletion of an entire file or database. Personal information must be
redacted before documents are released. Information security professionals should
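The two answers above (criterion 5.2.2, retention with periodic review and deletion; criterion 5.2.3, disposal and redaction before release) describe practices rather than code. The following Python script is an added example, not part of the assignment or of the GAPP document, showing one way an organisation could implement both: a retention policy keyed by the purpose for which data was collected, a sweep that disposes of records past their retention period while keeping a disposal log that contains no personal data, and a redaction step applied to copies of records before they leave the organisation. The record layout, field names, purposes and retention periods are all hypothetical, and the sample records are constructed.

```python
"""Retention sweep and redaction helpers (illustrative only; not from GAPP or
the textbook). Assumes each record is a dict with a 'purpose' key that maps to
a retention period and a 'collected_at' ISO date. All names are hypothetical."""
from datetime import date, timedelta

# Hypothetical retention policy: purpose -> maximum retention in days.
RETENTION_DAYS = {
    "order_fulfilment": 365,
    "marketing": 180,
    "support_ticket": 730,
}

# Hypothetical set of fields that count as personal information.
PII_FIELDS = {"name", "email", "address", "national_id"}

# Constructed sample records (not real data).
SAMPLE_RECORDS = [
    {"id": 1, "purpose": "order_fulfilment", "collected_at": "2023-01-10",
     "name": "A. Example", "email": "a@example.invalid", "order": "X-100"},
    {"id": 2, "purpose": "marketing", "collected_at": "2024-05-01",
     "name": "B. Example", "email": "b@example.invalid"},
    {"id": 3, "purpose": "support_ticket", "collected_at": "2022-03-15",
     "name": "C. Example", "national_id": "000-00-0000", "issue": "login"},
    {"id": 4, "purpose": "unknown_purpose", "collected_at": "2024-01-01",
     "name": "D. Example"},
]


def is_expired(record, today_iso, policy=RETENTION_DAYS):
    """True if the record is older than the retention period for its purpose.
    A purpose with no policy entry is treated as expired: data kept for no
    documented purpose has no retention justification."""
    limit = policy.get(record["purpose"])
    if limit is None:
        return True
    today = date.fromisoformat(today_iso)
    collected = date.fromisoformat(record["collected_at"])
    return today - collected > timedelta(days=limit)


def retention_sweep(records, today_iso, policy=RETENTION_DAYS):
    """Split records into (kept, disposal_log). The log holds only the id,
    purpose and date, never the personal data, so it can be kept as evidence
    of disposal without re-creating the data it documents."""
    kept, log = [], []
    for rec in records:
        if is_expired(rec, today_iso, policy):
            log.append({"id": rec["id"], "purpose": rec["purpose"],
                        "disposed_on": today_iso})
        else:
            kept.append(rec)
    return kept, log


def redact(record, pii_fields=PII_FIELDS):
    """Return a copy of the record with personal fields replaced, for release
    outside the organisation. Works on a copy so the stored record is untouched."""
    return {k: ("[REDACTED]" if k in pii_fields else v)
            for k, v in record.items()}


if __name__ == "__main__":
    kept, log = retention_sweep(SAMPLE_RECORDS, "2024-06-01")
    print("kept:", [r["id"] for r in kept])
    print("disposed:", log)
    print("release copies:", [redact(r) for r in kept])
```

Run as written, the sweep dated 2024-06-01 keeps only record 2 (marketing data 31 days old), disposes of records 1 and 3 (past their 365- and 730-day limits) and record 4 (no documented purpose), and the release copies show personal fields replaced while non-personal fields such as order numbers survive.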
12. What does management criterion 6.2.2 state concerning access? What controls
should organizations use to achieve this objective?
13. According to GAPP principle 7, what should organizations do if they wish to share
personal information they collect with a third party?
Accounting Information Systems
14. What does GAPP principle 8 state concerning the use of encryption?
The ninth principle emphasizes the critical need to preserve accurate records.
Principle Ten requires the existence of a method for resolving complaints.
One of the most common sources of complaints will likely be consumers finding
flaws and inconsistencies in their information that the organisation fails to address
in a timely manner when they are granted access according to principle 6.