
Accounting Information Systems

Ahmed Alamri
900181435
CHAPTER 9

CONFIDENTIALITY AND PRIVACY CONTROLS

Bonus Assignment

Case 9-2 Generally Accepted Privacy Principles

Obtain a copy of Generally Accepted Privacy Principles from the AICPA’s web site
(www.aicpa.org). (You will find it by following this path: Under Interest Areas choose
Information Management and Technology Assurance then in the upper left portion of
that page in the box titled Resources select Privacy and scroll down the list until you
find GAPP). Use the GAPP document to answer the following questions:

1. What is the difference between confidentiality and privacy?

 Confidentiality refers to the organization's intellectual property and other information that
it acquires and shares with business partners. There are rules governing the obligations of
individuals to preserve their privacy; however, there are no such comprehensive
regulations governing confidentiality. The term "privacy" refers to data acquired about
identifiable persons. Private and personal information should be secured from other
parties so that other users cannot use it to commit illicit or malicious acts on the web.

2. How many categories of personal information exist? Why?

 There are two types of personal information: personal information and sensitive personal
information. Personal information is information about or that may be used to identify an
identifiable individual. It encompasses any data that may be used to directly or indirectly
identify a person. Individuals include potential, present, and past customers, employees,
and anybody else with whom the company has a connection for this purpose. If an
organization collects information on an individual, the majority of that information is
likely to be deemed personal information if it can be linked to an identifiable individual.
The following are some instances of personal information: a consumer's name; a
consumer's home or e-mail address; a consumer's identification number (for example, a
Social Security or Social Insurance number); a consumer's physical attributes. Certain
types of personal information are deemed sensitive. According to some laws and
regulations, the following constitutes sensitive personal information: • Medical or health-
related information • Financial information • Race or ethnic origin • Political ideas •
Religious or philosophical beliefs • Union membership. Sensitive personal information
needs an additional layer of security and a greater degree of attention. Generally,
nonpersonal information is not protected by privacy laws since it cannot be connected to
an individual. However, some companies may continue to be subject to duties regarding
nonpersonal information as a result of other rules and agreements (for example, clinical
research and market research). The distinction is that sensitive personal information may
result in serious damage to an individual if it is mishandled.
9-1
© 2009 Pearson Education, Inc. Publishing as Prentice Hall
Ch. 9: Information Systems Controls for System Reliability – Part 2: Confidentiality and Privacy

3. In terms of the principle of choice and consent, what does GAPP recommend
concerning opt-in versus opt-out?

 Consent is required for the collection of sensitive personal information (i.e., opt-in). Other
types of personal information may be gathered with the explicit (opt-in) or implicit (opt-
out) consent of the individual.

4. Can organizations outsource their responsibility for privacy?

 No. The section on "Outsourcing and Privacy" expressly emphasizes that when
organizations outsource the collection, use, and storage of personal information, they
cannot completely absolve themselves of their obligation to comply with privacy
requirements.

5. What does principle 1 state concerning top management’s and the Board of
Directors’ responsibility for privacy?

 It is the obligation of top management to delegate privacy management to a specific
individual or team (management criterion 1.1.2). The Board of Directors should examine
privacy policies at least annually as an exemplary control for this criterion.

6. What does principle 1 state concerning the use of customers’ personal information
when testing new applications?

 Whenever an application is being tested, all personal information associated with a
consumer must be erased. While testing the systems, some unauthorised users may abuse
the customer's personal information without the knowledge of the legitimate users.
Finally, personal client information must be anonymized and erased prior to
doing new system testing.
© 2015 Pearson Education Limited.

7. Obtain a copy of your university’s privacy policy statement. Does it satisfy GAPP
criterion 2.2.3? Why?

 https://www.aucegypt.edu/privacy-statement
 Yes, since AUC’s privacy notice is conspicuous and uses clear language.

8. What does GAPP principle 3 say about the use of cookies?

 In general, cookies are text files that are automatically saved whenever a visitor accesses
a web application. They also store information about the visitor's most recently visited
websites in the visitor's browser. Customer data must be secured in a way that prevents
others from gaining access to sensitive information. Businesses must implement policies
and processes to guarantee that if consumers want to deactivate cookies, the business
complies with their desires.

9. What are some examples of practices that violate management criterion 4.2.2?

 To gather personal information about an individual through the use of tools such
as cookies and Web beacons on the entity's Web site without giving notice to the
individual. To connect information collected during an individual's visit to a Web
site with personal information from other sources without giving notice to the
individual. To collect information through the use of a third party in order to
avoid giving notice to individuals.

10. What does management criterion 5.2.2 state concerning retention of customers’
personal information? How can organizations satisfy this criterion?

 Organizations must have a retention policy and assess their data on a regular basis,
deleting those that are no longer relevant.

11. What does management criterion 5.2.3 state concerning the disposal of personal
information? How can organizations satisfy this criterion?

 Organizations must delete media containing sensitive data. This may sometimes
necessitate the deletion of an entire file or database. Personal information must be
redacted before documents are released. Information security professionals should
be employed to ensure the protection of highly sensitive personal information.
Sensitive information may cause panic in a crisis, and so suitable and effective
security measures must be taken to accomplish the organization's objective.
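As an added illustration of the two answers above (it is not part of the assignment, the textbook, or the GAPP document), the following Python script enforces a hypothetical retention policy (criterion 5.2.2) over a small constructed set of customer records, disposes of records that are past retention or have no documented purpose, and redacts Social Security numbers and e-mail addresses from text before a document is released (criterion 5.2.3). The retention periods, record layout and sample values are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
import re

# Hypothetical retention periods in days, keyed by the documented purpose
# for which the information was collected (constructed policy values).
RETENTION_DAYS = {
    "active_customer": 730,    # two years after last activity
    "marketing_consent": 180,  # six months after last contact
    "closed_account": 2555,    # seven years, e.g. for financial records
}

@dataclass
class Record:
    record_id: str
    purpose: str
    last_used: date
    fields: dict  # personal information held for this individual

def is_expired(record: Record, today: date) -> bool:
    """A record is past retention when no documented purpose covers it, or
    when the retention window since its last use has elapsed."""
    limit = RETENTION_DAYS.get(record.purpose)
    if limit is None:
        return True
    return (today - record.last_used) > timedelta(days=limit)

def dispose(record: Record) -> None:
    """Overwrite every personal field, then drop the mapping contents, so the
    object holds nothing usable after the sweep."""
    for key in list(record.fields):
        record.fields[key] = None
    record.fields.clear()

def retention_sweep(records, today):
    """Apply the policy to a batch: returns (kept records, disposed ids)."""
    kept, disposed = [], []
    for rec in records:
        if is_expired(rec, today):
            dispose(rec)
            disposed.append(rec.record_id)
        else:
            kept.append(rec)
    return kept, disposed

# Patterns for identifiers that must not leave the organization in released
# documents; constructed for this example.
_SSN = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
_EMAIL = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

def redact(text: str) -> str:
    """Mask SSNs and e-mail addresses in free text before release."""
    text = _SSN.sub("[SSN REDACTED]", text)
    return _EMAIL.sub("[EMAIL REDACTED]", text)

def sample_records():
    """Constructed dataset; every value here is made up."""
    return [
        Record("r1", "active_customer", date(2023, 6, 1),
               {"name": "A. Example", "email": "a@example.com"}),
        Record("r2", "marketing_consent", date(2022, 1, 15),
               {"name": "B. Example", "email": "b@example.com"}),
        Record("r3", "no_documented_purpose", date(2024, 1, 1),
               {"name": "C. Example", "ssn": "123-45-6789"}),
        Record("r4", "closed_account", date(2020, 1, 1),
               {"name": "D. Example", "iban": "XX00 0000 0000"}),
    ]

def run_demo(today=date(2024, 3, 1)):
    """Run the sweep on the constructed data as of a fixed date."""
    kept, disposed = retention_sweep(sample_records(), today)
    return [r.record_id for r in kept], disposed

if __name__ == "__main__":
    kept_ids, disposed_ids = run_demo()
    print("kept:", kept_ids, "disposed:", disposed_ids)
    print(redact("Contact a@example.com, SSN 123-45-6789"))
```

Running the script as of 1 March 2024 keeps r1 and r4 and disposes of r2 (marketing consent older than six months) and r3 (no purpose in the policy). In a real system the sweep would run on a schedule and the disposal step would also wipe backups and log files, which this in-memory example does not cover.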

12. What does management criterion 6.2.2 state concerning access? What controls
should organizations use to achieve this objective?

 Organizations must verify the identity of individuals seeking access to their
personal data. Employees are appropriately trained to verify an individual's
identity before granting the following: access to their personally
identifiable information; requests to amend or delete sensitive or other personally
identifiable information (for example, to update information such as an address or
bank details). The entity does not authenticate using government-issued IDs (for
example, Social Security or Social Insurance numbers). It sends information about
a change request only to the address on file, or to both the old and new
addresses in the event of a change of address. It requires online access to user
account information to be protected by a unique user identifier and password (or
similar).
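The controls listed in the answer above, as an added example in Python that is not part of the assignment, the textbook, or GAPP: an in-memory account store where the only authenticator is a unique user identifier plus a user-chosen password (stored as a salted PBKDF2 hash), where both reading a profile and changing an address require that check first, and where an address change produces confirmations for both the old and the new address. The Social Security number in the sample profile is data to be protected, never something the store accepts as proof of identity. The account data, identifiers and iteration count are assumptions.

```python
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 200_000  # assumed iteration count; tune to your hardware

def hash_password(password: str, salt: bytes) -> bytes:
    """Derive a fixed-length digest from a password and per-account salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)

class AccountStore:
    """In-memory store; a real deployment would back this with a database."""

    def __init__(self):
        self._accounts = {}

    def register(self, user_id: str, password: str, profile: dict) -> None:
        """Create an account; only the salted hash of the password is kept."""
        salt = os.urandom(16)
        self._accounts[user_id] = {
            "salt": salt,
            "digest": hash_password(password, salt),
            "profile": dict(profile),
        }

    def authenticate(self, user_id: str, password: str) -> bool:
        """Verify identity with the unique user id and the user's password.
        Profile fields such as an SSN are never consulted here."""
        acct = self._accounts.get(user_id)
        if acct is None:
            # Run the KDF anyway so an unknown id is not distinguishable
            # from a wrong password by response time.
            hash_password(password, b"\x00" * 16)
            return False
        return hmac.compare_digest(hash_password(password, acct["salt"]),
                                   acct["digest"])

    def get_profile(self, user_id: str, password: str) -> dict:
        """Disclose personal information only after identity is verified."""
        if not self.authenticate(user_id, password):
            raise PermissionError("identity not verified")
        return dict(self._accounts[user_id]["profile"])

    def change_address(self, user_id: str, password: str, new_address: str) -> list:
        """Amend the address after verification; returns the addresses that
        must receive a confirmation of the change (old and new)."""
        if not self.authenticate(user_id, password):
            raise PermissionError("identity not verified")
        profile = self._accounts[user_id]["profile"]
        old_address = profile["address"]
        profile["address"] = new_address
        return [old_address, new_address]

def build_demo_store() -> AccountStore:
    """Constructed sample account; all values are made up."""
    store = AccountStore()
    store.register("cust-001", "correct horse battery staple",
                   {"name": "A. Example", "address": "1 Old Street",
                    "ssn": "123-45-6789"})
    return store

if __name__ == "__main__":
    store = build_demo_store()
    print(store.change_address("cust-001", "correct horse battery staple", "2 New Road"))
    print(store.get_profile("cust-001", "correct horse battery staple")["address"])
```

Note that presenting the SSN from the profile as the "password" fails like any other wrong password, which is the behaviour the answer's point about government-issued IDs calls for.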

13. According to GAPP principle 7, what should organizations do if they wish to share
personal information they collect with a third party?

 Organizations should disclose to third parties their intention to share information
(management criterion 7.1.1); provide information about the organization's privacy
practices to third parties (management criterion 7.1.2); share information with
other parties only if they have in place measures that offer the same degree of
privacy protection as the sharing organization (management criterion 7.2.2); and take
corrective action against third parties that misuse personally identifiable
information that has been supplied to them (management criterion 7.2.4).


14. What does GAPP principle 8 state concerning the use of encryption?

 Personal information must be encrypted whenever it is transferred or stored on
portable media (management criteria 8.2.5 and 8.2.6).

15. What is the relationship between GAPP principles 9 and 10?

 The ninth principle emphasizes the critical need for preserving accurate records.
Principle Ten requires the existence of a method for resolving complaints.
One of the most common sources of complaints will likely be consumers finding
flaws and inconsistencies in their information that the organisation fails to address
in a timely manner when they are granted access according to principle 6.
