Accounting Information Systems

Fourteenth Edition

Chapter 9
Confidentiality and Privacy
Controls

Copyright © 2018 Pearson Education, Inc. All Rights Reserved

Learning Objectives
• Describe the controls that can be used to protect the
confidentiality of sensitive information.
• Explain the controls that organization’s use to protect the
privacy of personal information they collect from
customers, suppliers, and employees, and discuss how the
Generally Accepted Privacy Principles (GAPP) framework
provides guidance in developing a comprehensive
approach to protecting privacy.
• Discuss how different types of encryption systems work,
and explain how digital signatures provide the means for
creating legally-enforceable contracts.

Copyright © 2018 Pearson Education, Inc. Chapter 9: Confidentiality and Privacy Controls Slide 1 - 2
Protecting Confidentiality and Privacy of
Sensitive Information
• Identify and classify information to protect
• Where is it located and who has access?
• Classify value of information to organization
• Encryption
• Protect information in transit and in storage
• Access controls
• Information Rights Management (IRM)
• Data loss prevention (DLP)
• Digital watermarks
• Training
Copyright © 2018 Pearson Education, Inc. Chapter 9: Confidentiality and Privacy Controls Slide 1 - 3
Privacy Concerns
1. Spam-unsolicited e-mail that contains either advertising
or offensive content.
2. Identity theft-assuming someone’s identity, usually for
financial gain.

Copyright © 2018 Pearson Education, Inc. Chapter 9: Confidentiality and Privacy Controls Slide 1 - 4
Generally Accepted Privacy Principles
• Management • Access
– Procedures and policies with – Customer should be able to
assigned responsibility and review, correct, or delete
accountability information collected on them
• Notice • Disclosure to third parties
– Provide notice of privacy policies and • Security
practices prior to collecting data
– Protect from loss or
• Choice and consent unauthorized access
– Opt-in versus opt-out approaches • Quality
• Collection • Monitoring and enforcement
– Only collect needed information – Procedures in responding to
• Use, retention, and disposal complaints
– Use information only for stated – Compliance
business purpose. When no longer
useful, dispose in a secure manner.
Copyright © 2018 Pearson Education, Inc. Chapter 9: Confidentiality and Privacy Controls Slide 1 - 5
Encryption
• Preventative control

• Factors that influence encryption strength:

– Key length (longer = stronger)
– Algorithm
– Management policies
 Stored securely

Copyright © 2018 Pearson Education, Inc. Chapter 9: Confidentiality and Privacy Controls Slide 1 - 6
 Encryption Steps
• Takes plain text and with an
encryption key and algorithm,
converts to unreadable
ciphertext (sender of message)
• To read ciphertext, encryption
key reverses process to make
information readable (receiver of
message)

Copyright © 2018 Pearson Education, Inc. Chapter 9: Confidentiality and Privacy Controls Slide 1 - 7
Types of Encryption
Symmetric Asymmetric

• Uses one key to encrypt and • Uses two keys

decrypt – Public—everyone has access
• Both parties need to know the – Private—used to decrypt (only
key known by you)
– Public key can be used by all your
– Need to securely communicate the
trading partners
shared key
– Cannot share key with multiple • Can create digital signatures
parties, they get their own (different)
key from the organization

Copyright © 2018 Pearson Education, Inc. Chapter 9: Confidentiality and Privacy Controls Slide 1 - 8
Digital Signatures
Used to create legally binding agreements (two steps to
create)
1. Document creator uses a hashing algorithm to generate
a hash of the original document
2. Document creator uses private key to encrypt step 1
above

Copyright © 2018 Pearson Education, Inc. Chapter 9: Confidentiality and Privacy Controls Slide 1 - 9
Virtual Private Network
• Securely transmits encrypted data between sender and
receiver
– Sender and receiver have the appropriate encryption and
decryption keys.

Copyright © 2018 Pearson Education, Inc. Chapter 9: Confidentiality and Privacy Controls Slide 1 - 10
Key Terms
• Information rights management (IRM) • Asymmetric encryption systems
• Data loss prevention (DLP) • Public key
• Digital watermark • Private key
• Data masking • Key escrow
• Tokenization • Hashing
• Spam • Hash
• Identity theft • Nonrepudiation
• Cookie • Digital signature
• Encryption • Digital certificate
• Plaintext • Certificate authority
• Ciphertext • Public key infrastructure (PKI)
• Decryption • Virtual private network (VPN)
• Symmetric encryption systems

Copyright © 2018 Pearson Education, Inc. Chapter 9: Confidentiality and Privacy Controls Slide 1 - 11
Copyright © 2018 Pearson Education, Inc. Chapter 9: Confidentiality and Privacy Controls Slide 1 - 12