Ch 9 Flashcards

1
Q

Four basic actions must be taken to preserve the confidentiality of sensitive information:

A

(1) identify and classify the information to be protected, (2) encrypt the information, (3) control access to the information, and (4) train employees to properly handle the information.

2
Q

What type of software provides an extra layer of protection for sensitive electronic information?

A

Information rights management (IRM) - software that offers the capability not only to limit access to specific files or documents, but also to specify the actions (read, copy, print, download, etc.) that individuals who are granted access to that resource can perform. Some IRM software can also limit access privileges to a specific period of time and remotely erase protected files.

3
Q

DLP is a preventive control. What is DLP?

A

Data loss prevention (DLP) - software that works like an antivirus program in reverse, blocking outgoing messages (e-mail, instant messages, etc.) that contain key words or phrases associated with intellectual property or other sensitive data the organization wants to protect.

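The outbound filter described above, as an added example (my own code, not from the textbook or these flashcards): a small DLP inspector in Go that scans a message body for policy keywords, Social Security numbers and payment card numbers. Candidate card numbers are checked with the Luhn checksum, so an order number that merely looks like a card number is not blocked. The rule list, the "project falcon" codename and the sample messages are all made up for the example.

```go
package main

import (
    "fmt"
    "regexp"
    "strings"
)

// Finding is one reason an outbound message would be held by the DLP filter.
type Finding struct {
    Rule  string // which rule fired
    Match string // the offending text (mask this before it reaches a log in production)
}

// Hypothetical policy for the example. Real DLP products load rules from an
// administrator-maintained policy, not from source code. "project falcon" is a
// made-up internal codename standing in for intellectual property.
var (
    keywordRules = []string{"confidential", "internal use only", "project falcon"}
    ssnPattern   = regexp.MustCompile(`\b\d{3}-\d{2}-\d{4}\b`)
    // 13-16 digits, optionally separated by single spaces or dashes.
    cardPattern = regexp.MustCompile(`\b(?:\d[ -]?){12,15}\d\b`)
)

// luhnValid reports whether a digit string passes the Luhn checksum that every
// payment card number satisfies. Invoice and order numbers that merely look
// like card numbers almost never do, which cuts false positives.
func luhnValid(digits string) bool {
    sum, double := 0, false
    for i := len(digits) - 1; i >= 0; i-- {
        d := int(digits[i] - '0')
        if double {
            d *= 2
            if d > 9 {
                d -= 9
            }
        }
        sum += d
        double = !double
    }
    return sum%10 == 0
}

// Inspect scans one outbound message body and returns every rule it trips.
func Inspect(body string) []Finding {
    var findings []Finding
    lower := strings.ToLower(body)
    for _, kw := range keywordRules {
        if strings.Contains(lower, kw) {
            findings = append(findings, Finding{Rule: "keyword", Match: kw})
        }
    }
    for _, m := range ssnPattern.FindAllString(body, -1) {
        findings = append(findings, Finding{Rule: "ssn", Match: m})
    }
    stripSep := strings.NewReplacer(" ", "", "-", "")
    for _, m := range cardPattern.FindAllString(body, -1) {
        if luhnValid(stripSep.Replace(m)) {
            findings = append(findings, Finding{Rule: "payment-card", Match: m})
        }
    }
    return findings
}

// ShouldBlock is the preventive decision: hold the message if anything matched.
func ShouldBlock(body string) bool {
    return len(Inspect(body)) > 0
}

func main() {
    // Constructed sample messages, not real data.
    messages := []string{
        "Lunch is at noon. Order #1234 5678 9012 3456 has shipped.",
        "Per our CONFIDENTIAL review, the applicant's SSN is 123-45-6789 and the card on file is 4111 1111 1111 1111",
    }
    for _, m := range messages {
        fmt.Printf("block=%v findings=%+v\n", ShouldBlock(m), Inspect(m))
    }
}
```

The first sample passes because 1234 5678 9012 3456 fails the Luhn check; the second trips all three rules. Keyword and regex rules alone are noisy in practice, so real deployments add document fingerprinting and exact-match lists of protected records on top of what is shown here.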
4
Q

Should VoIP and telephone conversations be encrypted?

A

They should, especially when they concern sensitive information. As voice traffic increasingly travels over the Internet (VoIP), it is becoming more and more vulnerable to interception.

5
Q

What is data masking?

A

A program that protects privacy by replacing personal information with fake values that keep the same characteristics (e.g., replacing a real Social Security number with a different nine-digit value in the same NNN-NN-NNNN format, such as 123-45-6789) before the data is sent to the program development and testing systems.
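The masking step described above, as an added example in Go (my own code, not the textbook's): a real SSN is replaced by a fake one that keeps the NNN-NN-NNNN shape and valid ranges. The fake value is derived from a keyed HMAC, so the same real value always masks to the same fake value (joins between masked test tables keep working) while nobody without the key can reverse or recompute the mapping. The key, the names and the rows are constructed for the example.

```go
package main

import (
    "crypto/hmac"
    "crypto/sha256"
    "encoding/binary"
    "errors"
    "fmt"
    "regexp"
)

var ssnFormat = regexp.MustCompile(`^\d{3}-\d{2}-\d{4}$`)

// MaskSSN replaces a real Social Security number with a fake one of the same
// shape: NNN-NN-NNNN with area 001-899 (never 666), group 01-99, serial 0001-9999.
// The fake value is derived from HMAC-SHA256(key, ssn), so the same input
// always yields the same output, and without the key the mapping cannot be
// reversed, so the test environment never needs to see the real values.
func MaskSSN(key []byte, ssn string) (string, error) {
    if len(key) < 16 {
        return "", errors.New("masking key must be at least 128 bits")
    }
    if !ssnFormat.MatchString(ssn) {
        return "", errors.New("input is not in NNN-NN-NNNN form")
    }
    mac := hmac.New(sha256.New, key)
    mac.Write([]byte(ssn))
    v := binary.BigEndian.Uint64(mac.Sum(nil)[:8])

    area := int(v%898) + 1 // 1..898
    if area >= 666 {       // shift 666..898 up to 667..899 so 666 is never produced
        area++
    }
    v /= 898
    group := int(v%99) + 1 // 1..99
    v /= 99
    serial := int(v%9999) + 1 // 1..9999
    out := fmt.Sprintf("%03d-%02d-%04d", area, group, serial)
    if out == ssn { // vanishingly unlikely, but never hand the real value back
        return "", errors.New("masked value collided with input; rotate the masking key")
    }
    return out, nil
}

// MaskRecords masks the "ssn" field of each record in place, leaving the other
// fields untouched (add maskers for names, addresses, etc. in the same way).
func MaskRecords(key []byte, records []map[string]string) error {
    for _, r := range records {
        masked, err := MaskSSN(key, r["ssn"])
        if err != nil {
            return err
        }
        r["ssn"] = masked
    }
    return nil
}

func main() {
    // Assumption: in a real deployment the key lives in a secrets store, not in code.
    key := []byte("example-masking-key-keep-me-in-a-vault")
    // Constructed sample rows, not real people.
    rows := []map[string]string{
        {"name": "Ada", "ssn": "123-45-6789"},
        {"name": "Ada (duplicate row)", "ssn": "123-45-6789"},
        {"name": "Grace", "ssn": "987-65-4321"},
    }
    if err := MaskRecords(key, rows); err != nil {
        panic(err)
    }
    for _, r := range rows {
        fmt.Println(r["name"], r["ssn"])
    }
}
```

The two "Ada" rows come out with the same masked SSN, which is the property that lets developers test joins and lookups without real data. The masking key must be protected like any other secret: whoever holds it can reproduce the mapping from a known real value.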

6
Q

CAN-SPAM (the U.S. federal law regulating commercial e-mail): key provisions

A

● The sender's identity must be clearly displayed in the header of the message.
● The subject field in the header must clearly identify the message as an advertisement or solicitation.
● The body of the message must provide recipients with a working link that can be used to opt out of future e-mail. After receiving an opt-out request, organizations have 10 business days to implement steps to ensure they do not send any additional unsolicited e-mail to that address. This means that organizations need to assign someone the responsibility for processing opt-out requests.
● The body of the message must include the sender's valid postal address. Although not required, best practice is to also include the full street address, telephone, and fax numbers.
● Organizations should not send commercial e-mail to randomly generated addresses, nor should they set up websites designed to "harvest" e-mail addresses of potential customers. Experts recommend that organizations redesign their own websites to include a visible means for visitors to opt in to receiving e-mail, such as checking a box.

7
Q

List the ten principles of the GAPP framework (1-5)

A
  1. Management - establish procedures and policies for protecting the personal information the organization collects from customers and obtains from third parties (e.g., credit bureaus), and assign responsibility and accountability for them.
  2. Notice - provide clear notice of the organization's privacy policies and practices (what information is collected and what is done with it) at or before the time the information is collected, or as soon as practicable afterward.
  3. Choice and consent - explain the choices available and obtain consent before collecting and using personal information. GAPP recommends opt-in (ask first); in the US the default policy is opt-out, which means companies collect information unless the customer objects.
  4. Collection - collect only the information needed to fulfill the purposes stated in the privacy policy.
  5. Use and retention - use personal information only as stated in the policy, and create retention policies so it is kept only as long as it is needed.

8
Q

Identity fraud has recently increased in which areas?

A

Medical identity theft and tax-refund identity theft (using a stolen Social Security number).

9
Q

The ten best practices for protecting the privacy of customers' personal information are known as

A

GAPP (Generally Accepted Privacy Principles)

10
Q

Cookies are

A

A text file created by a website and stored on a visitor's hard drive. Cookies store information about who the user is and what the user has done on the site.

11
Q

GAPP principles 6-10

A

  6. Access - provide individuals with a way to access their information so they can review and correct it (and, where applicable, have it deleted).
  7. Disclosure to third parties - disclose personal information to a third party only if doing so complies with the stated privacy policy and the third party provides the same level of protection. Information sent to third parties should be encrypted.
  8. Security - take reasonable steps to protect customers' personal information from loss or unauthorized disclosure: train employees, and use preventive, detective, and corrective controls. Employees must be trained to securely erase all information from storage media before the media are disposed of or reused, and to be careful with e-mail (for example, not exposing every recipient's address by putting a whole customer list on cc).
  9. Quality - maintain the integrity of customers' personal information and make sure it is reasonably accurate. One way: give customers a means to review and correct it.
  10. Monitoring and enforcement - assign one or more employees responsibility for ensuring compliance with the stated privacy policies, and periodically verify that the organization is in compliance.

12
Q

Three factors that influence encryption strength?

A
  1. Encryption algorithm - use a published, widely analyzed algorithm that has withstood public scrutiny (e.g., AES), typically by buying a product that implements such a standard, rather than a proprietary or secret algorithm.
  2. Policies for managing cryptographic keys - keys must be generated randomly, stored securely, distributed only to authorized parties, rotated periodically, and revoked if compromised. A strong algorithm provides no protection if the key leaks.
  3. Key length - longer keys provide stronger encryption because each additional bit doubles the number of keys an attacker must try in a brute-force search.

13
Q

In summary, what does implementing the GAPP framework involve, and who needs to be knowledgeable about it?

A

First implementing a combination of policies, procedures, and technology; then training everyone in the organization to act in accordance with those plans; and subsequently monitoring compliance. Only senior management possesses the authority and the resources to accomplish this, so it is a managerial issue as well as an IT issue.

Because accountants and auditors serve as trusted advisers to senior management, they too need to be knowledgeable about these issues.

14
Q

___ provides one
last barrier that must be overcome by an intruder who has obtained unauthorized access to
stored information.

A

Encryption

15
Q

What is Plaintext?

A

plaintext - normal text that has not been encrypted.

16
Q

Ciphertext?

A

ciphertext - Plaintext that was
transformed into unreadable
gibberish using encryption.

17
Q

What is encryption?

A

the process of
transforming normal text, called
plaintext, into unreadable
gibberish, called ciphertext.

18
Q

Decryption?

A

decryption - transforming ciphertext back into plaintext.

19
Q

Difference between symmetric and asymmetric encryption

A

Symmetric - encryption methods that use the same key to both encrypt and decrypt.

Asymmetric - uses a pair of keys, one public and one private. Either key can encrypt, but only the other key of the pair can decrypt the result.
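Cards 12 and 15-19 define plaintext, ciphertext, symmetric keys and key length in the abstract. This added Go example (my own code, not from the textbook) shows the round trip concretely with AES-GCM, a standard symmetric algorithm: generate a key of one of the lengths AES accepts, encrypt, decrypt, and see that a wrong key or a single altered byte is rejected rather than decrypted to garbage. The sample plaintext is constructed.

```go
package main

import (
    "crypto/aes"
    "crypto/cipher"
    "crypto/rand"
    "errors"
    "fmt"
)

// NewKey returns a random AES key. AES only accepts 128-, 192- or 256-bit keys;
// every extra bit doubles the work of a brute-force search, so 256 is the usual choice.
func NewKey(bits int) ([]byte, error) {
    if bits != 128 && bits != 192 && bits != 256 {
        return nil, errors.New("AES key length must be 128, 192 or 256 bits")
    }
    key := make([]byte, bits/8)
    if _, err := rand.Read(key); err != nil {
        return nil, err
    }
    return key, nil
}

// Encrypt turns plaintext into ciphertext with AES-GCM. The output is
// nonce || ciphertext || authentication tag. The nonce is fresh for every
// message and need not be secret; reusing one under the same key is what breaks GCM.
func Encrypt(key, plaintext []byte) ([]byte, error) {
    block, err := aes.NewCipher(key) // fails on any other key length
    if err != nil {
        return nil, err
    }
    gcm, err := cipher.NewGCM(block)
    if err != nil {
        return nil, err
    }
    nonce := make([]byte, gcm.NonceSize())
    if _, err := rand.Read(nonce); err != nil {
        return nil, err
    }
    return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// Decrypt turns ciphertext back into plaintext. Because GCM authenticates,
// the wrong key or a single flipped byte yields an error, not garbage plaintext.
func Decrypt(key, data []byte) ([]byte, error) {
    block, err := aes.NewCipher(key)
    if err != nil {
        return nil, err
    }
    gcm, err := cipher.NewGCM(block)
    if err != nil {
        return nil, err
    }
    if len(data) < gcm.NonceSize()+gcm.Overhead() {
        return nil, errors.New("ciphertext too short")
    }
    nonce, ct := data[:gcm.NonceSize()], data[gcm.NonceSize():]
    return gcm.Open(nil, nonce, ct, nil)
}

func main() {
    key, err := NewKey(256)
    if err != nil {
        panic(err)
    }
    plaintext := []byte("Q3 acquisition target: Example Corp") // constructed sample
    ct, err := Encrypt(key, plaintext)
    if err != nil {
        panic(err)
    }
    fmt.Printf("ciphertext (%d bytes): %x\n", len(ct), ct)
    pt, err := Decrypt(key, ct)
    fmt.Printf("decrypted: %q err=%v\n", pt, err)
    ct[len(ct)-1] ^= 0x01 // flip one bit of the authentication tag
    _, err = Decrypt(key, ct)
    fmt.Println("after tampering:", err)
}
```

The key is the only secret here: the algorithm, the nonce and the ciphertext can all be public, which is why card 12's second factor (key management) matters as much as the algorithm choice.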

20
Q

See Figure 9-4 for how digital signatures are created and used.

A

See Figure 9-4.

21
Q

What is the public key?

A

one of the keys
used in asymmetric encryption
systems. It is widely distributed
and available to everyone.

22
Q

To keep a key from being lost, companies use "key escrow". What is that?

A

The process of storing a copy of an encryption key in a secure location.

23
Q

What is the private key?

A
one of the keys 
used in asymmetric encryption 
systems. It is kept secret and 
known only to the owner of that 
pair of public and private keys.
24
Q

One can make a document legally binding with a digital signature. How is a digital signature created?

A

The document creator first generates a hash of the document (or file) and then encrypts that hash using his or her private key (that is, signs it). The resulting encrypted hash is the digital signature. Anyone holding the signer's public key can decrypt the signature, recompute the hash of the document, and compare the two. This provides assurance about two important issues: (1) that a copy of the document or file has not been altered, and (2) who created the original version of the digital document or file. Thus, digital signatures provide assurance that someone cannot enter into a digital transaction and then subsequently deny having done so and refuse to fulfill their side of the contract.

25
Q

Hashing is NOT a way to protect confidentiality or privacy. So what is it and what is it used for?

A

Transforming plaintext of any length into a short, fixed-length code called a hash (or digest). Hashing is one-way: the original cannot be recovered from the hash, which is why it provides integrity rather than confidentiality. To check integrity, run both copies of a document through the same hashing algorithm; if the hashes match, the copies are identical, and if they differ, one copy has been altered. Hashing is also the first step in creating a digital signature, so it is especially important for legally binding signatures.

26
Q

What is nonrepudiation, and how is it achieved?

A

Creating legally binding agreements that cannot be unilaterally repudiated by either party. It is achieved with digital signatures: because only the holder of the private key could have produced the signature, the signer cannot later deny having signed, and a digital certificate from a certificate authority ties that public key to a specific person or organization.
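Cards 24-26 describe hashing, signing and nonrepudiation; the textbook only points to Figure 9-4 for the mechanics. This added Go example (my own code, not the textbook's) carries the procedure through: hash the document, sign the digest with the private key, verify with the public key, and watch verification fail for an altered document, a damaged signature, or a different signer. The contract text and the party names are constructed.

```go
package main

import (
    "crypto"
    "crypto/rand"
    "crypto/rsa"
    "crypto/sha256"
    "encoding/hex"
    "fmt"
)

// NewSigningKey generates an RSA key pair. The private half stays with the
// signer; the public half is published (in practice inside a digital certificate).
func NewSigningKey(bits int) (*rsa.PrivateKey, error) {
    return rsa.GenerateKey(rand.Reader, bits)
}

// Fingerprint is the SHA-256 hash of a document: 32 bytes no matter how long
// the input is, and any change to the input changes it. It hides nothing about
// the document (hashing is an integrity control, not a confidentiality one).
func Fingerprint(doc []byte) string {
    sum := sha256.Sum256(doc)
    return hex.EncodeToString(sum[:])
}

// Sign hashes the document and signs the digest with the private key (RSA-PSS).
// Only the holder of the private key can produce this value.
func Sign(priv *rsa.PrivateKey, doc []byte) ([]byte, error) {
    digest := sha256.Sum256(doc)
    return rsa.SignPSS(rand.Reader, priv, crypto.SHA256, digest[:], nil)
}

// Verify recomputes the digest and checks the signature with the signer's
// public key. False means the document was altered, the signature is damaged,
// or the signature was made with some other private key.
func Verify(pub *rsa.PublicKey, doc, sig []byte) bool {
    digest := sha256.Sum256(doc)
    return rsa.VerifyPSS(pub, crypto.SHA256, digest[:], sig, nil) == nil
}

func main() {
    alice, err := NewSigningKey(2048)
    if err != nil {
        panic(err)
    }
    contract := []byte("Alice agrees to pay Bob 1,000 USD by 2025-01-31.") // constructed sample
    sig, err := Sign(alice, contract)
    if err != nil {
        panic(err)
    }
    fmt.Println("hash:     ", Fingerprint(contract))
    fmt.Println("original: ", Verify(&alice.PublicKey, contract, sig))
    altered := []byte("Alice agrees to pay Bob 9,000 USD by 2025-01-31.")
    fmt.Println("altered:  ", Verify(&alice.PublicKey, altered, sig))
}
```

Nonrepudiation rests on the private key never leaving Alice's control: if it leaks, anyone can produce signatures she cannot disown, which is why key management (card 12) and key escrow (card 22) have to be handled with care for signing keys.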

27
Q

See p. 271 for the advantages of symmetric vs. asymmetric encryption

A

p. 271

Main difference: symmetric encryption is much faster, but both parties must share the same secret key, so distributing and protecting that key is the risk. Asymmetric encryption avoids the shared secret (the public key can be distributed freely) but is much slower, so in practice it is used to exchange symmetric keys and to create digital signatures rather than to encrypt bulk data.

28
Q

What is a VPN tunnel?

A

An encrypted channel across the Internet that is accessible only to those parties possessing the appropriate encryption and decryption keys. VPNs also include controls to authenticate the parties exchanging information and to create an audit trail of the exchange. Thus, VPNs ensure that sensitive information is exchanged securely and in a manner that can provide proof of its authenticity.

29
Q

What is a VPN?

A

Virtual private network (VPN) - using encryption and authentication to securely transfer information over the Internet, thereby creating a "virtual" private network. It provides the functionality of a privately owned secure network without the associated costs of leased telephone lines, satellites, and other communication equipment.

30
Q

What is PKI?

A

Public key infrastructure (PKI) - the system for issuing pairs of public and private keys and corresponding digital certificates.

31
Q

What is a digital certificate?

A

A digital certificate is an electronic document that contains an entity's public key and certifies the identity of the owner of that particular public key. Thus, digital certificates function like the digital equivalent of a driver's license or passport. Just as passports and driver's licenses are issued by a trusted independent party (the government) and employ mechanisms such as holograms and watermarks to prove that they are genuine, digital certificates are issued by an organization called a certificate authority and contain the certificate authority's digital signature to prove that they are genuine.
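To make the passport analogy concrete, an added Go example (my own code, not from the textbook) builds the pieces the card names: a certificate authority with a self-signed certificate, a certificate the CA issues that binds a host name to a public key and carries the CA's signature, and the relying party's check that a presented certificate chains to a CA it trusts. "Example Root CA", "Rogue CA" and "app.example.test" are made-up names.

```go
package main

import (
    "crypto/rand"
    "crypto/rsa"
    "crypto/x509"
    "crypto/x509/pkix"
    "fmt"
    "math/big"
    "time"
)

// issue signs template with parentKey. When parent == template the result is
// self-signed, which is how a root CA's own certificate is created.
func issue(template, parent *x509.Certificate, pub *rsa.PublicKey, parentKey *rsa.PrivateKey) (*x509.Certificate, error) {
    der, err := x509.CreateCertificate(rand.Reader, template, parent, pub, parentKey)
    if err != nil {
        return nil, err
    }
    return x509.ParseCertificate(der)
}

// NewCA creates a certificate authority: a key pair plus a self-signed
// certificate flagged as a CA so that it may sign other certificates.
func NewCA(name string) (*x509.Certificate, *rsa.PrivateKey, error) {
    key, err := rsa.GenerateKey(rand.Reader, 2048)
    if err != nil {
        return nil, nil, err
    }
    tmpl := &x509.Certificate{
        SerialNumber:          big.NewInt(1),
        Subject:               pkix.Name{CommonName: name},
        NotBefore:             time.Now().Add(-time.Hour),
        NotAfter:              time.Now().Add(24 * time.Hour),
        KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
        BasicConstraintsValid: true,
        IsCA:                  true,
    }
    cert, err := issue(tmpl, tmpl, &key.PublicKey, key)
    return cert, key, err
}

// IssueLeaf makes a fresh key pair for host and has the CA sign a certificate
// binding host to that public key. The CA's signature is what a verifier checks.
func IssueLeaf(ca *x509.Certificate, caKey *rsa.PrivateKey, host string) (*x509.Certificate, *rsa.PrivateKey, error) {
    key, err := rsa.GenerateKey(rand.Reader, 2048)
    if err != nil {
        return nil, nil, err
    }
    tmpl := &x509.Certificate{
        SerialNumber: big.NewInt(2),
        Subject:      pkix.Name{CommonName: host},
        DNSNames:     []string{host},
        NotBefore:    time.Now().Add(-time.Hour),
        NotAfter:     time.Now().Add(24 * time.Hour),
        KeyUsage:     x509.KeyUsageDigitalSignature,
        ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
    }
    cert, err := issue(tmpl, ca, &key.PublicKey, caKey)
    return cert, key, err
}

// Trusted is the relying party's check: the certificate must chain to the given
// root (its signature verifies under the CA's public key), be within its
// validity period, and name the host we expect to be talking to.
func Trusted(cert, root *x509.Certificate, host string) bool {
    pool := x509.NewCertPool()
    pool.AddCert(root)
    _, err := cert.Verify(x509.VerifyOptions{Roots: pool, DNSName: host})
    return err == nil
}

func main() {
    ca, caKey, err := NewCA("Example Root CA") // made-up name, not a real CA
    if err != nil {
        panic(err)
    }
    leaf, _, err := IssueLeaf(ca, caKey, "app.example.test")
    if err != nil {
        panic(err)
    }
    fmt.Printf("subject=%q issuer=%q\n", leaf.Subject.CommonName, leaf.Issuer.CommonName)
    fmt.Println("trusted for app.example.test: ", Trusted(leaf, ca, "app.example.test"))
    fmt.Println("trusted for mail.example.test:", Trusted(leaf, ca, "mail.example.test"))
}
```

A certificate for the same host issued by a CA the verifier does not trust fails the check even though it is well-formed, which is the whole point of the CA's signature: the certificate is only as trustworthy as the authority whose signature it carries.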