Ch 9 Flashcards
Four basic actions must be taken to preserve the confidentiality of information: (1) identify and classify the information to be protected, (2) encrypt the information, (3) control access to the information, and (4) train employees to properly handle the information.
What type of software provides an extra layer of protection to sensitive electronic information?
information rights management (IRM) - Software that offers the capability not only to limit access to specific files or documents, but also to specify the actions (read, copy, print, download, etc.) that individuals who are granted access to that resource can perform. Some IRM software even has the capability to limit access privileges to a specific period of time and to remotely erase protected files.
DLP is a preventive control. What is DLP?
data loss prevention (DLP) - Software that works like an antivirus program in reverse, blocking outgoing messages (e-mail, instant messages, etc.) that contain key words or phrases associated with intellectual property or other sensitive data the organization wants to protect.
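The outbound scanning that the DLP card describes, as an added example (not code from the textbook or from any DLP product): a small filter that runs over a few constructed outgoing messages and blocks the ones that contain a plausible Social Security number, a payment card number that passes the Luhn check, or a phrase from an assumed list of sensitive keywords. The messages, the regular expressions and the keyword list are all assumptions made for the example.

```python
import re

# Constructed outgoing messages (fictitious content) for the scanner to run over.
OUTGOING = [
    "Hi Bob, see you at lunch on Friday.",
    "Per our call, the customer's SSN is 078-05-1120 and the card is 4111 1111 1111 1111.",
    "Attached: Project Falcon design doc - CONFIDENTIAL - do not forward outside the company.",
    "Invoice 900-12-3456 for order 4111111111111112 has shipped.",
]

# Structural rules: a plausible SSN (area never 000, 666 or 9xx; group never 00;
# serial never 0000) and a 13-19 digit run that may be grouped with spaces or dashes.
SSN_RE = re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")

# Phrases tied to intellectual property or handling labels (assumed list).
KEYWORDS = ("confidential", "project falcon", "trade secret")


def luhn_ok(digits: str) -> bool:
    """Mod-10 check that real payment card numbers satisfy; it filters out
    order numbers and other long digit strings that merely look like cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan_message(text: str) -> list:
    """Return the list of policy violations found in one outgoing message."""
    findings = []
    if SSN_RE.search(text):
        findings.append("ssn")
    for match in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", match.group())
        if luhn_ok(digits):
            findings.append("card")
            break
    lowered = text.lower()
    if any(keyword in lowered for keyword in KEYWORDS):
        findings.append("keyword")
    return findings


def filter_outgoing(messages):
    """Split messages into those allowed to leave and those blocked, with reasons."""
    allowed, blocked = [], []
    for msg in messages:
        reasons = scan_message(msg)
        if reasons:
            blocked.append((msg, reasons))
        else:
            allowed.append(msg)
    return allowed, blocked


if __name__ == "__main__":
    ok, stopped = filter_outgoing(OUTGOING)
    for msg, reasons in stopped:
        print("BLOCKED", reasons, msg)
    print(len(ok), "message(s) allowed")
```

The fourth message is the point of the Luhn check: "900-12-3456" is rejected by the SSN rule (area numbers 900-999 are never issued) and the 16-digit order number fails mod-10, so an ordinary shipping notice is not held up. A real product adds many more detectors, but the preventive logic is the same: inspect before the message leaves, and stop it rather than just log it.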
VoIP and telephone conversations: should they or should they not be encrypted?
Should, especially if they concern sensitive information. With the increasing use of the Internet to carry voice traffic, these conversations are becoming more and more vulnerable to interception.
What is data masking?
- a program that protects privacy by replacing personal information with fake values (e.g., replacing a real Social Security number with a different set of numbers that has the same characteristics, such as 123-45-6789) before sending that data to the program development and testing system.
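The masking step described above, as an added example (not code from the textbook): a few constructed production rows are rewritten so the Social Security number, e-mail address and name are replaced with fake values of the same shape before the copy goes to development and testing. The fake values are derived with an HMAC under a secret held by the masking job, which is an assumption made for the example; it has the useful property that the same real value always produces the same fake value, so joins between tables still work in the test system, while nobody holding only the masked copy can recover the original.

```python
import hashlib
import hmac
import re

# Constructed production rows (fictitious people), as a developer would otherwise
# receive them in a copy of the live database.
PRODUCTION_ROWS = [
    {"id": 1, "name": "Ann Example", "ssn": "078-05-1120", "email": "ann@example.com"},
    {"id": 2, "name": "Ben Sample", "ssn": "219-09-9999", "email": "ben@example.com"},
    {"id": 3, "name": "Ann Example", "ssn": "078-05-1120", "email": "ann@example.com"},
]

# Hypothetical masking secret; it stays with the masking job and is never copied
# to the test environment, so the mapping cannot be reversed there.
MASKING_SECRET = b"rotate-me-per-refresh"

SSN_RE = re.compile(r"^\d{3}-\d{2}-\d{4}$")


def _hmac_int(value: str, secret: bytes) -> int:
    """Keyed hash of a real value, used as the source of its fake replacement."""
    digest = hmac.new(secret, value.encode(), hashlib.sha256).digest()
    return int.from_bytes(digest, "big")


def mask_ssn(ssn: str, secret: bytes = MASKING_SECRET) -> str:
    """Replace a real SSN with a fake one that has the same shape."""
    if not SSN_RE.match(ssn):
        raise ValueError("value is not formatted like an SSN")
    n = _hmac_int(ssn, secret)
    # Keep the result inside the ranges a real SSN uses (area 001-899 but never 666,
    # group 01-99, serial 0001-9999) so format checks in the test system still pass.
    area = n % 898 + 1
    if area >= 666:
        area += 1
    n //= 898
    group = n % 99 + 1
    n //= 99
    serial = n % 9999 + 1
    fake = f"{area:03d}-{group:02d}-{serial:04d}"
    if fake == ssn:  # a mask must never pass the real value through, however unlikely
        serial = serial % 9999 + 1
        fake = f"{area:03d}-{group:02d}-{serial:04d}"
    return fake


def mask_email(email: str, secret: bytes = MASKING_SECRET) -> str:
    """Keep the domain (handy for mail-routing tests) but pseudonymize the mailbox."""
    local, _, domain = email.partition("@")
    return f"user{format(_hmac_int(local, secret), 'x')[:10]}@{domain}"


def mask_name(name: str, secret: bytes = MASKING_SECRET) -> str:
    """Replace a name with a stable pseudonym."""
    return "Person " + format(_hmac_int(name, secret), "x")[:6].upper()


def mask_row(row: dict, secret: bytes = MASKING_SECRET) -> dict:
    """Return a copy of one production row that is safe to hand to developers."""
    masked = dict(row)
    masked["ssn"] = mask_ssn(row["ssn"], secret)
    masked["email"] = mask_email(row["email"], secret)
    masked["name"] = mask_name(row["name"], secret)
    return masked


def mask_rows(rows, secret: bytes = MASKING_SECRET):
    return [mask_row(row, secret) for row in rows]


if __name__ == "__main__":
    for row in mask_rows(PRODUCTION_ROWS):
        print(row)
```

Rows 1 and 3 describe the same person, and after masking they still carry the same fake SSN and e-mail, which is what lets test code that joins on those columns keep working. Rotating the secret on each refresh of the test database means pseudonyms from two refreshes cannot be linked to each other either.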
CAN-SPAM, government regulation against spam, key provisions
●The sender's identity must be clearly displayed in the header of the message.
●The subject field in the header must clearly identify the message as an advertisement or solicitation.
●The body of the message must provide recipients with a working link that can be used to opt out of future e-mail. After receiving an opt-out request, organizations have 10 days to implement steps to ensure they do not send any additional unsolicited e-mail to that address. This means that organizations need to assign someone the responsibility for processing opt-out requests.
●The body of the message must include the sender's valid postal address. Although not required, best practice would be to also include the full street address, telephone, and fax numbers.
●Organizations should not send commercial e-mail to randomly generated addresses, nor should they set up websites designed to "harvest" e-mail addresses of potential customers. Experts recommend that organizations redesign their own websites to include a visible means for visitors to opt in to receive e-mail, such as checking a box.
List the ten points of the GAPP framework (1-5)
- Management - Organizations need to establish procedures and policies for protecting the privacy of the personal information they collect from customers, and be especially careful with information about customers obtained from third parties such as credit bureaus.
- Notice - The organization should give clear notice of its privacy policies and practices (what it collects and what it does with it) before or soon after collecting the information.
- Choice and consent - Organizations should explain the choices available and obtain consent before collecting information. GAPP recommends opt-in (ask first), but in the U.S. the default policy is opt-out, which means companies collect information unless the customer objects.
- Collection - Collect only the information necessary to fulfill the purposes stated in the privacy policy.
- Use and retention - Use personal information only as stated in the policy and keep it only as long as needed; companies need to create retention policies.
Recently there has been a lot more identity fraud in regard to
medical identity theft and tax identity theft (misuse of a stolen Social Security number)
The ten best practices for protecting the privacy of customers' personal information are known as
GAPP (Generally Accepted Privacy Principles)
Cookies are
- a text file created by a Web site and stored on a visitor's hard drive. Cookies store information about who the user is and what the user has done on the site.
6-10 of GAPP
- Access - The organization should provide individuals with a way to access the information held about them so they can see, correct, or delete it.
- Disclosure to third parties - Organizations should disclose personal information to a third party only if doing so complies with their stated privacy policy and the third party provides the same level of protection. Information sent to third parties should always be encrypted.
- Security - Must take reasonable steps to protect customers' personal information from loss or unauthorized disclosure. Must: train employees, use preventive, detective, and corrective controls, and make sure employees properly erase all information from media before it is disposed of. Also watch out for e-mail mistakes (make sure employees do not accidentally disclose information by CCing everyone).
- Quality - Maintain the integrity of customers' personal information and make sure it is reasonably accurate. How? Provide a way for customers to access and correct it.
- Monitoring and enforcement - Assign one or more employees to be responsible for ensuring compliance with the stated privacy policies. Organizations must periodically verify that there is compliance.
Three factors that influence encryption strength?
- Encryption algorithm - Use a strong, widely accepted algorithm whose security has been established by public analysis (as found in reputable commercial products) rather than a proprietary or secret one.
- Policies for managing cryptographic keys - Keys must be generated, stored, distributed, and revoked securely; a strong algorithm is worthless if the key is exposed.
- Key length - Longer keys provide stronger encryption because the number of possible keys an attacker would have to try in a brute-force attack grows exponentially with key length (each additional bit doubles it).
In summary, what does the GAPP framework accomplish, and who is responsible for being knowledgeable about it?
Protecting privacy requires first implementing a combination of policies, procedures, and technology, then training everyone in the organization to act in accordance with those plans, and subsequently monitoring compliance. Only senior management possesses the authority and the resources to accomplish this, so it is a managerial issue as well as an IT issue. Because accountants and auditors serve as trusted advisers to senior management, they too need to be knowledgeable about these issues.
___ provides one last barrier that must be overcome by an intruder who has obtained unauthorized access to stored information.
Encryption
What is plaintext?
plaintext - normal text that has not been encrypted.
Ciphertext?
ciphertext - Plaintext that was transformed into unreadable gibberish using encryption.
What is encryption?
the process of transforming normal text, called plaintext, into unreadable gibberish, called ciphertext.
Decryption?
decryption - transforming ciphertext back into plaintext.
Difference between symmetric and asymmetric encryption
Symmetric - encryption methods that use the same key to both encrypt and decrypt; the key must be shared secretly with every party who needs it.
Asymmetric - uses a pair of keys, one public and one private. Either key can encrypt, but only the other key of the pair can decrypt what it produced.
see figure 9-4 to see how digital signature usage occurs
What is the public key?
one of the keys used in asymmetric encryption systems. It is widely distributed and available to everyone.
To keep a key from being lost, companies use "key escrow". What is that?
the process of storing a copy of an encryption key in a secure location.
What is the private key?
one of the keys used in asymmetric encryption systems. It is kept secret and known only to the owner of that pair of public and private keys.
One can make a document legally binding with a digital signature. How is a digital signature created?
The document creator first generates a hash of the document (or file) and then encrypts that hash using his or her private key. The resulting encrypted hash is a digital signature that provides assurance about two important issues: (1) that a copy of a document or file has not been altered, and (2) who created the original version of a digital document or file. Thus, digital signatures provide assurance that someone cannot enter into a digital transaction and then subsequently deny they had done so and refuse to fulfill their side of the contract.