Complete Solutions for Accounting Information Systems, 12e, by Marshall B. Romney and Paul J. Steinbart
CHAPTER 9
INFORMATION SYSTEMS CONTROLS FOR SYSTEMS RELIABILITY – Part 2: Confidentiality and Privacy

DISCUSSION QUESTIONS
9.1 From the viewpoint of the customer, what are the advantages and disadvantages of the opt-in versus the opt-out approaches to collecting personal information? From the viewpoint of the organization desiring to collect such information?
9.2 What risks, if any, does offshore outsourcing of various information systems functions pose to satisfying the principles of confidentiality and privacy?
9.3 Should organizations permit personal use of e-mail systems by employees during working hours?
9.4 What privacy concerns might arise from the use of biometric authentication techniques? What about the embedding of RFID tags in products such as clothing? What other technologies might create privacy concerns?
9.5 What do you think an organization’s duty or responsibility should be to protect the privacy of its customers’ personal information? Why?
9.6 Assume you have interviewed for a job online and now receive an offer of employment. The job requires you to move across the country. The company sends you a digital signature along with the contract. How does this provide you with enough assurance to trust the offer so that you are willing to make the move?
PROBLEMS

9.1 Match the terms with their definitions:

____ Virtual Private Network (VPN)
____ Data Loss Prevention (DLP)
____ Digital signature
____ Digital certificate
____ Data masking
____ Symmetric encryption
____ Spam
____ Plaintext
____ Hashing
____ Ciphertext
____ Information rights management (IRM)
____ Certificate authority
____ Non-repudiation
____ Digital watermark
____ Asymmetric encryption
____ Key escrow

a. A hash encrypted with the creator’s private key.
b. A company that issues pairs of public and private keys and verifies the identity of the owner of those keys.
c. A secret mark used to identify proprietary information.
d. An encrypted tunnel used to transmit information securely across the Internet.
e. Replacing real data with fake data.
f. Unauthorized use of facts about another person to commit fraud or other crimes.
g. The process of turning ciphertext into plaintext.
h. Unwanted e-mail.
i. A document or file that can be read by anyone who accesses it.
j. Used to store an entity’s public key, often found on web sites.
k. A procedure to filter outgoing traffic to prevent confidential information from leaving.
l. A process that transforms a document or file into a fixed-length string of data.
m. A document or file that must be decrypted to be read.
n. A copy of an encryption key stored securely to enable decryption if the original encryption key becomes unavailable.
o. An encryption process that uses a pair of matched keys, one public and the other private. Either key can encrypt something, but only the other key in that pair can decrypt it.
p. An encryption process that uses the same key to both encrypt and decrypt.
q. The inability to unilaterally deny having created a document or file or having agreed to perform a transaction.
r. Software that limits what actions (read, copy, print, etc.) users granted access to a file or document can perform.
9.2 Cost-effective controls to provide confidentiality require valuing the information that is to be protected. This involves classifying information into discrete categories. Propose a minimal classification scheme that could be used by any business, and provide examples of the type of information that would fall into each of those categories.
9.3 Download a hash calculator that can create hashes for both files and text input. Use it to create SHA-256 (or any other hash algorithm your instructor assigns) hashes for the following:
a. A document that contains this text: “Congratulations! You earned an A+”
b. A document that contains this text: “Congratulations! You earned an A-”
c. A document that contains this text: “Congratulations! You earned an a-”
d. A document that contains this text: “Congratulations!  You earned an A+” (this message contains two spaces between the exclamation point and the capital letter Y).
e. Make a copy of the document used in step a, and calculate its hash value.
f. Hash any multiple-page text file on your computer.
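A short Python script, added here as a worked example (it is not part of the textbook exercise or its solutions), computes the SHA-256 digests the exercise asks for and shows the two results to expect: steps a and e give the same digest, while the one-character changes in b, c and d each produce an entirely different digest, with roughly half of the 256 bits changing. It also shows the caveat a hash calculator will expose when you hash the file rather than the typed text: the digest is computed over the bytes on disk, so a trailing newline or a different encoding (UTF-16 instead of UTF-8) gives a different hash for identical visible text. The message strings are the exercise's own; the file-hashing helper and the encoding comparison are assumptions about how the documents might be saved.

```python
import hashlib

# The five messages from problem 9.3 (e is, by construction, a copy of a).
MESSAGES = {
    "a": "Congratulations! You earned an A+",
    "b": "Congratulations! You earned an A-",
    "c": "Congratulations! You earned an a-",
    "d": "Congratulations!  You earned an A+",   # two spaces after the "!"
    "e": "Congratulations! You earned an A+",    # step e: exact copy of a
}


def sha256_hex(data: bytes) -> str:
    """Return the SHA-256 digest of `data` as 64 lowercase hex characters."""
    return hashlib.sha256(data).hexdigest()


def hash_text(text: str, encoding: str = "utf-8", newline: str = "") -> str:
    """Hash `text` the way a file containing it would be hashed.

    A hash function sees bytes, not characters. The encoding the editor saves
    with and any newline it appends change the digest even though the text
    on screen is identical, so both are parameters here to make that visible.
    """
    return sha256_hex((text + newline).encode(encoding))


def hash_file(path: str, chunk_size: int = 1 << 16) -> str:
    """Hash a file of any size (step f) without loading it all into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def bit_difference(hex_a: str, hex_b: str) -> int:
    """Count the bits that differ between two equal-length hex digests."""
    return bin(int(hex_a, 16) ^ int(hex_b, 16)).count("1")


def hash_all() -> dict:
    """Digest of each message in MESSAGES, keyed by its step letter."""
    return {label: hash_text(msg) for label, msg in MESSAGES.items()}


if __name__ == "__main__":
    digests = hash_all()
    for label, digest in digests.items():
        print(f"{label}: {digest}")
    # a and e are byte-for-byte identical, so their digests match exactly;
    # every other pair differs in about half of the 256 bits (avalanche).
    print("a == e:", digests["a"] == digests["e"])
    print("bits differing, a vs b:", bit_difference(digests["a"], digests["b"]))
    # Same visible text, different bytes on disk: a UTF-16 save or a trailing
    # newline gives a different digest, which is why "hash the file" and
    # "hash the text" can disagree in a hash calculator.
    print("utf-8 vs utf-16 differ:",
          hash_text(MESSAGES["a"]) != hash_text(MESSAGES["a"], "utf-16"))
    print("with vs without newline differ:",
          hash_text(MESSAGES["a"]) != hash_text(MESSAGES["a"], newline="\n"))
```

When comparing a calculator's output for the files against this script, hash the file as bytes and check the editor's encoding and trailing-newline settings first; a mismatch there, not a flaw in the hash, is the usual reason two "identical" documents hash differently.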
9.4 Accountants often need to print financial statements with the words “CONFIDENTIAL” or “DRAFT” appearing in light type in the background.
a. Create a watermark with the word “CONFIDENTIAL” in a Word document. Print out a document that displays that watermark.
b. Create the same watermark in Excel and print out a spreadsheet page that displays that watermark.
c. Can you make your watermark “invisible” so that it can be used to detect whether a document containing sensitive information has been copied to an unauthorized location? How? How could you use that “invisible” watermark to detect violation of copying policy?
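One way to build the “invisible” watermark of part c, added here as an example (it is not part of the textbook or its solutions): encode a per-recipient identifier in zero-width Unicode characters inserted into the document text. The mark neither prints nor displays, so every distributed copy looks identical, but a copy that turns up on an unauthorized share can be read back to learn which recipient it was issued to. The recipient identifiers, the sample statement and the bit-encoding scheme are constructed for this example; it assumes the leaked copy still carries its text intact (copy-and-paste, a .docx or .xlsx whose XML keeps the characters, an e-mail), which is the case the caveat at the end addresses.

```python
from typing import Optional

# Added example, not from the textbook: a zero-width text watermark.
# Three non-printing Unicode characters carry the payload. They survive
# copy-and-paste and sit unchanged inside .docx/.xlsx XML, but render as
# nothing on screen or paper, which is what makes the mark "invisible".
ZERO = "\u200b"   # ZERO WIDTH SPACE       -> bit 0
ONE = "\u200c"    # ZERO WIDTH NON-JOINER  -> bit 1
START = "\u200d"  # ZERO WIDTH JOINER      -> brackets the payload
MARKERS = {ZERO, ONE, START}


def _to_bits(payload: bytes) -> str:
    """Encode bytes as a run of ZERO/ONE characters, most significant bit first."""
    return "".join(ZERO if bit == "0" else ONE
                   for byte in payload for bit in format(byte, "08b"))


def embed(text: str, recipient_id: str) -> str:
    """Return `text` with `recipient_id` hidden after its first word.

    The visible text is unchanged. Placing the mark inside the text rather
    than at the end keeps it clear of trailing-whitespace trimming.
    """
    payload = START + _to_bits(recipient_id.encode("utf-8")) + START
    head, sep, tail = text.partition(" ")
    return head + payload + sep + tail


def extract(text: str) -> Optional[str]:
    """Recover the hidden recipient identifier, or None if the text carries none."""
    first = text.find(START)
    if first == -1:
        return None
    last = text.find(START, first + 1)
    if last == -1:
        return None
    bits = "".join("0" if ch == ZERO else "1"
                   for ch in text[first + 1:last] if ch in (ZERO, ONE))
    if not bits or len(bits) % 8:
        return None  # truncated or damaged payload
    raw = bytes(int(bits[i:i + 8], 2) for i in range(0, len(bits), 8))
    return raw.decode("utf-8", errors="replace")


def strip(text: str) -> str:
    """Remove every marker character. This is what a knowledgeable leaker or a
    'drop non-printing characters' filter does, so the mark is a tripwire for
    policy violations, not a barrier to them."""
    return "".join(ch for ch in text if ch not in MARKERS)


if __name__ == "__main__":
    # Constructed sample: one confidential sentence issued to two recipients.
    statement = "CONFIDENTIAL: draft Q3 financial statements, not for distribution."
    copies = {r: embed(statement, r) for r in ("alice@example.com", "bob@example.com")}
    # Each copy prints and displays identically...
    assert all(strip(c) == statement for c in copies.values())
    # ...but a copy found in an unauthorized location is traceable to its recipient.
    print("leaked copy was issued to:", extract(copies["bob@example.com"]))
    # Caveat: retyping, OCR, or stripping non-printing characters removes the mark.
    print("after stripping markers:", extract(strip(copies["bob@example.com"])))
```

To use this for policy enforcement, keep a log of which identifier went to whom, issue a distinct copy per recipient, and run `extract` over any document found outside its authorized location; a non-empty result identifies the copy that was leaked, while an empty result on a visually identical document tells you the mark was stripped and the document should be compared by content instead.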
9.5 Create a spreadsheet to compare current monthly mortgage payments versus the new monthly payments if the loan were refinanced, as shown (you will need to enter formulas into the two cells with solid borders like a box: D9 and D14).
a. Restrict access to the spreadsheet by encrypting it.
b. Further protect the spreadsheet by limiting users to only being able to select and enter data in the six cells without borders.
9.6 Research the information rights management software that may be available for your computer. What are its capabilities for limiting access rights? Write a report of your findings.
Optional: If you can download and install IRM software, use it to prevent anyone from being able to copy or print your report.
9.7 The principle of confidentiality focuses on protecting an organization’s intellectual property. The flip side of the issue is ensuring that employees respect the intellectual property of other organizations. Research the topic of software piracy and write a report that explains:
a. What software piracy is.
b. How organizations attempt to prevent their employees from engaging in software piracy.
c. How software piracy violations are discovered.
d. The consequences to both individual employees and to organizations that commit software piracy.
9.8 Practice encryption.
Required:
a. Use your computer operating system’s built-in encryption capability to encrypt a file. In Windows, if you are working with an open document, you can encrypt it by choosing that option under the “Prepare” menu (Office 2007).
b. TrueCrypt is one of several free software programs that can be used to encrypt files stored on a USB drive. (TrueCrypt’s developers ended the project in 2014; VeraCrypt is its actively maintained successor.) Download and install a copy of TrueCrypt (or another program recommended by your professor). Use it to encrypt some files on a USB drive. Compare its functionality to that of the built-in encryption functionality provided by your computer’s operating system.
9.9 Research the problem of identity theft and write a report that explains:
a. Whether the problem of identity theft is increasing or decreasing.
b. What kind of identity theft protection services or insurance products are available. Compare and contrast at least two products.
9.10 Certificate authorities are an important part of a public key infrastructure (PKI). Research at least two certificate authorities and write a report that explains the different types of digital certificates that they offer.
9.11 Obtain a copy of COBIT (available at www.isaca.org) and read the control objectives that relate to encryption (DS5.8 and DS5.11; this numbering is from COBIT 4.1, and later COBIT editions renumber these objectives). What are the essential control procedures that organizations should implement when using encryption?
SUGGESTED SOLUTIONS TO THE CASES
Case 9-1 Protecting Privacy of Tax Returns
The department of taxation in your state is developing a new computer system for processing individual and corporate income-tax returns. The new system features direct data input and inquiry capabilities. Taxpayers are identified by Social Security number (individuals) and federal tax identification number (corporations). The new system should be fully implemented in time for the next tax season.
The new system will serve three primary purposes:
1. Data input. Data will be entered either automatically, if the taxpayer files electronically, or by a clerk at central headquarters who scans a paper return received in the mail.
2. Processing. The returns will be processed using the main computer facilities at central headquarters. Processing will include four steps:
a. Verifying mathematical accuracy
b. Auditing the reasonableness of deductions, tax due, and so on, through the use of edit routines, which also include a comparison of current and prior years’ data
c. Identifying returns that should be considered for audit by department revenue agents
d. Issuing refund checks to taxpayers
3. Inquiry services. A taxpayer will be allowed to determine the status of his or her return, or to get information from the last three years’ returns, by calling or visiting one of the department’s regional offices or by accessing the department’s web site and entering his or her Social Security number.
The state commissioner of taxation and the state attorney general are concerned about protecting the privacy of personal information submitted by taxpayers. They want potential problems identified before the system is fully developed and implemented so that the proper controls can be incorporated into the new system.
Required
Describe the potential privacy problems that could arise in each of the following three areas of processing, and recommend the corrective action(s) to solve each problem identified:
a. Data input
b. Processing of returns
c. Data inquiry
Case 9-2 Generally Accepted Privacy Principles
Obtain the practitioner’s version of Generally Accepted Privacy Principles from the AICPA’s web site (www.aicpa.org). You will find it located under professional resources and then information technology. Use it to answer the following questions:
1. What is the difference between confidentiality and privacy?
2. How many categories of personal information exist? Why?
3. In terms of the principle of choice and consent, what does GAPP recommend concerning opt-in versus opt-out?
4. Can organizations outsource their responsibility for privacy?
5. What does principle 1 state concerning top management’s and the Board of Directors’ responsibility for privacy?
6. What does principle 1 state concerning the use of customers’ personal information when testing new applications?
7. Obtain a copy of your university’s privacy policy statement. Does it satisfy GAPP criterion 2.2.3? Why?
8. What does GAPP principle 3 say about the use of cookies?
9. What are some examples of practices that violate management criterion 4.2.2?
10. What does management criterion 5.2.2 state concerning retention of customers’ personal information? How can organizations satisfy this criterion?
11. What does management criterion 5.2.3 state concerning the disposal of personal information? How can organizations satisfy this criterion?
12. What does management criterion 6.2.2 state concerning access? What controls should organizations use to achieve this objective?
13. According to GAPP principle 7, what should organizations do if they wish to share personal information they collect with a third party?
14. What does GAPP principle 8 state concerning the use of encryption?
15. What is the relationship between GAPP principles 9 and 10?