Question
WHAT DID YOU LEARN FOR CHAPTER 12 - ACCOUNTING INFORMATION SYSTEMS
CHAPTER 12:
The first step to protect confidentiality and privacy is to identify where such information resides and who has access to it. This sounds easy, but undertaking a thorough inventory of every digital and paper store of information is both time-consuming and costly because it involves examining more than just the contents of the organization's financial systems. For example, manufacturing firms typically employ large-scale factory automation. Those systems contain instructions that may provide significant cost advantages or product quality enhancements over those of competitors and therefore must be protected from unauthorized disclosure or tampering.
After the information that needs to be protected has been identified, the next step is to classify the information in terms of its value to the organization. Control Objectives for Information and Related Technology (COBIT) 2019 management practice APO01.07 points out that classification is the responsibility of information owners, not information security professionals, because only the former understand how the information is used. This classification process is critical because you must know the value of information in order to assess the relative costs and benefits of alternative solutions to protecting it.
Encryption (to be discussed later in this chapter) is an extremely important and effective tool to protect confidentiality and privacy. It is the only way to protect information in transit over the Internet. It is also a necessary part of defense-in-depth to protect information stored on websites or in a public cloud. For example, many accounting firms have created secure portals that they use to share sensitive audit, tax, or consulting information with clients. Encrypting the client's data that is stored on the portal provides an additional layer of protection in the event of unauthorized access to the portal. Similarly, encrypting information stored in a public cloud protects it from unauthorized access by employees of the cloud service provider or by anyone else who is using that same cloud. Encrypting customers' personal information not only protects it from unauthorized disclosure but also can save organizations money. Many states have passed data breach notification laws that require organizations to notify customers after any event, such as the loss or theft of a laptop or portable media device, that may have resulted in the unauthorized disclosure of customer personal information. This can be expensive for businesses that have hundreds of thousands or millions of customers. The costly notification requirement is usually waived, however, if the lost or stolen customer information was encrypted.
Encryption, however, is not a panacea. Encryption only protects information.
Training is arguably the most important control for protecting confidentiality and privacy. Employees need to know what information they can share with outsiders and what information needs to be protected. For example, employees often do not realize the importance of information they possess, such as time-saving steps or undocumented features they have discovered when using a particular software program. Therefore, it is important for management to inform employees who will attend external training courses, trade shows, or conferences whether they can discuss such information or whether it should be protected because it provides the company a cost savings or quality improvement advantage over its competitors.
Employees also need to be taught how to protect sensitive data. Training should cover such topics as how to use encryption software and the importance of always logging out of applications and using a password-protected screen saver before leaving their laptop or workstation unattended to prevent other employees from obtaining unauthorized access to that information. Employees also need to know how to code reports they create to reflect the importance of the information contained therein so that other employees will know how to handle those reports. They also need to be taught not to leave reports containing sensitive information in plain view on their desks. Training is particularly important concerning the proper use of e-mail, instant messaging (chat), and blogs because it is impossible to control the subsequent distribution of information once it has been sent or posted through any of those methods. For example, it is important to teach employees not to routinely use the "reply all" option with e-mail because doing so may disclose sensitive information to people who should not see it.
With proper training, employees can play an important role in protecting the confidentiality of an organization's information and the privacy of sensitive personal information about suppliers, customers, and employees. For example, if employees understand their organization's data classification scheme, they may recognize situations in which sensitive information has not been properly protected and proactively take appropriate corrective actions.
One of the strictest and most far-reaching privacy regulations is the European Union's General Data Privacy Regulation (GDPR). The GDPR imposes huge fines (up to 4% of global revenues) for issues such as not properly obtaining consent to collect and use personal information or not being able to document that the organization has taken a proactive approach to protecting privacy (referred to as "privacy by design"). The GDPR affects an organization's security measures, particularly its incident response process, because it requires organizations to notify regulators within 72 hours of discovering a breach. The GDPR also grants people a number of new rights, including access to the data that organizations have about them, correction of errors in that stored data, deletion of personal information stored about them (referred to as the "right to be forgotten"), and revocation of consent to sell or share their information with other organizations. Although it is an EU regulation, the GDPR affects any organization that collects and stores information about European residents, which means, given that most companies do business globally, that it applies to virtually every organization. Likewise, the California Consumer Privacy Act (CCPA) of 2018, which contains provisions similar to the GDPR and applies to California residents, affects most organizations because almost every company has customers in California. In addition to the CCPA and other state disclosure laws, a number of federal regulations, including the Health Insurance Portability and Accountability Act (HIPAA), the Health Information Technology for Economic and Clinical Health Act (HITECH), and the Financial Services Modernization Act (commonly referred to as the Gramm-Leach-Bliley Act, representing the names of its three Congressional sponsors), impose specific requirements on organizations to protect the privacy of their customers' personal information.
To help organizations cost-effectively comply with these myriad requirements, the American Institute of Certified Public Accountants (AICPA) and the Canadian Institute of Chartered Accountants (CICA) jointly developed a framework called Generally Accepted Privacy Principles (GAPP). GAPP identifies and defines the following 10 internationally recognized best practices for protecting the privacy of customers' personal information:
- Management. Organizations need to establish a set of procedures and policies for protecting the privacy of personal information they collect from customers as well as information about their customers obtained from third parties such as credit bureaus. They should assign responsibility and accountability for implementing those policies and procedures to a specific person or group of employees. Indeed, the GDPR requires that certain kinds of organizations must create the position of a Data Privacy Officer.
- Notice. An organization should provide notice about its privacy policies and practices at or before the time it collects personal information from customers, or as soon as practicable thereafter. The notice should clearly explain what information is being collected, the reasons for its collection, and how the information will be used. The principle of notice should also apply to any monitoring and logging for security purposes.
- Choice and consent. Organizations should explain the choices available to individuals and obtain their consent prior to the collection and use of their personal information. The nature of the choices offered differs across countries. In the United States, the default policy is called opt-out, which allows organizations to collect personal information about customers unless the customer explicitly objects. In contrast, the default policy in Europe is opt-in, meaning that organizations cannot collect personally identifying information unless customers explicitly give them permission to do so. The GDPR further requires that consent must be demonstrated by a clear affirmative act (i.e., websites cannot use "pre-ticked boxes") and that people must truly have a "free choice" such that they can continue to interact with the organization or website, albeit in a more restricted manner, even when they withhold their consent. However, even in the United States, GAPP recommends that organizations follow the opt-in approach and obtain explicit positive consent prior to collecting and storing sensitive personal information, such as financial or health records, political opinions, religious beliefs, and prior criminal history.
- Collection. An organization should collect only the information needed to fulfill the purposes stated in its privacy policies. One particular issue of concern is the use of cookies on websites. A cookie is a text file created by a website and stored on a visitor's hard disk. Cookies store information about what the user has done on the site. Most websites create multiple cookies per visit to make it easier for visitors to navigate to relevant portions of the website. It is important to note that cookies are text files, which means they cannot "do" anything besides store information. They do, however, contain personal information that may increase the risk of identity theft and other privacy threats. Browsers can be configured to not accept cookies, and GAPP recommends that organizations employ procedures to accede to such requests and not surreptitiously use cookies.
- Use, retention, and disposal. Organizations should use customers' personal information only in the manner described in their stated privacy policies and retain that information only as long as it is needed to fulfill a legitimate business purpose. When the information is no longer useful, it should be disposed of in a secure manner. This means that organizations need to create policies to ensure that all devices (desktops, laptops, tablets, copiers, etc.) that have been used to store personal information are properly "sanitized" by securely wiping all information stored in the device before disposing of it. Organizations also need to assign someone responsibility for ensuring compliance with those policies. The need to focus on the final stage of the information life cycle (deletion) has become more important now that both the GDPR and the CCPA establish a right for customers to request that an organization securely delete information about them (referred to as a "right to be forgotten"). Note that deletion of data no longer used not only complies with regulations but also provides an economic benefit by reducing the potential costs from a data breach because the organization will need to notify and provide compensation, such as free credit monitoring, to fewer people affected by the incident.
- Access. An organization should provide individuals with the ability to access, review, and correct the personal information stored about them.
- Disclosure to third parties. Organizations should disclose their customers' personal information to third parties only in the situations and manners described in the organization's privacy policies and only to third parties who provide the same level of privacy protection as the organization that initially collected the information. This principle has implications for using cloud computing because storing customers' personal information in the cloud may make it accessible to the cloud provider's employees; hence, such information should be encrypted at all times.
- Security. An organization must take reasonable steps to protect its customers' personal information from loss or unauthorized disclosure. Indeed, it is not possible to protect privacy without adequate information security. Therefore, organizations must use the various preventive, detective, and corrective controls discussed in Chapter 11 to restrict access to their customers' personal information. However, achieving an acceptable level of information security is not sufficient to protect privacy because security only protects against unauthorized access to the data but does not control what authorized users do with that data. It is also necessary to train employees to avoid practices that can result in the unintentional or inadvertent breach of privacy. E-mail presents a threat vector to consider. For example, several years ago drug manufacturer Eli Lilly sent an e-mail about its antidepressant drug Prozac to 669 patients. However, because it used the cc: function to send the message to all patients, the e-mails revealed the identities of other patients. Another often-overlooked area concerns the release of electronic documents. Just as special procedures are used to black out (redact) personal information on paper documents, organizations should train employees to use procedures to remove such information on electronic documents in a manner that prevents the recipient of the document from recovering the redacted information.
- Quality. Organizations should maintain the integrity of their customers' personal information and employ procedures to ensure it is reasonably accurate. Providing customers with a way to review the personal information stored by the organization (as required by the GDPR and discussed in GAPP principle 6) can be a cost-effective way to achieve this objective.
- Monitoring and enforcement. Organizations must periodically verify that their employees are complying with stated privacy policies. In addition, organizations should establish procedures for responding to customer complaints, including the use of a third-party dispute resolution process.
In summary, GAPP shows that protecting the privacy of customers' personal information requires first implementing a combination of policies, procedures, and technology, then training everyone in the organization to act in accordance with those plans, and subsequently monitoring compliance. Only senior management possesses the authority and the resources to accomplish this, which reinforces that all aspects of systems reliability are, at bottom, a managerial issue and not just an IT issue. Because accountants and auditors serve as trusted advisors to senior management, they too need to be knowledgeable about these issues.
Identity Theft
One privacy-related issue of growing concern is identity theft. Identity theft is the unauthorized use of someone's personal information for the perpetrator's benefit. Often, identity theft is a financial crime, in which the perpetrator obtains loans or opens new credit cards in the victim's name and sometimes loots the victim's bank accounts. However, a growing proportion of identity theft cases involve fraudulently obtaining medical care and services. Medical identity theft can have life-threatening consequences because of errors it may create in the victim's medical records, such as changing information about drug allergies or prescriptions. It may even cause victims to lose their insurance coverage if the thief has used up their annual or lifetime cap for coverage of a specific illness. Tax identity theft is another growing problem. Perpetrators typically use the victim's social security number to file a fraudulent claim for a refund early in the tax-filing season. Victims only learn of the crime after filing their tax return and then receiving a letter from the IRS informing them that more than one return was filed using their social security number. It can take months for victims to resolve the problem and obtain any legitimate refund they are due.
Focus 12-1 discusses the steps that individuals should take to minimize the risk of becoming a victim of any of these forms of identity theft. Organizations, however, also have a role to play in preventing identity theft. Customers, employees, suppliers, and business partners entrust organizations with their personal information. Organizations economically benefit from having access to that information. Therefore, in addition to regulatory requirements, organizations have an ethical and moral obligation to implement controls to protect the personal information that they collect.
Encryption is a preventive control that can be used to protect both confidentiality and privacy. Encryption protects data while it is in transit over the Internet and provides one last barrier that must be overcome by an intruder who has obtained unauthorized access to stored information. As we will see later, encryption also strengthens authentication procedures and plays an essential role in ensuring and verifying the validity of e-business transactions. Therefore, it is important for accountants, auditors, and systems professionals to understand encryption.
Key Length
Longer keys provide stronger encryption by reducing the number of repeating blocks in the ciphertext. This makes it harder to spot patterns in the ciphertext that reflect patterns in the original plaintext. For example, a 24-bit key encrypts plaintext in blocks of 24 bits. It takes 8 bits to represent each letter in the English language. Thus, a 24-bit key encrypts English plaintext in chunks of three letters. This makes it easy to use information about relative word frequencies, such as the fact that "the" is one of the most common three-letter words in English, to "guess" that the most commonly recurring pattern of 24 bits in the ciphertext probably represents the word "the" and proceed to "break" the encryption. That's why most encryption keys are at least 256 bits long (corresponding to 32 English letters) and often 1,024 bits or longer.
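The paragraph's underlying point is that repeated ciphertext blocks let an observer match patterns back to the plaintext. The following added example (not from the textbook) makes that visible and goes one step beyond the text: it keeps the key at a full 256 bits in both runs and shows that the mode of operation also decides whether identical plaintext blocks produce identical ciphertext blocks. AES applied block by block (electronic codebook, ECB) leaks the repetition; chaining the blocks from a random initialization vector (CBC) does not. The sample records and the hard-coded key are constructed for the demonstration; a real key is generated randomly and kept under access controls as the key-management section describes.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"io"
)

// Constructed sample data (hypothetical): eight identical 16-byte records,
// standing in for the repeated plaintext patterns the text describes.
var sampleRecords = bytes.Repeat([]byte("the same record "), 8)

// Constructed demo key (hypothetical). A real key is generated randomly
// and stored under access controls, never hard-coded like this.
var demoKey = []byte("0123456789abcdef0123456789abcdef") // 32 bytes = AES-256

// countRepeatedBlocks returns how many blocks of the given size are exact
// repeats of an earlier block in data. Repeats in ciphertext are the
// "patterns" an observer could match back to the plaintext.
func countRepeatedBlocks(data []byte, blockSize int) int {
	seen := make(map[string]bool)
	repeats := 0
	for i := 0; i+blockSize <= len(data); i += blockSize {
		b := string(data[i : i+blockSize])
		if seen[b] {
			repeats++
		}
		seen[b] = true
	}
	return repeats
}

// encryptECB encrypts each 16-byte block independently with the same key
// (electronic codebook). Identical plaintext blocks give identical
// ciphertext blocks, regardless of how long the key is.
func encryptECB(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	bs := block.BlockSize()
	if len(plaintext)%bs != 0 {
		return nil, fmt.Errorf("plaintext must be a multiple of %d bytes", bs)
	}
	out := make([]byte, len(plaintext))
	for i := 0; i < len(plaintext); i += bs {
		block.Encrypt(out[i:i+bs], plaintext[i:i+bs])
	}
	return out, nil
}

// encryptCBC chains each block into the next, starting from a random IV,
// so repeated plaintext blocks no longer produce repeated ciphertext
// blocks. The IV is prepended so the recipient can decrypt.
func encryptCBC(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	bs := block.BlockSize()
	if len(plaintext)%bs != 0 {
		return nil, fmt.Errorf("plaintext must be a multiple of %d bytes", bs)
	}
	iv := make([]byte, bs)
	if _, err := io.ReadFull(rand.Reader, iv); err != nil {
		return nil, err
	}
	out := make([]byte, len(plaintext))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, plaintext)
	return append(iv, out...), nil
}

func main() {
	ecb, err := encryptECB(demoKey, sampleRecords)
	if err != nil {
		panic(err)
	}
	cbc, err := encryptCBC(demoKey, sampleRecords)
	if err != nil {
		panic(err)
	}
	fmt.Printf("plaintext: %d repeated blocks of %d\n", countRepeatedBlocks(sampleRecords, 16), len(sampleRecords)/16)
	fmt.Printf("AES-ECB:   %d repeated blocks\n", countRepeatedBlocks(ecb, 16))
	fmt.Printf("AES-CBC:   %d repeated blocks\n", countRepeatedBlocks(cbc[16:], 16))
}
```

Run it and the ECB output reports seven repeated blocks out of eight, exactly mirroring the plaintext, while the CBC output reports none. In practice an authenticated mode such as AES-GCM is the usual choice for stored and transmitted data, since it also detects tampering; CBC is used here only because it isolates the one property the paragraph is about.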
Encryption Algorithm
The nature of the algorithm used to combine the key and the plaintext is important. A strong algorithm is difficult, if not impossible, to break by using brute-force guessing techniques. Secrecy is not necessary for strength. Indeed, the procedures used by the most accepted and widely used encryption algorithms are publicly available. Their strength is due not to the secrecy of their procedures but to the fact that they have been rigorously tested and demonstrated to resist brute-force guessing attacks. Therefore, organizations should not attempt to create their own "secret" encryption algorithm but instead should purchase products that use widely accepted standard algorithms whose strength has been proven.
Policies for Managing Cryptographic Keys
The management of cryptographic keys is often the most vulnerable aspect of encryption systems. No matter how long the keys are, or how strong an encryption algorithm is, if the keys have been stolen, the encryption can be easily broken. Therefore, cryptographic keys must be stored securely and protected with strong access controls. Best practices include (1) not storing cryptographic keys in a browser or any other file that other users of that system can readily access and (2) using a strong (and long) passphrase to protect the keys.
Organizations also need sound policies and procedures for issuing and revoking keys. Keys should be issued only to employees who handle sensitive data and need the ability to encrypt it. It is also important to promptly revoke (cancel) keys when an employee leaves or when there is reason to believe the key has been compromised and to notify everyone who has relied upon those keys that they are no longer valid.
Types of Encryption Systems
Table 12-1 compares the two basic types of encryption systems. Symmetric encryption systems use the same key both to encrypt and to decrypt. AES is an example of a symmetric encryption system. It is commonly included in most operating systems. Asymmetric encryption systems use two keys that are created as a matched pair. One key, called the public key, is widely distributed and made available to everyone; the other, called the private key, is kept secret and known only to the owner of that pair of keys. RSA and elliptic curve cryptography are examples of asymmetric encryption systems.
Either the public or the private asymmetric key can be used to encrypt, but only the other matching key in that pair can decrypt. Thus, anyone can use the public key to encrypt a file and securely send it to the owner of that key because only the owner possesses the corresponding private key and therefore is the only person who can decrypt that file. Conversely, encrypting something with your private key makes it possible for anyone to verify that you sent that file: If the recipient can successfully decrypt the file using your public key, it proves that the file must have been encrypted by you because you are (or should be) the only person with access to your private key.
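The two paragraphs above describe symmetric and asymmetric systems in prose; the following added example (not from the textbook) shows both in working code using Go's standard library. The symmetric half uses AES-256-GCM, where one shared key both encrypts and decrypts and a wrong key is rejected. The asymmetric half uses RSA: anyone holding the public key can encrypt a file that only the private-key holder can decrypt (RSA-OAEP), and the "encrypt with your private key so anyone can verify it came from you" operation the text describes is what libraries expose as a digital signature (sign with the private key, verify with the public key). The key material and sample message are constructed for the demonstration.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"io"
)

// Constructed shared key (hypothetical) for the symmetric half; in practice
// it is generated randomly and distributed only to the parties that need it.
var sharedKey = []byte("fedcba9876543210fedcba9876543210") // 32 bytes = AES-256

// symmetricSeal encrypts with AES-256-GCM. The random nonce is prepended so
// the holder of the same key can decrypt; GCM also authenticates the data.
func symmetricSeal(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// symmetricOpen decrypts with the same key. A wrong key or a modified
// ciphertext fails authentication and returns an error instead of garbage.
func symmetricOpen(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(sealed) < ns {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:ns], sealed[ns:], nil)
}

// asymmetricEncrypt: anyone with the public key can encrypt for its owner.
func asymmetricEncrypt(pub *rsa.PublicKey, plaintext []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, plaintext, nil)
}

// asymmetricDecrypt: only the matching private key can recover the plaintext.
func asymmetricDecrypt(priv *rsa.PrivateKey, ciphertext []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ciphertext, nil)
}

// sign is the private-key operation the text describes: the signature can
// be produced only by the private-key holder.
func sign(priv *rsa.PrivateKey, msg []byte) ([]byte, error) {
	h := sha256.Sum256(msg)
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, h[:])
}

// verify checks the signature with the public key; a changed message or a
// signature from a different key fails.
func verify(pub *rsa.PublicKey, msg, sig []byte) bool {
	h := sha256.Sum256(msg)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], sig) == nil
}

func main() {
	msg := []byte("audit workpaper (constructed sample)")
	sealed, _ := symmetricSeal(sharedKey, msg)
	opened, _ := symmetricOpen(sharedKey, sealed)
	fmt.Printf("symmetric round trip: %q\n", opened)

	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	ct, _ := asymmetricEncrypt(&priv.PublicKey, msg)
	pt, _ := asymmetricDecrypt(priv, ct)
	fmt.Printf("asymmetric round trip: %q\n", pt)

	sig, _ := sign(priv, msg)
	fmt.Println("signature verifies:", verify(&priv.PublicKey, msg, sig))
	fmt.Println("tampered message verifies:", verify(&priv.PublicKey, []byte("altered"), sig))
}
```

Note the asymmetry in practice: RSA-OAEP can only encrypt a message shorter than the key, so real systems encrypt bulk data with a symmetric key and use the asymmetric key only to protect that symmetric key or to sign, which is the hybrid arrangement the chapter's later discussion of e-business transactions relies on.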