Confidentiality
Reliable systems protect confidential information from
unauthorized disclosure.
Types of information that need to be protected include
business plans, pricing strategies, client and customer lists, and
legal documents.
Encryption is a fundamental control procedure for protecting the
confidentiality of sensitive information.
It is easy to intercept information sent over the Internet.
Encryption solves this problem.
Encrypting information before sending it over the Internet creates
what is called a Virtual Private Network (VPN).
It is especially important to encrypt any sensitive information
stored in laptops, personal digital assistants (PDAs), cell
phones, and other portable devices.
It is also important to control access to system outputs.
Useful control procedures for doing so include the
following:
1. Do not allow visitors to roam through buildings
without supervision, to prevent them from seeing
sensitive information on workstation displays or
picking up and reading printed reports.
2. Require employees to log out of any applications prior
to leaving their workstation unattended.
3. Restrict access to rooms housing printers and fax
machines.
4. Code reports to reflect the importance of the
Page 1 of 9
Privacy
The Trust Services Framework privacy principle is closely related
to the confidentiality principle, differing primarily in that it
focuses on protecting personal information about customers rather
than organizational data.
Ten internationally recognized best practices for protecting the
privacy of customers' personal information:
1. Management. The organization establishes a set of procedures
and policies for protecting the privacy of personal
information it collects and assigns responsibility and
accountability for those policies to a specific person or
group of employees.
2. Notice. The organization provides notice about its privacy
policies and practices at or before the time it collects
personal information from customers, or as soon as
practicable thereafter.
3. Choice and Consent. The organization describes the choices
available to individuals and obtains their consent to the
collection and use of their personal information.
4. Collection. The organization collects only that information
needed to fulfill the purposes stated in its privacy
policies.
5. Print only your initials and last name, rather than your
full name, on checks. This prevents a thief from knowing
how you sign your name.
Encryption
Encryption is the final layer of preventive controls.
Encryption is the process of transforming normal text,
called plaintext, into unreadable gibberish, called
ciphertext.
The term cipher is sometimes used as a synonym for
ciphertext. In turn, a secret code is the same as a cipher.
Decryption reverses this process, transforming ciphertext
back into plaintext.
Figure 9-1 on page 258 shows that both a key and an
algorithm are used to encrypt plaintext into ciphertext and
to decrypt the ciphertext back into plaintext.
The key is also a string of binary digits of a fixed length.
Each binary digit has a value of either 1 or 0. Binary numbers
are written in successive powers of 2, rather than powers of
10 as in decimal. Thus the binary number 1101 means (from
right to left):
2^0:  1 x 1 = 1
2^1:  0 x 2 = 0
2^2:  1 x 4 = 4
2^3:  1 x 8 = 8
Binary Number   Decimal Equivalent   Hexadecimal Equivalent
0001            1                    1
0010            2                    2
0011            3                    3
0100            4                    4
0101            5                    5
0110            6                    6
0111            7                    7
1000            8                    8
1001            9                    9
1010            10                   A
1011            11                   B
1100            12                   C
1101            13                   D
1110            14                   E
1111            15                   F
Hashing
Hashing is a process that takes plaintext of any length and
transforms it into a short code called a hash.
For example, the SHA-256 algorithm creates a 256-bit hash.
Table 9-1 on page 260 provides a comparison of encryption
and hashing.
Digital Signatures
Asymmetric encryption and hashing are used to create digital
signatures.
A digital signature is information encrypted with the
creator's private key.
This encrypted information can only be decrypted using
the corresponding public key.
Using a hash of the original plaintext to create a digital
signature not only is efficient but also provides a means
for establishing that the message decrypted by the recipient
is exactly the same as the message created by the sender.