Post on 18-Jan-2016
Deck 10 Accounting Information Systems
Romney and SteinbartLinda BatchMarch 2012
Learning Objectives• IS Controls for System Reliability• Confidentiality and Availability
– Encryption– Process Controls – Input, Processing, Output– Availability
• Work on Assignment 4• Quiz (Chapter 7 and Chapter 8)
Chapter 9 – Preserving Confidentiality
• Intellectual property often is crucial to the to the organization’s long run competitive advantage
• Actions must be taken to preserve confidentiality:
– Identification and classification of information to be protected
– Encryption of sensitive information– Controlling access to sensitive information– Training
Chapter 9 – Encryption
• Encryption is a preventive control that can be used to protect both the confidentiality and privacy
• Encryption is the process of transforming normal content called plain text to unreadable gibberish, call ciphertext.
• Decryption reverses this process
Chapter 9 – Encryption
• Three factors determine the strength of the encryption– key length – longer keys provide stronger encryption by reducing the
number of repeating blocks– encryption algorithm – are designed to resist brute-force guessing
techniques– policies for managing the cryptographic keys – the most vulnerable
aspect of the encryption system hence cryptographic keys must be stored very securely
Chapter 9 – Encryption
• Cryptographic keys must be stored securely and protected with strong access controls.
• Best practices include not storing cryptographic keys in a browser or any other file that others users of that system can readily access and using a strong and long passphrase to protect the keys
• Organizations must have a way to decrypt data in the event the employee who encrypted it is no longer with the organization– Use software with a built in master key– Use key escrow – make copies of all encryption keys and used by
employees and store these copies securely
Chapter 9 – Encryption
• Types of Encryption Systems– Symmetric Encryption – use the same code to encrypt and decrypt
(DES and AES are examples)– Asymmetric Encryption – different system to encrypt an decrypt –
public key and private key (RSA and PGP)– Symmetric encryption is faster but it is less secure– Hashing
• takes plain text of any length and splits it into a short code called a hash• hashing algorithms will not recreate the document in the original plain text format• Good for verifying that the contents of a message have not been altered
Chapter 9 – Encryption
• Types of Encryption Systems Continued– Digital signatures
• Nonrepudiation – how to create legally binding agreements that cannot be unilaterally repudiated by either party
• Use hashing and asymmetric encryption simultaneously• Proof that a document has not been altered and proof of who created the file
– Digital Certificates• Electronic document that contains and entities public key and certifies the
integrity of the owner of that particular public key
– Public Key Infrastructure• Issuing pairs of public and private keys and corresponding digital certificates
Chapter 9 – Encryption
• Types of Encryption Systems Continued– Virtual Private Networks (VPN)
• Information must be encrypted within a system but also when it transmits over the internet
• Encrypted information, when it traverses the internet, creates a virtual private network (VPN)
• The VPN software that encrypts information while it transmits over the internet effectively creates private tunnels for those that have the keys
Chapter 10 – Processing Integrity
• Input Data integrity– Source documents should be prepared by authorized personnel– Forms Design– Cancellation and storage of source documents– Data entry controls
• Field check, sign check, limit check, range check, size check, completeness check, validity check, reasonableness check
– Additional batch processing and data entry controls• Sequence check, error log, batch totals
Chapter 10 – Processing Integrity
• Processing Controls– Data matching – two or more items of data must be matched prior to
processing– File labels – ensure the most current files are being updated– Recalculation of batch totals– Cross-footing and zero balance test– Write protection mechanisms that stop overwriting of data– Concurrent update controls – only one user update records at a time
Chapter 10 – Processing Integrity
• Output Controls– User review of output– Reconciliation procedures– External data reconciliation– Data transmission controls (check sums and parity bits)
Chapter 10 – System Availability
• Minimize downtime and ensure efficient return to normal operations
• Ensure there is a contingency plan to get the system running
Chapter 10 – System Availability
• Lost data needs to be considered plus the data that is not being collected while the system is down
• Recovery point objective (RPO) – how much data is the organization willing to lose
• Recovery time objective (RTO) – the length of time the organization is willing to operate without the AIS
• These feed into the data recovery plan and the business continuity plan
Week 9 – Summary
• We are still talking about controls for system reliability• This week’s specific topics are confidentiality and availability
– Encryption - what is it– What makes encryption strong– Various types of encryption systems
• Data input integrity• Data processing integrity• Information output integrity• System uptime (downtime)
– Recovery point objective, Recovery time objective
• Quiz Next Week on Chapter 9 and 10