
CHAPTER 8 Information Systems Controls for System Reliability Part 2: Confidentiality, Privacy, Processing Integrity, and Availability

INTRODUCTION

[Diagram: Systems Reliability, with the five Trust Services principles arranged around it: Security, Confidentiality, Privacy, Processing Integrity, Availability]

According to the Trust Services framework, reliable systems satisfy five principles:
- Security (discussed in Ch. 7)
- Confidentiality
- Privacy
- Processing integrity
- Availability

CONFIDENTIALITY
Maintaining confidentiality requires that management identify which information is confidential. Confidential information includes sensitive data produced internally as well as data shared by business partners. Each organization will develop its own definitions. Most definitions will include:
- Business plans
- Pricing strategies
- Client and customer lists
- Legal documents

CONFIDENTIALITY
Situation       Controls
Storage         Encryption and access controls
Transmission    Encryption
Disposal        Shredding, thorough erasure, physical destruction
Overall         Categorization to reflect value and training in proper work practices

CONFIDENTIALITY
The Internet provides inexpensive transmission, but data is easily intercepted. Encryption solves the interception issue. If data is encrypted before it is sent, a virtual private network (VPN) is created, which:
- Provides the functionality of a privately owned network
- But uses the Internet

What is a VPN?

Public networks are used to move information between trusted network segments using shared facilities like Frame Relay or ATM.

A Virtual Private Network replaces all of the above by utilizing the public Internet. Performance and availability depend on your ISP and the Internet.

Why?

Industries That May Use a VPN
- Healthcare: enables the transfer of confidential patient information within medical facilities and between health care providers
- Manufacturing: allows suppliers to view inventory and allows clients to purchase online safely
- Retail: able to securely transfer sales data or customer information between stores and headquarters
- Banking/Financial: enables account information to be transferred safely within departments and branches
- General Business: communication between remote employees can be securely exchanged

CONFIDENTIALITY
Use of VPN software creates private communication channels, often referred to as tunnels. The tunnels are accessible only to parties who have the appropriate protocols. The cost of VPN software is much less than the cost of leasing or buying a privately owned, secure communications network. It also makes it much easier to add or remove sites from the network.

[Figure: VPN works via cryptography/encapsulation]

CONFIDENTIALITY
It is critical to encrypt any sensitive information stored in devices that are easily lost or stolen, such as laptops, PDAs, cell phones, and other portable devices. Many organizations have policies against storing sensitive information on these devices; 81% of users admit they do so anyway.
- The FBI loses an average of 11 laptops each month, many with unencrypted sensitive information.
- An Ameriprise Financial laptop was stolen from an employee's parked car. It contained unencrypted lists with personal information of about 230,000 customers and advisers, including names and Social Security numbers of 70,000 current/former financial advisers and the names and internal account numbers of some 158,000 customers.
- An MCI laptop stolen from an employee's car contained the names and Social Security numbers of 16,500 current and former MCI employees.
- In 2004 two University of California Los Angeles laptops were stolen. They contained unencrypted personal information concerning 145,000 blood donors and 62,000 health patients.
- In 2008, a file containing confidential information for 15,000 UF students was posted online.

"While the FBI has made progress in reducing the rate of loss for weapons and laptops, we identified at least 10 of the 160 missing laptops as containing sensitive or classified information, 1 of which contained personally identifiable information on FBI personnel. Even more troubling, we found that the FBI could not determine whether 51 additional lost or stolen laptops contained sensitive or classified information. Seven of these 51 laptops were assigned to the Counterintelligence or Counterterrorism Divisions, both of which handle sensitive information related to national security."
(Office of the Inspector General, Semiannual Report to Congress, October 1, 2006 to March 31, 2007)

CONFIDENTIALITY
Encryption alone is not sufficient to protect confidentiality. Given enough time, many encryption schemes can be broken. Access controls are also needed:
- To prevent unauthorized parties from obtaining the encrypted data; and
- Because not all confidential information can be encrypted in storage.
Strong authentication techniques are necessary. Strong authorization controls should be used to limit the actions (read, write, change, delete, copy, etc.) that authorized users can perform when accessing confidential information.
Special procedures are needed for information stored on magnetic and optical media. Using built-in operating system commands to delete the information does not truly delete it, and utility programs will often be able to recover these files. De-fragmenting a disk may actually create multiple copies of a deleted document. Consequently, special software should be used to wipe the media clean by repeatedly overwriting the disk with random patterns of data (sometimes referred to as shredding a disk). Magnetic disks and tapes can be run through devices to demagnetize them. The safest alternative may be to physically destroy disks with highly sensitive data.
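As an added illustration of the "shredding" step described above (this is example code written for this page, not code from the slides or the textbook), the following Go program overwrites a file with random bytes several times, forces each pass to disk, and only then unlinks it. The file name, its contents and the pass count are constructed for the demo.

```go
package main

import (
	"crypto/rand"
	"fmt"
	"os"
	"path/filepath"
)

// overwriteInPlace replaces every byte of the file at path with random data,
// `passes` times, forcing each pass to disk with Sync. This is the
// "repeatedly overwriting with random patterns" step the chapter describes;
// the file is left in place so the result can be inspected.
func overwriteInPlace(path string, passes int) error {
	f, err := os.OpenFile(path, os.O_WRONLY, 0)
	if err != nil {
		return err
	}
	defer f.Close()
	info, err := f.Stat()
	if err != nil {
		return err
	}
	buf := make([]byte, 64*1024) // write in 64 KiB chunks
	for p := 0; p < passes; p++ {
		if _, err := f.Seek(0, 0); err != nil {
			return err
		}
		for remaining := info.Size(); remaining > 0; {
			n := int64(len(buf))
			if remaining < n {
				n = remaining
			}
			if _, err := rand.Read(buf[:n]); err != nil {
				return err
			}
			if _, err := f.Write(buf[:n]); err != nil {
				return err
			}
			remaining -= n
		}
		// Make sure the pass reaches the device, not just the OS cache.
		if err := f.Sync(); err != nil {
			return err
		}
	}
	return nil
}

// wipeAndRemove overwrites the file and only then unlinks it. A bare
// os.Remove would drop the directory entry and leave the data blocks
// recoverable by undelete utilities, which is the problem the slide names.
func wipeAndRemove(path string, passes int) error {
	if err := overwriteInPlace(path, passes); err != nil {
		return err
	}
	return os.Remove(path)
}

func main() {
	// Constructed demo: a throwaway file standing in for a confidential list.
	dir, err := os.MkdirTemp("", "wipe-demo")
	if err != nil {
		fmt.Println(err)
		return
	}
	defer os.RemoveAll(dir)
	path := filepath.Join(dir, "customer-list.txt")
	sample := []byte("constructed sample: Allen Smith, account 000-11-2222\n")
	if err := os.WriteFile(path, sample, 0o600); err != nil {
		fmt.Println(err)
		return
	}
	if err := wipeAndRemove(path, 3); err != nil {
		fmt.Println("wipe failed:", err)
		return
	}
	_, err = os.Stat(path)
	fmt.Println("file removed after overwrite:", os.IsNotExist(err))
}
```

The overwrite is meaningful for magnetic media. On SSDs (wear levelling) and on journaling or copy-on-write file systems, old blocks can survive a logical overwrite, which is why the slide's other options, degaussing and physical destruction, remain the stronger controls for highly sensitive data.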

CONFIDENTIALITY
Controls to protect confidentiality must be continuously reviewed and modified to respond to new threats created by technological advances. Many organizations now prohibit visitors from using cell phones while touring their facilities because of the threat posed by the cameras in these phones. Because these devices are easy to hide, some organizations use jamming devices to deactivate their imaging systems while on company premises.
Employee use of email and instant messaging (IM) probably represents two of the greatest threats to the confidentiality of sensitive information. Once a message is sent, there is no way to retrieve it or control its distribution. Organizations need to develop comprehensive policies governing the appropriate and allowable use of these technologies for business purposes. Employees need to be trained on what type of information they can and cannot share, especially with IM.
Many organizations are taking steps to address the confidentiality threats created by email and IM. One response is to mandate encryption of all email with sensitive information. Some organizations prohibit use of freeware IM products and purchase commercial products with security features, including encryption. Users sending emails must be trained to be very careful about the identity of their addressee. EXAMPLE: The organization may have two employees named Allen Smith. It's critical that sensitive information go to the correct Allen Smith.

[Figure: Disk geometry, showing track, sector and cylinder (clusters are groups of sectors), and slack space: the unused space between the end of a file and the end of the last cluster allocated to it]

PRIVACY

[Diagram: Systems Reliability with its five principles (Security, Confidentiality, Privacy, Processing Integrity, Availability); Privacy highlighted]

In the Trust Services framework, the privacy principle is closely related to the confidentiality principle. The primary difference is that privacy focuses on protecting personal information about customers rather than organizational data. Key controls for privacy are the same as for confidentiality.

PRIVACY
As with confidentiality, encryption and access controls are the two basic mechanisms for protecting consumers' personal information. It is common practice to use SSL to encrypt all personal information transmitted between individuals and the organization's website. However, SSL only protects the information in transit. Consequently, strong authentication controls are needed to restrict website visitors' access to individual accounts.
In 2003, the U.S. Congress passed the Controlling the Assault of Non-Solicited Pornography and Marketing (CAN-SPAM) Act. It:
- Provides criminal and civil penalties for violation of the law.
- Applies to commercial email, which is any email with a primary purpose of advertising or promotion.
- Covers most legitimate email sent by organizations to customers, suppliers, or donors to non-profits.

PRIVACY
Organizations should consider encrypting customers' personal information in storage. This may be economically justified, because some state laws require companies to notify all customers of security incidents. The notification process is costly but may be waived if the information was encrypted while in storage.

PRIVACY
Consequently, organizations must carefully follow the CAN-SPAM guidelines, which include:
- The sender's identity must be clearly displayed in the message header.
- The subject field in the header must clearly identify the message as an advertisement or solicitation.
- The body must provide recipients with a working link that can be used to opt out of future email.
- The body must include the sender's valid postal address.
Organizations should not:
- Send email to randomly generated addresses.
- Set up websites designed to harvest email addresses of potential customers.
Organizations need to train employees on how to manage personal information collected from customers. This is especially important for medical and financial information. Intentional misuse or unauthorized disclosure can have serious economic consequences, including:
- Drop in stock price
- Significant lawsuits
- Government suspension of the organization's business activity

PRIVACY
Privacy is protected by:
- The Privacy Act of 1974
- Computer Fraud and Abuse Act of 1984
- Children's Online Privacy Protection Act
To report a violation: OnGuardOnline.gov
Another privacy-related issue that is of growing concern is identity theft. Organizations have an ethical and moral obligation to implement controls to protect databases that contain their customers' personal information.

[Figure: Paid a $10,000 fine for collecting information from children online in violation of the Children's Online Privacy Protection Act]

PROCESSING INTEGRITY
Five categories of integrity controls are designed to meet the preceding objectives:
- Source data (or input) controls
- Data entry controls
- Processing controls
- Data transmission controls
- Output controls

PROCESSING INTEGRITY
Source Data Controls
If the data entered into a system is inaccurate or incomplete, the output will be, too (garbage in, garbage out). Companies must establish control procedures to ensure that all source documents are authorized, accurate, complete, properly accounted for, and entered into the system or sent to their intended destination in a timely manner.

PROCESSING INTEGRITY
The following input data controls regulate the integrity of input:
- Forms design
- Pre-numbered forms sequence test
- Turnaround documents
- Cancellation and storage of documents
- Authorization and segregation of duties
- Visual scanning
- Check digit verification
- RFID security
Once data is collected, data entry control procedures are needed to ensure that it's entered correctly. Common tests to validate input include:
- Field check
- Sign check
- Limit check
- Range check
- Size (or capacity) check
- Completeness check
- Validity check
- Reasonableness test
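The data entry tests listed above, applied to one constructed sales order record, as an added Go example (written for this page; it is not code from the slides or the textbook). The record layout, the numeric limits and the customer master file are assumptions, and the check digit verification uses the Luhn (mod 10) algorithm, assumed here as the scheme the customer numbers were issued with.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// SalesOrder is a constructed data-entry record; its fields and the limits
// applied below are assumptions for this example.
type SalesOrder struct {
	CustomerID  string  // numeric, with a check digit
	Quantity    int     // sign and limit checks
	UnitPrice   float64 // range check
	Description string  // size check
	OrderDate   string  // validity check, expected as YYYY-MM-DD
	Approver    string  // completeness check
}

// validCustomers stands in for the customer master file consulted by the
// validity check (constructed IDs, both Luhn-valid).
var validCustomers = map[string]bool{"79927398713": true, "49927398716": true}

// isDigits implements the field check: every character must be a digit.
func isDigits(s string) bool {
	if s == "" {
		return false
	}
	for _, c := range s {
		if c < '0' || c > '9' {
			return false
		}
	}
	return true
}

// luhnValid implements check digit verification with the Luhn (mod 10)
// algorithm: every second digit from the right is doubled, digit sums
// are taken, and the total must be divisible by 10.
func luhnValid(s string) bool {
	sum, double := 0, false
	for i := len(s) - 1; i >= 0; i-- {
		d := int(s[i] - '0')
		if double {
			d *= 2
			if d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return sum%10 == 0
}

// validate runs the chapter's data entry checks over one record and returns
// every failure, so the clerk sees all problems at once.
func validate(o SalesOrder) []string {
	var errs []string
	const (
		maxQuantity    = 1000     // limit check (assumed)
		minPrice       = 0.01     // range check, lower bound (assumed)
		maxPrice       = 10000.0  // range check, upper bound (assumed)
		maxDescription = 40       // size check (assumed)
		maxOrderValue  = 250000.0 // reasonableness test (assumed)
	)
	switch {
	case !isDigits(o.CustomerID):
		errs = append(errs, "field check: CustomerID must be numeric")
	case !luhnValid(o.CustomerID):
		errs = append(errs, "check digit: CustomerID fails Luhn verification")
	case !validCustomers[o.CustomerID]:
		errs = append(errs, "validity check: CustomerID not in customer master file")
	}
	if o.Quantity < 0 {
		errs = append(errs, "sign check: Quantity must not be negative")
	}
	if o.Quantity > maxQuantity {
		errs = append(errs, fmt.Sprintf("limit check: Quantity exceeds %d", maxQuantity))
	}
	if o.UnitPrice < minPrice || o.UnitPrice > maxPrice {
		errs = append(errs, fmt.Sprintf("range check: UnitPrice outside %.2f..%.2f", minPrice, maxPrice))
	}
	if len(o.Description) > maxDescription {
		errs = append(errs, fmt.Sprintf("size check: Description longer than %d characters", maxDescription))
	}
	if strings.TrimSpace(o.Approver) == "" {
		errs = append(errs, "completeness check: Approver is required")
	}
	if _, err := time.Parse("2006-01-02", o.OrderDate); err != nil {
		errs = append(errs, "validity check: OrderDate is not a valid YYYY-MM-DD date")
	}
	if float64(o.Quantity)*o.UnitPrice > maxOrderValue {
		errs = append(errs, fmt.Sprintf("reasonableness test: order value exceeds %.0f", maxOrderValue))
	}
	return errs
}

func main() {
	records := []SalesOrder{ // constructed sample records
		{"79927398713", 5, 19.99, "Widgets", "2024-03-15", "A. Smith"},
		{"79927398710", -1, 0, strings.Repeat("x", 50), "2024-13-45", ""},
		{"49927398716", 900, 999.0, "Bulk order", "2024-03-16", "A. Smith"},
	}
	for _, r := range records {
		errs := validate(r)
		fmt.Printf("customer %s: %d problem(s)\n", r.CustomerID, len(errs))
		for _, e := range errs {
			fmt.Println("  -", e)
		}
	}
}
```

The third record passes every individual field test and is still rejected: 900 units at 999.00 each is a plausible quantity and a plausible price, but an implausible order, which is exactly the gap the reasonableness test closes.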

PROCESSING INTEGRITY
Additional Batch Processing Data Entry Controls
In addition to the preceding controls, when using batch processing, the following data entry controls should be incorporated:
- Sequence check
- Error log
- Batch totals
Additional Online Data Entry Controls
Online processing data entry controls include:
- Automatic entry of data
- Prompting
- Pre-formatting
- Closed-loop verification
- Transaction logs
- Error messages
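The sequence check and batch totals from the list above, worked through on a constructed batch of payments, as an added Go example (written for this page, not code from the slides or the textbook). The record layout is an assumption; the three totals used are the usual kinds, a record count, a financial total over an amount field and a hash total over a field with no business meaning.

```go
package main

import (
	"fmt"
	"sort"
)

// Payment is a constructed batch-input record; the fields are assumptions.
type Payment struct {
	DocNo       int   // pre-numbered source document
	AccountNo   int   // summed for the hash total, a sum with no business meaning
	AmountCents int64 // summed for the financial total; cents avoid float rounding
}

// BatchTotals are the control totals computed from the paper documents
// before keying and again from the keyed records afterwards.
type BatchTotals struct {
	RecordCount    int
	FinancialCents int64
	HashTotal      int
}

// computeTotals derives the three batch totals from keyed records.
func computeTotals(batch []Payment) BatchTotals {
	var t BatchTotals
	for _, p := range batch {
		t.RecordCount++
		t.FinancialCents += p.AmountCents
		t.HashTotal += p.AccountNo
	}
	return t
}

// compareTotals lists every total that disagrees; an empty result means the
// batch keyed in matches the batch that was counted.
func compareTotals(expected, actual BatchTotals) []string {
	var diffs []string
	if expected.RecordCount != actual.RecordCount {
		diffs = append(diffs, fmt.Sprintf("record count: expected %d, keyed %d", expected.RecordCount, actual.RecordCount))
	}
	if expected.FinancialCents != actual.FinancialCents {
		diffs = append(diffs, fmt.Sprintf("financial total: expected %d cents, keyed %d cents", expected.FinancialCents, actual.FinancialCents))
	}
	if expected.HashTotal != actual.HashTotal {
		diffs = append(diffs, fmt.Sprintf("hash total: expected %d, keyed %d", expected.HashTotal, actual.HashTotal))
	}
	return diffs
}

// sequenceCheck finds gaps and duplicates in pre-numbered document numbers,
// which should run consecutively within a batch.
func sequenceCheck(batch []Payment) []string {
	nums := make([]int, 0, len(batch))
	for _, p := range batch {
		nums = append(nums, p.DocNo)
	}
	sort.Ints(nums)
	var problems []string
	for i := 1; i < len(nums); i++ {
		prev, cur := nums[i-1], nums[i]
		switch {
		case cur == prev:
			problems = append(problems, fmt.Sprintf("duplicate document %d", cur))
		case cur > prev+1:
			for missing := prev + 1; missing < cur; missing++ {
				problems = append(problems, fmt.Sprintf("missing document %d", missing))
			}
		}
	}
	return problems
}

func main() {
	// Constructed batch: document 103 (account 4414) was never keyed and
	// document 104 was keyed twice, once against the wrong account.
	keyed := []Payment{{101, 4411, 12500}, {102, 4412, 7025}, {104, 4411, 3000}, {104, 4413, 3000}}
	// Totals the clerk computed by hand from the four paper documents 101..104.
	fromDocuments := BatchTotals{RecordCount: 4, FinancialCents: 25525, HashTotal: 17648}
	fmt.Println("sequence problems:", sequenceCheck(keyed))
	fmt.Println("total discrepancies:", compareTotals(fromDocuments, computeTotals(keyed)))
}
```

In the constructed batch the record count and the financial total both agree with the paper documents, so only the hash total and the sequence check reveal that a document was dropped and another keyed twice; that is why batch totals should include a hash total and not just a money amount.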

PROCESSING INTEGRITY
Output Controls
Careful checking of system output provides additional control over processing integrity. Output controls include:
- User review of output: users carefully examine output for reasonableness and completeness, and to assure they are the intended recipient.

AVAILABILITY

[Diagram: Systems Reliability with its five principles (Security, Confidentiality, Privacy, Processing Integrity, Availability); Availability highlighted]

Reliable systems are available for use whenever needed. Threats to system availability originate from many sources, including:
- Hardware and software failures
- Natural and man-made disasters
- Human error
- Worms and viruses
- Denial-of-service attacks and other sabotage

AVAILABILITY
Proper controls can minimize the risk of significant system downtime caused by the preceding threats. It is impossible to totally eliminate all threats. Consequently, organizations must develop disaster recovery and business continuity plans to enable them to quickly resume normal operations after such an event.
Minimizing Risk of System Downtime
Loss of system availability can cause significant financial losses, especially if the system affected is essential to e-commerce. Organizations can take a variety of steps to minimize the risk of system downtime. Physical and logical access controls (Chapter 7) can reduce the risk of successful denial-of-service attacks. Good computer security reduces the risk of theft or sabotage of IS resources.

AVAILABILITY
Preventive maintenance can reduce the risk of hardware and software failure. Examples:
- Cleaning disk drives
- Properly storing magnetic and optical media
Use of redundant components can provide fault tolerance, which enables the system to continue functioning despite failure of a component. Examples of redundant components:
- Dual processors
- Arrays of multiple hard drives (redundant array of inexpensive disks, RAID)
Disaster Recovery and Business Continuity Planning
Disaster recovery and business continuity plans are essential if an organization hopes to survive a major catastrophe. Being without an IS for even a short period of time can be quite costly; some report costs as high as half a million dollars per hour. Yet many large U.S. companies do not have adequate disaster recovery and business continuity plans.
Data Backup Procedures
Data need to be backed up regularly and frequently. A backup is an exact copy of the most current version of a database, file, or software program. It is intended for use in the event of a hardware or software failure. The process of installing the backup copy for use is called restoration.

AVAILABILITY
The objectives of a disaster recovery and business continuity plan are to:
- Minimize the extent of the disruption, damage, and loss
- Temporarily establish an alternative means of processing information
- Resume normal operations as soon as possible
- Train and familiarize personnel with emergency operations
Key components of effective disaster recovery and business continuity plans include:
- Data backup procedures
- Provisions for access to replacement infrastructure (equipment, facilities, phone lines, etc.)
- Thorough documentation
- Periodic testing
- Adequate insurance

AVAILABILITY
Several different backup procedures exist. A full backup is an exact copy of the data recorded on another physical medium (tape, magnetic disk, CD, DVD, etc.). Restoration involves bringing the backup copy online. Full backups are time consuming, so most organizations:
- Do full backups weekly
- Supplement with daily partial backups
Two types of partial backups are possible:
- Incremental backup: backs up only files that have changed since the last backup
- Differential backup: backs up all files that have changed since the last full backup
Example: Differential every hour and incremental every minute
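To make the incremental/differential distinction concrete, the following Go simulation (an added example for this page, not code from the slides or the textbook) runs a weekly full backup followed by daily partials of each kind over a constructed edit history, and then lists which backup sets a restore would need. File names, edit times and the hourly clock are constructed.

```go
package main

import (
	"fmt"
	"sort"
)

// Edit records that a file was modified at a given hour of a constructed
// clock (hour 0 is when the weekly full backup runs).
type Edit struct {
	File string
	Hour int
}

// Backup is one backup run and the files it captured.
type Backup struct {
	Kind  string // "full", "incremental" or "differential"
	Hour  int
	Files []string
}

// changedBetween returns the files edited after hour `since` and up to hour `upTo`, sorted.
func changedBetween(edits []Edit, since, upTo int) []string {
	set := map[string]bool{}
	for _, e := range edits {
		if e.Hour > since && e.Hour <= upTo {
			set[e.File] = true
		}
	}
	files := make([]string, 0, len(set))
	for f := range set {
		files = append(files, f)
	}
	sort.Strings(files)
	return files
}

// runSchedule takes a full backup at hour 0 and then a partial backup of the
// given kind at each hour in partialAt. Incremental: changes since the
// previous backup of any kind. Differential: changes since the last full.
func runSchedule(allFiles []string, edits []Edit, kind string, partialAt []int) []Backup {
	full := Backup{Kind: "full", Hour: 0, Files: append([]string(nil), allFiles...)}
	runs := []Backup{full}
	lastAny := 0
	for _, h := range partialAt {
		since := 0 // differential: relative to the full backup
		if kind == "incremental" {
			since = lastAny
		}
		runs = append(runs, Backup{Kind: kind, Hour: h, Files: changedBetween(edits, since, h)})
		lastAny = h
	}
	return runs
}

// restoreChain lists the backups that must be applied, in order, to recover
// the state as of the latest run: the full backup plus either the single
// latest differential or every incremental taken since the full.
func restoreChain(runs []Backup) []Backup {
	if len(runs) == 0 {
		return nil
	}
	last := runs[len(runs)-1]
	if last.Kind == "differential" {
		return []Backup{runs[0], last}
	}
	return runs // full followed by every incremental
}

func main() {
	allFiles := []string{"ledger.db", "memo.txt", "payroll.xlsx"}
	// Constructed edit history over three days.
	edits := []Edit{{"ledger.db", 5}, {"payroll.xlsx", 30}, {"ledger.db", 40}, {"memo.txt", 60}}
	daily := []int{24, 48, 72}
	for _, kind := range []string{"incremental", "differential"} {
		runs := runSchedule(allFiles, edits, kind, daily)
		for _, r := range runs {
			fmt.Printf("%-12s hour %2d: %v\n", r.Kind, r.Hour, r.Files)
		}
		fmt.Printf("restore needs %d backup set(s)\n\n", len(restoreChain(runs)))
	}
}
```

The output shows the trade-off behind the slide's two options: incremental backups stay small (each day captures only that day's changes) but a restore must replay the full backup and every incremental since; differential backups grow through the week but a restore needs only the full backup and the latest differential.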

AVAILABILITY
Incremental and differential backups are both made daily. Additional intra-day backups are often made for mission-critical databases. Periodically, the system makes a copy of the database at that point in time, called a checkpoint, and stores the copy on backup media. If a hardware or software fault interrupts processing, the checkpoint is used to restart the system. The only transactions that need to be reprocessed are those that occurred since the last checkpoint.
Backups are retained for only a fixed period of time. An archive is a copy of a database, master file, or software that will be retained indefinitely as a historical record, usually to satisfy legal and regulatory requirements. Multiple copies of archives should be made and stored in different locations. Appropriate security controls should also be applied to these files.
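The checkpoint-and-reprocess idea in the paragraph above, as an added Go example written for this page (not code from the slides or the textbook): balances are posted from a constructed transaction log, a checkpoint is taken mid-way, the live database is then "lost", and recovery restarts from the checkpoint and replays only the entries posted after it. The account names, amounts and sequence numbers are constructed.

```go
package main

import "fmt"

// LogEntry is one posted transaction in the transaction log (constructed).
type LogEntry struct {
	Seq     int
	Account string
	Delta   int64 // change in balance, in cents
}

// Checkpoint is a point-in-time copy of the database plus the sequence
// number of the last transaction it reflects.
type Checkpoint struct {
	LastSeq  int
	Balances map[string]int64
}

// applyEntry posts one transaction to the live balances.
func applyEntry(balances map[string]int64, e LogEntry) {
	balances[e.Account] += e.Delta
}

// takeCheckpoint copies the balances so the checkpoint is unaffected by
// later processing (a snapshot, not a reference to the live map).
func takeCheckpoint(balances map[string]int64, lastSeq int) Checkpoint {
	copyOf := make(map[string]int64, len(balances))
	for k, v := range balances {
		copyOf[k] = v
	}
	return Checkpoint{LastSeq: lastSeq, Balances: copyOf}
}

// recoverFromCheckpoint rebuilds the database after a fault: start from the
// checkpoint copy and reprocess only the log entries posted after it.
// It returns the recovered balances and the number of entries replayed.
func recoverFromCheckpoint(cp Checkpoint, log []LogEntry) (map[string]int64, int) {
	balances := make(map[string]int64, len(cp.Balances))
	for k, v := range cp.Balances {
		balances[k] = v
	}
	replayed := 0
	for _, e := range log {
		if e.Seq > cp.LastSeq {
			applyEntry(balances, e)
			replayed++
		}
	}
	return balances, replayed
}

// sampleLog is a constructed day of transactions.
var sampleLog = []LogEntry{
	{1, "cash", 50000}, {2, "receivables", -50000}, {3, "cash", -12000},
	{4, "inventory", 12000}, {5, "cash", 8000}, {6, "receivables", 3000},
}

func main() {
	live := map[string]int64{}
	var cp Checkpoint
	for _, e := range sampleLog {
		applyEntry(live, e)
		if e.Seq == 4 { // checkpoint taken mid-day
			cp = takeCheckpoint(live, e.Seq)
		}
	}
	// Simulated fault: the live database is lost; only the checkpoint copy
	// and the transaction log survive.
	recovered, n := recoverFromCheckpoint(cp, sampleLog)
	fmt.Printf("replayed %d of %d entries; cash=%d receivables=%d inventory=%d\n",
		n, len(sampleLog), recovered["cash"], recovered["receivables"], recovered["inventory"])
}
```

Two details matter in practice and are reflected here: the checkpoint must be a real copy (a reference to the live data would be lost with it), and the log must carry a sequence number so that recovery can tell exactly which transactions the checkpoint already includes.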

PC Restore Points
A PC regularly records a snapshot of your computer called a restore point. Through the All Programs menu:
1. Click Start.
2. Point to All Programs.
3. Point to Accessories.
4. Point to System Tools.
5. Click System Restore.
6. Follow the instructions in the wizard.
Creating Your Own Restore Point
1. Open System Restore.
2. Click Create a restore point, and then click Next.
3. In the Restore point description box, type a name to identify this restore point.
4. System Restore automatically adds the date and time that this restore point is created.

AVAILABILITY
Special attention should be paid to email, because it has become an important archive of organizational behavior and information. Access to email is often important when companies are embroiled in lawsuits. Organizations may be tempted to adopt a policy of periodically deleting all email to prevent a plaintiff's attorney from finding a smoking gun. Most experts advise against such policies and recommend that organizations include email in their backup and archive procedures because:
- There are likely to be copies of the email stored in locations outside the organization.
- Such a policy would mean that the organization would not be able to tell its side of the story.
- Also, courts have sanctioned companies for failing to provide timely access to email.

[Figure: Full email header]

AVAILABILITY
Infrastructure Replacement
Major disasters can totally destroy an organization's information processing center or make it inaccessible. A key component of disaster recovery and business continuity plans incorporates provisions for replacing the necessary computing infrastructure, including:
- Computers
- Network equipment and access
- Telephone lines
- Office equipment
- Supplies
It may even be necessary to hire temporary staff. Organizations have three basic options for replacing computer and networking equipment:
- Reciprocal agreements
- Cold sites
- Hot sites

AVAILABILITY
Documentation
An important and often overlooked component. Should include:
- The disaster recovery plan itself, including instructions for notifying appropriate staff and the steps to resume operation, needs to be well documented.
- Assignment of responsibility for the various activities.
- Vendor documentation of hardware and software.
- Documentation of modifications made to the default configuration (so the replacement will have the same functionality).
- Detailed operating instructions.
Copies of all documentation should be stored both on-site and off-site.

CHANGE MANAGEMENT CONTROLS
- Changes should be thoroughly tested prior to implementation. This includes assessing the effect of the change on all five principles of systems reliability, and should occur in a separate, non-production environment.
- All documentation (program instructions, system descriptions, backup and disaster recovery plans) should be updated to reflect authorized changes to the system.
- Emergency changes or deviations from policy must be documented and subjected to a formal review and approval process as soon after implementation as practicable. All such actions should be logged to provide an audit trail.

Two Kinds of Key Systems

Symmetric Key Algorithms
- DES: 56-bit key
- Triple DES: encrypt, decrypt, encrypt, using either two or three 56-bit keys
- IDEA: 128-bit key
- Blowfish: variable-length key, up to 448 bits
PKI vs Symmetric Key
- PKI is easier, as you don't have to manage keys on a per-user basis
- But it is MUCH more compute intensive (up to 1000 times slower)
- Many systems do a combination, e.g. PGP:
  - Use PKI to send a symmetric key
  - Then use the symmetric key to encrypt the data

[Figure: PKI used to send the symmetric (secret) key]

[Figure: Digital signature used to verify that data was not changed in transit]

[Figure: PKI, the full picture; the hash value is also known as a message digest]

Digital Signatures & Digital Certificates
Digital Signature
- Attached to encrypted message
- Guarantees authenticity
Digital Certificates
- 3rd party issuer (ex. VeriSign)
- Secures both keys
- Provides means to encode reply
- Provide authentication
- Verifies sender

Benford Probability Distribution

Exhibit 2 shows the results of an analysis of the population counts of the 3,141 U.S. counties, according to the 1990 census. Benford's law proportions are shown as the diamond studs on the line. The bars show the actual proportions.
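An added Go example (written for this page; not the exhibit's own analysis) that computes the Benford's law proportions plotted as the diamonds, tallies actual first-digit proportions for a population list, and scores the fit with a chi-square statistic. The census counts are not reproduced here; the constructed sample is the first 100 powers of two, a set known to follow Benford's law, and the comparison set is a list of values that all begin with 9.

```go
package main

import (
	"fmt"
	"math"
	"strconv"
)

// benfordExpected is the proportion Benford's law predicts for leading digit d:
// log10(1 + 1/d), about 30.1% for 1 down to 4.6% for 9.
func benfordExpected(d int) float64 {
	return math.Log10(1 + 1/float64(d))
}

// leadingDigit returns the first significant digit of a positive number,
// read from its scientific notation so float rounding cannot shift it.
func leadingDigit(v float64) int {
	s := strconv.FormatFloat(v, 'e', -1, 64)
	return int(s[0] - '0')
}

// leadingDigitCounts tallies digits 1..9 (index 0 unused); non-positive
// values have no leading digit and are skipped.
func leadingDigitCounts(values []float64) [10]int {
	var counts [10]int
	for _, v := range values {
		if v > 0 {
			counts[leadingDigit(v)]++
		}
	}
	return counts
}

// proportions converts the counts into the "actual proportions" shown as bars.
func proportions(values []float64) [10]float64 {
	counts := leadingDigitCounts(values)
	var props [10]float64
	n := float64(len(values))
	for d := 1; d <= 9; d++ {
		props[d] = float64(counts[d]) / n
	}
	return props
}

// chiSquare measures how far the actual first-digit counts sit from the
// Benford expectation; with 8 degrees of freedom, values above about 15.5
// would be rejected at the 5% level.
func chiSquare(values []float64) float64 {
	counts := leadingDigitCounts(values)
	n := float64(len(values))
	x2 := 0.0
	for d := 1; d <= 9; d++ {
		expected := benfordExpected(d) * n
		diff := float64(counts[d]) - expected
		x2 += diff * diff / expected
	}
	return x2
}

// powersOfTwo is a constructed population (2^0 .. 2^(n-1)) known to follow Benford's law.
func powersOfTwo(n int) []float64 {
	vals := make([]float64, n)
	for i := range vals {
		vals[i] = math.Ldexp(1, i)
	}
	return vals
}

func main() {
	data := powersOfTwo(100)
	props := proportions(data)
	fmt.Println("digit  benford  actual")
	for d := 1; d <= 9; d++ {
		fmt.Printf("  %d    %.3f    %.3f\n", d, benfordExpected(d), props[d])
	}
	fmt.Printf("chi-square: %.2f\n", chiSquare(data))
}
```

Used as an audit analytic, the same functions would take a column of transaction amounts in place of the constructed sample; a chi-square far above the 15.5 threshold flags a population whose first digits do not behave naturally and deserves a closer look, not proof of fraud by itself.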
