ACC 444 - CH 9


Who developed the Generally Accepted Privacy Principles (GAPP)? (PRIVACY)

American Institute of Certified Public Accountants (AICPA) and the Canadian Institute of Chartered Accountants (CICA).

What is the best SECURITY practice for protecting the privacy of customers' personal information as defined by GAPP? (PRIVACY)

An organization must take reasonable steps to protect its customers' personal information from loss or unauthorized disclosure.

What is the best COLLECTION practice for protecting the privacy of customers' personal information as defined by GAPP? (PRIVACY)

An organization should collect only the information needed to fulfill the purposes stated in its privacy policies.

What is the best NOTICE practice for protecting the privacy of customers' personal information as defined by GAPP? (PRIVACY)

An organization should provide notice about its privacy policies and practices at or before the time it collects personal information from customers, or as soon as practicable thereafter. The notice should clearly explain what information is being collected, the reasons for its collection, and how the information will be used.

What is identity theft? (PRIVACY)

Assuming someone's identity, usually for economic gain. This is another privacy-related issue of growing concern. Identity theft is a financial crime. A growing proportion of identity theft now includes obtaining medical care and services. Tax identity theft is another growing problem.

What does it mean to control access to the information? (CONFIDENTIALITY)

Authentication and authorization controls are not sufficient to protect confidentiality because they only control initial access to sensitive information that is stored digitally. Organizations need to protect sensitive information throughout its entire life cycle, including distribution and disposal, regardless of whether it is stored digitally or physically.

What is the best MANAGEMENT practice for protecting the privacy of customers' personal information as defined by GAPP? (PRIVACY)

Organizations need to establish a set of procedures and policies for protecting the privacy of personal information they collect from customers, as well as information about their customers obtained from third parties such as credit bureaus. They should assign responsibility and accountability for implementing those policies and procedures to a specific person or group of employees.

What is the best MONITORING AND ENFORCEMENT practice for protecting the privacy of customers' personal information as defined by GAPP? (PRIVACY)

Organizations should assign one or more employees to be responsible for ensuring compliance with its stated privacy policies. Organizations must also periodically verify that their employees are complying with stated privacy policies. In addition, organizations should establish procedures for responding to customer complaints, including the use of a third-party dispute resolution process.

What is the best DISCLOSURE TO THIRD PARTIES practice for protecting the privacy of customers' personal information as defined by GAPP? (PRIVACY)

Organizations should disclose their customers' personal information to third parties only in the situations and manners described in the organization's privacy policies and only to third parties who provide the same level of privacy protection as does the organization that initially collected the information.

What is the best CHOICE AND CONSENT practice for protecting the privacy of customers' personal information as defined by GAPP? (PRIVACY)

Organizations should explain the choices available to individuals and obtain their consent prior to collection and use of their personal information. In the US, the default policy is called opt-out, which allows organizations to collect personal information about customers unless the customer explicitly objects.

What is the best QUALITY practice for protecting the privacy of customers' personal information as defined by GAPP? (PRIVACY)

Organizations should maintain the integrity of their customers' personal information and employ procedures to ensure that it is reasonably accurate. Providing customers with a way to review the personal information stored by the organization can be a cost-effective way to achieve this objective.

What is the best USE AND RETENTION practice for protecting the privacy of customers' personal information as defined by GAPP? (PRIVACY)

Organizations should use customers' personal information only in the manner described in their stated privacy policies and retain that information only as it is needed to fulfill a legitimate business purpose.

What are the 2 major privacy-related concerns? (PRIVACY)

Spam and identity theft.

Why is spam a privacy-related issue? (PRIVACY)

Spam is a privacy-related issue because recipients are often targeted as a result of unauthorized access to e-mail address lists and databases containing personal information.

What government regulations are there for protecting individual privacy? (PRIVACY)

State disclosure laws, federal regulations, the Health Insurance Portability and Accountability Act (HIPAA), the Health Information Technology for Economic and Clinical Health Act (HITECH), and the Financial Services Modernization Act (Gramm-Leach-Bliley Act) all impose specific requirements on organizations to protect the privacy of their customers' personal information.

What is CAN-SPAM? (PRIVACY)

Controlling the Assault of Non-Solicited Pornography and Marketing Act, passed by the US Congress in 2003. It provides both criminal and civil penalties for violations of the law. It applies to commercial e-mail, which is defined as any e-mail that has the primary purpose of advertising or promotion.

What is data loss prevention (DLP), part of control access? (CONFIDENTIALITY)

Data loss prevention software protects confidentiality by providing controls over outbound communication. The software works like antivirus programs in reverse, blocking outgoing messages (e-mail, instant messages, etc.) that contain key words or phrases associated with intellectual property or other sensitive data the organization wants to protect. DLP software is a PREVENTATIVE control.

What does it mean to encrypt the information? (CONFIDENTIALITY)

Encryption is an extremely important and effective tool to protect confidentiality. It is the only way to protect information in transit over the internet. It is also a necessary part of defense-in-depth to protect information stored on websites or in a public cloud.

What is a fundamental control for protecting the privacy of personal information that organizations collect? (PRIVACY)

Encryption. Information needs to be encrypted both while it is in transit over the internet and while it is in storage.

What does it mean to identify and classify the information? (CONFIDENTIALITY)

The first step to protect the confidentiality of intellectual property and other sensitive business information is to IDENTIFY where such information resides and who has access to it. (Taking a thorough inventory of every digital and paper store of information is both costly and time-consuming. It involves examining more than just the contents of the organization's financial systems.) The next step is to CLASSIFY the information in terms of its value to the organization. (Classification is the responsibility of information owners, as they understand how the information is used.)

What does it mean to train employees to properly handle the information? (CONFIDENTIALITY)

Training is the most important control for protecting confidentiality. 1) Employees need to know WHAT information they can share with outsiders and what information needs to be protected. 2) Employees need to be taught HOW to protect confidential data. With proper training, employees can play an important role in protecting the confidentiality of an organization's information and enhance the effectiveness of related controls.

What are other controls for protecting privacy in addition to encryption and access controls? (PRIVACY)

Training. Organizations also need to train employees on how to manage and protect personal information collected from customers. This is especially important for medical and financial information.

What is spam? (PRIVACY)

Unsolicited e-mail that contains either advertising or offensive content. Spam is a privacy-related issue and is a source of many viruses, worms, spyware programs, and other types of malware.

What are the 5 principles of reliable systems in the Trust Services Framework?

1) Security, 2) Confidentiality, 3) Privacy, 4) Processing Integrity, 5) Availability.

What does it mean to use privacy controls? (PRIVACY)

1) The first step to protect the privacy of personal information collected from customers, employees, suppliers, and business partners is to identify what information the organization possesses, where it is stored, and who has access to it. 2) It is then important to implement controls to protect the information, because incidents involving the unauthorized disclosure of personal information, whether intentional or accidental, can be costly.

What are some of the CAN-SPAM key guidelines organizations need to follow? (PRIVACY)

1) The sender's identity must be clearly displayed in the header of the message. 2) The subject field in the header must clearly identify the message as an advertisement or solicitation. 3) The body of the message must provide recipients with a working link that can be used to opt out of future e-mail. After receiving an opt-out request, organizations have 10 days to implement steps to ensure they do not send any additional unsolicited e-mail to that address. 4) The body of the message must include the sender's valid postal address. 5) Organizations should not send commercial e-mail to randomly generated addresses, nor should they set up websites designed to "harvest" e-mail addresses of potential customers.

What is data masking, part of control access? (PRIVACY)

A program that protects privacy by replacing personal information with fake values. To protect privacy, organizations should run data masking programs that replace personal information (such as SSNs) with fake values before sending that data to the program development and testing system. Data masking is also known as tokenization.

What is a cookie? (PRIVACY)

A text file created by a website and stored on a visitor's hard disk. Cookies store information about what the user has done on the site.

What are steps to control access in response to new threats created by technological advances? (CONFIDENTIALITY)

Access controls designed to protect confidentiality must be continuously reviewed and modified to respond to new threats. (i.e., voice-over-the-internet (VoIP) technology now requires that conversations about sensitive topics be encrypted.)

What are other controls for protecting privacy in addition to encryption? (PRIVACY)

Access controls. Strong authentication and authorization controls restrict who can access systems that contain personal information and the actions the users can perform once they are granted access.

What is a digital watermark, part of data loss prevention and control access? (CONFIDENTIALITY)

DLP software should be supplemented by embedding code called a digital watermark in documents. The digital watermark is a DETECTIVE control that enables an organization to identify confidential information that has been disclosed.

What are additional steps to control PHYSICAL UNSUPERVISED access to information? (CONFIDENTIALITY)

1) Restrict access to rooms that contain printers, digital copiers, and fax machines, because these devices store large amounts of confidential information. 2) Laptops and workstations should run password-protected screen savers automatically after a few minutes of inactivity to prevent unauthorized viewing of sensitive information. 3) Screen protection devices that limit the distance and angle from which information on a laptop or workstation monitor can be seen provide an additional means to safeguard sensitive information, particularly in areas to which visitors have access.

How do virtualization and cloud computing also affect the risk of unauthorized access to sensitive or confidential information? (CONFIDENTIALITY)

1) An important control in virtual environments, including internally managed "private" clouds, is to use virtual firewalls to restrict access between different virtual machines that coexist on the same physical server. 2) Virtual machines that store highly sensitive or confidential data should not be hosted on the same physical server as virtual machines that are accessible via the internet, because of the risk that a skilled attacker might be able to break out of the latter and compromise the former. 3) With public clouds, the data is stored elsewhere, and access occurs over the internet via browsers. All communication between users and the cloud must be encrypted. 4) Browser software often contains numerous vulnerabilities; therefore, highly sensitive and confidential data probably should not be stored in a public cloud, because of the lack of control over where the information is actually stored and because of the risk of unauthorized access by other cloud customers, who may include competitors, or even by employees of the cloud provider.

What should training cover when teaching employees ways they can protect confidential data? (CONFIDENTIALITY)

1) How to use encryption software, 2) The importance of always logging out of applications and using a password-protected screen saver before leaving their laptops or workstations, 3) How to code reports they create to reflect the importance of the information contained therein so that other employees will know how to handle those reports, 4) Not to leave reports containing sensitive information in plain view on their desks, 5) The proper use of e-mail (do not routinely use "reply all"), instant messaging, and blogs.

What are the 4 basic actions that must be taken to preserve the CONFIDENTIALITY of sensitive information?

1) Identify and classify the information, 2) Encrypt the information, 3) Control access to the information, 4) Train employees to properly handle the information.

What are the 10 internationally recognized best practices for protecting the privacy of customers' personal information as defined by GAPP? (PRIVACY)

1) Management, 2) Notice, 3) Choice and Consent, 4) Collection, 5) Use and Retention, 6) Access, 7) Disclosure to Third Parties, 8) Security, 9) Quality, 10) Monitoring and Enforcement. Protecting the privacy of customers' personal information requires first implementing a combination of policies, procedures, and technology, then training everyone in the organization to act in accordance with those plans, and subsequently monitoring compliance. Only senior management possesses the authority and the resources to accomplish this, which reinforces the fact that all aspects of systems reliability are, at bottom, a managerial issue and not just an IT issue.

What are additional steps to control PHYSICAL access to information stored in PHYSICAL DOCUMENTS and proper DISPOSAL of sensitive information? (CONFIDENTIALITY)

1) Printed reports and microfilm containing confidential information should be shredded before being thrown out. 2) Proper disposal of computer media requires the use of special software designed to "wipe" the media clean by repeatedly overwriting the disk or drive with random patterns of data. 3) Physically destroy (i.e., incinerate) magnetic and optical media that have been used to store extremely sensitive data.

What is Information rights management (IRM), part of control access? (CONFIDENTIALITY)

Information rights management (IRM) software provides an additional layer of protection to sensitive information that is stored in digital format, offering the capability not only to limit access to specific files or documents, but also to specify the actions (read, copy, print, download, etc.) that individuals who are granted access to that resource can perform. Some IRM software even has the capability to limit access privileges to a specific period of time and to remotely erase protected files.

Under the Trust Services Framework, what is the PRIVACY principle?

It is closely related to the confidentiality principle, except that it focuses on protecting personal information about customers, employees, suppliers, or business partners (rather than organizational data). The controls that need to be implemented to protect privacy are the same ones used to protect confidentiality: identification of the information that needs to be protected, encryption, access controls, and training.
