Chapter 12 SLATER: Confidentiality and Privacy Controls

Accounting Information Systems - Chapter 12: Confidentiality and Privacy Controls

Learning Objectives (1 of 2)

1. Understand the controls used to protect the confidentiality of an organization’s information and personal information from customers, suppliers, and employees.

2. Discuss the Generally Accepted Privacy Principles (GAPP) framework guiding the development of comprehensive privacy protection complying with regulations like the EU’s General Data Privacy Regulation (GDPR).

Learning Objectives (2 of 2)

1. Explain the functioning of various encryption systems and differentiate between encryption and hashing.

2. Archiving digital signatures and their role in creating legally enforceable contracts.

3. Discuss the workings of blockchain technology.

Data Security

• Key Players:

  • Defensive Tools: Firewalls, Encryption, Antivirus Software

  • Threats: Human Errors

Introduction to Reliable Systems Principles

Reliable systems must uphold five principles:

1. Information Security

2. Confidentiality

3. Privacy

4. Processing integrity

5. Availability

Confidentiality, Security, and Privacy

• Confidentiality involves maintaining sensitive information's secrecy.

• Important in ensuring privacy alongside robust security measures.

Protecting Confidentiality and Privacy Components

1. Identify and Classify Information: Understanding what data is sensitive.

2. Encryption: Process of transforming data to make it unreadable.

3. Access Controls: Regulating who can handle sensitive information.

4. Training: Educating employees on information handling practices.

Confidentiality and Privacy Measures

• Effective control of sensitive information requires:

  • Identification of sensitive data

  • Classification based on value

  • Protection strategies that include encryption and access control.

Controls for Sensitive Information

1. Encryption

• At Storage: Use encryption and access controls.

• During Transmission: Ensure data is encrypted to protect its integrity.

• Disposal: Employ physical destruction and thorough erasure to prevent data retrieval.

2. Information Rights Management (IRM)

• Limit access to data and monitor actions performed on it. Preventative control. Limit access to data files but also which actions can be taken with the files (access control matrix).

• Use Data Loss Prevention (DLP) software to prevent unauthorized data distribution. Preventative control. Stop outgoing messages which contain key words or phrases associated with intellectual property.

• Implement digital watermarks to trace disclosed sensitive data. Detective control. Code embedded into a file that allows company to identify confidential information that has been disclosed.

Training on Access Controls

• Train employees to manage sensitive data positively and securely. Key points include:

  • Proper password protection and logging out of applications when leaving workstations.

  • Manage email communication to prevent unintended disclosures.

  • Specific protocols for handling sensitive reports and files.

Identifying and Classifying Sensitive Information

• Examples of Confidential Company Information:

  • Business plans, Pricing strategies, Client lists, Legal documents, Trade secrets.

• Private Data:

  • Personal information from customers, suppliers, and employees.

Privacy Regulations

• GDPR: Imposes significant fines for non-compliance concerning personal data.

• Other notable regulations include:

  • CCPA: California Consumer Privacy Act 2018

  • HIPAA: Health Insurance Portability and Accountability Act

  • HITECH: Health Information Technology for Economic and Clinical Health Act

Generally Accepted Privacy Principles (GAPP)

The GAPP outlines 10 best practices for ensuring customer data privacy:

1. Management: Establish procedures for protecting customer data and assign accountability.

2. Notice: Inform customers of data collection practices.

3. Choice and Consent: Obtain customer consent for data usage.

4. Collection: Only collect necessary data.

5. Use, Retention, and Disposal: Adhere to data usage policies, retain only as needed, and dispose of securely.

6. Access: Allow individuals to access and correct their data.

7. Disclosure to Third Parties: Share data only per stated policies, ensuring third-party protection.

8. Security: Implement measures to protect data from unauthorized access.

9. Quality: Maintain data integrity and allow customer review.

10. Monitoring and Enforcement: Assign personnel to ensure compliance with privacy policies and handling complaints.

Digital Signatures and Certificates

• Digital signatures affirm document integrity via hashing and encryption.

• Digital certificates authenticate public keys, essential for secure communications.

Blockchain Technology

• Functionality: A blockchain is a distributed ledger ensuring data integrity through hashed documents.

• Importance of Immutability: If a document is altered, its corresponding hash changes, detecting fraud.

Conclusion

Maintaining confidentiality and privacy in an organization requires disciplined approaches, robust encryption methods, extensive training, and strict adherence to established regulations and practices. Training employees is crucial in reevaluating and enhancing existing privacy measures.