Part 2: Information systems controls for system reliability - Chapter 9

This chapter covers two other important principles of reliable systems in the Trust Services Framework: preserving the confidentiality of an organization’s intellectual property and protecting the privacy of the personal information it collects from customers. We also discuss the topic of encryption in detail, because it is a critical tool for protecting both confidentiality and privacy.

Organizations possess a myriad of sensitive information, including strategic plans, trade secrets, cost information, legal documents and process improvements. This intellectual property often is crucial to the organization’s long-run competitive advantages and success. Consequently, preserving the confidentiality of the organization’s intellectual property, and similar information shared by its business partners, has long been recognized as a basic objective of information security. This section discusses the actions that must be taken to preserve confidentiality.

  1. Identification and classification of the information to be protected

  2. Encryption of sensitive information

  3. Controlling access to sensitive information

  4. Training

The first action is the identification and classification of information to be protected. The first step is to identify where such information resides and who has access to it. This sounds easy, but it’s harder than you think. It is time-consuming and costly, because it involves examining more than just the contents of the organization’s financial system. The next step is to classify the information in terms of its value to the organization.

Encryption is an important and effective tool to protect confidentiality. It is the only way to protect information in transit over the internet. Encryption is not a panacea, however. Some sensitive information may not be stored digitally and therefore cannot be protected by being encrypted. Strong authentication is needed, so that no one else can gain access to the computer. Physical access controls are also needed. Sensitive information is exposed in plain view whenever it is being processed by a program, displayed on a monitor or included in printed reports. Protecting confidentiality therefore requires application of the principle of defense-in-depth: supplementing encryption with access controls and training.

The third action, controlling access to sensitive information, uses information rights management (IRM) software. This software provides an additional layer of protection to specific information resources, offering the capability not only to limit access to specific files or documents, but also to specify the actions that individuals can perform on them (read, copy, print, download to USB devices, etc.).

Today, organizations constantly exchange information with their business partners and customers. Therefore, protecting confidentiality also requires controls over outbound communications. One tool for accomplishing that is data loss prevention (DLP) software. This software works like an antivirus program in reverse, blocking outgoing messages that contain key words or phrases associated with the intellectual property or other sensitive data the organization wants to protect.
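The following is an added illustration of the DLP idea described above, not code from the textbook or from any DLP product. It scans a few constructed outbound messages for watch-listed phrases and classification banners and only holds a message when it is leaving the organization; the mail domain, the watch-list terms and the banner convention are all assumptions chosen for the example.

```python
import re

# All names and policy values below are constructed for illustration, not taken from the chapter.
INTERNAL_DOMAIN = "example.com"                                            # assumed company mail domain
CONFIDENTIAL_TERMS = ("project falcon", "merger plan", "unit cost sheet")  # assumed watch-list
# Assumed document-labelling convention: a classification banner somewhere in the text.
CLASSIFICATION_MARKER = re.compile(r"\b(CONFIDENTIAL|INTERNAL ONLY)\b")


def is_external(address: str) -> bool:
    """True when the recipient address is outside the company's mail domain."""
    return address.rsplit("@", 1)[-1].lower() != INTERNAL_DOMAIN


def scan_outbound(message: dict) -> dict:
    """Decide whether one outbound message should be held.

    A message is held only when it leaves the organization AND its body
    carries a watch-listed phrase or a classification banner. Internal
    mail with the same content is allowed, because DLP is an outbound control.
    """
    reasons = []
    body = message["body"]
    lowered = body.lower()
    for term in CONFIDENTIAL_TERMS:
        if term in lowered:
            reasons.append("keyword: " + term)
    marker = CLASSIFICATION_MARKER.search(body)
    if marker:
        reasons.append("marker: " + marker.group(0))
    external = any(is_external(r) for r in message["to"])
    return {"blocked": external and bool(reasons), "external": external, "reasons": reasons}


# Constructed sample traffic: three outbound messages.
SAMPLE_MESSAGES = [
    {"to": ["partner@supplier.example"], "body": "Attached is the Project Falcon roadmap. CONFIDENTIAL"},
    {"to": ["colleague@example.com"], "body": "Draft merger plan for internal review."},
    {"to": ["customer@mail.example"], "body": "Thanks for your order; your invoice is attached."},
]


def run_samples() -> list:
    """Return the verdict for each sample message, in order."""
    return [scan_outbound(m) for m in SAMPLE_MESSAGES]


if __name__ == "__main__":
    for msg, verdict in zip(SAMPLE_MESSAGES, run_samples()):
        print(msg["to"], "->", "HELD" if verdict["blocked"] else "allowed", verdict["reasons"])
```

The first message is held (external recipient, watch-listed phrase and a banner), the second is allowed because it stays inside the company even though it mentions the merger plan, and the third is allowed because it carries nothing sensitive. A real product would also inspect attachments and use fingerprints of the protected documents rather than plain keywords, which is why the chapter pairs DLP with watermarking and training.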

A digital watermark is a detective control that enables organizations to identify confidential information that has been disclosed. When an organization discovers documents containing its digital watermark on the internet, it has evidence that the preventive controls designed to protect its sensitive information have failed. It should then investigate how the compromise occurred and take appropriate corrective action.

The last action is training, which is arguably the most important control for protecting confidentiality. Employees need to know what information they can share with outsiders and what information needs to be protected. They also need to be taught how to protect this confidential data, for example how to use encryption software. They should also be aware that they always need to log out before leaving a laptop or workstation unattended.


In the Trust Services Framework, the privacy principle is closely related to the confidentiality principle. They differ only in that privacy focuses on protecting personal information about customers rather than organizational data. The controls that need to be implemented to protect privacy are the same ones used to protect confidentiality.

The first step in protecting the privacy of personal information collected from customers is to identify what information is collected, where it is stored, and who has access to it. It is then important to implement controls to protect that information, because incidents involving the unauthorized disclosure of customers’ personal information, whether intentional or accidental, can be costly.

Encryption is a fundamental control for protecting the privacy of customers’ personal information. That information needs to be encrypted both while it is in transit over the internet and while it is in storage. Encrypting information can also save the company money.

To protect privacy, organizations should run data masking programs. These programs replace customers’ personal information with fake values before the data is sent to the program development and testing systems.
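As an added example of the data masking step (not code from the textbook or from any masking product), the function below takes a few constructed customer records and replaces the identifying fields with fake values before the rows are handed to a test environment. The field names, the salt and the masking rules are assumptions for the example; the point it shows is that the same real value always maps to the same fake value, so duplicates and joins in the test data still behave like production, while the non-identifying fields are left untouched.

```python
import hashlib

# Constructed customer records as they might sit in a production table (all values are fake).
PRODUCTION_ROWS = [
    {"customer_id": 1001, "name": "Alice Example", "email": "alice@mail.example",
     "card": "4111111111111111", "balance": 250.75},
    {"customer_id": 1002, "name": "Bob Sample", "email": "bob@mail.example",
     "card": "5500000000000004", "balance": 1200.00},
    {"customer_id": 1003, "name": "Alice Example", "email": "alice@mail.example",
     "card": "4111111111111111", "balance": 42.10},
]

# Assumed: a secret salt that stays in production so testers cannot recompute the mapping.
MASKING_SALT = b"constructed-salt-for-illustration"


def pseudonym(value: str, field: str) -> str:
    """Deterministic fake replacement for one field value.

    Hashing salt + field + value means the same real value always yields the
    same token (keeps referential consistency) while different fields with the
    same text get different tokens.
    """
    token = hashlib.sha256(MASKING_SALT + field.encode() + value.encode()).hexdigest()[:8]
    return f"{field}_{token}"


def mask_row(row: dict) -> dict:
    """Return a copy of `row` with the identifying fields replaced."""
    masked = dict(row)
    masked["name"] = pseudonym(row["name"], "name")
    masked["email"] = pseudonym(row["email"], "email") + "@masked.example"
    # Keep the length and the last four digits so display and validation logic in test code still runs.
    masked["card"] = "X" * 12 + row["card"][-4:]
    # customer_id and balance are not identifying on their own and stay as they are.
    return masked


def mask_table(rows: list) -> list:
    """Mask every row of a table before it leaves the production boundary."""
    return [mask_row(r) for r in rows]


if __name__ == "__main__":
    for row in mask_table(PRODUCTION_ROWS):
        print(row)
```

Rows 1001 and 1003 belong to the same person in the constructed data, and after masking they still share the same fake name and e-mail, which is what lets the test system exercise duplicate-detection and join logic without ever seeing the real values.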

Organizations also need to train employees on how to manage and protect customers’ personal information. This is especially important for medical and financial personal information.

Two major privacy related concerns are spam and identity theft.

Spam is unsolicited e-mail that contains either advertising or offensive content. Spam is a privacy-related issue because recipients are often targeted as a result of unauthorized access to e-mail address lists and databases containing personal information. Spam is also a source of many viruses, worms, spyware programs and other types of malware. A few key provisions govern commercial e-mail. The sender’s identity must be clearly displayed in the header of the message. The subject field in the header must clearly identify the message. The body of the message must provide recipients with a working link that can be used to opt out of future e-mail. The body of the message must also include the sender’s valid postal address. Finally, organizations should not send commercial e-mail to randomly generated addresses.

Identity theft, on the other hand, is the unauthorized use of someone’s personal information for the perpetrator’s benefit. Identity theft is often a financial crime: perpetrators obtain loans or open new credit cards in the victim’s name and sometimes loot the victim’s bank accounts. A growing portion of identity theft cases involve fraudulently obtaining medical care and services, which can have life-threatening consequences. The Generally Accepted Privacy Principles (GAPP) identify and define the following ten internationally recognized best practices for protecting the privacy of customers’ personal information.

  1. Management. Organizations need to establish a set of procedures and policies for protecting the privacy of customers. They should assign responsibility and accountability for implementing those policies to a specific person or group.

  2. Notice. An organization should provide notice about its privacy policies and practices. The notice should clearly explain what information is being collected, the reasons why, and how it will be used.

  3. Choice and consent. Organizations should explain the choices available to individuals and obtain their consent prior to the collection and use of their personal information. The nature of the choices offered differs across countries.

  4. Collection. An organization should collect only the information needed to fulfil the purposes stated in its privacy policy. Some organizations use cookies on their websites. A cookie is a text file created by a website and stored on a visitor’s hard disk. Cookies store information about what the user has done on the site.

  5. Use and retention. Organizations should use customers’ personal information only in the manner described in their stated privacy policies and retain that information only as long as needed to fulfil a legitimate business purpose.

  6. Access. An organization should provide individuals with the ability to access, review, correct, and delete the personal information stored about them.

  7. Disclosure to third parties. Organizations should disclose their customers’ personal information to third parties only in the situations and manner described in the organization’s privacy policies, and only to third parties who provide the same level of privacy protection.

  8. Security. An organization must take reasonable steps to protect its customers’ personal information from loss or unauthorized disclosure. The organization must use preventive, detective and corrective controls to restrict access to this personal information.

  9. Quality. Organizations should maintain the integrity of their customers’ personal information and employ procedures to ensure that it is reasonably accurate.

  10. Monitoring and enforcement. An organization should assign one or more employees to be responsible for ensuring compliance with its stated privacy policies. They must periodically verify that their employees are complying with stated privacy policies.

Encryption is a preventive control that can be used to protect both confidentiality and privacy. Encryption protects data that is being sent over the internet, and it provides one last barrier that must be overcome by an intruder who has obtained unauthorized access to stored information. Accountants, auditors and systems professionals should therefore understand encryption.

Encryption is the process of transforming normal content, called plaintext, into unreadable gibberish, called ciphertext. See figure 9.1 on page 278 for the steps in the encryption and decryption process.

Decryption reverses this process, transforming ciphertext back into plaintext. Both involve the use of a key and an algorithm. Computers represent both as a series of binary digits (0s and 1s).

The key is also a string of binary digits of a fixed length.

The algorithm is a formula for combining the key and the text.

Most documents are longer than the key, so the encryption process begins by dividing the plaintext into blocks, each block being of equal length to the key. Then the algorithm is applied to the key and the block of plaintext.

Three important factors determine the strength of any encryption system.

  • Key length: longer keys provide stronger encryption by reducing the number of repeating blocks in the cipher text. This makes it harder to spot patterns in the cipher text that reflect patterns in the original plaintext.

  • Encryption algorithm: the nature of the algorithm used to combine the key and the plaintext is important. A strong algorithm is difficult to break by using brute force guessing techniques.

  • Policies for managing cryptographic keys. No matter how long the keys are, or how strong an encryption algorithm is, if the keys have been compromised, the encryption can be easily broken. There is also a process called key escrow. This process involves making copies of all encryption keys used by employees and storing those copies securely.

There are two basic types of encryption systems. The first is the symmetric encryption system. This type uses the same key both to encrypt and to decrypt. The other type is the asymmetric encryption system, which uses two keys. One is called the public key. This key is widely distributed and available to everyone. The other is called the private key and is kept secret, known only to the owner of that pair of keys.

Symmetric encryption is much faster than asymmetric encryption, but it has two major problems. First, both parties need to know the shared secret key. This means that the two parties need to have some method for securely exchanging the key that will be used to both encrypt and decrypt.

The second problem is that a separate key needs to be created for use by each party with whom the use of encryption is desired.

Asymmetric encryption systems solve these problems. It does not matter who knows the public key, because any text encrypted with it can be decrypted only by using the corresponding private key.

The main drawback of asymmetric encryption systems is speed. Asymmetric encryption is thousands of times slower than symmetric encryption, making it impractical for exchanging large amounts of data over the internet. In practice the two are combined: symmetric encryption is used to encode most of the data being exchanged, and asymmetric encryption is used to safely send the symmetric key to the recipient for use in decrypting the ciphertext.

Hashing is a process that takes plaintext of any length and transforms it into a short code, called a hash. Hashing differs from encryption in two important respects. The first is that encryption always produces ciphertext similar in length to the original plaintext, but hashing always produces a hash of a fixed short length, regardless of the length of the original plaintext.

The second difference is that encryption is reversible, but hashing is not. Given the decryption key and the algorithm, ciphertext can be decrypted back into the original plaintext. With hashing, it is not possible to transform a hash back into the original plaintext, because hashing throws away information.

Comparison of hashing and encryption

Hashing                                          Encryption
One-way function (cannot reverse or unhash)      Reversible (can decrypt back to plaintext)
Any size input yields same fixed-size output     Output size approximately the same as the input size

An important issue for business transactions has always been nonrepudiation, or how to create legally binding agreements that cannot be unilaterally repudiated by either party. The answer is to use both hashing and asymmetric encryption to create a digital signature. A digital signature is a hash of a document or file that is encrypted using the document creator’s private key.
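The block below is an added example, not the textbook's code and not a production implementation, that ties together three points from this section: the hybrid scheme (symmetric encryption for the data, asymmetric encryption to wrap the symmetric key), the two differences between hashing and encryption (the ciphertext is as long as the plaintext while the digest has a fixed size, and the hash cannot be reversed), and the digital signature as a hash "encrypted" with the creator's private key and checked with the public key. The key pair is a toy RSA built from two Mersenne primes so that the arithmetic is exact and self-contained; the primes, the SHA-256-based stream cipher and the 128-bit truncation of the digest are all assumptions for the example and are far too weak for real use, where a vetted library would be used instead.

```python
import hashlib
import secrets

# --- Toy RSA key pair (assumption: small Mersenne primes, illustrative only) ---
P = 2**61 - 1
Q = 2**89 - 1
N = P * Q                            # public modulus, about 150 bits
E = 65537                            # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))    # private exponent (needs Python 3.8+)

PUBLIC_KEY = (N, E)                  # may be handed to anyone
PRIVATE_KEY = (N, D)                 # known only to the key owner


def rsa_apply(value: int, key: tuple) -> int:
    """Raise `value` to the key's exponent modulo N.

    With the public key this encrypts (or verifies a signature); with the
    private key it decrypts (or signs). `value` must be smaller than N.
    """
    n, exponent = key
    if not 0 <= value < n:
        raise ValueError("value must be smaller than the modulus")
    return pow(value, exponent, n)


# --- Toy symmetric cipher (assumption: SHA-256 counter keystream XORed in) ---
def keystream_xor(data: bytes, key: bytes, nonce: bytes) -> bytes:
    """Symmetric encryption; calling it again with the same key and nonce decrypts.

    The output is exactly as long as the input, which is the first property
    the chapter uses to distinguish encryption from hashing.
    """
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream.extend(hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest())
        counter += 1
    return bytes(b ^ k for b, k in zip(data, stream))


# --- Hybrid encryption: symmetric for the data, asymmetric for the key ---
def hybrid_encrypt(plaintext: bytes, recipient_public_key: tuple) -> dict:
    session_key = secrets.token_bytes(16)            # fresh 128-bit key per message
    nonce = secrets.token_bytes(8)
    wrapped_key = rsa_apply(int.from_bytes(session_key, "big"), recipient_public_key)
    return {"wrapped_key": wrapped_key, "nonce": nonce,
            "ciphertext": keystream_xor(plaintext, session_key, nonce)}


def hybrid_decrypt(envelope: dict, recipient_private_key: tuple) -> bytes:
    session_key = rsa_apply(envelope["wrapped_key"], recipient_private_key).to_bytes(16, "big")
    return keystream_xor(envelope["ciphertext"], session_key, envelope["nonce"])


# --- Digital signature: hash the document, then "encrypt" the hash with the private key ---
def digest_as_int(document: bytes) -> int:
    """Fixed-size SHA-256 digest, truncated to 128 bits so it fits under the toy modulus
    (assumption for the example; real schemes pad the digest instead of truncating)."""
    return int.from_bytes(hashlib.sha256(document).digest()[:16], "big")


def sign(document: bytes, signer_private_key: tuple) -> int:
    return rsa_apply(digest_as_int(document), signer_private_key)


def verify(document: bytes, signature: int, signer_public_key: tuple) -> bool:
    """Recover the hash with the signer's public key and compare it with a fresh hash."""
    return rsa_apply(signature, signer_public_key) == digest_as_int(document)


if __name__ == "__main__":
    contract = b"Purchase order 4711: 500 units at 12.50 each"   # constructed sample document
    envelope = hybrid_encrypt(contract, PUBLIC_KEY)
    print("ciphertext length", len(envelope["ciphertext"]), "== plaintext length", len(contract))
    print("round trip ok:", hybrid_decrypt(envelope, PRIVATE_KEY) == contract)
    signature = sign(contract, PRIVATE_KEY)
    print("signature valid:", verify(contract, signature, PUBLIC_KEY))
    print("altered document valid:", verify(contract + b" (amended)", signature, PUBLIC_KEY))
```

Run it and the altered-document check fails while the original verifies, which is the nonrepudiation argument in miniature: only the holder of the private key could have produced a value that the public key turns back into the document's hash, and any change to the document changes that hash. Note that the signature is computed over the short fixed-size digest rather than the whole document, which is why hashing is needed alongside asymmetric encryption.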

A digital certificate is an electronic document that contains an entity’s public key and certifies the identity of the owner of that particular public key. Digital certificates function like the digital equivalent of a driver’s licence or passport.

A certificate authority is a trusted independent party that issues digital certificates, much like the government that issues passports and driving licences. Digital certificates contain the certificate authority’s digital signature to prove that they are genuine.

The system for issuing pairs of public and private keys and corresponding digital certificates is called a public key infrastructure (PKI). The entire PKI system hinges on trusting the certificate authorities that issue the keys and the certificates.

Encrypting information while it traverses the internet creates a virtual private network (VPN), so named because it provides the functionality of a privately owned secure network without the associated costs of leased telephone lines, satellites, and other communication equipment.

See figure 9.4 on page 284 for the virtual private networks.
