Scribd
Upload
223 views

CH9. Confidentiality and Privacy Controls

This document discusses controls for maintaining confidentiality and privacy. It describes identifying, encrypting, controlling access to, and training employees about sensitive information to preserve confidentiality. Similar controls protect privacy, guided by the Generally Accepted Privacy Principles framework. Encryption, virtual private networks, and the power of blind carbon copying emails are discussed as important technical tools. Exercises explore issues around offshore outsourcing, data deletion requests, biometric authentication, and RFID privacy concerns.

Uploaded by

nigus
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PPTX, PDF, TXT or read online on Scribd
223 views

CH9. Confidentiality and Privacy Controls

This document discusses controls for maintaining confidentiality and privacy. It describes identifying, encrypting, controlling access to, and training employees about sensitive information to preserve confidentiality. Similar controls protect privacy, guided by the Generally Accepted Privacy Principles framework. Encryption, virtual private networks, and the power of blind carbon copying emails are discussed as important technical tools. Exercises explore issues around offshore outsourcing, data deletion requests, biometric authentication, and RFID privacy concerns.

Uploaded by

nigus
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PPTX, PDF, TXT or read online on Scribd
You are on page 1/ 12

CH9.

Confidentiality and Privacy Controls

After studying this chapter, you should be able to:


1. Describe the controls that can be used to protect the
confidentiality of an org’s info.
2. Explain the controls that orgns can use to protect the
privacy of personal info they collect from customers,
suppliers, and employees, and discuss how the
Generally Accepted Privacy Principles (GAPP)
framework provides guidance in developing a
comprehensive approach to protecting privacy.

1
Introduction

• CH8 discussed info security, which is the fundamental


principle of systems reliability.
• This chapter covers two other important principles of
reliable systems in the Trust Services Framework:
preserving the confidentiality of an org’s intellectual
property and protecting the privacy of personal info it
collects from customers, employees, suppliers, and
business partners.
• We also discuss the topic of encryption in detail, because
it is a critical tool for protecting both confidentiality and
privacy.
2
1. Preserving Confidentiality
• Orgs possess a myriad of sensitive info, including strategic plans,
trade secrets, cost info, legal documents, and process
improvements. This intellectual property often is crucial to the
org’s long-run competitive advantage and success. Consequently,
preserving the confidentiality of the org’s intellectual property,
and similar info shared with it by its business partners, has long
been recognized as a basic objective of information security.
• Figure 9-1 shows the four basic actions that must be taken to
preserve the confidentiality of sensitive information:
(1) identify and classify the info to be protected,
(2) encrypt the information,
(3) control access to the info, and
(4) train employees to properly handle the information.
3
As the fig shows, the
controls that need to be
implemented to protect
privacy are the same as
ones used to protect
confidentiality

4
2. PRIVACY CONCERNS

• Two major privacy-related concerns are spam


and identity theft.
– SPAM
– Spyware

5
Encryptions
Encryption-The process of transforming normal
text, called plaintext, into unreadable gibberish,
called ciphertext.

6
Virtual Private networks
• virtual private network (VPN)- Using encryption
and authentication to securely transfer info over
the Internet, thereby creating a “virtual” private
network.

7
Exercise
• What risks, if any, does offshore outsourcing of
various IS functions pose to satisfying the principles
of confidentiality and privacy?
• Upon your request (with proper verification of your
identity) should orgs be required to delete personal
info about you that they possess?
• What privacy concerns might arise from the use of
biometric authentication techniques?
• What about the embedding of RFID tags in products
such as clothing? What other technologies might
create privacy concerns?
8
Explore the power of the :bcc feature to protect privacy.
1. Write a message and send it to yourself plus use
the :cc feature to send it to a set of people, including
one of your other e-mail accounts in the :cc list.
2. Repeat step a, but this time send the e-mail only to
yourself and then list everyone in the :bcc field.
3. Use your other e-mail account (the one you included
in the :cc an :bcc fields) to open the two e-mail
messages. Use all available options (e.g., view full
header, etc.) to see what you can learn about the
recipient lists for both e-mails. What is the power of
the :bcc field?
9
Visit Symantec.com or any other security software vendor assigned
by your instructor and download a trial version of encryption
software.
a. Use the software to encrypt a file.
b. Send the encrypted file to your instructor and to a friend.
c. Try to open an encrypted file you receive from your friend or from
your instructor. Print a screenshot to show what happens.
d. List all the options for importing the key needed to decrypt an
encrypted file you receive from your friend or instructor. Which
do you think is most secure? Easiest? Explain why.
e. Import (or install) the key needed to decrypt an encrypted file you
receive from your friend or instructor. E-mail the decrypted file to
whomever sent it to you and obtain verification that it is the
plaintext version of the encrypted file they sent you.
10
• The principle of confidentiality focuses on protecting an
organization’s intellectual property. The flip side of the issue
is ensuring that employees respect the intellectual property
of other organizations. Research the topic of software piracy
and write a report that explains the following:
a. What software piracy is
b. How orgs attempt to prevent their employees from
engaging in software piracy
c. How software piracy violations are discovered
d. The consequences to both individual employees and to
organizations who commit software piracy
11
Explore the power of the :bcc feature to protect privacy.
a. Write a message and send it to yourself plus use the :cc
feature to send it to a set of people, including one of your
other e-mail accounts in the :cc list.
b. Repeat step a, but this time send the e-mail only to
yourself and then list everyone in the :bcc field.
c. Use your other e-mail account (the one you included in
the :cc an :bcc fields) to open the two e-mail messages. Use
all available options (e.g., view full header, etc.) to see what
you can learn about the recipient lists for both e-mails.
What is the power of the :bcc field?
12

You might also like