AIS - Week 8 2024

The document discusses the Trust Services Framework, which organizes IT-related controls into five principles for systems reliability: security, confidentiality, privacy, processing integrity, and availability. It emphasizes the importance of senior management involvement, employee training, and a culture of security awareness to enhance information security. Additionally, it covers various controls for maintaining processing integrity and availability, including preventive, detective, and corrective measures.

Accounting Information Systems (Sistem Informasi Akuntansi)

Week 8
Systems Reliability

Controls for Information Security Chapter 11

Confidentiality and Privacy Controls Chapter 12

Processing Integrity and Availability Controls Chapter 13

Controls for Information Security Chapter 11

Figure 11.1 Relationships Among the Five
Trust Services Principles for Systems Reliability

Trust Services Framework
• The Trust Services Framework organizes IT-related controls into five
principles that jointly contribute to systems reliability
• Developed jointly by the American Institute of Certified Public
Accountants (AICPA) and the Canadian Institute of Chartered
Accountants (CICA) to provide guidance for assessing the reliability of
information systems
• Five basic principles that contribute to systems reliability: security,
confidentiality, privacy, processing integrity, and availability.
Security is the foundation of systems reliability.
• The criteria constitute professional guidance as well as serve as best
practices for system reliability.
Figure 11.1 Relationships Among the Five
Trust Services Principles for Systems Reliability
▪ Information security is the foundation of systems
reliability and is necessary for achieving each of the
other four principles.
▪ Information security procedures restrict system access
to authorized users only, thereby protecting the
confidentiality of sensitive organizational data and the
privacy of personal information collected from
customers.
▪ Information security procedures protect information
integrity by preventing submission of unauthorized or
fictitious transactions and preventing unauthorized
changes to stored data or programs.
▪ Finally, information security procedures provide
protection against a variety of attacks, including
viruses and worms, thereby ensuring that the system
is available when needed.
Trust Services Framework
• Security
• Access (physical & logical) to the system and data is controlled and
restricted to legitimate users.
• Confidentiality
• Sensitive organizational data is protected.
• Privacy
• Personal information about trading partners, investors, and
employees is protected.
• Processing integrity
• Data are processed accurately, completely, in a timely manner, and
only with proper authorization.
• Availability
• System and information are available.
Figure 11.2 The Security Life Cycle

Three Fundamental Information Security
Concepts
1. Security is a management issue, not just a technology issue
• Although effective information security requires the
deployment of technological tools such as firewalls,
antivirus, and encryption, senior management
involvement and support throughout all phases of the
security life cycle is absolutely essential for success.
How Senior Management Can Improve the
Organization’s Information Security
• Senior management needs to demonstrate their support for
information security by exhibiting the following behaviors:
• Provide adequate resources for information security.
• Regularly communicate the importance of information security.
• Demonstrate, by their actions, that they believe information security is important.
• Adopt a proactive approach to potential security threats, instead of reacting to problems after
they happen.
• Include information security issues whenever assessing the risk of any new initiative.
• Doing so creates a “security-aware” organizational culture in which all
employees believe information security is important. As a result,
employee compliance with security policies increases. Visible top
management support for information security also improves the design of
internal controls, reducing the number of security-related weaknesses.
Three Fundamental Information Security
Concepts
2. People are the critical factor
• People can either be the “weakest link” in security or an
important asset.
• To make employees a positive part of the organization’s
security efforts, management must create a “security-
conscious” culture and provide continuous security
awareness training.

Three Fundamental Information Security
Concepts
3. The time-based model of information security
• It is the implementation of a combination of preventive, detective,
and corrective controls that protect information assets long enough
to enable an organization to recognize that an attack is occurring and
take steps to thwart it before any information is lost or compromised.
• In the time-based model, security is effective if:
• P > D + C, where
• P is the time it takes an attacker to break through preventive controls
• D is the time it takes to detect that an attack is in progress
• C is the time it takes to respond to the attack and take corrective
action
Defense-in-depth
One of the strategies in the time-based model of information
security.
Organizations attempt to satisfy the objective of the time-
based model of security by employing the strategy of
defense-in-depth, which entails using multiple layers of
controls in order to avoid having a single point of failure.
Defense-in-depth recognizes that although no control can be
100% effective, the use of overlapping, complementary, and
redundant controls increases overall effectiveness because if
one control fails or gets circumvented, another may
succeed.
(Figure source: internet search)
Figure 11.3 Pieces of the Security Puzzle

Preventive, Detective, and Corrective Controls
Used to Satisfy the Time-Based Model of Security
Preventive Controls
• Physical security: access controls (locks, guards, etc.)
• Process: user access controls (authentication and authorization)
• IT solutions: anti-malware, network access controls (firewalls, intrusion
prevention systems, etc.), device and software hardening (configuration
controls), encryption

Detective Controls
• Log analysis
• Intrusion detection systems
• Honeypots: a security mechanism that creates a virtual trap to lure attackers
• Continuous monitoring

Response (Corrective Controls)
• Computer Incident Response Teams (CIRT)
• Chief Information Security Officer (CISO)
Preventive: Physical Security: Access Controls
• Physical security access controls
• Limit entry to building
• Restrict access to network and data

Preventive Process: User Access Controls
• Authentication—verifies the person
1. Something the person knows
2. Something the person has
3. Some biometric characteristic
4. A combination of two or more of the above (multifactor authentication)
• Authorization—determines what a person can access
Authentication vs Authorization

Authentication
• The process of verifying the identity of the person or device attempting to
access the system.
• The objective is to ensure that only legitimate users can access the system.
• Multifactor authentication: the use of two or more types of authentication
credentials in conjunction to achieve a greater level of security.

Authorization
• The process of restricting access of authenticated users to specific portions
of the system and limiting what actions they are permitted to perform.
• The objective is to structure an employee’s rights and privileges in a manner
that establishes and maintains adequate segregation of duties.
• For example, a customer service representative should not be authorized to
access the payroll system.
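The authorization decision above is usually implemented as a lookup in an access control matrix, and the segregation-of-duties objective is checked over that same matrix. The following is an added example, not code from the lecture or from Romney and Steinbart; the users, roles, privileges and conflict pairs are constructed for illustration. It denies by default and reports any single user whose role combination holds two privileges that must be separated.

```python
"""Authorization against an access-control matrix, with a segregation-of-duties check.

Added example; not code from the lecture or from Romney & Steinbart. The
users, roles, privileges and conflict pairs are constructed for illustration.
"""

# Constructed access-control matrix: role -> set of (resource, action) privileges.
ROLE_PRIVILEGES = {
    "customer_service": {("customer_master", "read"), ("sales_order", "create")},
    "payroll_clerk": {("payroll", "read"), ("payroll", "update")},
    "ap_clerk": {("vendor_master", "create"), ("vendor_master", "update")},
    "ap_manager": {("payment", "approve")},
}

# Constructed role assignments for authenticated users.
USER_ROLES = {
    "alice": {"customer_service"},
    "bob": {"payroll_clerk"},
    "carol": {"ap_clerk", "ap_manager"},  # this combination breaks segregation of duties
}

# Privilege pairs one person must never hold together: someone who can create a
# vendor and approve a payment could pay a fictitious vendor.
SOD_CONFLICTS = [
    (("vendor_master", "create"), ("payment", "approve")),
    (("payroll", "update"), ("payment", "approve")),
]


def privileges_for(user):
    """Union of the privileges of every role assigned to the user (unknown user: none)."""
    privileges = set()
    for role in USER_ROLES.get(user, ()):
        privileges |= ROLE_PRIVILEGES.get(role, set())
    return privileges


def is_authorized(user, resource, action):
    """Authorization decision, deny by default: True only if a role grants (resource, action)."""
    return (resource, action) in privileges_for(user)


def sod_violations(user):
    """The conflicting privilege pairs this one user holds."""
    privileges = privileges_for(user)
    return [pair for pair in SOD_CONFLICTS if pair[0] in privileges and pair[1] in privileges]


def audit_segregation_of_duties():
    """Detective control over the matrix itself: users whose role mix breaks SoD."""
    return {user: sod_violations(user) for user in USER_ROLES if sod_violations(user)}


if __name__ == "__main__":
    # The lecture's example: a customer service representative must not reach payroll.
    print("alice -> payroll read:", is_authorized("alice", "payroll", "read"))
    print("SoD audit:", audit_segregation_of_duties())
```

The audit is the part most often skipped in practice: individual grants can each be legitimate while the combination a user accumulates over time (here, carol) is not.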
Confidentiality and Privacy Controls Chapter 12

Components of Protecting Confidentiality and
Privacy

Confidentiality vs Privacy
• Confidentiality
Example: Strategic plans, trade secrets, cost information, legal documents, and
process improvements.

• Privacy
Example: Customers/employees/supplier information

• The objectives for confidentiality and privacy are the same: protect
sensitive information from unauthorized access and disclosure.

Protecting Confidentiality and Privacy
• Identify and classify information to be protected
• Where is it located and who has access?
• Classify value of information to organization
• Protecting sensitive information with encryption
• Protect information in transit and in storage
• It is the only way to protect information in transit over the
Internet
• Encryption only protects information while it is stored or
being transmitted, not during processing
Protecting Confidentiality and Privacy
• Controlling access to sensitive information
• Information Rights Management (IRM): software that offers the capability not only
to limit access to specific files or documents but also to specify the actions (read, copy, print, download,
etc.) that individuals granted access to that resource can perform.
• Data loss prevention (DLP): software that works like antivirus programs in reverse,
blocking outgoing messages (e-mail, instant messages, etc.) that contain key words or phrases
associated with intellectual property or other sensitive data the organization wants to protect.
• Digital watermarks: code embedded in documents that enables an organization to identify
confidential information that has been disclosed.
• Data masking: protecting privacy by replacing sensitive personal information with fake data (e.g., a
token). Also called tokenization.
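Two of the controls listed above, tokenization and a DLP filter, fit in one small program. The following is an added example and is not code from the lecture or the textbook; the token vault is an in-memory dictionary standing in for a protected token database, and the card number, sensitive phrases and outgoing messages are constructed. It shows why the two controls work together: a raw card number in an outgoing message is blocked, while the same message carrying a token passes, and reversing a token is itself an authorized operation rather than a free lookup.

```python
"""Data masking by tokenization, and a DLP filter on outgoing text.

Added example, not the textbook's or the lecture's code. The vault is an
in-memory dict standing in for a protected token database; the card number,
the sensitive phrases and the outgoing messages are constructed.
"""
import re
import secrets


class TokenVault:
    """Swaps a sensitive value for a random token; only the vault can reverse it."""

    def __init__(self):
        self._token_to_value = {}
        self._value_to_token = {}

    def tokenize(self, value):
        """Return the token for value, creating one if the value has not been seen."""
        if value in self._value_to_token:
            return self._value_to_token[value]
        # A random token carries no information about the original value, and
        # the 'tok_' prefix keeps it from looking like a card number downstream.
        token = "tok_" + secrets.token_hex(8)
        self._token_to_value[token] = value
        self._value_to_token[value] = token
        return token

    def detokenize(self, token, caller_roles):
        """Reversing a token is an authorized operation, not a free lookup."""
        if "payment_processor" not in caller_roles:
            raise PermissionError("caller is not authorized to detokenize")
        return self._token_to_value[token]


def can_detokenize(vault, token, caller_roles):
    """True if the caller is allowed to recover the original value."""
    try:
        vault.detokenize(token, caller_roles)
        return True
    except PermissionError:
        return False


def mask_for_display(pan):
    """Masking for screens and receipts: keep only the last four digits."""
    return "*" * (len(pan) - 4) + pan[-4:]


# 16 digits, optionally separated by spaces or dashes, as a card number would appear.
PAN_PATTERN = re.compile(r"\b(?:\d[ -]?){15}\d\b")

# Constructed list of phrases tied to the company's confidential projects.
SENSITIVE_PHRASES = ("project falcon", "cost per unit", "acquisition target")


def dlp_findings(message):
    """What a DLP gateway would flag in one outgoing message (empty list = clean)."""
    findings = []
    if PAN_PATTERN.search(message):
        findings.append("card number")
    lowered = message.lower()
    findings.extend(phrase for phrase in SENSITIVE_PHRASES if phrase in lowered)
    return findings


def outbound_allowed(message):
    """Block the message unless the scan found nothing."""
    return not dlp_findings(message)


if __name__ == "__main__":
    vault = TokenVault()
    token = vault.tokenize("4111111111111111")  # constructed test card number
    print(outbound_allowed("Charge 4111 1111 1111 1111 for order 7"))  # raw PAN: blocked
    print(outbound_allowed(f"Charge {token} for order 7"))              # token: allowed
    print(mask_for_display("4111111111111111"))
```

Keyword matching of this kind is what the slide describes and is easy to evade (misspellings, images, archives); real DLP products add fingerprinting and classification labels, but the decision structure is the same.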
Protecting Confidentiality and Privacy
• Training
• Training is arguably the most important control for protecting confidentiality
and privacy.
• Employees need to know what information they can share with outsiders and
what information needs to be protected.
• For example, employees often do not realize the importance of information
they possess.
• It is important for management to inform employees who will attend external
training courses, trade shows, or conferences whether they can discuss such
information or whether it should be protected because it provides the
company a cost savings or quality improvement advantage over its
competitors.
Generally Accepted Privacy Principles
Generally Accepted Privacy Principles (GAPP) are 10 best practices recommended for protecting the privacy of customers’ personal
information, developed by AICPA (US) and CICA (Canada).
1. Management: procedures and policies with assigned responsibility and accountability
2. Notice: provide notice of privacy policies and practices prior to collecting data
3. Choice and consent: opt-in versus opt-out approaches
4. Collection: only collect needed information
5. Use, retention, and disposal: use information only for the stated business purpose;
when no longer useful, dispose of it in a secure manner
6. Access: customers should be able to review, correct, or delete information collected on them
7. Disclosure to third parties
8. Security: protect from loss or unauthorized access
9. Quality
10. Monitoring and enforcement: procedures for responding to complaints; compliance
Generally Accepted Privacy Principles
Opt Out vs Opt In
• Opt-out is referred to as implicit consent because companies
can assume it is okay to collect and use customers’ personal
information unless they explicitly object.
• Default policy in the US
• Opt-in is referred to as explicit consent because
organizations cannot collect and use customers’ personal
information unless they explicitly agree to allow such
actions.
• Default policy in Europe
Identity Theft
• One privacy-related issue of growing concern is identity theft: the
unauthorized use of someone’s personal information for the
perpetrator’s benefit.
• Identity theft is often a financial crime, in which the perpetrator
obtains loans or opens new credit cards in the victim’s name and
sometimes loots the victim’s bank accounts.
• Organizations also have a role to play in preventing identity
theft. In addition to regulatory requirements, organizations have an
ethical and moral obligation to implement controls to protect the
personal information that they collect (i.e., customer, employee, and
supplier data).
Processing Integrity and Availability Controls Chapter 13
GIGO
• “garbage in, garbage out” highlights the importance of input controls.
• If the data entered into a system are inaccurate, incomplete, or
invalid, the output will be too. Consequently, only authorized
personnel acting within their authority should prepare source
documents.

Application Controls for Processing Integrity

Processing Integrity Controls
• The processing integrity principle of the Trust Services Framework
states that a reliable system produces information that is accurate,
complete, timely, and valid.

Processing Integrity Controls:
• Input controls
• Processing controls
• Output controls
Processing Integrity Controls
• Input process stage
• Forms design: sequentially prenumbered
• Turnaround documents: records of company data sent to an external
party and then returned to the system as input.
Turnaround documents are in machine-readable form to facilitate
their subsequent processing as input records. An example is a
utility bill and a detachable remittance slip.
• Cancellation and storage of source documents
• Data entry controls
Processing Integrity: Data Entry Controls
• Field check: characters in a field are of the proper type
• Sign check: data in a field has the appropriate sign (positive/negative)
• Limit check: tests a numerical amount against a fixed value
• Range check: tests a numerical amount against lower and upper limits
• Size check: input data fits into the field
• Completeness check: verifies that all required data is entered
• Validity check: compares data from the transaction file to that of the
master file to verify existence
• Reasonableness test: correctness of the logical relationship between
two data items
• Check digit verification: recalculating the check digit to verify that a
data entry error has not been made
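All nine data entry controls above can be applied to one record before it is accepted. The following is an added example and is not code from the lecture or the textbook: the customer master file, the field rules and the sample orders are constructed, and the check digit uses the Luhn mod-10 scheme, one common method (the lecture's own check-digit figure is not reproduced). The order of the checks matters: completeness first, then field, size and check digit on the customer number before the master-file lookup, and the reasonableness test last because it needs every other field to be clean.

```python
"""Data entry (input) controls run over constructed sales-order records.

Added example, not code from the lecture or the textbook. The customer
master file, the field rules and the sample orders are constructed. The
check digit uses the Luhn mod-10 scheme, one common method; the lecture's
own check-digit figure is not reproduced here.
"""
from decimal import Decimal, InvalidOperation

# Constructed customer master file: 8-digit customer number (last digit is the
# Luhn check digit) -> credit limit.
CUSTOMER_MASTER = {"12345674": Decimal("5000"), "24680134": Decimal("1500")}
REQUIRED_FIELDS = ("customer_no", "qty", "unit_price", "ship_to")


def luhn_valid(number):
    """Check digit verification (Luhn mod 10): recompute over all digits; a valid
    number sums to a multiple of 10. Catches any single wrong digit and most
    transpositions of adjacent digits."""
    total = 0
    for position, char in enumerate(reversed(number)):
        digit = int(char)
        if position % 2 == 1:  # double every second digit from the right
            digit *= 2
            if digit > 9:
                digit -= 9
        total += digit
    return total % 10 == 0


def validate_order(order):
    """Apply the data entry controls; return a list of (field, check, message)."""
    errors = []
    # Completeness check: every required field present and non-blank.
    for field in REQUIRED_FIELDS:
        if not str(order.get(field, "")).strip():
            errors.append((field, "completeness", "required field missing"))
    if errors:
        return errors  # nothing else can be checked on an incomplete record

    customer = str(order["customer_no"])
    if not customer.isdigit():                      # field check
        errors.append(("customer_no", "field", "must contain only digits"))
    elif len(customer) != 8:                        # size check
        errors.append(("customer_no", "size", "must be exactly 8 digits"))
    elif not luhn_valid(customer):                  # check digit verification
        errors.append(("customer_no", "check_digit", "check digit does not verify"))
    elif customer not in CUSTOMER_MASTER:           # validity check
        errors.append(("customer_no", "validity", "not in customer master file"))

    qty = None
    try:
        qty = int(order["qty"])                     # field check
    except (TypeError, ValueError):
        errors.append(("qty", "field", "must be an integer"))
    else:
        if qty <= 0:                                # sign check
            errors.append(("qty", "sign", "must be positive"))
        elif qty > 1000:                            # limit check
            errors.append(("qty", "limit", "exceeds 1000 units per line"))

    price = None
    try:
        price = Decimal(str(order["unit_price"]))   # field check
    except InvalidOperation:
        errors.append(("unit_price", "field", "must be a decimal amount"))
    else:
        if price.is_nan() or not Decimal("0.01") <= price <= Decimal("10000"):  # range check
            errors.append(("unit_price", "range", "outside 0.01 to 10000"))

    # Reasonableness test: relationship between two items, order value vs credit limit.
    if not errors and qty * price > CUSTOMER_MASTER[customer]:
        errors.append(("qty", "reasonableness", "order value exceeds customer's credit limit"))
    return errors


# Constructed sample orders.
GOOD_ORDER = {"customer_no": "12345674", "qty": "10", "unit_price": "19.99", "ship_to": "Jl. Sudirman 1"}
TRANSPOSED_ORDER = dict(GOOD_ORDER, customer_no="21345674")        # first two digits swapped
UNKNOWN_CUSTOMER_ORDER = dict(GOOD_ORDER, customer_no="87654323")  # check digit verifies, no such customer
OVER_LIMIT_ORDER = dict(GOOD_ORDER, customer_no="24680134", qty="100")  # 100 * 19.99 > 1500 limit
NEGATIVE_QTY_ORDER = dict(GOOD_ORDER, qty="-3")

if __name__ == "__main__":
    for name, order in [("good", GOOD_ORDER), ("transposed", TRANSPOSED_ORDER),
                        ("unknown", UNKNOWN_CUSTOMER_ORDER), ("over limit", OVER_LIMIT_ORDER)]:
        print(name, validate_order(order))
```

Note what the transposed case shows: the check digit rejects the keying error before the system even consults the master file, which is the point of putting check digit verification ahead of the validity check.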
Check Digit (figure; source: internet search)
Additional Data Entry Controls
• Batch processing
• Sequence check: test of batch data in proper numerical or alphabetical sequence
• Batch totals: summarize numeric values for a batch of input records
• Financial total: sums a field that contains monetary values
• Hash total: the sum of a numerical item for a batch of documents (e.g., worker
IDs), calculated prior to processing the batch, when the data are entered, and
subsequently compared with computer-generated totals after each processing step
to verify that the data was processed correctly.
• Record count: the number of records in a batch.
• Prompting: the system prompts you for input (online completeness check)
• Closed-loop verification: checks the accuracy of input data by using it to
retrieve and display other related information (e.g., customer account #
retrieves the customer name)


Additional Data Entry Controls
Batch totals for weekly payroll processing (three records, priced at an assumed rate of $10/hour)
• Financial total: total amount of salaries transferred in one batch
Financial total = 430 + 225 + 370 = $1,025
• Hash total: total of the worker IDs in one particular batch
Hash total = 0172 + 9023 + 2652 = 11847
• Record count: total number of records in a batch
Record count = 3
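The lecture's three totals are only useful once they are recomputed after a processing step and compared with the totals taken at entry. The following is an added example, not code from the lecture or the textbook; the worker IDs and hours are constructed so that, at the lecture's assumed $10/hour, they reproduce its figures (financial total $1,025, hash total 11847, record count 3). It then injects three processing faults to show which total catches which: a dropped record moves all three totals, a mistyped worker ID moves only the hash total, and two IDs swapped between records moves none of them.

```python
"""Batch totals over a constructed weekly payroll batch, recomputed after processing.

Added example, not the lecture's or the textbook's code. Worker IDs and hours
are constructed so that, at the lecture's assumed $10/hour, they reproduce the
lecture's totals: financial total $1,025, hash total 11847, record count 3.
"""
import copy
from decimal import Decimal

RATE = Decimal("10")  # the lecture's assumed pay rate per hour

# Constructed input batch. The worker ID is a meaningless number, which is what
# makes it a good hash-total field: its sum has no business meaning, only control value.
BATCH = [
    {"worker_id": "0172", "hours": Decimal("43")},
    {"worker_id": "9023", "hours": Decimal("22.5")},
    {"worker_id": "2652", "hours": Decimal("37")},
]


def batch_totals(records, amount_of):
    """Financial total over the monetary value, hash total over worker IDs, record count.
    amount_of extracts the monetary value from one record."""
    return {
        "financial": sum((amount_of(r) for r in records), Decimal("0")),
        "hash": sum(int(r["worker_id"]) for r in records),
        "count": len(records),
    }


def input_totals(batch):
    """Totals taken when the batch is entered, before processing."""
    return batch_totals(batch, lambda r: r["hours"] * RATE)


def process_payroll(batch):
    """Processing step: input records become payment records with gross pay."""
    return [{"worker_id": r["worker_id"], "gross": r["hours"] * RATE} for r in batch]


def output_totals(payments):
    """Computer-generated totals after the processing step."""
    return batch_totals(payments, lambda p: p["gross"])


def reconcile(expected, actual):
    """Names of the totals that disagree; an empty list means the batch went through intact."""
    return [name for name in expected if expected[name] != actual[name]]


# Three constructed processing faults.
def drop_last_record(batch):
    return batch[:-1]


def mistype_worker_id(batch):
    faulty = copy.deepcopy(batch)
    faulty[1]["worker_id"] = "9032"  # 9023 keyed as 9032
    return faulty


def swap_worker_ids(batch):
    faulty = copy.deepcopy(batch)
    faulty[0]["worker_id"], faulty[1]["worker_id"] = faulty[1]["worker_id"], faulty[0]["worker_id"]
    return faulty


if __name__ == "__main__":
    entered = input_totals(BATCH)
    print("at entry:", entered)
    for label, fault in [("intact", lambda b: b), ("dropped record", drop_last_record),
                         ("mistyped ID", mistype_worker_id), ("swapped IDs", swap_worker_ids)]:
        print(label, "->", reconcile(entered, output_totals(process_payroll(fault(BATCH)))))
```

The swapped-ID case is the caveat: batch totals are sums, so any error that preserves the sums (two IDs exchanged, or an amount moved from one record to another) passes every total and needs a record-level control such as a sequence check or a data-matching test.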
Processing Controls
• Data matching: two or more items must be matched before an action takes place
• File labels: ensure the correct and most up-to-date file is used
• Recalculation of batch totals
• Cross-footing: verifies accuracy by comparing two alternative ways of
calculating the same total
• Zero-balance tests: for control accounts (e.g., payroll clearing)
• Write-protection mechanisms: protect against overwriting or erasing data
• Concurrent update controls: prevent the error of two or more users
updating the same record at the same time
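Three of the processing controls above, cross-footing, the zero-balance test and concurrent update control, are shown in one added example below. It is not code from the lecture or the textbook; the departmental expense report, the payroll clearing postings and the two-user update scenario are constructed. The cross-foot recomputes row and column totals from the cells and then compares the two routes to the grand total, which catches a cell altered after the totals were printed; the zero-balance test shows a misposting to the clearing account; and the last part shows the lost update that concurrent update controls exist to prevent, using a version number check (optimistic locking) as the control.

```python
"""Processing controls: cross-footing, a zero-balance test and a concurrent-update control.

Added example, not from the lecture or the textbook. The departmental expense
report, the payroll clearing postings and the two-user update scenario are constructed.
"""
import copy
from decimal import Decimal

D = Decimal

# Constructed expense report: the cells plus the totals as printed on the report.
REPORT = {
    "cells": {
        "sales":   {"wages": D("4200"), "travel": D("800"), "supplies": D("150")},
        "finance": {"wages": D("3900"), "travel": D("200"), "supplies": D("75")},
    },
    "row_totals": {"sales": D("5150"), "finance": D("4175")},
    "col_totals": {"wages": D("8100"), "travel": D("1000"), "supplies": D("225")},
    "grand_total": D("9325"),
}


def cross_foot(report):
    """Recompute every row and column total from the cells, then check that rows
    and columns reach the same grand total. Returns the names of totals that disagree."""
    problems = []
    cells = report["cells"]
    for dept, row in cells.items():
        if sum(row.values(), D("0")) != report["row_totals"][dept]:
            problems.append(f"row:{dept}")
    for category in report["col_totals"]:
        recomputed = sum((row[category] for row in cells.values()), D("0"))
        if recomputed != report["col_totals"][category]:
            problems.append(f"col:{category}")
    if sum(report["row_totals"].values(), D("0")) != report["grand_total"]:
        problems.append("grand:by_rows")
    if sum(report["col_totals"].values(), D("0")) != report["grand_total"]:
        problems.append("grand:by_cols")
    return problems


def altered_report():
    """Failure mode: one cell changed after the totals were computed."""
    report = copy.deepcopy(REPORT)
    report["cells"]["sales"]["travel"] = D("900")
    return report


# Constructed postings to the payroll clearing account: gross pay per the payroll
# register, then the distribution of that pay to departmental wage expense.
PAYROLL_CLEARING = [("payroll register gross pay", D("8100")),
                    ("distributed to sales wages", D("-4200")),
                    ("distributed to finance wages", D("-3900"))]


def zero_balance_test(postings):
    """A control account must net to zero once the batch has been fully distributed."""
    balance = sum((amount for _, amount in postings), D("0"))
    return balance == 0, balance


class Record:
    """A master-file record with a version number that every write increments."""

    def __init__(self, balance):
        self.balance = balance
        self.version = 0


def update_if_unchanged(record, version_seen, new_balance):
    """Concurrent-update control (optimistic locking): the write goes through only
    if nobody changed the record since the caller read version_seen."""
    if record.version != version_seen:
        return False
    record.balance = new_balance
    record.version += 1
    return True


def two_users_update(protected):
    """User A and user B both read a balance of 100; A adds 50, then B subtracts 30.
    Returns (final balance, whether B's write was accepted)."""
    record = Record(D("100"))
    a_balance, a_version = record.balance, record.version
    b_balance, b_version = record.balance, record.version
    if protected:
        update_if_unchanged(record, a_version, a_balance + D("50"))
        b_accepted = update_if_unchanged(record, b_version, b_balance - D("30"))
    else:
        record.balance = a_balance + D("50")   # A writes 150
        record.balance = b_balance - D("30")   # B overwrites with 70: A's update is lost
        b_accepted = True
    return record.balance, b_accepted
```

In the protected case B's write is refused and B must re-read the record (now 150) and apply the change again; a pessimistic lock taken at read time achieves the same thing at the cost of holding the record while B thinks.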
Output Controls
• User review of output
• Reconciliation procedures
• Procedures to reconcile to control reports (e.g., general ledger A/R
account reconciled to Accounts Receivable Subsidiary Ledger)
• External data reconciliation
• Data transmission controls
• Checksums
• Parity bits
• Blockchain

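The two data transmission controls named above, parity bits and checksums, differ in what they can and cannot detect, and that is easiest to see on a message with errors injected. The following is an added example, not code from the lecture or the textbook; the payment message and the injected errors are constructed. The checksum used is the ones'-complement sum of 16-bit words from RFC 1071 (the IP, TCP and UDP header checksum), chosen because its strengths and blind spots are well documented: a single flipped bit is caught by both controls, two flipped bits in one byte slip past even parity but not the checksum, and two words exchanged slip past both.

```python
"""Data transmission controls: a parity bit per byte and a checksum over a message.

Added example, not code from the lecture or the textbook. The message and the
injected errors are constructed. The checksum is the ones'-complement sum of
16-bit words used by IP, TCP and UDP headers (RFC 1071).
"""


def parity_bit(byte):
    """Even parity: 1 if the byte has an odd number of 1 bits, so byte plus bit is even."""
    return bin(byte).count("1") % 2


def add_parity(data):
    """Sender side: pair every byte with its parity bit."""
    return [(byte, parity_bit(byte)) for byte in data]


def parity_check(symbols):
    """Receiver side: indexes of bytes whose parity bit no longer matches."""
    return [i for i, (byte, bit) in enumerate(symbols) if parity_bit(byte) != bit]


def internet_checksum(data):
    """Ones'-complement sum of 16-bit big-endian words, complemented (RFC 1071)."""
    if len(data) % 2:
        data = data + b"\x00"  # pad an odd-length message
    total = 0
    for i in range(0, len(data), 2):
        total += (data[i] << 8) | data[i + 1]
        total = (total & 0xFFFF) + (total >> 16)  # end-around carry
    return (~total) & 0xFFFF


def checksum_ok(data, checksum):
    """Receiver side: recompute and compare."""
    return internet_checksum(data) == checksum


# Constructed 18-byte payment message: nine 16-bit words.
MESSAGE = b"PAY 0172 00430.00\n"


def corrupt_symbols(symbols, index, mask):
    """Flip the bits in mask of one transmitted byte, leaving its parity bit as sent."""
    return [(byte ^ mask, bit) if i == index else (byte, bit)
            for i, (byte, bit) in enumerate(symbols)]


def flip_bits(data, index, mask):
    """Flip the bits in mask of one byte of the raw message."""
    corrupted = bytearray(data)
    corrupted[index] ^= mask
    return bytes(corrupted)


def swap_words(data, first, second):
    """Exchange two 16-bit words: a reordering error a sum-based checksum cannot see."""
    words = [data[i:i + 2] for i in range(0, len(data), 2)]
    words[first], words[second] = words[second], words[first]
    return b"".join(words)


if __name__ == "__main__":
    sent = add_parity(MESSAGE)
    checksum = internet_checksum(MESSAGE)
    print("single-bit error: parity flags", parity_check(corrupt_symbols(sent, 5, 0b01)),
          "checksum ok", checksum_ok(flip_bits(MESSAGE, 5, 0b01), checksum))
    print("two-bit error:    parity flags", parity_check(corrupt_symbols(sent, 5, 0b11)),
          "checksum ok", checksum_ok(flip_bits(MESSAGE, 5, 0b11), checksum))
    print("swapped words:    checksum ok", checksum_ok(swap_words(MESSAGE, 2, 3), checksum))
```

Neither control protects against a deliberate change, since an attacker who alters the message can recompute the parity bits and checksum; that is the job of a message authentication code or a digital signature, not of the transmission controls on this slide.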
Availability Key Objectives
1. Minimize risk of system downtime
2. Quick and complete recovery and resumption of normal
operations

Availability Key Objectives and Key Controls

Availability Controls
• Preventive maintenance
• Fault tolerance: use of redundant components
• Data center location and design: raised floor, fire suppression, air
conditioning, uninterruptible power supply (UPS), surge protection
• Training
• Patch management and antivirus software
• Backup procedures
• Incremental backup: copies only items that have changed since the last
partial backup
• Differential backup: copies all changes made since the last full backup
• Disaster recovery plan (DRP): procedures to restore the organization’s IT
function; cold site, hot site
• Business continuity plan (BCP): how to resume all operations, not just IT
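The incremental and differential definitions above decide how much is copied each day and, more importantly, what a restore needs. The following is an added example, not code from the lecture or the textbook; the week of file versions is constructed, with a version tag standing in for each file's contents. It builds both backup chains from the same history and restores Wednesday from each, then loses Tuesday's partial backup to show the failure mode: the incremental restore silently comes back wrong, while the differential restore does not need Tuesday at all.

```python
"""Incremental versus differential backups, and what each needs at restore time.

Added example, not the lecture's or the textbook's code. The week of file
versions is constructed; the "content" is a version tag standing in for the
file's bytes.
"""

# Constructed history: the state of the protected files at the end of each day.
# Sunday is the full backup; every later day gets a partial backup.
HISTORY = [
    ("Sun", {"ledger.db": "v1", "payroll.csv": "v1", "config.ini": "v1"}),
    ("Mon", {"ledger.db": "v2", "payroll.csv": "v1", "config.ini": "v1"}),
    ("Tue", {"ledger.db": "v2", "payroll.csv": "v2", "config.ini": "v1"}),
    ("Wed", {"ledger.db": "v3", "payroll.csv": "v2", "config.ini": "v1"}),
]


def changed_since(state, baseline):
    """Files whose content differs from the baseline (new files included)."""
    return {name: content for name, content in state.items() if baseline.get(name) != content}


def incremental_backups(history):
    """Each day copies only what changed since the previous backup, full or partial."""
    backups, previous = [], history[0][1]
    for day, state in history[1:]:
        backups.append((day, changed_since(state, previous)))
        previous = state
    return backups


def differential_backups(history):
    """Each day copies everything that changed since the last full backup."""
    full = history[0][1]
    return [(day, changed_since(state, full)) for day, state in history[1:]]


def restore_incremental(full, backups, day):
    """Needs the full backup plus every incremental up to the target day, applied in order."""
    state = dict(full)
    for backup_day, delta in backups:
        state.update(delta)
        if backup_day == day:
            break
    return state


def restore_differential(full, backups, day):
    """Needs the full backup plus only the target day's differential."""
    state = dict(full)
    for backup_day, delta in backups:
        if backup_day == day:
            state.update(delta)
            break
    return state


def files_copied(backups):
    """Backup-side cost: total file copies made over the week."""
    return sum(len(delta) for _, delta in backups)


def without_day(backups, day):
    """Failure mode: one partial backup is lost or unreadable."""
    return [(d, delta) for d, delta in backups if d != day]


if __name__ == "__main__":
    full = HISTORY[0][1]
    inc, diff = incremental_backups(HISTORY), differential_backups(HISTORY)
    print("copies made, incremental vs differential:", files_copied(inc), files_copied(diff))
    print("restore Wed without Tue, incremental:", restore_incremental(full, without_day(inc, "Tue"), "Wed"))
    print("restore Wed without Tue, differential:", restore_differential(full, without_day(diff, "Tue"), "Wed"))
```

The trade-off is the usual one: incremental backups copy less each day but every link in the chain must survive, while differential backups grow through the week but any single one, together with the full backup, is enough. A restore test, not the backup log, is the only check that the chain is actually complete.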
DRP & BCP

DRP (Disaster Recovery Plan)
• Procedures to restore an organization’s IT function in the event that its
data center is destroyed.
• Types: cold site, hot site, real-time mirroring

BCP (Business Continuity Plan)
• Procedures for how to resume not only IT operations but all business
processes, including relocation to new offices and hiring temporary
replacements, in the event of a major calamity.
Summary: relationships among the “five trust services principles” for systems reliability

1 Security
Preventive controls: physical security; process; IT solutions; people; change
controls and change management
Detective controls: log analysis; intrusion detection systems; penetration
testing; continuous monitoring
Corrective controls: Computer Incident Response Team (CIRT); Chief Information
Security Officer (CISO); patch management

2 Confidentiality
Reliable systems can protect a company’s confidential information from
unauthorized disclosure.
Preserving confidentiality (of the company’s intellectual property):
• Identify and classify information
• Protect sensitive information with encryption
• Control access to sensitive information
• Training

3 Privacy
The Trust Services Framework privacy principle is closely related to the
confidentiality principle, differing primarily in that it focuses on protecting
personal information about customers rather than organizational data.
Privacy concerns/risks: spam; identity theft
Preserving privacy (of customers’ data):
• Identify and classify information
• Protect sensitive information with encryption
• Control access to sensitive information
• Training
Privacy regulations: GAPP (10 best practices)

4 Processing Integrity
A reliable system is one that produces information that is accurate, complete,
timely, and valid.

5 Availability
Interruptions to business processes due to the unavailability of
systems/information can cause significant financial losses.
Sources
M.B. Romney and P.J. Steinbart (2021). Accounting Information Systems 15th edition. Pearson.

Internet search.

