Session 21
• Personal Information Protection and
Electronic Documents Act
• Payment Card Industry standard
• WebTrust
• SysTrust
CSE 4482, 2009
Personal Information Protection
and Electronic Documents Act
• Governs the collection, use and disclosure of personal information by organizations in the course of commercial activity, in a manner that balances the individual's right of privacy with the need of organizations to collect, use or disclose personal information for purposes that a reasonable person would consider appropriate in the circumstances.
• Requires each organization to designate an individual who is accountable for the organization's compliance with the Act.
Personal Information
• Information about an identifiable individual, e.g., a social insurance number given to an employer, or a person's age.
• Does not include an employee's business contact information (name, title, business address and business telephone number), which an organization may collect, use or disclose for the purpose of communicating with that individual about their employment, business or profession.
PIPEDA Principles
PIPEDA (Schedule 1) sets out ten fair information principles:
1. Accountability – an organization must designate an individual (in practice often a chief privacy officer) who is accountable for its compliance.
2. Identifying purposes – the purposes for which personal information is collected are identified at or before the time of collection.
3. Consent – the individual's knowledge and consent are required for the collection, use or disclosure of personal information, except where inappropriate.
4. Limiting collection – collect only what is necessary for the identified purposes, by fair and lawful means.
5. Limiting use, disclosure and retention – use or disclose personal information only for the purposes for which it was collected, and retain it only as long as necessary to fulfil those purposes.
6. Accuracy – keep personal information as accurate, complete and up to date as the purposes require.
7. Safeguards – protect personal information with security safeguards appropriate to its sensitivity.
8. Openness – make specific information about policies and practices for managing personal information readily available.
9. Individual access – on request, inform an individual of the existence, use and disclosure of their personal information, give them access to it, and let them challenge its accuracy and completeness.
10. Challenging compliance – an individual can challenge compliance with the above principles by addressing the accountable individual designated under principle 1.
WebTrust
• A Web site assurance service developed jointly by the American Institute of Certified Public Accountants (AICPA) and the Canadian Institute of Chartered Accountants (CICA).
• Reviews have typically been performed on large e-commerce sites, to give customers confidence that the site's stated practices are backed by effective controls.
Main WebTrust Principles
• The Availability Principle addresses accessibility to the defined system, products or services as advertised or committed by contract, service-level or other agreements.
• The Security Principle requires an entity to meet high standards for the protection of system components from unauthorized access, both logical and physical.
• The Processing Integrity Principle requires an entity to meet high standards for the completeness, accuracy, timeliness and authorization of system processing, including the processing of electronic commerce transactions.
All three principles must be satisfied.
Secondary WebTrust Principles
• Confidentiality – information designated as confidential is protected from unauthorized disclosure.
• Privacy – personal information is collected, used, retained and disclosed in conformity with the entity's stated privacy commitments.
WebTrust Review
• The reviewer has to be licensed by AICPA or CICA.
• The outcome of the review consists of a report and, if the client passes the selected criteria, the WebTrust seal. The seal can be placed on the Web site and is accompanied by a report on controls with an audit opinion from the reviewer.
Control Criteria
• Management of the web site develops
criteria (objectives) to satisfy each main
principle and each selected secondary
principle.
• Each control criterion is supported by
control activities (procedures), which can be
manual or automated.
WebTrust Seal
• Auditor (reviewer) provides an opinion on
the effectiveness (including
comprehensiveness) of control activities for
each criterion and the comprehensiveness of
the criteria for each principle.
Process of a WebTrust Review
1. E-commerce company decides to pursue a WebTrust seal.
2. E-commerce company engages an accounting firm to do the review.
3. E-commerce company selects the optional (secondary) principles.
4. E-commerce company develops control criteria for each principle.
5. E-commerce company develops control procedures for each criterion.
6. Accounting firm assesses the adequacy of the control procedures for each criterion and the adequacy of the criteria for each principle.
7. Accounting firm conducts testing.
8. Accounting firm provides an audit opinion.
9. If the opinion is unqualified, the accounting firm creates a seal and sends it to a certificate authority to be digitally signed, so that visitors can authenticate the seal.
10. Accounting firm sends the signed seal and the audit report to the client. The audit report is hosted at www.webtrust.org.
11. E-commerce company puts the seal on its Web site.
SysTrust
• A system assurance service developed by
American Institute of Certified Public
Accountants (AICPA) and Canadian
Institute of Chartered Accountants (CICA)
• Reviews have been on new systems in an
organization or systems shared by a number
of partner organizations
Main SysTrust Principles
• Availability
• Security
• Processing integrity
Must be covered to get an unqualified
opinion.
Secondary SysTrust Principles
• Confidentiality
• Privacy
Control Criteria
• Management of the system develops criteria (objectives) to satisfy each main principle and each selected secondary principle.
• Each control criterion is supported by control activities (procedures), which can be manual or automated.
SysTrust Seal
• Auditor (reviewer) provides an opinion on
the effectiveness (including
comprehensiveness) of control activities for
each criterion and the comprehensiveness of
the criteria for each principle.
Components of System
• Infrastructure
• Software
• People
• Procedures
• Data
SysTrust Review
• The reviewer has to be licensed by AICPA or CICA.
• The review is reported as an opinion on management's assertion about the system.
SysTrust Users
• Management
• Customers
• Trading partners
• Financial statement auditors
• Internal and legislative auditors
• Software vendors
• Service providers
SysTrust Report
• An opinion on management’s asserted controls.
• Opinion does not cover system description,
although system description is often included in
the report. But if reviewer knows that system
description is misleading, s/he should not issue an
opinion on the controls.
• Opinion covers the reporting period of not more
than one year.
Drivers for SysTrust Review
• The potential conflict of interest between the system operator and the system user or owner.
• The complexity of systems, requiring expertise to conduct an audit that would provide a reasonable degree of assurance about their conformity with system reliability principles and criteria.
• The remoteness of users from systems, requiring an independent, objective representative to observe the system on their behalf.
• The consequences of system unreliability.
• The four conditions above may each contribute individually to the need for assurance services related to the reliability of an entity's key information system(s), and they may also interact to increase the need for such assurance.
Symptoms of System Unreliability
• Frequent system failures
• Failure to prevent unauthorized access
• Loss of data integrity
• Serious maintenance problems
CITM 595, Fall 2007, D Chan; CSE 4482, 2009
Process of a SysTrust Review
1. System hosting organization decides to pursue a SysTrust review.
2. System hosting organization hires an accounting firm.
3. System hosting organization selects the optional principles and develops control criteria and control procedures.
4. Accounting firm assesses the adequacy of the control criteria and procedures.
5. Accounting firm conducts testing.
6. Accounting firm provides its report to the system hosting organization.
7. System hosting organization shares the report with user organizations.
Payment Card Industry (PCI) Data Security Standard (PCI DSS)
• Developed by the PCI Security Standards Council, formed by the major card brands (Visa, MasterCard, American Express, Discover and JCB).
• Requires acquiring financial institutions and the largest merchants (Level 1: over 6 million transactions annually) to have an annual on-site assessment by an external Qualified Security Assessor; smaller merchants complete a self-assessment questionnaire.
• Failure to comply can lead to fines of up to $500,000, levied by the card brands through the merchant's acquirer.
The 12 PCI DSS Requirements
1. Install and maintain a firewall configuration to protect cardholder data.
2. Do not use vendor-supplied defaults for system passwords and other security parameters.
3. Protect stored cardholder data: render the primary account number (PAN) unreadable wherever it is stored, and never store the full magnetic-stripe data, card verification code or PIN after authorization.
4. Encrypt transmission of cardholder data across open, public networks.
5. Use and regularly update anti-virus software.
6. Develop and maintain secure systems and applications.
7. Restrict access to cardholder data by business need-to-know.
8. Assign a unique ID to each person with computer access.
9. Restrict physical access to cardholder data.
10. Track and monitor all access to network resources and cardholder data.
11. Regularly test security systems and processes.
12. Maintain a policy that addresses information security for all personnel.
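Requirements 3 and 10 collide in practice: the application and gateway logs that requirement 10 demands are where full PANs and card verification codes most often leak into storage, which requirement 3 forbids. The following Python is an added example written for this page, not code from the PCI Security Standards Council or from the course; it scans constructed sample log lines for candidate PANs (13 to 19 digits, Luhn-validated so that order numbers and timestamps are left alone), masks each one to the first six and last four digits that PCI DSS permits to be displayed, and redacts card verification code fields. The log format and the field names `cvv`, `cvc` and `cid` are assumptions made for the sample.

```python
import re
from typing import List, Tuple

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or
# hyphens, and not embedded in a longer run of digits (PANs are at most 19).
PAN_CANDIDATE = re.compile(r"(?<![\d-])(?:\d[ -]?){12,18}\d(?![\d-])")

# Card verification code fields. The field names are an assumption about the
# constructed log format below; real applications name these differently.
CVC_FIELD = re.compile(r"\b(cvv2?|cvc2?|cid)=\d{3,4}\b", re.IGNORECASE)


def luhn_valid(digits: str) -> bool:
    """Luhn check: every second digit from the right is doubled (minus 9 if
    over 9) and the total must be divisible by 10. This separates real PANs
    from order numbers that happen to be 13 to 19 digits long."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep at most the first six and last four digits, the maximum PCI DSS
    permits to be displayed; every other digit becomes '*'."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def redact_line(line: str) -> Tuple[str, int]:
    """Mask every Luhn-valid PAN in one log line and redact CVC fields.
    Returns the cleaned line and the number of PANs that were masked."""
    masked = 0

    def _mask(m) -> str:
        nonlocal masked
        raw = m.group(0)
        digits = re.sub(r"[ -]", "", raw)
        if not luhn_valid(digits):
            return raw  # e.g. a 16-digit order id, not a card number
        masked += 1
        return mask_pan(digits)

    line = PAN_CANDIDATE.sub(_mask, line)
    line = CVC_FIELD.sub(lambda m: m.group(1) + "=[REDACTED]", line)
    return line, masked


def scan_log(lines: List[str]) -> Tuple[List[str], int]:
    """Redact a whole log; returns the cleaned lines and total PANs found."""
    cleaned, total = [], 0
    for line in lines:
        new_line, n = redact_line(line)
        cleaned.append(new_line)
        total += n
    return cleaned, total


# Constructed sample log lines (not real traffic). The card numbers are
# commonly used payment-gateway test numbers; all three pass the Luhn check.
SAMPLE_LOG = [
    "2009-11-18 10:22:05 INFO checkout order=1234567890123456 pan=4111 1111 1111 1111 amt=42.00",
    "2009-11-18 10:22:09 DEBUG gateway req card=378282246310005 cvv=123",
    "2009-11-18 10:22:11 INFO refund order=9988776655443322 card=5500-0000-0000-0004",
    "2009-11-18 10:22:15 INFO session=1027 txn=98765432109876543210 ip=10.0.0.17 user=alice",
]

if __name__ == "__main__":
    cleaned_lines, found = scan_log(SAMPLE_LOG)
    for entry in cleaned_lines:
        print(entry)
    print(f"{found} PAN(s) masked")
```

Running the scan over the sample masks the three card numbers, leaves both 16-digit order ids and the 20-digit transaction id untouched, and blanks the `cvv` value; a non-zero count from a production log is evidence that a requirement 3 control has failed, and the masked output is what an auditor under requirement 10 should see.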