Page 1: Session 21

CSE 4482, 2009

Session 21

• Personal Information Protection and Electronic Documents Act

• Payment Card Industry standard• Web Trust• Sys Trust

Page 2: Session 21

Personal Information Protection and Electronic Documents Act

• Governs the collection, use and disclosure of personal information in the course of commercial activity, balancing an individual's right of privacy against the need of organizations to collect, use or disclose personal information for purposes a reasonable person would consider appropriate

• Requires each organization to designate an individual who is accountable for the organization's compliance with the Act

Page 3: Session 21

Personal Information

• Information about an identifiable individual, e.g., a social insurance number given to an employer, or a person's age.

• Does not include an employee's business contact information (name, title, business address or business telephone number). Information an organization records about a person, such as a salary figure held by the employer or a grade held by the school, is still personal information about that person.

Page 4: Session 21

PIPEDA Principles

• Accountability – the organization must designate an individual accountable for compliance (in practice often a chief privacy officer)

• Identifying purposes

• Consent

• Limiting collection

Page 5: Session 21

PIPEDA Principles

• Limiting use, retention and disclosure.

• Accuracy

• Safeguards

• Openness

Page 6: Session 21

PIPEDA Principles

• Individual access

• Challenging compliance

Page 7: Session 21

Web Trust

• A Web site assurance service developed by American Institute of Certified Public Accountants (AICPA) and Canadian Institute of Chartered Accountants (CICA)

• Reviews have typically been of large e-commerce sites, undertaken to gain customer confidence

Page 8: Session 21

Main Web Trust Principles

• The Availability Principle addresses accessibility to the defined system, products, or services as advertised or committed by contract, service-level, or other agreements.

• The Security Principle requires an entity to meet high standards for the protection of the system components from unauthorized access, both logical and physical.

Page 9: Session 21

Main Web Trust Principles

• The Processing Integrity Principle requires an entity to meet high standards for the completeness, accuracy, timeliness, and authorization of system processing, including the processing of electronic commerce transactions.

All three principles must be satisfied.

Page 10: Session 21

Secondary Web Trust Principles

• Confidentiality – no unauthorized viewing

• Privacy – confidentiality of personal info

Page 11: Session 21

Web Trust Review

• The reviewer has to be licensed by AICPA or CICA.

• The outcome of the review consists of a report and the Web Trust seal if the client passes the selected criteria. The seal can be placed on the Web site. The seal is accompanied by a report of controls with an audit opinion from the reviewer.

Page 12: Session 21

Control Criteria

• Management of the web site develops criteria (objectives) to satisfy each main principle and each selected secondary principle.

• Each control criterion is supported by control activities (procedures), which can be manual or automated.

Page 13: Session 21

Web Trust Seal

• Auditor (reviewer) provides an opinion on the effectiveness (including comprehensiveness) of control activities for each criterion and the comprehensiveness of the criteria for each principle.

Page 14: Session 21

Process of a Web Trust Review

• E-commerce company decides to pursue a Web Trust seal.

• E-commerce company engages an accounting firm to do the review.

• E-commerce company selects the optional principles.

Page 15: Session 21

Process of a Web Trust Review

• E-commerce company develops control criteria for each principle.

• E-commerce company develops control procedures for each criterion.

• Accounting firm assesses the adequacy of the control procedures for each criterion and the adequacy of the criteria for each principle.

Page 16: Session 21

Process of Web Trust Review

• Accounting firm conducts testing.

• Accounting firm provides an audit opinion.

• If the opinion is unqualified, the accounting firm creates a seal and sends it to a certificate authority for digital signature, so that site visitors can authenticate it.

Page 17: Session 21

Process of a Web Trust Review

• Accounting firm sends the signed seal and audit report to the client. The audit report is hosted at www.webtrust.org.

• E-commerce company puts the seal on the web site.

Page 18: Session 21

SysTrust

• A system assurance service developed by American Institute of Certified Public Accountants (AICPA) and Canadian Institute of Chartered Accountants (CICA)

• Reviews have typically been of new systems within an organization, or of systems shared by a number of partner organizations

Page 19: Session 21

Main SysTrust Principles

• Availability

• Security

• Processing integrity

Must be covered to get an unqualified opinion.

Page 20: Session 21

Secondary SysTrust Principles

• Confidentiality

• Privacy

Page 21: Session 21

Control Criteria

• Management of the system develops criteria (objectives) to satisfy each main principle and each selected secondary principle.

• Each control criterion is supported by control activities (procedures), which can be manual or automated.

Page 22: Session 21

Sys Trust Seal

• Auditor (reviewer) provides an opinion on the effectiveness (including comprehensiveness) of control activities for each criterion and the comprehensiveness of the criteria for each principle.

Page 23: Session 21

Components of System

• Infrastructure

• Software

• People

• Procedures

• Data

Page 24: Session 21

SysTrust Review

• The reviewer has to be licensed by AICPA or CICA.

• The review is reported with an opinion against management’s assertion about the system

Page 25: Session 21

SysTrust Users

• Management

• Customers

• Trading partners

• Financial statement auditors

Page 26: Session 21

SysTrust Users

• Internal and legislative auditors

• Software vendors

• Service providers

Page 27: Session 21

SysTrust Report

• An opinion on management’s asserted controls.

• The opinion does not cover the system description, although the system description is often included in the report. If the reviewer knows that the system description is misleading, s/he should not issue an opinion on the controls.

• The opinion covers a reporting period of not more than one year.

Page 28: Session 21

Drivers for SysTrust Review

• The potential conflict of interest between the system operator and system user or owner.

• The complexity of systems, requiring expertise to conduct an audit that would provide a reasonable degree of assurance about their conformity with system reliability principles and criteria.

Page 29: Session 21

Drivers for SysTrust Review

• The remoteness of users from systems requiring an independent objective representative to observe the system on their behalf.

• The consequences of system unreliability.

• The four conditions above may contribute individually to the need for assurance services related to the reliability of an entity’s key information system(s), and they may also interact to increase the need for such assurance.

Page 30: Session 21

(Slide reused from CITM 595, Fall 2007, D Chan)

Symptoms of System Unreliability

• Frequent system failures

• Failure to prevent unauthorized access

• Loss of data integrity

• Serious maintenance problems

Page 31: Session 21

Process of a Sys Trust Review

• System hosting organization decides to pursue a Sys Trust Review.

• System hosting organization hires an accounting firm.

• System hosting organization selects optional principles, develops control criteria and control procedures.

Page 32: Session 21

Process of a Sys Trust Review

• Accounting firm assesses the adequacy of control criteria and procedures.

• Accounting firm conducts testing.

• Accounting firm provides a report to the system hosting organization.

• System hosting organization shares the report with user organizations.

Page 33: Session 21

Payment Card Industry (PCI) Security Standard

• Developed by the PCI Security Standards Council, formed in 2006 by the major card brands (Visa, MasterCard, American Express, Discover and JCB).

• Requires service providers and major merchants (Level 1: over 6 million transactions annually) to have an annual on-site assessment by an external Qualified Security Assessor; smaller merchants complete a self-assessment questionnaire.

• Failure to comply can lead to fines (up to $500,000 per incident is the commonly cited figure), levied by the card brands on the merchant’s acquiring bank and passed on to the merchant.

Page 34: Session 21

PCI Standards

1. Install and maintain a firewall configuration to protect cardholder data.

2. Do not use vendor-supplied defaults for system passwords and other security parameters.

3. Protect stored cardholder data.

4. Encrypt transmission of cardholder data across open, public networks.

Page 35: Session 21

PCI Standards

5. Use and regularly update anti-virus software.

6. Develop and maintain secure systems and applications.

7. Restrict access to cardholder data by business need-to-know.

8. Assign a unique ID to each person with computer access.

Page 36: Session 21

PCI Standards

9. Restrict physical access to cardholder data.

10. Track and monitor all access to network resources and cardholder data.

11. Regularly test security systems and processes.

12. Maintain a policy that addresses information security for all personnel.
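Added example, not part of the slides: requirement 3 (protect stored cardholder data) is the one most often broken by accident, when full primary account numbers (PANs) end up in application or web-server logs, which then become unprotected cardholder data stores. The Python below scans constructed log lines for candidate PANs, uses the Luhn check digit to drop numbers that merely look like PANs, and masks the survivors to first six / last four digits. That masking limit comes from PCI DSS requirement 3.3, a sub-requirement the slides do not state. The log lines are constructed; the card numbers are the card brands' published test numbers, with one check digit deliberately broken.

```python
import re
from typing import List, Tuple

# Constructed sample log lines (not taken from any real system). The card
# numbers are the card brands' published test numbers; 4111 1111 1111 1112
# has a wrong check digit, and request_id is a 13-digit value that is not a PAN.
SAMPLE_LOG = [
    "2009-03-19 10:22:31 order=5531 pan=4111111111111111 amt=42.00",
    "2009-03-19 10:22:35 order=5532 pan=4111 1111 1111 1112 amt=13.50",
    "2009-03-19 10:22:40 order=5533 pan=5555-5555-5555-4444 amt=99.99",
    "2009-03-19 10:22:44 order=5534 pan=3782-822463-10005 amt=7.25",
    "2009-03-19 10:22:50 request_id=1234567890123 status=ok",
]

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or
# hyphens, and not embedded in a longer run of digits.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
SEPARATORS = re.compile(r"[ -]")


def luhn_ok(digits: str) -> bool:
    """True if the digit string passes the Luhn check used for card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep the first six and last four digits, the most PCI DSS 3.3 allows on display."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def _as_pan(candidate: str):
    """Separator-free digits if the candidate is a Luhn-valid PAN, else None."""
    digits = SEPARATORS.sub("", candidate)
    return digits if luhn_ok(digits) else None


def find_pans(line: str) -> List[str]:
    """All Luhn-valid PANs in a log line, separators removed."""
    found = []
    for m in PAN_CANDIDATE.finditer(line):
        pan = _as_pan(m.group(0))
        if pan:
            found.append(pan)
    return found


def scrub_line(line: str) -> str:
    """Replace every Luhn-valid PAN in the line with its masked form."""
    def repl(m):
        pan = _as_pan(m.group(0))
        return mask_pan(pan) if pan else m.group(0)
    return PAN_CANDIDATE.sub(repl, line)


def scrub_log(lines: List[str]) -> Tuple[List[str], int]:
    """Scrub a whole log; returns the scrubbed lines and how many PANs were masked."""
    scrubbed, count = [], 0
    for line in lines:
        count += len(find_pans(line))
        scrubbed.append(scrub_line(line))
    return scrubbed, count


if __name__ == "__main__":
    cleaned, n = scrub_log(SAMPLE_LOG)
    print(f"{n} PAN(s) masked")
    for line in cleaned:
        print(line)
```

Two caveats a practitioner would want: the Luhn check only reduces false positives (a 13-digit identifier that happens to satisfy it will still be masked, which is the safe failure), and finding any PAN in a log at all is itself a requirement 3 finding to investigate, since the scrubber fixes the file but not the code path that wrote it. The sensitive authentication data that PCI DSS forbids storing at all after authorization (full track data, card verification codes, PINs) needs a separate scan; this example only covers the PAN.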
