Confidentiality and Privacy Controls for Digital Signatures

Question: Discuss about theConfidentiality and Privacy Controls for Digital Signatures. Answer: Introduction This chapter includes the two important aspects: Maintaining confidentiality of organization. Secrecy of personal information. Confidentiality For preserving the confidentiality following actions are to be taken: Information Identification and classification- Information identification is the first step after that classification is done which is the responsibility of owners of information as per COBIT 5 and not security personnels. Encryption- It is the most effective method for protecting information. It is the process of converting the text into cipher text; vice versa case is called as Decryption. Access controls levied on information- Authentication and authorization are initial control access and thus are not sufficient to protect the same and thus additional controls are levied. Information rights management and Data loss prevention tools are used. Employees training- Training is provided to employees for protecting client data and maintaining confidentiality. Privacy Any unauthorized leak of information may lead to infinite loss for which privacy controls are implemented. Encryption is an effective control for ensuring privacy in which information is encrypted both at the time of sending and storing. It saves organization from loss as well as monetary effect due to loss. Privacy Concerns: Spam It is an unsolicited email which contains offensive or advertising content. It not only affects the efficiency but also results into viruses, malware, worms and other spyware programs. Controls such as CAN-SPAM Act (2003) were introduced. Under these law penalties of both civil and criminal is imposed on violation of law. It includes the following provisions- Display of sender identity in the header should be clearly presented. Subject should evidently classify the message as advertisement or solicitation. Main content should contain list of recipients with a working link for Opt-out requests for which organization shall place the responsibility. It is an ethical practice to have valid address. Organizations are advised to design their own websites and not send any commercial email to any email address. Identity Theft It is defined as unauthorized use of someone personal information for perpetrators benefit. It may lead to financial crime by looting the clients bank account or medical theft by manipulating the reports of the client leading to some life threatening diseases or tax identity threat in which the fraudsters file an invalid return of refund. So it is an ethical and moral practice to safeguard the client information and provide safeguard against such threats. Following 10 best practices are adopted by the organization Management - By assigning responsibilities and accountability to a specific group of persons to follow proper policies and procedures for protecting customers information. Notice - A notice is provided to clarify the type of information collected, reason associated and using the same. Choice and consent- Individuals are provided with choice and consent to be taken before using their information. There are two approaches called as opt-in and opt-out. GAAP suggests to use opt in approach. Collection- Only collecting that information which is needful. Cookie is a text file which contains the tasks which user has done on site and it is stored in hard disk. Use and retention- Policies should be formulated to ensure that the use of information as stated in privacy policy and retain only till when it is required for business purpose. Access Access to add delete modify the information. Disclosure to third parties- Disclosure shall be made only when policies of organization allows. Security- Use of preventive, detective and corrective controls. Quality- By ensuring integrity of information this target can be achieved. Monitoring and enforcement- Continuous monitoring is required of the stated policies and enforcement of policies is required. Encryption System and its types Factors influencing are key length, encryption algorithm and various policies for managing cryptographic keys. These are of 2 types: Symmetric and Asymmetric systems. In symmetric there is the use of same key for encrypt and decrypt but in asymmetric there are 2 keys that is public and private key. Loss of keys for both is a threat. Hashing A plain text is converted into a short code which is called as Hash. Difference between hash and encryption is encryption produces cipher text whereas it produces only short code and encrypted data can again be decrypted but code cannot be converted again to plain text. Hashing maintains the integrity of data and is unique for each function. Digital Signatures It is defined as authentication of documents as a replacement of physical signature. It is a two-step process in which first hash is created and then the same is decrypted by private key and this is how digital signature is authenticated. Virtual Private Networks (VPNs) VPN may be defined as a technology used to create a safe and encrypted connection over internet. It is a privately owned connection without bearing the costs of leased line. It is only assessable to those who have encryption and decryption keys.