
ACCOUNTING INFORMATION SYSTEMS

LIST OF QUESTIONS FOR COLLABORATIVE LEARNING


CHAPTERS 8, 9, 10

Chapter 8 Controls for Information Security

1. It is said that “Security is a management issue”. Please explain this statement.


Security is a management issue, not just a technology issue. Senior management involvement and
support throughout all phases of the security life cycle is absolutely essential for success.
Senior management needs to assess threats and select risk responses, develop and communicate
policy, acquire and implement solutions, and monitor performance.

2. What is defense in depth?

Defense in depth means employing multiple layers of controls to avoid having a single point of
failure. For example, many organizations use not only firewalls but also multiple authentication
methods, such as passwords, tokens, and biometrics, to restrict access to their information systems.
Another example is a technology company that protects its technology very tightly, or a fashion
designer that has a special room which only selected people are allowed to enter.

3.
a. Among various preventive controls for information security, it is believed that the "people"
component is the most important. Please explain your argument on this issue.
People are the most important because they are the actors who carry out preventive controls
by creating a security-conscious culture and through training.
b. Why does the company need to establish a security conscious culture?
A security-conscious culture is one in which employees comply with organizational policies and top
management not only communicates those policies but also leads by example. It is important because
employees can access a great deal of information that is confidential to the company, and if they do
not follow company policies (for example, writing down a password and affixing it to a monitor), the
company can be harmed if that information spreads.
c. Please explain the difference between authentication and authorization as part of preventive
controls.
Authentication is the process of verifying the identity of the person or device attempting to access
the system, whereas authorization is the process of restricting the access of authenticated users to
specific portions of the system and limiting what actions they are permitted to perform.

4. It is stated that “Good change control often results in better operating performance”. Please explain
this statement and describe the characteristics of good change control.
Good change control often results in better operating performance because there are fewer problems
to fix. Companies with good change management and change control processes also experience lower
costs when security incidents do happen.
- Characteristics of good change control:
a. Documentation of all change requests, identifying the nature of the change, its rationale, date of
the request, and outcome of the request.
b. Documented approval of all change requests by appropriate levels of management. It is
especially important that senior management review and approve major changes to processes
and systems in order to ensure that the proposed change is consistent with the organization's
long-term strategic plans.
c. Testing of all changes in a separate system, not the one used for daily business processes. This
reduces the risk that "bugs" in modifications disrupt normal business.
d. Conversion controls to ensure that data is accurately and completely transferred from the old to
the new system. Internal auditors should review the conversion process.
e. Updating of all documentation (program instructions, system descriptions, procedures manuals,
etc.) to reflect the newly implemented changes.
f. A special process for timely review, approval, and documentation of "emergency changes" as
soon after the crisis as is practical. All emergency changes need to be logged to provide an audit
trail. A large number or marked increase in the number of emergency changes is a potential red
flag of other problems (poor configuration management procedures, lack of preventive
maintenance, or political "game-playing" to avoid the normal change control process).
g. Development and documentation of "backout" plans to facilitate reverting to previous
configurations if the new change creates unexpected problems.
h. Careful monitoring and review of user rights and privileges during the change process to
ensure that proper segregation of duties is maintained.

5. Please explain various components in Detective and Corrective controls.


Components of detective controls:
- Log analysis: the process of examining logs to identify evidence of possible attacks.
- Intrusion Detection Systems: a system that creates logs of all network traffic that was permitted
to pass the firewall and then analyzes those logs for signs of attempted or successful intrusions.
- Penetration Testing: an authorized attempt to break into the organization's information system.
- Continuous Monitoring: continuously monitoring both employee compliance with the
organization's information security policies and overall performance of business processes.
Components of corrective controls:
Example: a quality team that addresses ongoing problems.
- Computer Incident Response Team: a team that is responsible for dealing with major security
incidents.
- Chief Information Security Officer: a position which is independent of other information systems
functions and should report to either the chief operating officer (COO) or the chief executive
officer (CEO).
- Patch Management: the process of regularly applying patches and updates to software.

Chapter 9 Confidentiality and Privacy Controls

1. a. What is the difference between confidentiality and privacy?


Privacy focuses on protecting personal information about customers, employees, suppliers, or
business partners rather than organizational data. Confidentiality, on the other hand, focuses more
on organizational data and how it can create competitive advantage over other competitors.
b. What are the key components to protect confidentiality and privacy?
Key components to protect confidentiality and privacy:
- Identify and classify information to be protected
- Encrypt the information: the data is connected to the internet
- Control access to the information
- Train employees to properly handle the information

2. It is stated that “Training is the most important control for protecting confidentiality”. Please explain
your argument on this issue.
Training is the most important control for protecting confidentiality because employees sometimes
do not realize the importance of the information they possess and are reckless in handling it.
Thus, they need to know how to protect it, which leads to the effectiveness of the related controls.

3. What is identity theft? Please give example and describe things-to-do to prevent it.
Identity theft: the unauthorized use of someone’s personal information for the perpetrator’s benefit,
usually for economic gain.
Example: the perpetrator obtains loans or opens new credit cards in the victim's name and loots the
victim's bank accounts.
How to prevent:
- Shred all documents that contain personal information
- Securely store documents that contain sensitive personal and financial information
- Never send personal information in unencrypted email
- Beware of requests to verify personal information that the requesting party should
already possess
- Do not carry your social security card with you
- Resist requests to provide social security number to businesses
- Print only your initials and last name on checks
- Limit the amount of other information preprinted on checks
- Do not place outgoing mail containing personal information in your mailbox for pickup
- Do not carry more than a few blank checks
- Use special software to thoroughly clean any digital media prior to disposal
- Monitor credit reports regularly
- File a police report as soon as possible when your belongings are stolen
- Immediately cancel any stolen or lost credit cards

4. What is GAPP? Please explain its best practices.


GAPP: a regulation concerning the use and protection of personal information, which helps
organizations cost-effectively comply with its requirements.
Explain its best practices:
1. Management: establishing a set of procedures and policies for protecting privacy
2. Notice: should provide notice before collecting personal information
3. Choice and consent: explain choices available to individuals and obtain their consent
4. Collection: collect only the information needed
5. Use and retention: only use customers' personal information in line with what is stated in
their privacy policies
6. Access: provide individuals with the ability to access, review, correct, and delete their information
7. Disclosure to third parties: disclose it only in the situations and manners stated in their
privacy policies, and only to third parties who provide the same level of privacy
protection
8. Security: take reasonable steps to protect customers' personal information from loss or
unauthorized disclosure
9. Quality: maintain the integrity of customers' personal information and employ
procedures to ensure that it is reasonably accurate
10. Monitoring and enforcement: ensure compliance, verify it periodically, and establish
procedures for responding to customer complaints

Chapter 10 Processing Integrity and Availability Controls

1. a. What are the key components of input controls?


Key components of input controls:
- Form design
- Cancellation and storage of source documents
- Data entry controls
b. What is Garbage In Garbage Out concept?
Garbage in, garbage out means that if the data entered into a system are inaccurate, incomplete, or
invalid, the output will be too.

2. What are the key components of processing and output controls?


Key components of processing controls:
- Data matching
- File labels
- Recalculation of batch totals
- Cross-footing and zero-balance tests
- Write-protection mechanisms
- Concurrent update controls
Key components of output controls:
- User review of output
- Reconciliation procedures
- External data reconciliation
- Data transmission controls
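Added example (not part of the study guide or Romney's text): a small Python implementation of two of the processing controls listed above, recalculation of batch totals and the cross-footing/zero-balance test, run over a constructed batch of journal entries with constructed control totals.

```python
# Added example: batch total recalculation and a zero-balance (cross-footing)
# test as processing integrity controls. The batch, account numbers and
# control totals below are constructed for illustration.
from dataclasses import dataclass


@dataclass
class Entry:
    account: str   # account number; used only for the hash total
    debit: float
    credit: float


# Constructed sample batch: three journal lines that should balance.
BATCH = [
    Entry("1010", 500.00, 0.00),
    Entry("4010", 0.00, 300.00),
    Entry("2010", 0.00, 200.00),
]

# Control totals recorded when the batch was keyed in (constructed values):
# record count, financial total (sum of debits) and hash total (sum of the
# account numbers, a figure with no business meaning that still reveals a
# lost, duplicated or altered record).
EXPECTED = {"record_count": 3, "financial_total": 500.00, "hash_total": 7030}


def batch_totals(entries):
    """Recalculate the three batch totals after processing."""
    return {
        "record_count": len(entries),
        "financial_total": round(sum(e.debit for e in entries), 2),
        "hash_total": sum(int(e.account) for e in entries),
    }


def batch_totals_match(entries, expected):
    """Processing control: recalculated totals must equal the input totals."""
    return batch_totals(entries) == expected


def zero_balance_test(entries):
    """Cross-footing: total debits minus total credits must come to zero."""
    debits = sum(e.debit for e in entries)
    credits = sum(e.credit for e in entries)
    return round(debits - credits, 2) == 0.0


if __name__ == "__main__":
    print("batch totals ok:", batch_totals_match(BATCH, EXPECTED))
    print("zero balance ok:", zero_balance_test(BATCH))
```

Dropping or altering any line of the batch makes at least one of the two checks fail, which is the point of recording control totals at input time.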

3. What are DRP and BCP? Please explain and highlight the differences.
DRP (disaster recovery plan) and BCP (business continuity plan) are designed to mitigate problems
when one or more files or databases become corrupted because of hardware, software, or human
error.
A DRP outlines the procedures to restore an organization's IT function in the event that the data
center is destroyed by a natural disaster or act of terrorism.
A BCP specifies how to resume not only IT operations but all business processes in the event that a
major calamity destroys not only an organization's data center but also its main headquarters.

4. What are the effects of virtualization and cloud computing on availability controls?
Virtualization significantly reduces the time needed to recover from hardware problems.
Cloud computing reduces the risk that a single catastrophe could result in system downtime and the
loss of all data.

Case Study:

http://www.slate.com/articles/technology/safety_net/2015/02/venmo_security_it_s_not_as_strong_as_the_company_wants_you_to_think.html

Question:

1. Explain the value chain of Venmo!


2. Describe the form of control that has been implemented by Venmo to store personal information
of the Venmo application's users.
3. Explain the form of corrective control that Venmo has implemented, or should have implemented,
to avoid unauthorized transaction events.

Instructions:

1. The group should prepare a presentation of 5-8 minutes maximum using PowerPoint to
answer the above questions.
2. Refer to your understanding on Romney Chapters 8 and 9.
