Hello and welcome to this session, in which we will discuss IT security principles. Specifically, we're going to be discussing the AICPA, the American Institute of Certified Public Accountants, IT security principles. What they did is they developed five IT security principles to help organizations safeguard their sensitive information and assets. Now bear in mind, those IT principles might be very similar to some other frameworks' IT principles. Nevertheless, in this session we focus on the AICPA, because this is basically for the CPA exam. Specifically, those principles are known as the Trust Services Criteria, TSC, and they are as follows: security principle, availability principle, processing integrity principle, confidentiality principle, privacy principle. If you know anything about Farhat, since I have a list, I'm going to go over each item on this list and explain it separately.

Before we proceed any further, I have a public announcement about my company, farhatlectures.com. Farhat Accounting Lectures is a supplemental educational tool that's going to help you with your CPA exam preparation as well as your accounting courses. My CPA material is aligned with your CPA review course, such as Becker, Roger, Wiley, Gleim, Miles. My accounting courses are aligned with your accounting courses, broken down by chapter and topic. My resources consist of lectures, multiple-choice questions, true-false questions, as well as exercises. Go ahead, start your free trial today: no obligation, no credit card required.

Starting with the security principle. Well, it basically states that an organization is required to protect its data and systems against unauthorized access, both physical access and logical access. It means you can't go in, you can't break in; this is the physical access. Logical access: you cannot access the information over a network, you cannot access the information over the web or through some sort of a computerized system.
This includes protection against hacking, viruses, and other forms of cyber threats. Now, how do they make sure they are protected? Well, one is they use authentication. What is that? It's verifying the identity of the person that's attempting to access the system or the data. Well, this includes passwords, the most common one, smart cards, biometric identification. For example, if you have a bank account, sometimes what they do is they would require a two-factor authentication mechanism via a one-time code sent to your phone or to your email. So after you input your login and password, they will send a code to your phone. So now it's your login, your password, plus a code on the phone. And sometimes you might have those tokens. So once you log in, this token will keep on changing. So you have to have the physical token in addition to the login and the password. For what purpose? To make sure the system is protected from unauthorized access. So they are authenticating you.

The other one is authorization. Once a user has been authenticated, it means that's the proper user. Can we give them access to everything? We have to give them authorization control. So what you can access is limited to what needs to be accessed by you. So if you work in AP, you only have access to AP. You don't have access to cash. If you work in AR, you should not have access to payroll, and so on and so forth. Authorization mechanisms can be based on roles, responsibilities, or specific privileges.

We could also use encryption. This involves converting data into a format that's unreadable. So even if you were able to intercept this data, you cannot read it, because you need a decryption key. So encryption is an effective way to protect sensitive data. So I will send you an email, and I will send you information in that email. If that email was intercepted, no one can read it. Why? Because I'm going to send you a key separately to be able to open that email.
So this way, the information is protected against unauthorized access or disclosure, in transit or at rest. Any information is protected unless you have the key to decrypt this information.

You could also use firewalls. Those are devices that monitor and control traffic between the organization's internal and external networks. Firewalls are designed to prevent unauthorized access and to protect against various types of cyber attacks. So before the cyber attacker tries to penetrate your system, don't think of it as a wall, but it's a firewall to protect you. That's just what it is.

Availability principle. What does it entail? It ensures that an organization's systems are available. We are there; it's there when we need it, for use as needed. This includes minimizing downtime (we don't want to have downtime, or if there is, it's very minimal), maintaining system performance (the system is performing at its peak or close to peak at all times), and providing timely information when we need it. Now, how do we make sure that the availability principle is in action? Well, we have to have what's called redundancy. What is redundancy? This is important. It involves duplicate systems, components, or processes. So if one thing fails, you have a duplicate system that you can bring online immediately. For example, an organization could have multiple servers that can take over if the primary server fails. So one of your servers fails. Well, guess what? You have another server. You could just go in and launch your business from it immediately, almost immediately.

Backup and recovery. Well, this involves creating and storing backups of critical data. So in case something happens to your system, it's backed up somewhere. So what happens is you can easily recover from an outage or a data loss and minimize your downtime. Then there's something called load balancing. What is load balancing?
This involves distributing workloads across multiple systems to ensure no single system becomes overloaded, okay? Which could cause what? If that's the case, performance issues; you may try to log in and you can't log in. For example, e-commerce websites always implement this load balancing. Think, for example, of Black Friday or Cyber Monday: certain websites, they have a lot of traffic. So what they do, they spread the traffic across different servers, across different sites. So what happens is the system is not slowed down; the system doesn't go down because of the demand. This is what load balancing is.

Also, you need disaster recovery planning. And we're going to have a whole session about this. This involves developing and testing a plan for recovering from a major outage or disaster. You have to be ready. If something happens, a disaster happens, a hurricane, an earthquake, or a cyber attack, do you have a plan to recover? And we'll talk about this; there's a whole session about this. You would outline the steps the organization must take to restore system availability. That's the first thing, including identifying critical systems and data, establishing recovery time objectives, and implementing backup and recovery procedures. So basically, you are ready to go back online almost immediately after a disaster. Do you have a plan for that?

The second principle is integrity. I believe that's the third principle. The third principle is the processing integrity principle. What does that mean? It means that an organization's data is processed accurately, completely, and on time. How? Well, you're going to have something called data validation. Well, this involves ensuring that data is accurate and complete before it's processed. Now, you're going to be saying, give me more examples. Well, this includes verifying that the data is in the correct format, requiring that fields are populated, and that data values are within an acceptable range.
Now, there's one whole session about data validation. It's called input controls. So if you want to learn more about data validation, we have a whole session about input controls. So here we are discussing data validation within IT security. But if you want to learn more about this, I don't want you to think I'm shortchanging you. You know, this topic is so important. I'm just giving you an example of how the system can have integrity through data validation.

Error detection and correction. This involves monitoring data processing for errors and implementing procedures to correct those errors when they are detected. Well, this includes implementing automated error detection mechanisms such as checksums and data validation rules, and providing manual processes for correcting errors. Now, again, this is called processing controls. It means once you input the information into the system, you want to make sure it's processed properly. There's one whole session; this topic is so important. There's something called processing controls. Again, we have input. So you want to make sure when you input the data into the system, the input is correct. Once the system has processed it, the information is correct, to maintain the integrity of the system. So then we have the input controls lecture, processing controls, and obviously we have the output controls lecture.

And this is a form of audit trails. This involves recording all actions taken during data processing and storing this information in an audit trail. Basically, once it's done, you'll be able to go back and see what happened. This includes recording user actions, system events, and other relevant information that can be used to track the data processing and identify potential errors or issues. So this is after it happens; you're auditing the process. And this is called output controls. Again, you have a whole session about output controls.

And reconciliation is a great thing. It's a great control.
It basically involves comparing. Once you hear the word reconciliation in accounting, it means you are taking two things and comparing them to each other and making sure they match: comparing two sets of data to ensure that they match. For example, an organization may reconcile a bank statement with its own financial records. This is a typical reconciliation example, where you have the bank statement and you compare the bank statement information to your general ledger cash, and they should match after you prepare the appropriate adjustments.

The fourth principle is the confidentiality principle, and it basically requires an organization to do what? Protect its sensitive information from unauthorized disclosure. Confidential. This includes protecting personal, financial, and health information from being accessed or disclosed to unauthorized parties. Now, how can the company do that? Again, access controls: limiting access to sensitive information to only individuals who have a legitimate need to know. So not everyone should have access to this information. This includes implementing authentication and authorization controls, as we saw earlier, using passwords, role-based access control, and encryption.

Data classification. This is important, and we talked about data classification in much more detail when we spoke about data. This involves classifying the data based on its sensitivity level (certain data is more sensitive than other data) and implementing appropriate security controls based on the classification. For example, we might have highly sensitive data that may require additional security controls such as encryption, physical security measures, logical controls, and so on and so forth. We could have low sensitivity, high sensitivity, extremely sensitive, secret information, so we can classify this information.

Data masking and obfuscation. This involves obscuring sensitive data by replacing it with random characters or symbols.
A good example of it, for example, is the credit card. We have the credit card, but the credit card number shows as Xs. So you are masking, you are obscuring this information, so even if somebody has access to it, they don't know what it is. They cannot read it.

Monitoring and logging. This involves monitoring access to sensitive data and logging all actions taken by authorized users. Notice all these principles are interrelated, to make sure we're covering everything. From authenticating to authorizing to protecting the data, they're all interrelated. They serve each other. This can help identify unauthorized access or other suspicious activities, and the most important thing is to monitor the process. You can go back and audit the process if need be. A good example of confidentiality is using it in a healthcare organization, where they implement access controls to protect patient health information. With access controls, only authorized individuals, such as health providers and administrative staff, are granted access to the patient health information.

The fifth principle is the privacy principle, and this is very important. It requires that an organization's personal information is collected, used, retained, and disclosed in a manner consistent with the organization's privacy policies and applicable laws and procedures. And this is a big topic on the CPA exam 2024. This includes protecting confidentiality, which we talked about, and giving individuals control over their information, over how their information is used. How? How do we implement this? Well, first we should have privacy policies. Just tell you exactly how we're going to be using your information: creating and implementing a privacy policy that outlines how personal information is collected, used, retained, and disclosed. And this policy should also describe individuals' rights and the organization's responsibilities. What are you going to do with my information? Are you going to sell it?
Are you going to disclose it to a third party? I need to know, and what is your responsibility under applicable laws and regulations?

Consent mechanisms. Well, this involves obtaining individuals' consent before collecting, using, and disclosing the information. Are you getting my consent? For example, in the U.S., you can opt out of having your information collected by a website; in Europe, you have to opt in. So what is your consent? In Europe, there are stricter rules about privacy. This consent mechanism should be clear and specific, and individuals should be given the option to opt out. Just like every time you log into a website now, they have this option for you.

Data minimization. What is that? This involves collecting and retaining only the minimum amount of personal information needed to achieve the organization's purpose. Don't collect more information than need be. What is your purpose? Why are you collecting this information? For example, you might collect my name, my contact information. Well, you don't need, maybe, my Social Security number. Do you really need it? Yes or no? You may not need my email. You may not need my phone, and so on and so forth. So just collect the information that's needed for your business purpose and don't collect information that's not necessary. This is called data minimization.

Information security. Well, this involves implementing appropriate security controls to protect personal information, again, from unauthorized access or disclosure. The security should be designed to prevent, detect, and respond to security incidents. Now, as I mentioned, privacy is an important topic, especially on the 2024 CPA exam. It's relevant for now, but on the 2024 exam, it's a big topic. So we're going to talk a little bit more about privacy. We're going to discuss the Generally Accepted Privacy Principles, GAPP; there are 10 of them. We're going to have a separate session for that.
We're going to look at the General Data Protection Regulation, another important topic tested on the 2024 exam, and the Health Insurance Portability and Accountability Act, HIPAA. That's another topic that deals with privacy that we need to be familiar with. So notice, about the privacy principle alone, we're going to have at least three more sessions that deal with how companies should handle your information from a privacy perspective. So it's very important.

What should you do now? Go to Farhat Lectures. It's time to answer multiple-choice questions. Yes, you listened to me, you understand the principles, but those principles, they could be a little bit confusing, similar to each other. The only way you can clarify this is by doing what? Working MCQs. Whether you are studying for your CPA exam, CMA exam, or some other professional certification, IT security controls, or for example CISA, is extremely important to your success. Invest in yourself, invest in your career, good luck, and of course, stay safe.
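As an added example, not part of the lecture above, here is the authentication-then-authorization flow the security principle describes, written out in Python. Authentication is the password check plus a one-time code of the kind a phone or hardware token produces, where the code keeps changing with time (RFC 6238 TOTP: HMAC-SHA1 over a 30-second counter). Authorization is the separate role-based check that keeps an AP clerk out of cash and payroll even after the login succeeded. The user "alice", her password, her roles and the token seed (the RFC 6238 test seed) are constructed for this demonstration and do not come from the lecture or from any product.

```python
"""Added example: two-factor authentication followed by role-based authorization.

Everything in USERS and ROLE_PERMISSIONS is constructed for the demo.
"""
import hashlib
import hmac
import secrets
import struct

PBKDF2_ROUNDS = 200_000
TOTP_STEP_SECONDS = 30


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, deliberately slow password hash; the plain password is never stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def totp(secret: bytes, timestamp: int, digits: int = 6) -> str:
    """RFC 6238 code for the 30-second window that contains `timestamp`.

    The HMAC is over the window counter, so the code changes every 30 seconds,
    which is what the 'token keeps on changing' in the lecture refers to.
    """
    counter = struct.pack(">Q", timestamp // TOTP_STEP_SECONDS)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % 10 ** digits).zfill(digits)


def verify_totp(secret: bytes, code: str, timestamp: int, skew: int = 1) -> bool:
    """Accept the current window plus `skew` windows either side (clock drift).

    hmac.compare_digest keeps the comparison constant-time so the check itself
    does not leak how many digits were right.
    """
    return any(
        hmac.compare_digest(totp(secret, timestamp + d * TOTP_STEP_SECONDS), code)
        for d in range(-skew, skew + 1)
    )


# Constructed user store: salt, password hash, token seed shared with the
# user's phone/hardware token at enrolment, and the roles the job needs.
_ALICE_SALT = secrets.token_bytes(16)
USERS = {
    "alice": {
        "salt": _ALICE_SALT,
        "pw_hash": hash_password("correct horse battery", _ALICE_SALT),
        "totp_secret": b"12345678901234567890",   # RFC 6238 Appendix B test seed
        "roles": {"ap_clerk"},
    },
}

# Role -> permissions. Cash and payroll are deliberately absent from ap_clerk:
# being authenticated says who you are, not what you may touch.
ROLE_PERMISSIONS = {
    "ap_clerk": {"ap:read", "ap:write"},
    "treasurer": {"cash:read", "cash:write"},
    "payroll": {"payroll:read", "payroll:write"},
}


def authenticate(username: str, password: str, code: str, now: int) -> bool:
    """Both factors must pass; both are evaluated so a failure does not
    short-circuit and reveal which factor was wrong through timing."""
    user = USERS.get(username)
    if user is None:
        return False
    pw_ok = hmac.compare_digest(hash_password(password, user["salt"]), user["pw_hash"])
    code_ok = verify_totp(user["totp_secret"], code, now)
    return pw_ok and code_ok


def authorize(username: str, permission: str) -> bool:
    """Role-based check: the union of the user's role permissions must contain it."""
    user = USERS.get(username)
    if user is None:
        return False
    granted = set().union(*(ROLE_PERMISSIONS.get(r, set()) for r in user["roles"]))
    return permission in granted


def access(username: str, password: str, code: str, permission: str, now: int) -> str:
    """Full flow: deny unless the user is authenticated AND authorized."""
    if not authenticate(username, password, code, now):
        return "denied: authentication failed"
    if not authorize(username, permission):
        return "denied: not authorized for " + permission
    return "granted: " + permission


if __name__ == "__main__":
    # At Unix time 59 the RFC 6238 seed yields the 6-digit code 287082.
    print(access("alice", "correct horse battery", "287082", "ap:read", 59))
    print(access("alice", "correct horse battery", "287082", "cash:read", 59))
```

The `skew` parameter is the practical caveat: a token's clock and the server's clock drift, so one window of tolerance on either side is normal, but widening it further multiplies the number of codes an attacker can guess against. Note also that the authorization step runs only after authentication succeeds, and that a successful login grants nothing by itself; the roles decide.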