
• The Trust Services framework identifies four essential criteria for successfully implementing the five principles of systems reliability:
– Develop and document policies.
– Effectively communicate those policies to all authorized users.
– Design and employ appropriate control procedures to implement those policies.
– Monitor the system, and take corrective action to maintain compliance with the policies.
• Top management involvement and support is necessary to satisfy each of the preceding criteria.

Principles, definitions, and control mechanisms:

1. Security
Definition: Access to the system and its data is controlled.
Fundamental information security concepts:
• Security as a management issue, not a technology issue
• The time-based model of security
• Defense in depth
Control mechanisms:
• Preventive:
  – Authentication controls (passwords, tokens, biometrics, MAC addresses)
  – Authorization controls (access control matrices and compatibility tests)
  – Training
  – Physical access controls (locks, guards, biometric devices)
  – Remote access controls (IP packet filtering by border routers and firewalls using access control lists; intrusion prevention systems; authentication of dial-in users; wireless access controls)
  – Host and application hardening procedures (firewalls, anti-virus software, disabling of unnecessary features, user account management, software design, e.g., to prevent buffer overflows)
  – Encryption
• Detective:
  – Log analysis
  – Intrusion detection systems
  – Managerial reports
  – Security testing (vulnerability scanners, penetration tests, war dialing)
• Corrective:
  – Computer Emergency Response Teams
  – Chief Security Officer (CSO)
  – Patch management

2. Confidentiality
Definition: Sensitive information is protected from unauthorized disclosure.
Control mechanisms:
• Encryption
• Virtual Private Network
• Strong access controls through authentication and authorization used to limit CRUD.

3. Privacy
Definition: Personal information about customers collected through e-commerce is collected, used, disclosed, and maintained in an appropriate manner.
Control mechanisms:
• The Trust Services privacy framework of the AICPA and CICA lists ten internationally recognized best practices for protecting the privacy of customers’ personal information:
  – Management: The organization establishes a set of procedures and policies for protecting privacy of personal information it collects. Assigns responsibility and accountability for those policies to a specific person or group.
  – Notice: Provides notice about its policies and practices when it collects the information or as soon as practicable thereafter.
  – Choice and consent: Choices may differ across countries.
    U.S.: The default is “opt out,” i.e., organizations can collect personal information about customers unless the customer explicitly objects.
    Europe: The default is “opt in,” i.e., they can’t collect the information unless customers explicitly give them permission.
  – Collection: The organization collects only that information needed to fulfill the purposes stated in its privacy policies.
  – Use and retention: The organization uses its customers’ personal information only according to stated policy and retains that information only as long as needed.
  – Access: The organization provides individuals with the ability to access, review, correct, and delete the personal information stored about them.
  – Disclosure to third parties: The organization discloses customers’ personal information to third parties only per stated policy and only to third parties who provide equivalent protection.
  – Security
  – Quality: The organization maintains the integrity of its customers’ personal information.
  – Monitoring and enforcement: The organization assigns one or more employees to be responsible for assuring and verifying compliance with its stated policies. Also provides for procedures to respond to customer complaints, including third-party dispute-resolution processes.

4. Processing integrity
Definition: Data is processed:
– Accurately
– Completely
– In a timely manner
– With proper authorization
Control mechanisms:
– Source data controls:
  – Forms design
  – Pre-numbered forms sequence test
  – Turnaround documents
  – Cancellation and storage of documents
  – Authorization and segregation of duties
  – Visual scanning
  – Check digit verification
  – RFID security
– Data entry controls:
  – Field check
  – Sign check
  – Limit check
  – Range check
  – Size (or capacity) check
  – Completeness check
  – Validity check
  – Reasonableness test
– Processing controls:
  – Data matching
  – File labels
  – Recalculation of batch totals
  – Cross-footing balance test
  – Write-protection mechanisms
  – Database processing integrity procedures
  – Data conversion controls
– Data transmission controls:
  – Parity checking
  – Message acknowledgment techniques
– Output controls:
  – User review of output
  – Reconciliation procedures
  – External data reconciliation

5. Availability
Definition: The system is available to meet operational and contractual obligations.
Control mechanisms:
– Minimizing risk of downtime:
  • Physical and logical access controls (Chapter 7) can reduce the risk of successful denial-of-service attacks.
  • Good computer security reduces risk of theft or sabotage of IS resources.
– Disaster recovery and business continuity planning:
  • Data backup procedures
  • Provisions for access to replacement infrastructure (equipment, facilities, phone lines, etc.)
  • Thorough documentation
  • Periodic testing
  • Adequate insurance
