Inadequate security and controls also bring forth issues of liability.
Legal and Regulatory Requirements for Electronic Records Management
Firms face new legal obligations for the retention and storage of electronic records and for privacy protection.
PIPEDA: Personal Information Protection and Electronic Documents Act
- Specifies privacy, security and electronic transaction standards for handling consumer/patient records
C-SOX: Canadian rules for the Sarbanes-Oxley Act, Bill 198
- Imposes responsibility on companies and management to safeguard the accuracy and integrity of financial information used internally and released externally
- Companies must consider systems security and other controls needed to ensure the integrity, confidentiality and accuracy of their data
- Because managing this data involves information systems, the information systems must implement controls to make sure this information is accurate and to enforce integrity, confidentiality, and accuracy
Electronic evidence and computer forensics
- In legal action, a firm is obligated by law to respond to discovery requests for access to information that may be used as evidence
- If the company has trouble assembling the data, or the data has been corrupted or improperly destroyed, the cost can be enormous
- An effective electronic document retention policy ensures electronic data/emails are well organized, accessible, and not retained too long or too short
Computer Forensics: the scientific collection, examination, authentication, preservation and analysis of data held on or retrieved from computer storage in such a way that it can be used as evidence in a court of law
1. Recovering data from computers while preserving evidential integrity
2. Securely storing and handling recovered electronic data
3. Finding significant information in a large volume of electronic data
4. Presenting the information to a court of law
Electronic evidence may be on a computer in the form of ambient data: data not visible to the average user
- Computer forensic experts can try to recover such hidden data for presentation as evidence
- Data that may have been deleted can be recovered with various techniques
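Steps 1 and 2 of the forensic process above (preserving evidential integrity, then storing and handling the recovered data) rest on a cryptographic hash taken at acquisition and a chain-of-custody record that is re-verified at every hand-over. The following is an added illustration, not part of the original notes or any named tool; the sample image file, the examiner names and the record layout are constructed for the example.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path: str) -> str:
    """Hash the evidence file byte for byte, streaming so large images fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def acquire(path: str, examiner: str) -> dict:
    """Record the acquisition hash; every later verification compares against it."""
    return {
        "item": os.path.basename(path),
        "sha256": sha256_file(path),
        "acquired_by": examiner,
        "acquired_at": datetime.now(timezone.utc).isoformat(),
        "custody": [],  # each hand-over is appended here (constructed record layout)
    }


def transfer(record: dict, giver: str, receiver: str) -> dict:
    """Log a hand-over; verify() is run at the same boundary to catch modification."""
    record["custody"].append({
        "from": giver, "to": receiver,
        "at": datetime.now(timezone.utc).isoformat(),
    })
    return record


def verify(record: dict, path: str) -> bool:
    """True only while the file still matches the hash recorded at acquisition."""
    return sha256_file(path) == record["sha256"]


def demo() -> tuple:
    """Acquire a constructed image, log custody, then show a one-byte change is caught."""
    with tempfile.TemporaryDirectory() as d:
        img = os.path.join(d, "disk.img")
        with open(img, "wb") as f:
            f.write(b"constructed sample image\x00" * 64)  # stand-in for a real image
        rec = transfer(acquire(img, "examiner A"), "examiner A", "evidence locker")
        intact = verify(rec, img)
        with open(img, "r+b") as f:  # simulate accidental modification of the copy
            f.seek(0)
            f.write(b"X")
        return intact, verify(rec, img), len(rec["custody"])
```

In practice the acquisition hash is written to the custody record before the examiner touches the working copy, so any later mismatch points to the exact hand-over where integrity was lost.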
8.3 Establishing a Framework for Security and Control
Need to know where the company is at risk and what controls must be put in place to protect its information systems.
Need to develop a security policy for keeping the business running if the IS is not operational.
Information System Controls
Manual and automated; consist of general controls and application controls.
General Controls
Govern the design, security and use of computer programs and the security of data files in general throughout an organization's IT infrastructure; they apply to all computerized applications and consist of a combination of hardware, software, and manual procedures that create the overall control environment.
- Fall '12
- AlecCram