ADELAIDE · S1 2026 · FACULTY OF BUSINESS & ECONOMICS

ACCTING2503 · Accounting Systems And Analytics

50% final exam · hurdle · 14 Chapters · 9-page Bible
Chapter 4 of 11 · ACCTING 2503

Controls for Confidentiality, Privacy, Processing Integrity & Availability

This chapter takes the Trust Services Framework (Security as the foundation, with Confidentiality, Privacy, Processing Integrity and Availability built on top) and turns it into examinable controls. You learn to protect organisational secrets and personal data, tell authentication (who you are) from authorisation (what you may do), use encryption, hashing and digital signatures in the right key direction, sort processing-integrity controls into input / processing / output stages, and plan for availability with fault tolerance, backups and recovery sites. It is tested in Test 1 and, more heavily, in the closed-book final, where a case study asks you to name a control, classify it and justify it.

In this chapter

What this chapter covers

  • 1. Trust Services Framework — Security is the foundation; Confidentiality, Privacy, Processing Integrity, Availability sit on top
  • 2. Confidentiality (organisational IP) vs Privacy (personal data) — same toolkit, different subject
  • 3. Protecting sensitive data: identify & classify, encrypt, control access, train (training is the key step)
  • 4. Privacy rules — Generally Accepted Privacy Principles (GAPP), opt-in vs opt-out consent, the Privacy Act and Spam Act
  • 5. Authentication vs authorisation — know/have/are and multifactor vs the access-control matrix
  • 6. Encryption — symmetric vs asymmetric vs hybrid — plus hashing as one-way integrity (hashing is not encryption)
  • 7. Digital signatures — sign with your private key; encrypt for secrecy with the recipient's public key
  • 8. Processing-integrity controls by stage (input / processing / output) and availability (fault tolerance, incremental vs differential backup, BCP vs DRP, cold vs hot site)
Worked example

Confidential, signed tender file

Q [8 marks]. Coorong Logistics emails a priced tender document to a client, GulfPort. It needs three things: the file must stay secret if intercepted, GulfPort must be able to prove it was not altered, and GulfPort must be able to prove it genuinely came from Coorong. (a) Contrast symmetric and asymmetric encryption. (b) Explain how a digital signature gives both integrity and non-repudiation, naming the role of hashing. (c) State which key encrypts and which decrypts to keep the tender confidential.
  • [+2] (a) Symmetric encryption uses one shared secret key for both encrypt and decrypt — fast, but it carries the key-distribution risk (both parties must share the secret safely). Asymmetric encryption uses a public/private key pair (encrypt with one key, decrypt with the other) — it solves key distribution and enables signatures, but is slower.
  • [+2] (b) Hashing step: Coorong runs the tender through a one-way hash to produce a fixed-length digest. Any change to the document — even one character — produces a different digest, which is how GulfPort later detects tampering. That gives integrity.
  • [+2] (b) Signature step: Coorong encrypts that digest with its own private key; the result is the digital signature attached to the file. GulfPort decrypts it with Coorong's public key — success proves it came from Coorong (non-repudiation), and re-hashing the received file and matching the digests proves it is unaltered (integrity).
  • [+2] (c) Confidentiality: to keep the tender secret, Coorong encrypts it with GulfPort's public key; only GulfPort's private key can decrypt it, so an interceptor learns nothing.
Symmetric = one shared key; asymmetric = a public/private pair. Digital signature = the document's hash encrypted with the sender's PRIVATE key (verified with the sender's public key) → integrity + non-repudiation. For confidentiality, encrypt with the RECIPIENT's public key and decrypt with the recipient's private key.
Sia tip — Remember the two opposite key directions: sign with your OWN private key (identity — 'only I can do it'); encrypt for secrecy with THEIR public key (only they can decrypt). And never say a hash is 'decrypted' — hashing is one-way and gives integrity, not confidentiality.
Glossary

Key terms

Trust Services Framework
Five principles for a reliable AIS: Security (the foundation and a management issue), Confidentiality, Privacy, Processing Integrity and Availability. The four upper principles depend on the security base.
Confidentiality vs privacy
Confidentiality protects the organisation's own sensitive information (strategic plans, trade secrets, cost data, IP). Privacy protects personal information about individuals (customers, employees) and is governed by GAPP and, in Australia, the Privacy Act and Spam Act.
Authentication vs authorisation
Authentication verifies who you are — something you know (password), have (token/smart card) or are (biometric); multifactor combines these. Authorisation decides what you may do once identified, implemented through an access-control matrix. Identity first, permissions second.
Symmetric / asymmetric / hybrid encryption
Symmetric uses one shared key (fast, key-distribution risk). Asymmetric uses a public/private key pair (secure, slower, needs a PKI). Hybrid uses a symmetric key for the bulk data and asymmetric encryption to share that symmetric key — how TLS works.
Hashing
A one-way function that turns any input into a fixed-length digest (e.g. SHA-256). It cannot be reversed; any change to the input changes the digest, so it provides integrity — not confidentiality. Hashing is not encryption.
Digital signature
A document's hash encrypted with the signer's private key. Verifying it with the signer's public key proves authenticity (non-repudiation); re-hashing and comparing proves the document is unaltered (integrity).
Processing-integrity controls
Controls ensuring data is processed completely and accurately, organised by stage: input (field, sign, limit, range, validity, completeness, reasonableness checks; batch and hash totals), processing (matching, recalculation, record locking) and output (review, reconciliation, transmission checks).
BCP vs DRP; incremental vs differential backup
A Business Continuity Plan restores all business processes; a Disaster Recovery Plan restores only the IT function (via a cold, hot or mirrored second site). Incremental backup copies data changed since the last backup; differential copies data changed since the last FULL backup.
FAQ

Controls for Confidentiality, Privacy, Processing Integrity & Availability FAQ

How do I keep authentication and authorisation straight?

Authentication answers 'who are you?' and comes first — it verifies identity using something you know, have or are (multifactor combines them). Authorisation answers 'what may you do?' and comes second — it grants or limits access through an access-control matrix. A fingerprint scanner is authentication (something you are); being allowed to approve a payment is authorisation. You cannot grant permissions to an identity you have not established, so the order never reverses.

Which key signs and which key keeps a message secret?

They are opposite directions. To SIGN (integrity + non-repudiation) you encrypt the document's hash with your OWN private key; the receiver verifies with your public key. To keep a message SECRET (confidentiality) you encrypt with the RECIPIENT's public key; only their private key can decrypt it. The mnemonic: private = identity ('only I can do it'), the recipient's public = secrecy ('only they can undo it'). Reversing them costs you the marks for the whole part.
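The two key directions above, applied to the Coorong/GulfPort tender from the worked example, as an added Python sketch that is not part of the original guide. It uses unpadded textbook RSA with constructed demo keys built from publicly known Mersenne primes, so it shows key direction only; the key names, helper functions and tender text are assumptions, and real systems use a vetted library with padded schemes such as RSA-PSS and RSA-OAEP.

```python
import hashlib

E = 65537  # public exponent shared by both demo key pairs


def make_keypair(p, q):
    """Return (public, private) textbook-RSA keys as (exponent, modulus)."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))  # private exponent (Python 3.8+)
    return (E, n), (d, n)


# Constructed demo keys from well-known Mersenne primes: never real keys.
COORONG_PUB, COORONG_PRIV = make_keypair(2**521 - 1, 2**607 - 1)
GULFPORT_PUB, GULFPORT_PRIV = make_keypair(2**1279 - 1, 2**2203 - 1)


def digest(document: bytes) -> int:
    """One-way, fixed-length SHA-256 digest as an integer."""
    return int.from_bytes(hashlib.sha256(document).digest(), "big")


def sign(document: bytes, sender_private) -> int:
    """Signature = the document's hash transformed with the SENDER's private key."""
    d, n = sender_private
    return pow(digest(document), d, n)


def verify(document: bytes, signature: int, sender_public) -> bool:
    """Recover the signed digest with the sender's PUBLIC key, then re-hash and compare."""
    e, n = sender_public
    return pow(signature, e, n) == digest(document)


def encrypt(document: bytes, recipient_public) -> int:
    """Confidentiality: encrypt with the RECIPIENT's public key."""
    e, n = recipient_public
    m = int.from_bytes(document, "big")
    if m >= n:
        raise ValueError("message too long for this key; use hybrid encryption")
    return pow(m, e, n)


def decrypt(ciphertext: int, private) -> bytes:
    """Only the matching private key recovers the plaintext."""
    d, n = private
    m = pow(ciphertext, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


TENDER = b"Coorong Logistics tender: AUD 1,250,000"  # constructed sample text
```
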

Why is hashing not the same as encryption?

Encryption is reversible — you decrypt ciphertext back to plaintext — and the output is about the same size as the input. A hash is a fixed-length digest and is one-way: there is no way to 'decrypt' it back to the document. Encryption gives confidentiality; hashing gives integrity (you detect any change because the digest changes). Writing 'decrypt the hash' signals you have confused the two primitives.

What is the difference between incremental and differential backups, and BCP vs DRP?

Incremental backup copies only data changed since the LAST backup (of any kind) — fast to back up, but restore needs the full backup plus every increment in order. Differential copies data changed since the last FULL backup — slower and larger each day, but restore needs only the full plus one latest differential. Separately, a DRP restores only the IT function after a disaster (cold, hot or mirrored site), while a BCP restores the whole business. The common traps: defining differential as 'since last backup', and using BCP and DRP interchangeably.
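The restore difference described above, as an added Python example that is not part of the original guide. The schedule, file names and function names are constructed assumptions; the chain logic also handles a mixed schedule, which goes slightly beyond the two pure cases in the text.

```python
def plan_backups(schedule, changes, all_files):
    """Return [(day, kind, files_copied)] for an ordered schedule of (day, kind)."""
    since_full, since_last, plan = set(), set(), []
    for day, kind in schedule:
        changed = changes.get(day, set())
        since_full |= changed
        since_last |= changed
        if kind == "full":
            copied, since_full = set(all_files), set()
        elif kind == "differential":
            copied = set(since_full)   # everything changed since the last FULL
        else:
            copied = set(since_last)   # only what changed since the LAST backup
        since_last = set()
        plan.append((day, kind, copied))
    return plan


def restore_chain(plan):
    """Days whose backup sets must be restored, in order, after the last entry."""
    fulls = [i for i, (_, kind, _) in enumerate(plan) if kind == "full"]
    if not fulls:
        raise ValueError("no full backup to restore from")
    start = fulls[-1]
    chain = [start]
    diffs = [i for i in range(start + 1, len(plan)) if plan[i][1] == "differential"]
    if diffs:                          # the latest differential supersedes earlier sets
        start = diffs[-1]
        chain.append(start)
    chain += [i for i in range(start + 1, len(plan)) if plan[i][1] == "incremental"]
    return [plan[i][0] for i in chain]


# Constructed sample: full backup on Sunday, one file changes each weekday.
FILES = {"ledger.db", "payroll.csv", "ar.csv", "ap.csv"}
CHANGES = {"Mon": {"ledger.db"}, "Tue": {"payroll.csv"}, "Wed": {"ar.csv"}}
DAYS = ["Sun", "Mon", "Tue", "Wed"]


def weekly(kind):
    """Sunday full, then the given backup kind on every following day."""
    return plan_backups([(d, "full" if d == "Sun" else kind) for d in DAYS],
                        CHANGES, FILES)


INCREMENTAL, DIFFERENTIAL = weekly("incremental"), weekly("differential")
```
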

How is this chapter examined in ACCTING 2503?

As definitions and clean distinctions applied to a scenario. Test 1 uses case-based multiple choice; the closed-book final (50%) hands you a business situation and asks you to name the control, classify it and justify it. Expect 'distinguish X from Y' prompts (authentication vs authorisation, symmetric vs asymmetric, hashing vs encryption, incremental vs differential, BCP vs DRP), 'which key encrypts/decrypts?' questions, and 'give a control at each stage' questions where you must match a named check to the specific symptom rather than listing controls generically.

Study strategy

Exam move

Build your answers around the framework: say 'Security is the foundational, management-level principle; confidentiality, privacy, processing integrity and availability are the reliability outcomes it enables', then drill into the specific control. Memorise the four highest-value distinctions cold, because the final is closed-book: authentication (who) vs authorisation (what); symmetric vs asymmetric vs hybrid encryption; hashing (one-way integrity) vs encryption (reversible secrecy); and the two opposite key directions for signing versus secrecy. For processing integrity, practise sorting controls into input / processing / output and matching each check to a scenario symptom (limit check for negative hours, field check for a non-numeric rate, validity check against the master file). For availability, keep three pairs sharp — incremental vs differential backup, BCP vs DRP, cold vs hot site. The marks reward precise vocabulary applied to a case, not padded prose.

ACCTING2503 · Accounting Systems And Analytics - independent study guide on the AskSia Library.