ISBN 13: 9781893209107

From the Publisher:

Preparing Business for Secure E-Commerce - Deloitte & Touche and ISACF Release Best Practices Report

NEW YORK ( May 31, 2000) - To help businesses maintain secure information technology (IT) as they navigate the challenges of e-commerce, the Information Systems Audit and Control FoundationTM (ISACFTM) and Deloitte & Touche LLP have published E-Commerce Security - Enterprise Best Practices, a perspective on security, control and audit issues involved in e-commerce.

The book completes the second stage of a four-phase research project to define best practices and evaluate the role, status and implementation of e-commerce security measures around the world. It is a follow up to the first book, E-Commerce Security - A Global Status Report, which detailed results of interviews and survey responses from professionals in 46 countries. Both publications help link business management initiatives with information systems security concerns.

E-Commerce Security - Enterprise Best Practices establishes a framework for business managers to understand the principles of e-commerce security and how to best control and implement it within their organizations. The book offers valuable insights and best practices involving e-commerce issues such as protecting data, maintaining confidentiality, confirming identities, controlling system changes, detecting unauthorized intrusions and handling denial of service attacks.

According to the study, some major risks of doing business via the Internet include: §

Interception. Because information is usually transferred in unencrypted, plain text, information can be viewed and modified at any point between the client and server. §

Redirection. Also known as "spoofing," it is relatively easy for people to impersonate a web service or represent a web site or organization falsely. §

Identification. It is relatively easy for people to assume a different, or fraudulent, identity on the Internet. Because there is not yet a globally-accepted standard to establish identity, e-commerce sites must implement unique solutions. §

Exploitable Program Errors. All computer software, including web servers and browsers, is prone to errors or "bugs." These weaknesses have long enabled attackers to commit unauthorized actions including denial of service and vandalism. §

Weak Client Security. Even if an e-commerce provider manages its internal risks, it often is powerless to do the same for clients. For example, even though vendors regularly issue program patches to correct security problems, only a small portion of Internet users performs the updates. They are then at risk of well-documented problems - and so are the e-commerce sites they use.

"Establishing 'best practices' is the next logical and necessary step as e-commerce progresses," said Paul A. Williams, FCA, MBCS, international president of the Information Systems Audit and Control Association® and Foundation (ISACATM/F). "Businesses must fully integrate security as they venture into the new terrain of e-commerce, yet it must be seamless and allow all the expected functionality. This publication will help businesses focus on what they should look at and steps they can take to protect their e-commerce initiatives."

E-Commerce Security - Enterprise Best Practices encompasses both business-to-business (B2B) and business-to-consumer (B2C) e-commerce models. It is designed as a framework applicable to all IT platforms and environments.

"To date, there is no established set of rules surrounding the security of e-commerce," said Robert B. Rothermel, global managing director of Deloitte & Touche's Enterprise Risk Services practice. "We believe this research is the first step in establishing one universal framework that can be implemented by businesses around the world."

"Many businesses didn't consider e-commerce security issues until the recent denial of service attacks on major online retailers," explained Steven Ross, director in the ERS practice at Deloitte & Touche. "It was just a matter of time before such disruptions were executed and we have reacted promptly to help organizations put measures in place that will help limit such incidents and other breaches of security in the future."

Excerpt. © Reprinted by permission. All rights reserved.:

Introduction

This document is intended to be a tutorial on the issues of e-Commerce Security for the control community- that is, to anyone with a professional interest in the design, implementation and assessment of controls for e-Commerce.

ISACA defines e-Commerce as the processes by which organizations conduct business electronically with their customers, suppliers and other external business partners, using the Internet as an enabling technology. It therefore encompasses both business-to business (B2B) and business-to-consumer (B2C) e-Commerce models, but does not include existing non-Internet e-Commerce methods based on private networks, such as EDI and S.W.I.F.T.

While this Perspective necessarily explores new technology issues of e-Commerce, it focuses on security, audit and control issues. The field of e-Commerce is developing rapidly on the combined fronts of technology and business use. By its nature, e-Commerce security challenges its practitioners in many different ways from the security environments of recent times that must now be considered as legacy. The primary objective of the authors has been to establish a framework that the reader can use to understand the principles of e-Commerce security and the challenges for their particular organizations and environments, and then go on to seek more detail from other sources.

This Perspective provides introductory material on technology and auditing. It is not intended to be product specific, and generally was developed around concepts or a range of technologies.

E-Commerce-Global Best Practices is a follow-up to the first publication developed in this series, e-Commerce-A Global Status Report. It takes up where the prior document left off. Now that the global status of e-Commerce security uncovered, this publication readily identifies the areas of e-Commerce that need attention to maintain a feeling that your organization’s security is not falling behind.

Security Goals
Security is a subject often used with different meanings in widely different contexts. For example, security of an enterprise’s financial investments is quite different from security of corporate personal data. This Perspective clearly focuses on the security of information as used in commercial transactions over the Internet. There are always many ways to define any term, especially one such as information security that is commonly shared among widely varying communities, including computer vendors, corporate business managers, private individuals and military interests. However, rather than endlessly debate the true definition, this document assumes a conventional approach with security defined by its principal objectives. These have often been expressed with the convenient CIA acronym as in confidentiality, integrity and availability.

Confidentiality is an e-Commerce issue in that potential consumers are (rightly) concerned about providing unknown vendors with personal, sometimes sensitive, information. Moreover, the medium of the Internet is a broadcast network; whatever is placed on it is routed over wide-ranging and essentially uncontrolled paths. There is concern about the integrity of information for much the same reason, in that data passing over a broadcast network can be intercepted and potentially misused. This, in essence, is the fear of hacking. While hacking undoubtedly occurs, it is questionable whether it is so prevalent as to be a direct threat to individual consumers, as much as an infrastructural inhibitor. Nonetheless, whether or not the fear is rational, it has been a factor affecting the initial growth of e-Commerce. E-vendors in particular are focused on availability. If their sites are not up, they cannot do business, and lose out on potential revenues.

SECURITY GOALS

Management should employ the controls, tools, mechanisms, and supervision necessary to ensure that they can: ·

Authenticate the identity of all parties to the application or communication ·

Protect the traffic from modification, destruction, interference, or contamination ·

Protect the traffic from inappropriate or unnecessary disclosure ·

Ensure that the business can continue to operate in the case of technology failures ·

Demonstrate to an independent party the accountability for all business transactions to the level of an individual ·

Recognize variances from the intended use, operation, or behavior of systems and take timely and effective corrective action

In addition to CIA, two further goals are increasingly required in dealing with e-Commerce: authentication and non-repudiation. These two are closely linked. Individuals using e-Commerce applications must be identified and in some manner must prove that they are who they say they are before the transaction is entered into, or at least, before it is completed. Then, after the fact, there must be some manner of ensuring that the individuals cannot deny that the transaction had been entered into, or at least that they had performed the transaction.

"About this title" may belong to another edition of this title.