12 Security Services that are Critical for Successful E-Commerce Security. Comprehensive Safeguards Assessment for your E-Commerce and Web Server.
E-Commerce and Web Server Safeguards.
Develop Security Service Options for your E-Commerce and Web Server.
The services provided by information security organizations vary from company to company. Several factors will determine the required services, but the most significant considerations include:
- Industry factors
- The company’s risk appetite
- Maturity of the security function
- Organizational approach (centralized or decentralized)
- Impact of past security incidents
- Internal organizational factors
- Political factors
- Regulatory factors
- Perceived strategic value of information security
Security services are defined as safeguards and control measures to protect the confidentiality, integrity, and accountability of information and computing resources. Security services that are required to secure e-commerce transactions need to be based on the business requirements and on the willingness to assume or reduce the risk of the information being compromised. Information security professionals can be subject-matter experts, but they are rarely equipped to make the business decisions required to select the necessary services. Twelve security services that are critical for successful e-commerce security have been identified:
1. Policy and procedures are a security service that defines the amount of information security that the organization requires and how it will be implemented. Effective policy and procedures will dovetail with system strategy, development, implementation, and operation. Each organization will have different policies and procedures; best practice dictates that organizations have policies and procedures based on the risk the organization is willing to take with its information. At a minimum, organizations should have a high-level policy that dictates the proper use of information assets and the ramifications of misuse.
2. Confidentiality and encryption are a security service that secures data while they are stored or in transit from one machine to another. A number of encryption schemes and products exist; each organization needs to identify those products that best integrate with the application being deployed.
3. Authentication and identification are a security service that differentiates users and verifies that they are who they claim to be. Typically, passwords are used, but stronger methods include tokens, smart cards, and biometrics. These stronger methods verify what you have (e.g., token) or who you are (e.g., biometrics), not just what you know (password). Two-factor authentication combines two of these three methods and is referred to as strong authentication.
4. Authorization determines what access privileges a user requires within the system. Access includes data, operating system, transactional functions, and processes. Access should be approved by management who own or understand the system before access is granted. Authorized users should be able to access only the information they require for their jobs.
5. Authenticity is a security service that validates a transaction and binds the transaction to a single accountable person or entity. Also called nonrepudiation, authenticity ensures that a person cannot dispute the details of a transaction. This is especially useful for contract and legal purposes.
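As an added illustration of the binding described above (example code, not part of the original article), the following Go program signs a constructed order record with a customer's ECDSA key and verifies it; a later change to any field, or a check against someone else's key, fails verification. The Order fields and the "|" canonical form are assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Order is a constructed e-commerce transaction record; its field set is an assumption.
type Order struct {
	OrderID, Customer, Item string
	Cents                   int64
}

// digest serialises the order in a fixed field order and hashes it, so the
// signature covers every field (assumes no field contains the "|" separator).
func digest(o Order) []byte {
	canon := fmt.Sprintf("%s|%s|%s|%d", o.OrderID, o.Customer, o.Item, o.Cents)
	h := sha256.Sum256([]byte(canon))
	return h[:]
}

// SignOrder binds the order to the holder of priv: only that private key can
// produce a signature that verifies, which is what makes the record non-repudiable.
func SignOrder(priv *ecdsa.PrivateKey, o Order) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, priv, digest(o))
}

// VerifyOrder checks the stored signature against the signer's public key;
// a signature made over different details, or by a different key, fails.
func VerifyOrder(pub *ecdsa.PublicKey, o Order, sig []byte) bool {
	return ecdsa.VerifyASN1(pub, digest(o), sig)
}

func main() {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // customer's key pair
	order := Order{OrderID: "A-1001", Customer: "alice", Item: "SKU-42", Cents: 4999}
	sig, _ := SignOrder(priv, order)
	fmt.Println("original verifies:", VerifyOrder(&priv.PublicKey, order, sig))
	tampered := order
	tampered.Cents = 499 // disputed amount: the signature no longer matches
	fmt.Println("tampered verifies:", VerifyOrder(&priv.PublicKey, tampered, sig))
}
```

The code shows only the cryptographic binding; nonrepudiation in practice also depends on the signer alone holding the private key and on that key being tied to an identity, for example through a certificate.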
6. Monitoring and audit provide an electronic trail for a historical record of the transaction. Audit logs consist of operating system logs, application transaction logs, database logs, and network traffic logs. Monitoring these logs for unauthorized events is considered a best practice.
7. Access controls and intrusion detection are technical, physical, and administrative services that prevent unauthorized access to hardware, software, or information. Data are protected from alteration, theft, or destruction. Access controls are preventive—stopping unauthorized access from occurring. Intrusion detection catches unauthorized access after it has occurred, so that damage can be minimized and access cut off. These controls are especially necessary when confidential or critical information is being processed.
8. Trusted communication is a security service that assures that communication is secure. In most instances involving the Internet, this means that the communication will be encrypted. In the past, communication was trusted because it was contained within an organization’s perimeter. Communication is currently ubiquitous and can come from almost anywhere, including extranets and the Internet.
9. Antivirus is a security service that prevents, detects, and cleans viruses, Trojan horse programs, and other malware.
10. System integrity controls are security services that help to assure that the system has not been altered or tampered with by unauthorized access.
11. Data retention and disposal are a security service that keeps required information archived, or deletes data when they are no longer Availability of retained data is critical when an emergency exists. This is true whether the problem is a systems outage or a legal process, whether caused by a natural disaster or by a terrorist attack (e.g., September 11, 2001).
12. Data classification is a security service that identifies the sensitivity and confidentiality of information. The service provides guides for information labeling, and for protection during the information’s life.
Not all of the services will be relevant for you, but using a complete list and excluding those that are not required will assure a comprehensive assessment of requirements, with appropriate security built into the system’s development. In fact, management can reconcile the services accepted with their level of risk acceptance.