12 Security Services that are Critical for Successful E-Commerce Security. Comprehensive Safeguards Assessment for your E-Commerce and Web Server.
E-Commerce and Web Server Safeguards.
Develop Security Service Options for your E-Commerce and Web Server.
The services provided by information security organizations vary from company to company. Several factors will determine the required services, but the most significant considerations include:
Industry factors
The company’s risk appetite
Maturity of the security function
Organizational approach (centralized or decentralized)
Impact of past security incidents
Internal organizational factors
Political factors
Regulatory factors
Perceived strategic value of information security
Security services are defined as safeguards and control measures to protect the confidentiality, integrity, and accountability of information and computing resources. Security services that are required to secure e-commerce transactions need to be based on the business requirements and on the willingness to assume or reduce the risk of the information being compromised. Information security professionals can be subject-matter experts, but they are rarely equipped to make the business decisions required to select the necessary services. Twelve security services that are critical for successful e-commerce security have been identified:
1. Policy and procedures are a security service that defines the amount of information security that the organization requires and how it will be implemented. Effective policy and procedures will dovetail with system strategy, development, implementation, and operation. Each organization will have different policies and procedures; best practice dictates that organizations have policies and procedures based on the risk the organization is willing to take with its information. At a minimum, organizations should have a high-level policy that dictates the proper use of information assets and the ramifications of misuse.
2. Confidentiality and encryption are a security service that secures data while they are stored or in transit from one machine to another. A number of encryption schemes and products exist; each organization needs to identify those products that best integrate with the application being deployed.
3. Authentication and identification are a security service that differentiates users and verifies that they are who they claim to be. Typically, passwords are used, but stronger methods include tokens, smart cards, and biometrics. These stronger methods verify what you have (e.g., token) or who you are (e.g., biometrics), not just what you know (password). Two-factor authentication combines two of these three methods and is referred to as strong authentication.
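As an added illustration of the strong authentication described above (example code, not part of the original text), the following Python verifies both factors: a password checked against a salted PBKDF2 hash (what you know) and a time-based one-time code from a token (what you have), computed with the TOTP algorithm of RFC 6238 over HMAC-SHA1. The user record, the password and the token seed are constructed for the demonstration; the seed is the RFC 6238 test-vector secret so the generated codes can be checked against the published values.

```python
import hashlib
import hmac
import os
import struct
import time
from typing import Optional

PBKDF2_ROUNDS = 200_000   # work factor for the stored password hash
TOTP_STEP = 30            # seconds per TOTP time step (RFC 6238 default)


def hash_password(password: str, salt: bytes) -> bytes:
    """Derive a salted PBKDF2-HMAC-SHA256 hash; only this is stored, never the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def make_user(password: str, totp_secret: bytes) -> dict:
    """Constructed user record: password hash (factor 1) and token seed (factor 2)."""
    salt = os.urandom(16)
    return {"salt": salt, "pw_hash": hash_password(password, salt), "totp_secret": totp_secret}


def totp(secret: bytes, timestamp: int, step: int = TOTP_STEP, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP (RFC 4226) over the time-step counter, HMAC-SHA1."""
    counter = timestamp // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_two_factor(user: dict, password: str, code: str,
                      now: Optional[int] = None, window: int = 1) -> bool:
    """Return True only if BOTH the password and the one-time code are valid.

    Both factors are always evaluated and compared in constant time, so a
    wrong password and a wrong code are not distinguishable by timing.
    A window of one step either side tolerates small clock drift on the token.
    """
    now = int(time.time()) if now is None else now
    password_ok = hmac.compare_digest(hash_password(password, user["salt"]), user["pw_hash"])
    code_ok = False
    for i in range(-window, window + 1):
        expected = totp(user["totp_secret"], now + i * TOTP_STEP)
        if hmac.compare_digest(expected, code):
            code_ok = True
    return password_ok and code_ok


if __name__ == "__main__":
    # Constructed demo: RFC 6238 test secret, so totp(secret, 59) == "287082".
    demo_secret = b"12345678901234567890"
    user = make_user("correct horse battery", demo_secret)
    print("code at T=59:", totp(demo_secret, 59))
    print("login ok:", verify_two_factor(user, "correct horse battery", "287082", now=59))
    print("wrong password:", verify_two_factor(user, "guess", "287082", now=59))
```

The point of the structure is that a single factor never grants access: the password check and the code check are independent, both are computed before the decision is made, and both use constant-time comparison.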
4. Authorization determines what access privileges a user requires within the system. Access includes data, operating system, transactional functions, and processes. Access should be approved by management who own or understand the system before access is granted. Authorized users should be able to access only the information they require for their jobs.
5. Authenticity is a security service that validates a transaction and binds the transaction to a single accountable person or entity. Also called nonrepudiation, authenticity ensures that a person cannot dispute the details of a transaction. This is especially useful for contract and legal purposes.
6. Monitoring and audit provide an electronic trail for a historical record of the transaction. Audit logs consist of operating system logs, application transaction logs, database logs, and network traffic logs. Monitoring these logs for unauthorized events is considered a best practice.
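To show what monitoring the audit trail for unauthorized events can look like in practice, here is an added Python example (not from the original text) that parses web server access log lines in the common combined format and raises findings for two patterns: repeated authentication failures on the login path from one address, and successful access to an administrative path by a user who is not on the constructed allow-list. The log lines, the addresses, the user names, the paths and the `ADMIN_USERS` set are all constructed for the demonstration; the example generalizes to any log in this format.

```python
import re
from collections import Counter

# Constructed policy inputs for the demonstration.
ADMIN_USERS = {"alice"}        # users permitted under /admin/
LOGIN_PATH = "/login"
ADMIN_PREFIX = "/admin/"

# Constructed sample lines in Apache/nginx combined-log format; the last
# line is deliberately malformed to show how parse failures are surfaced.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "POST /login HTTP/1.1" 401 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:38 +0000] "POST /login HTTP/1.1" 401 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:40 +0000] "POST /login HTTP/1.1" 401 512 "-" "Mozilla/5.0"
198.51.100.4 - alice [10/Oct/2023:13:56:01 +0000] "GET /admin/orders HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.9 - mallory [10/Oct/2023:13:56:20 +0000] "GET /admin/orders HTTP/1.1" 200 2048 "-" "curl/8.0"
192.0.2.33 - - [10/Oct/2023:13:57:02 +0000] "GET /products/42 HTTP/1.1" 200 780 "-" "Mozilla/5.0"
this line is not a valid log entry
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def parse_line(line: str):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def find_unauthorized_events(lines, failed_threshold: int = 3):
    """Scan log lines and return a list of (kind, subject, detail) findings.

    kinds: "repeated_login_failures" (ip, count), "admin_access" (user, path)
    and "unparseable" (raw line, None) so that dropped records are not silent.
    """
    findings = []
    failed_logins = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            findings.append(("unparseable", line.strip(), None))
            continue
        if rec["path"] == LOGIN_PATH and rec["status"] in (401, 403):
            failed_logins[rec["ip"]] += 1
        if (rec["path"].startswith(ADMIN_PREFIX)
                and 200 <= rec["status"] < 300
                and rec["user"] not in ADMIN_USERS):
            findings.append(("admin_access", rec["user"], rec["path"]))
    for ip, count in failed_logins.items():
        if count >= failed_threshold:
            findings.append(("repeated_login_failures", ip, count))
    return findings


if __name__ == "__main__":
    for finding in find_unauthorized_events(SAMPLE_LOG.splitlines()):
        print(finding)
```

The two checks illustrate the two halves of the paragraph: the login-failure counter works purely from the historical record, while the admin-path check compares what the log says happened against what the authorization policy says should be allowed. Unparseable lines are reported rather than dropped, because a log that cannot be read is itself a monitoring gap.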
7. Access controls and intrusion detection are technical, physical, and administrative services that prevent unauthorized access to hardware, software, or information. Data are protected from alteration, theft, or destruction. Access controls are preventive—stopping unauthorized access from occurring. Intrusion detection catches unauthorized access after it has occurred, so that damage can be minimized and access cut off. These controls are especially necessary when confidential or critical information is being processed.
8. Trusted communication is a security service that assures that communication is secure. In most instances involving the Internet, this means that the communication will be encrypted. In the past, communication was trusted because it was contained within an organization’s perimeter. Communication is currently ubiquitous and can come from almost anywhere, including extranets and the Internet.
9. Antivirus is a security service that prevents, detects, and cleans viruses, Trojan horse programs, and other malware.
10. System integrity controls are security services that help to assure that the system has not been altered or tampered with by unauthorized access.
11. Data retention and disposal are a security service that keeps required information archived, or deletes data when they are no longer needed. Availability of retained data is critical when an emergency exists. This is true whether the problem is a systems outage or a legal process, whether caused by a natural disaster or by a terrorist attack (e.g., September 11, 2001).
12. Data classification is a security service that identifies the sensitivity and confidentiality of information. The service provides guides for information labeling, and for protection during the information’s life.
Not all of the services will be relevant for you, but using a complete list and excluding those that are not required will assure a comprehensive assessment of requirements, with appropriate security built into the system’s development. In fact, management can reconcile the services accepted with their level of risk acceptance.