
CONSIDERING SECURITY AND CONTROL


Source: The New Straits Times
Posted on July 20, 2001

      The complexity of modern enterprises, their reliance on technology and the heightened interconnectivity among organizations create widespread opportunities for theft, fraud and other forms of exploitation by offenders both outside and inside an organization.

      With the growth of electronic business (e-business), internal and external perpetrators can exploit traditional vulnerabilities in just seconds, taking advantage of new weaknesses existing in the information system (IS) architecture that now form the backbone of most organizations.

      E-business is the complex fusion of business processes, enterprise applications and organizational structure necessary to create a high-performance business model in a chosen electronic space. E-business is not just about online transactions: it is the overall strategy of redefining old business models with the aid of technology to maximize customer and shareholder value.

      One of the biggest issues that must be taken into account in pursuing e-business initiatives is security and control. KPMG's 2001 Global e.fr@ud.survey provides insight into e-fraud and security-related issues based on 1,253 responses from the largest public and private companies in the world.

      According to the survey, 62 per cent of the respondents have already embraced e-business. Cost is a major inhibitor to implementing a full e-business system, aside from the availability of skills and security of information and privacy issues.

      There is an overwhelming indication from respondents that the security of the following areas was by far the most important issue to be addressed in any e-business initiative:

  • Credit card numbers;
  • System availability (for example, risk of denial of service attacks);
  • Confidentiality of customer and company information; and
  • The maintenance of the integrity of this information.

      However, less than 35 per cent of respondents have security audits performed on their systems. Only 12 per cent of respondents reported that their Web site bears a seal certifying that their e-business systems had passed a third-party security audit.

      Fifty per cent of businesses identified hackers and the poor implementation of security policies as the greatest threats to their e-business systems.

      The recent reports of hacking of prominent Web sites in Malaysia further reinforce this concern.

      The survey results illustrate how management can be misinformed about the actual vulnerabilities of their network systems. Some notable causes of misinformation are:

  • Poorly trained and/or poorly qualified system/network administrators;
  • Weak internal/implementation controls;
  • Poor reporting procedures for security breaches; and
  • Dishonest employees.

      Nevertheless, survey respondents from the majority of the participating countries stated that the security of their e-business system could be significantly enhanced by:

  • Regular system penetration testing;
  • Use of software specifically designed for security issues in an e-business environment; and
  • The increased use of encryption technology.

Taking action to protect your business

      E-business security and control is an ongoing, comprehensive process of adding, removing and managing layers of controls, based on a holistic approach to risk management. Since organizations are providing greater access to their systems to both people and systems outside their direct control, they must integrate a defence that encompasses all points of interconnectivity from the inside out. If they fail to do so, they may leave themselves vulnerable to attack.

Trusted third parties

      E-assurance is a framework that considers the e-business risks faced by businesses and describes the key parameters of internal control considered necessary in a borderless world.

      As e-businesses grow, more and more companies and customers need to establish "trust" among them by using trusted third parties. Research has shown that consumers would be more willing to engage in transactions online if there was an independent assurance of a Web site. One example is the WebTrust Seal of Assurance (http://WebTrust.net), which is placed on a particular Web site to assure potential customers that an independent professional third-party firm has evaluated the business practices, policies and controls of the Web site to determine if they are in accordance with the WebTrust Electronic Commerce Principles.

IS Governance

      An effective risk management structure allows an organization to understand the risks in any business initiative and make informed decisions on whether and how the risks should be managed.

      IS governance and risk management is about how an organization can better understand its technological risk to improve its performance and meet its objectives.

      IS governance in this context defines the organization's technology structures, roles, responsibilities and accountabilities. This includes the authority that supports the decision-making in an organization through internal IS audit/review and information technology (IT) due diligence. This should also include the management of compliance and regulatory requirements through standardization and enforcement of security policies and standards. As organizations rely heavily on their computer/IS for information, the need for IS audit/review and IT due diligence also becomes crucial.

      An organizational-wide defence ideally includes integrated business strategies established in the form of philosophies, policies, procedures and practices and implemented through defined action plans. Such organizational strategies should encompass technical, legal and business strategies. They should be implemented in a way that involves employees, customers, suppliers, third-party relationships and other key stakeholders.

      As technology continues to change, organizations must take the necessary steps to understand the related risks and control issues that will evolve with technology. They must understand how they might be affected by those risks and ensure that their defence processes and controls are continually updated to meet evolving needs.

      Encryption, firewalls, intrusion detection systems, incident response procedures, monitoring, and independent external IT/technology audits and reviews performed by external specialists are examples of techniques used to enhance the security of an e-business system.
