Tuesday 23 August 2011

Electronic Commerce Security Analysis: the main concerns

To analyze the Electronic Commerce (EC) security of a business, you need to pay attention to the following matters:

a. Build on the theories and frameworks of computer security, information security and Information Systems audit
b. Review the unique characteristics of EC so that you can adapt the theories in (a) to the EC case.
c. Then consider EC-specific security frameworks, technologies and practices, building on the foundational knowledge from (a) and (b).

Take the case of (b) above: EC is global and local (or "glocal"); EC is real-time; EC is collaborative; and EC is virtual. These characteristics affect the corporate EC external and internal environments, and thus the specific EC security analysis. Beyond that, I encourage you to adopt a systematic approach to EC security that is based mainly on risk management thinking (re: http://en.wikipedia.org/wiki/Risk_management). Generally, consider the following:

a. Classify threats (internal or external; intentional or unintentional; severity of impact: serious, disastrous, etc.) and classify safeguards as preventive, detective and corrective; then consider insurance as a risk-transfer option. Disaster recovery planning and business continuity management are corrective in nature, but they are treated as a separate topic because of their potentially fatal business impact (re: http://www.thebci.org/). Safeguards (or controls) can be general or application-specific. Obviously you need to relate specific EC security tools, security standards and practices to these variables; in other words, you need concrete examples for illustration.
b. Examine threats, safeguards, the vulnerability of assets and the consequences of a successful EC attack. The model that combines the probability of a threat, the probability that an attack succeeds and a measure of the consequence is highly relevant here: the expected loss from a threat is the product of the three. You need to review these variables from time to time because they change frequently. From a game-theory perspective, the security game involves attack, defence and counter-attack.
c. The criteria for EC security evaluation are cost-benefit analysis and three levels of measures: level 1, legal compliance; level 2, peer-group standards; and level 3, the strategic considerations of the specific business.
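The risk model in (b) and the cost-benefit criterion in (c), as an added worked example that is not part of the original post: a small risk register in Python in which annual exposure is P(threat) × P(success) × consequence, each safeguard is classified as preventive, detective, corrective or transfer (insurance), and a safeguard pays for itself when the exposure it removes exceeds its annual cost. All threat names, probabilities, losses, costs and severity thresholds are constructed assumptions for illustration only; the level-1 legal-compliance criterion is represented by a `mandatory` flag that bypasses the cost-benefit test.

```python
"""Quantitative EC risk register with safeguard cost-benefit selection.

Added example, not code from the original post. Every probability, loss
and cost below is a constructed illustration, not a measurement.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Threat:
    name: str
    source: str        # "internal" or "external"
    intent: str        # "intentional" or "unintentional"
    p_threat: float    # probability of at least one attempt per year
    p_success: float   # probability an attempt succeeds against current controls
    impact: float      # loss per successful attack, in currency units

    def exposure(self) -> float:
        """Annual expected loss = P(threat) * P(success | attempt) * consequence."""
        return self.p_threat * self.p_success * self.impact


@dataclass(frozen=True)
class Safeguard:
    name: str
    kind: str                # preventive, detective, corrective or transfer (insurance)
    annual_cost: float
    success_factor: dict     # threat name -> multiplier on p_success (preventive effect)
    impact_factor: dict      # threat name -> multiplier on impact (detective/corrective/transfer)
    mandatory: bool = False  # level-1 criterion: required by law regardless of cost-benefit


def severity(threat: Threat, serious_at: float = 25_000, disastrous_at: float = 100_000) -> str:
    """Classify by the consequence of one successful attack (thresholds are constructed)."""
    if threat.impact >= disastrous_at:
        return "disastrous"
    if threat.impact >= serious_at:
        return "serious"
    return "minor"


def apply(threat: Threat, safeguard: Safeguard) -> Threat:
    """Return the threat as it looks with the safeguard in place (factors default to 1.0)."""
    return replace(
        threat,
        p_success=threat.p_success * safeguard.success_factor.get(threat.name, 1.0),
        impact=threat.impact * safeguard.impact_factor.get(threat.name, 1.0),
    )


def total_exposure(threats) -> float:
    return sum(t.exposure() for t in threats)


def net_benefit(threats, safeguard: Safeguard) -> float:
    """Annual loss avoided minus annual cost; positive means the control pays for itself."""
    before = total_exposure(threats)
    after = total_exposure(apply(t, safeguard) for t in threats)
    return (before - after) - safeguard.annual_cost


def rank_threats(threats) -> list:
    """Threat names ordered by annual exposure, highest first."""
    return [t.name for t in sorted(threats, key=lambda t: t.exposure(), reverse=True)]


def select_safeguards(threats, safeguards) -> list:
    """Mandatory controls first (legal compliance), then those with positive net benefit."""
    required = [s.name for s in safeguards if s.mandatory]
    optional = [(net_benefit(threats, s), s.name) for s in safeguards if not s.mandatory]
    paying = [name for nb, name in sorted(optional, reverse=True) if nb > 0]
    return required + paying


# Constructed register for a hypothetical small online shop; figures are illustrative only.
THREATS = [
    Threat("card_data_breach", "external", "intentional", 0.5, 0.2, 400_000),
    Threat("insider_fraud", "internal", "intentional", 0.2, 0.5, 50_000),
    Threat("config_error_outage", "internal", "unintentional", 0.8, 0.5, 20_000),
    Threat("ddos", "external", "intentional", 0.6, 0.4, 30_000),
]

SAFEGUARDS = [
    Safeguard("web_app_firewall", "preventive", 15_000, {"card_data_breach": 0.5}, {}),
    Safeguard("intrusion_detection", "detective", 8_000, {},
              {"card_data_breach": 0.6, "insider_fraud": 0.5}),
    Safeguard("cyber_insurance", "transfer", 12_000, {},
              {"card_data_breach": 0.25, "ddos": 0.5}),
    # Assumed to be required by a regulator, so it is selected even at a net loss.
    Safeguard("disaster_recovery_plan", "corrective", 30_000, {},
              {"config_error_outage": 0.2, "ddos": 0.3}, mandatory=True),
]

if __name__ == "__main__":
    for t in THREATS:
        print(f"{t.name:24} {severity(t):10} exposure={t.exposure():10.0f}")
    for s in SAFEGUARDS:
        print(f"{s.name:24} {s.kind:10} net benefit={net_benefit(THREATS, s):10.0f}")
    print("selected:", select_safeguards(THREATS, SAFEGUARDS))
```

On these constructed numbers the card-data breach dominates exposure (40,000 per year) even though it is the least likely attempt, which is why the transfer option (insurance) and the detective control both beat the preventive one; the disaster recovery plan loses money on paper but is kept because of the level-1 compliance rule. Re-running the register after each selected control is applied, rather than scoring each in isolation as here, is the next refinement, since the controls overlap on the same threats.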

I am not going to provide further details on these items, as there is a lot of detail involved. I just want to say that EC security tools and practices change very fast; it is important for you to have an organized and effective way to think about the topic.

References
  1. Certified IS Auditors: http://www.isaca.org/Certification/CISA-Certified-Information-Systems-Auditor/What-is-CISA/Pages/default.aspx
  2. EC security (IBM): http://www.ibm.com/developerworks/websphere/library/techarticles/0504_mckegney/0504_mckegney.html
  3. EC security for merchants: http://www.ecommerce-digest.com/ecommerce-security-issues.html
  4. On Intrusion detection system: http://en.wikipedia.org/wiki/Intrusion_detection_system
  5. On public key infrastructure: http://en.wikipedia.org/wiki/Public_key_infrastructure
  6. Truste: http://connect.truste.com/truste/getform/reg/search_amer_privacy_brand_learnmoreQ2_11?campaign=70180000000TC6Q&campaign_theme=Privacy&campaign_tactic=Keyword_APAC_Privacy_Google_Brand_Exact_LearnMore&leadsource_detail=Keyword_APAC_Privacy_Google_Brand_Exact_LearnMore&lead_source=Keyword&gclid=CJ62wb6D5qoCFWQD4god71FM7A
