e-Commerce Security - Enterprise Best Practices
This document is intended to be a tutorial on the issues of e-Commerce security for the control community, that is, for anyone with a professional interest in the design, implementation and assessment of controls for e-Commerce.
ISACA defines e-Commerce as the processes by which organizations conduct business electronically with their customers, suppliers and other external business partners, using the Internet as an enabling technology. It therefore encompasses both business-to-business (B2B) and business-to-consumer (B2C) e-Commerce models, but does not include existing non-Internet e-Commerce methods based on private networks, such as EDI and S.W.I.F.T.
While this Perspective necessarily explores the new technology issues of e-Commerce, it focuses on security, audit and control issues. The field of e-Commerce is developing rapidly on the combined fronts of technology and business use. By its nature, e-Commerce security challenges its practitioners in ways that differ markedly from the security environments of recent times, which must now be regarded as legacy. The primary objective of the authors has been to establish a framework that readers can use to understand the principles of e-Commerce security and the challenges for their particular organizations and environments, and then go on to seek more detail from other sources.
This Perspective provides introductory material on technology and auditing. It is not intended to be product specific, and generally was developed around concepts or a range of technologies.
E-Commerce - Global Best Practices is a follow-up to the first publication developed in this series, e-Commerce - A Global Status Report, and takes up where the prior document left off. Now that the global status of e-Commerce security has been uncovered, this publication identifies the areas of e-Commerce that need attention to ensure that your organization's security is not falling behind.
Security is a term used with different meanings in widely different contexts. For example, the security of an enterprise's financial investments is quite different from the security of corporate personal data. This Perspective focuses specifically on the security of information as used in commercial transactions over the Internet. There are many ways to define any term, especially one such as information security that is shared among widely varying communities, including computer vendors, corporate business managers, private individuals and military interests. Rather than endlessly debate the true definition, this document takes a conventional approach and defines security by its principal objectives. These are often expressed with the convenient acronym CIA: confidentiality, integrity and availability.
Confidentiality is an e-Commerce issue in that potential consumers are (rightly) concerned about providing unknown vendors with personal, sometimes sensitive, information. Moreover, the Internet is a broadcast medium: whatever is placed on it is routed over wide-ranging and essentially uncontrolled paths. Integrity of information is a concern for much the same reason, in that data passing over a broadcast network can be intercepted and potentially misused. This, in essence, is the fear of hacking. While hacking undoubtedly occurs, it is questionable whether it is so prevalent as to be a direct threat to individual consumers; its greater effect may be as an inhibitor of the infrastructure as a whole. Nonetheless, whether or not the fear is rational, it has been a factor affecting the initial growth of e-Commerce. E-vendors in particular are focused on availability: if their sites are not up, they cannot do business and lose out on potential revenues.
Management should employ the controls, tools, mechanisms, and supervision necessary to ensure that they can:
- Authenticate the identity of all parties to the application or communication
- Protect the traffic from modification, destruction, interference, or contamination
- Protect the traffic from inappropriate or unnecessary disclosure
- Ensure that the business can continue to operate in the event of technology failures
- Demonstrate to an independent party the accountability for all business transactions to the level of an individual
- Recognize variances from the intended use, operation, or behavior of systems and take timely and effective corrective action
In addition to CIA, two further goals are increasingly required in e-Commerce: authentication and non-repudiation. The two are closely linked. Individuals using e-Commerce applications must be identified and must in some manner prove that they are who they say they are before the transaction is entered into, or at least before it is completed. Then, after the fact, there must be some means of ensuring that the individuals cannot deny that the transaction was entered into, or at least that they performed it.