Creating a Winning E-Business Second Edition - PowerPoint PPT Presentation

About This Presentation
Title:

Creating a Winning E-Business Second Edition

Description:

... high-speed Internet connections to download music and video files ... Penetration testing uses real-world hacking tools to test network and Web site security ... – PowerPoint PPT presentation

Slides: 32
Provided by: oll66


1
Creating a Winning E-Business, Second Edition
  • Securing Your E-Business
  • Chapter 10

2
Learning Objectives
  • Describe the risk management process
  • Describe business continuity planning
  • Discuss the importance of business records
    management
  • List the security risks and remedies associated
    with networks and Web sites
  • Discuss the value of a security audit and network
    penetration testing

3
Risk Management
  • A process that
    • Identifies a risk of business loss
    • Assesses the risk's potential impact
    • Determines how to handle the risk
    • Protects physical assets from damage or theft
    • Protects nonphysical assets from network-related
      risks

4
Risk Management
5
Risk Management
  • Handling perceived risks
    • Strong security policies and procedures
    • Appropriate physical protections and security
    • Transferring all or part of the risk to someone
      else via insurance
    • Policy deductible is the retained portion of the
      risk

6
Risk Management
7
Risk Management
8
Business Continuity Planning
  • A business continuity plan (BCP)
    • Specifies how an e-business will resume partial
      or complete operations after a major disruption
    • Identifies events that might cause a disruption
    • Determines the resources needed to maintain
      critical business functions

9
Business Continuity Planning
  • A business continuity plan (BCP) (continued)
    • Specifies how an e-business will resume partial
      or complete operations after a major disruption
    • Develops the technical procedures to recover
      critical business systems (disaster recovery
      plan)
    • Establishes procedures for communicating with
      employees, clients, vendors, emergency service
      personnel, and so forth

10
Business Continuity Planning
  • BCP information may include (but is not limited
    to)
    • Backup copies of software and data
    • Instructions on how to access backups stored
      offsite
    • Copies of
      • Electronic file backup procedures
      • Computer network configuration information
      • Emergency contact procedures

11
Business Continuity Planning
  • BCP information (continued)
    • Copies of
      • Emergency duty rosters
      • Office space floor plans
      • Lists of computer and telecommunications
        equipment
      • Lease agreements
      • Insurance policies
      • Emergency service agreements with utility and
        communications providers

12
Business Continuity Planning
  • A BCP and its accompanying disaster recovery plan
    must be reviewed and tested on an ongoing basis
  • Check with your ISP or Web hosting company to verify
    their BCP and disaster recovery plans

13
Business Records Management
  • Planning processes and actions necessary to make
    certain that business records are
    • Safely retained for an appropriate period of time
    • Guarded against unauthorized access
    • Destroyed per schedule when no longer needed

14
Business Records Management
  • Establishing procedures for handling critical
    business records is part of overall business
    continuity planning
  • Primary records document key e-business
    activities
  • Secondary records include information that
    supports primary business activities

15
Business Records Management
  • Identify primary and secondary records
  • Store records in a secure online or offline
    environment
  • Control access to the stored records
  • Search for records as needed
  • Maintain records-retention schedule
  • Destroy records as scheduled
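The six steps on this slide (identify, store, control access, search, retain on schedule, destroy on schedule) form one procedure, so here is a small added example that walks through all of them in code. It is not from the book or its publisher; the record classes, keyword rule, role list and retention periods are constructed assumptions for illustration, and the sample records are made up.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Hypothetical retention schedule in days, keyed by record class
# (assumption: primary records kept 7 years, secondary 3 years).
RETENTION_DAYS = {
    "primary": 7 * 365,    # e.g. orders, contracts, invoices
    "secondary": 3 * 365,  # e.g. supporting correspondence
}

# Hypothetical access-control list: which roles may read each record class.
ACCESS_ROLES = {
    "primary": {"records_manager", "finance"},
    "secondary": {"records_manager", "finance", "support"},
}


@dataclass(frozen=True)
class Record:
    record_id: str
    record_class: str   # "primary" or "secondary"
    created: date
    subject: str


def classify(subject: str) -> str:
    """Step 1: identify primary vs secondary records (keyword rule is an assumption)."""
    primary_keywords = ("order", "contract", "invoice")
    return "primary" if any(k in subject.lower() for k in primary_keywords) else "secondary"


def can_access(role: str, record: Record) -> bool:
    """Step 3: control access to stored records by role."""
    return role in ACCESS_ROLES.get(record.record_class, set())


def search(records, role, term):
    """Step 4: search, returning only records the requesting role may see."""
    term = term.lower()
    return [r for r in records if can_access(role, r) and term in r.subject.lower()]


def due_for_destruction(records, today):
    """Step 5: apply the retention schedule; return ids whose period has expired."""
    due = []
    for r in records:
        limit = timedelta(days=RETENTION_DAYS[r.record_class])
        if today - r.created >= limit:
            due.append(r.record_id)
    return due


def destroy(records, today, audit_log):
    """Step 6: remove expired records, writing an audit entry for each destruction."""
    expired = set(due_for_destruction(records, today))
    kept = [r for r in records if r.record_id not in expired]
    for rid in sorted(expired):
        audit_log.append(f"{today.isoformat()} destroyed {rid} per schedule")
    return kept


# Constructed sample records (step 2, the secure store, is represented by this list).
SAMPLE = [
    Record("R-1", classify("Customer order 1042"), date(2015, 3, 1), "Customer order 1042"),
    Record("R-2", classify("Support chat transcript"), date(2019, 6, 15), "Support chat transcript"),
    Record("R-3", classify("Hosting contract renewal"), date(2021, 1, 10), "Hosting contract renewal"),
]

if __name__ == "__main__":
    log = []
    remaining = destroy(SAMPLE, date(2023, 7, 1), log)
    print([r.record_id for r in remaining], log)
```

The audit log matters as much as the deletion: a destruction that cannot be shown to have followed the schedule looks the same to an auditor as an unexplained loss of records.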

16
Business Records Management
17
Network and Web Site Security
  • Threats against a private network can occur from
    anywhere on the public network
  • Viruses, worms, and Trojan horses
    • Virus: A small, malicious program that infects
      other programs
    • Worm: A type of virus that replicates itself
    • Trojan horse: Appears to be useful but actually
      does something destructive
    • Install and keep updated antivirus software

18
Network and Web Site Security
  • Hackers and crackers
    • Individuals who gain unauthorized access to
      private networks for personal gain or to take
      malicious actions
    • Monitor network performance
    • Use well-formed passwords
    • Install software/hardware firewalls

19
Network and Web Site Security
20
Network and Web Site Security
21
Network and Web Site Security
  • Unauthorized or inappropriate network access by
    employees and other insiders
    • Surfing the Web for personal use
    • Sending and receiving personal e-mail or instant
      messages
    • Circulating offensive material using internal
      e-mail or instant messages
    • Using business high-speed Internet connections to
      download music and video files

22
Network and Web Site Security
  • Unauthorized or inappropriate network access by
    employees and other insiders (continued)
    • Establish and circulate clearly worded acceptable
      use policies
    • Enforce acceptable use policies
    • Restrict physical access to network facilities
      and data
    • Install network and Internet monitoring software
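Slides 21 and 22 name the insider behaviours an acceptable use policy covers and then say to monitor for them. The following added example (not from the book) shows what the monitoring software does at its simplest: it reads proxy log lines and reports entries that breach two constructed rules, access to personal webmail/streaming/file-sharing hosts and large media downloads. The log format, host name patterns, size threshold and the log lines themselves are all assumptions made up for this example.

```python
import re
from collections import defaultdict

# Constructed proxy log: time, user, destination host, path, bytes transferred.
SAMPLE_LOG = """\
09:02:11 alice mail.example-webmail.test /inbox 4120
09:05:47 bob cdn.example-video.test /movies/clip.mp4 734003200
09:06:03 alice intranet.corp.test /wiki/policy 2048
09:41:19 carol music.example-share.test /tracks/song.mp3 9437184
10:15:00 bob cdn.example-video.test /movies/clip2.mp4 612368384
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d+)$")

# Hypothetical acceptable-use rules (assumptions, not from the chapter):
# host-name fragments that indicate personal webmail, streaming or file sharing,
# media file extensions, and a size above which a media download is reported.
PERSONAL_HOST_PATTERNS = ("webmail", "video", "share", "stream")
MEDIA_EXTENSIONS = (".mp3", ".mp4", ".avi", ".mkv")
LARGE_TRANSFER_BYTES = 100 * 1024 * 1024   # 100 MiB


def parse(log_text):
    """Turn raw log lines into dicts; malformed lines are skipped, not fatal."""
    entries = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, user, host, path, nbytes = m.groups()
        entries.append({"time": ts, "user": user, "host": host,
                        "path": path, "bytes": int(nbytes)})
    return entries


def aup_findings(entries):
    """Return {user: [finding, ...]} for entries that breach the AUP rules."""
    findings = defaultdict(list)
    for e in entries:
        if any(p in e["host"] for p in PERSONAL_HOST_PATTERNS):
            findings[e["user"]].append(f"{e['time']} personal-use host {e['host']}")
        if e["path"].lower().endswith(MEDIA_EXTENSIONS) and e["bytes"] >= LARGE_TRANSFER_BYTES:
            findings[e["user"]].append(
                f"{e['time']} large media download {e['path']} ({e['bytes']} bytes)")
    return dict(findings)


def bytes_per_user(entries):
    """Total transfer volume per user, useful for spotting bandwidth hogs."""
    totals = defaultdict(int)
    for e in entries:
        totals[e["user"]] += e["bytes"]
    return dict(totals)


if __name__ == "__main__":
    entries = parse(SAMPLE_LOG)
    for user, items in aup_findings(entries).items():
        print(user, items)
```

The report is only as good as the policy behind it: the slide's first remedy is a clearly worded, circulated AUP, and the host patterns and thresholds in a monitor like this one should be copied from that policy rather than chosen by whoever writes the script.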

23
Network and Web Site Security
  • Distributed denial of service (DDoS) attacks
    • Designed to disable a network by flooding it with
      useless traffic
    • Can cause substantial financial damage
    • Reroute traffic
    • Filter traffic
    • Wait it out
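"Filter traffic" is the one response on this slide that a server operator can implement directly. As an added example (not from the book), the code below keeps a sliding-window request count per source address over a constructed access log, flags any source that exceeds a limit, and then drops that source's requests. The window, the limit and the traffic mix (one normal client, one flooding source) are assumptions made up for the example.

```python
from collections import defaultdict, deque

# Constructed parameters (assumptions): a 10-second window and at most 100
# requests per source within it before the source is treated as flooding.
WINDOW_SECONDS = 10
MAX_REQUESTS_PER_WINDOW = 100


def build_sample():
    """Constructed traffic: a normal client and a single flooding source.

    Events are (epoch_second, source_ip, path) tuples sorted by time.
    """
    events = []
    # Normal client: one request every 12 seconds.
    for i in range(5):
        events.append((1000 + 12 * i, "198.51.100.7", "/catalog"))
    # Flood source: 30 requests per second for 10 seconds (300 requests).
    for sec in range(10):
        for _ in range(30):
            events.append((1000 + sec, "203.0.113.9", "/"))
    return sorted(events, key=lambda e: e[0])


def flood_sources(events, window=WINDOW_SECONDS, limit=MAX_REQUESTS_PER_WINDOW):
    """Return {source: time_first_over_limit} using a per-source sliding window."""
    recent = defaultdict(deque)   # source -> timestamps inside the window
    flagged = {}
    for ts, src, _path in events:
        q = recent[src]
        q.append(ts)
        # Evict timestamps that have fallen out of the window.
        while q and q[0] <= ts - window:
            q.popleft()
        if len(q) > limit and src not in flagged:
            flagged[src] = ts
    return flagged


def filter_traffic(events, blocked):
    """Drop requests from blocked sources; return (passed, dropped)."""
    passed = [e for e in events if e[1] not in blocked]
    dropped = [e for e in events if e[1] in blocked]
    return passed, dropped


if __name__ == "__main__":
    events = build_sample()
    flagged = flood_sources(events)
    passed, dropped = filter_traffic(events, set(flagged))
    print(flagged, len(passed), len(dropped))
```

A per-address counter like this stops a single noisy source; a distributed attack spreads its requests across many addresses so that each one stays under the limit, which is why the slide also lists rerouting traffic (for example to an upstream provider with more capacity) and, as a last resort, waiting it out.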

24
Network and Web Site Security
25
Network and Web Site Security
  • Web site defacement
    • Web site vandalism
    • Common Web site threat
    • Causes embarrassment, frustration, and cost to
      remove defacement
    • Securing against hackers can protect a site
      against defacement

26
Security Audits and Penetration Testing
  • Network and Web site security audit should be
    performed by a qualified third-party security or
    accounting firm
  • Security auditor looks for
    • Published security policies
    • How well employees understand and comply with
      security policies
    • Controls in place to restrict physical and
      electronic access to systems

27
Security Audits and Penetration Testing
  • Security auditor looks for (continued)
    • System and application software and data file
      backups
      • Storage
      • Timeliness
      • Access
    • BCP and who is responsible for implementation
    • Rehearsed disaster recovery procedures

28
Security Audits and Penetration Testing
  • Penetration testing uses real-world hacking tools
    to test network and Web site security
  • Use care when contracting with a security or
    accounting firm to perform penetration testing
    • Liability insurance coverage
    • Nondisclosure agreement
    • Background checks
    • Tools to be used
    • Scope of testing

29
Chapter Summary
  • Risk management is the process of protecting
    business assets by identifying risks, assessing
    their potential impact, and then managing the
    risks
  • Managing risks involves avoiding the risk where
    possible, reducing the potential loss from the
    risk when it can't be avoided, retaining all or
    part of the risk, and transferring all or part of
    the risk to someone else

30
Chapter Summary
  • Insurance is the tool used to transfer risk
  • A business continuity plan (BCP) specifies how a
    business will resume partial or complete
    operations after a natural or human-made disaster
  • Business records management is an important part
    of a BCP
  • A private network is exposed to threats from
    anywhere on the public network (Internet)

31
Chapter Summary
  • Network and Web site threats include viruses,
    worms, Trojan horses, hackers, unauthorized or
    inappropriate access by employees or other
    insiders, DDoS attacks, and Web site defacement
  • Security audits and penetration testing can
    provide an assessment of network and Web site
    security