
Creating a Winning E-Business Second Edition



  1. MIS/ENTR 375 Global E-Commerce. Creating a Winning E-Business, Second Edition. Securing Your E-Business, Chapter 10

  2. Learning Objectives
  • Describe the risk management process
  • Describe business continuity planning
  • Discuss the importance of business records management
  • List the security risks and remedies associated with networks and Web sites
  • Discuss the value of a security audit and network penetration testing

  3. Risk Management
  • A process that
    • Identifies a risk of business loss
    • Assesses the risk’s potential impact
    • Determines how to handle the risk
  • Protects physical assets from damage or theft
  • Protects nonphysical assets from network-related risks

  4. Risk Management (continued)

  5. Risk Management (continued)
  • Handling identified risks
    • Reduce the risk with strong security policies and procedures
    • Reduce the risk with appropriate physical protections and security
    • Transfer all or part of the risk to someone else via insurance
      • The policy deductible is the retained portion of the risk: the business still bears losses up to that amount
    • Accept (retain) a residual risk when controlling it would cost more than the expected loss

  6. Risk Management (continued)

  7. Risk Management (continued)

  8. Business Continuity Planning
  • A business continuity plan (BCP)
    • Specifies how an e-business will resume partial or complete operations after a major disruption
    • Identifies events that might cause a disruption
    • Determines the resources needed to maintain critical business functions
    • Develops the technical procedures to recover critical business systems (the disaster recovery plan)
    • Establishes procedures for communications

  9. Business Continuity Planning (continued)
  • BCP information may include (but is not limited to)
    • Backup copies of software and data
    • Instructions on how to access backups stored offsite
    • Copies of
      • Electronic file backup procedures
      • Computer network configuration information
      • Emergency contact procedures
      • Emergency duty rosters
      • Office space floor plans
      • Lists of computer and telecommunications equipment

  10. Business Continuity Planning (continued)
  • BCP information (continued)
    • Copies of
      • Lease agreements
      • Insurance policies
      • Emergency service agreements with utility and communications providers
  • A BCP and the related disaster recovery plan must be reviewed and tested on an ongoing basis; a backup that has never been restored is not yet known to work
  • Check with the ISP or Web hosting company to verify their own BCP and disaster recovery plans

  11. Business Records Management
  • Planning the processes and actions necessary to make certain that business records are
    • Safely retained for an appropriate period of time
    • Guarded against unauthorized access
    • Destroyed per schedule when no longer needed

  12. Business Records Management (continued)
  • Establishing procedures for handling critical business records is part of overall business continuity planning
  • Primary records document key e-business activities
  • Secondary records include information that supports primary business activities

  13. Business Records Management (continued)
  • Identify primary and secondary records
  • Store records in a secure online or offline environment
  • Control access to the stored records
  • Search for records as needed
  • Maintain a records-retention schedule
  • Destroy records as scheduled

  14. Business Records Management (continued)

  15. Network and Web Site Security
  • Threats against a private network can originate anywhere on the public network
  • Viruses, worms, and Trojan horses
    • Virus: malicious code that attaches itself to other programs and spreads when those programs are run
    • Worm: self-replicating malware that spreads across a network on its own, without needing a host program or user action
    • Trojan horse: a program that appears useful but performs a hidden malicious action (for example, opening a backdoor)
  • Install antivirus software and keep it updated; patch systems promptly so worms have no unfixed hole to exploit

  16. Network and Web Site Security (continued)
  • Hackers and crackers
    • Individuals who gain unauthorized access to private networks for personal gain or to take malicious actions
    • Monitor network activity for unusual traffic and repeated failed logins, not just performance
    • Require strong, unique passwords (and multi-factor authentication where it is available)
    • Install software/hardware firewalls and expose only the services that must be reachable from outside

  17. Network and Web Site Security (continued)

  18. Network and Web Site Security (continued)
  • Unauthorized or inappropriate network access by employees and other insiders
    • Surfing the Web for personal use
    • Sending and receiving personal e-mail or instant messages
    • Circulating offensive material using internal e-mail or instant messages
    • Using business high-speed Internet connections to download music and video files

  19. Network and Web Site Security (continued)
  • Unauthorized or inappropriate network access by employees and other insiders (continued)
    • Establish and circulate clearly worded acceptable use policies
    • Enforce acceptable use policies
    • Restrict physical access to network facilities and data
    • Install network and Internet monitoring software

  20. Network and Web Site Security (continued)
  • Distributed denial of service (DDoS) attacks
    • Designed to make a network or site unavailable by flooding it with useless traffic from many compromised machines at once
    • Can cause substantial financial damage (lost sales, bandwidth charges, recovery effort)
    • Reroute traffic (through an upstream provider, CDN, or scrubbing service that can absorb the flood)
    • Filter traffic (block or rate-limit the flooding sources at the firewall or router)
    • Wait it out (if the attack is short and mitigation would cost more than the outage)
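The "filter traffic" remedy starts with telling the flood apart from normal visitors. The following is an added example, not code from the textbook: it parses Apache/nginx-style access-log lines, counts requests per source address in a sliding time window, reports sources that exceed a threshold, and emits the firewall rules that would drop them. The log lines, addresses (RFC 5737 documentation ranges), window and threshold are all constructed for illustration; a real deployment would tune them to the site's normal traffic.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Apache/nginx "combined"-style access log line: client IP, timestamp, request, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line):
    """Return (client_ip, timestamp) for a log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts


def flood_sources(lines, window=timedelta(seconds=10), threshold=100):
    """Sliding-window counter: {ip: peak requests seen inside any `window`} for every
    source that reached `threshold` requests in that window. Lines are assumed to be
    in time order, as a live log is."""
    recent = defaultdict(deque)   # ip -> timestamps of its requests inside the window
    peak = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts = parsed
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:   # drop requests that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            peak[ip] = max(peak.get(ip, 0), len(q))
    return peak


def drop_rules(ips):
    """Firewall rules that filter the flooding sources (iptables syntax; adapt to your edge)."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in sorted(ips)]


def build_sample_log():
    """Constructed sample traffic, not real log data: 20 ordinary requests spaced 2 s apart
    from 198.51.100.7, and a burst of 300 requests in 6 s from 203.0.113.66."""
    base = datetime(2023, 10, 10, 13, 55, 36, tzinfo=timezone.utc)
    events = [(base + timedelta(seconds=2 * i), "198.51.100.7", "/") for i in range(20)]
    events += [(base + timedelta(milliseconds=20 * i), "203.0.113.66", "/search?q=x")
               for i in range(300)]
    events.sort()
    return [
        f'{ip} - - [{t.strftime("%d/%b/%Y:%H:%M:%S %z")}] "GET {path} HTTP/1.1" 200 512'
        for t, ip, path in events
    ]


if __name__ == "__main__":
    flooders = flood_sources(build_sample_log())
    print(flooders)                       # {'203.0.113.66': 300}
    print("\n".join(drop_rules(flooders)))
```

Per-source counting like this handles a flood from a handful of addresses; a true distributed attack spreads the load over thousands of sources that each stay under any sensible threshold, which is why the "reroute" option (an upstream provider or scrubbing service with far more capacity than the site) is usually the one that works against a large DDoS.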

  21. Network and Web Site Security (continued)

  22. Network and Web Site Security (continued)
  • Web site defacement
    • Web site vandalism: an attacker replaces or alters the site's pages, typically through stolen administrative credentials or an unpatched Web application
    • A common Web site threat
    • Causes embarrassment, frustration, and the cost of removing the defacement and closing the hole it came through
    • The same controls that keep hackers out protect against defacement: patch the Web server and applications, restrict who can write to the site's files, and monitor the published content for unexpected changes so a defacement is noticed quickly
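A defacement is a change to published content that nobody deployed, so the simplest detector is an integrity baseline. The following is an added example, not code from the textbook: it records a SHA-256 manifest of every file under the Web root after a known-good deployment, then compares a fresh manifest against it and reports modified, added and removed files. The site files and the simulated defacement are constructed inside a temporary directory for illustration.

```python
import hashlib
import tempfile
from pathlib import Path


def build_manifest(root):
    """Map every file under `root` (relative POSIX path) to the SHA-256 of its contents."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def diff_manifest(baseline, current):
    """Compare a stored baseline with a fresh manifest. Any difference is an unplanned
    change until someone matches it to a known deployment."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


def demo():
    """Constructed example: a two-file site, a baseline taken after deployment, then a
    simulated defacement (home page overwritten, extra page dropped in)."""
    with tempfile.TemporaryDirectory() as tmp:
        site = Path(tmp)
        (site / "css").mkdir()
        (site / "index.html").write_text("<h1>Welcome to the store</h1>\n")
        (site / "css" / "main.css").write_text("body { font-family: sans-serif; }\n")
        baseline = build_manifest(site)      # in practice, stored off the Web server

        (site / "index.html").write_text("<h1>This site has been defaced</h1>\n")
        (site / "deface.html").write_text("<p>vandal's page</p>\n")
        return diff_manifest(baseline, build_manifest(site))


if __name__ == "__main__":
    print(demo())   # {'modified': ['index.html'], 'added': ['deface.html'], 'removed': []}
```

Keep the baseline somewhere the Web server's account cannot write (an attacker who can replace `index.html` can also replace a manifest stored beside it), run the comparison on a schedule from another host, and regenerate the baseline as part of every legitimate deployment so that ordinary releases do not show up as alerts.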

  23. Security Audits and Penetration Testing
  • A network and Web site security audit should be performed by a qualified third-party security or accounting firm
  • The security auditor looks for
    • Published security policies
    • How well employees understand and comply with security policies
    • Controls in place to restrict physical and electronic access to systems

  24. Security Audits and Penetration Testing (continued)
  • The security auditor looks for (continued)
    • System and application software and data file backups
      • Storage
      • Timeliness
      • Access
    • The BCP and who is responsible for implementing it
    • Rehearsed disaster recovery procedures

  25. Security Audits and Penetration Testing (continued)
  • Penetration testing uses the same tools and techniques as real attackers to test network and Web site security, under written authorization from the business
  • Use care when contracting with a security or accounting firm to perform penetration testing; the agreement should cover
    • Liability insurance coverage
    • Nondisclosure agreement
    • Background checks on the testers
    • Tools and techniques to be used
    • Scope of testing (which systems and addresses are in and out of bounds, and when testing may take place)
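The scope clause is the one a tester has to enforce in the tooling, not just on paper: every scan or exploit step should check its targets against the agreed allow-list and exclusions first. The following is an added example, not the textbook's own material: a scope gate that accepts IP addresses, CIDR ranges and domain names (a name covers its subdomains), applies exclusions on top, and refuses the whole run if any target falls outside. The scope entries and targets are constructed from documentation ranges and `example.com` for illustration.

```python
import ipaddress


class ScopeViolation(Exception):
    """Raised when a requested target is outside the authorized scope."""


def parse_scope(entries):
    """Split scope entries into IP networks and DNS names. '192.0.2.0/24' and '192.0.2.10'
    become networks; anything that is not an address is treated as a domain name that also
    covers its subdomains."""
    nets, names = [], []
    for entry in entries:
        try:
            nets.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            names.append(entry.lower().strip().lstrip("."))
    return nets, names


def _matches(target, nets, names):
    try:
        ip = ipaddress.ip_address(target)
        return any(ip in net for net in nets)
    except ValueError:
        host = target.lower().strip().rstrip(".")
        return any(host == name or host.endswith("." + name) for name in names)


def in_scope(target, allowed, excluded):
    """A target is in scope only if it matches the allowed list and none of the exclusions."""
    return _matches(target, *allowed) and not _matches(target, *excluded)


def violations(targets, allowed_entries, excluded_entries=()):
    """Return the targets that must not be tested under the agreed scope."""
    allowed = parse_scope(allowed_entries)
    excluded = parse_scope(excluded_entries)
    return [t for t in targets if not in_scope(t, allowed, excluded)]


def check_targets(targets, allowed_entries, excluded_entries=()):
    """Gate to call before any scanning or exploitation step: refuse the whole run if even
    one target is out of scope, rather than silently skipping it."""
    bad = violations(targets, allowed_entries, excluded_entries)
    if bad:
        raise ScopeViolation(f"refusing to test out-of-scope targets: {bad}")
    return list(targets)


if __name__ == "__main__":
    # Constructed scope for illustration (documentation ranges, not a real engagement).
    ALLOWED = ["192.0.2.0/24", "example.com"]
    EXCLUDED = ["192.0.2.10", "payments.example.com"]   # production box and card-handling host
    print(check_targets(["192.0.2.5", "www.example.com"], ALLOWED, EXCLUDED))
    print(violations(["192.0.2.10", "api.payments.example.com", "198.51.100.1"], ALLOWED, EXCLUDED))
```

This only checks the literal target string. A name that is in scope may resolve to an address the client does not own (a CDN edge or shared hosting), so a tester should also check the resolved addresses against the IP part of the scope before sending traffic; that lookup is deliberately left out here so the example runs offline.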
