
Creating a Winning E-Business Second Edition

Creating a Winning E-Business Second Edition. Securing Your E-Business Chapter 10. Learning Objectives. Describe the risk management process Describe business continuity planning Discuss the importance of business records management





Presentation Transcript


  1. Creating a Winning E-Business Second Edition Securing Your E-Business Chapter 10

  2. Learning Objectives • Describe the risk management process • Describe business continuity planning • Discuss the importance of business records management • List the security risks and remedies associated with networks and Web sites • Discuss the value of a security audit and network penetration testing

  3. Risk Management • A process that • Identifies a risk of business loss • Assesses the risk’s potential impact • Determines how to handle the risk • Protects physical assets from damage or theft • Protects nonphysical assets from network-related risks

  4. Risk Management

  5. Risk Management • Handling perceived risks • Strong security policies and procedures • Appropriate physical protections and security • Transferring all or part of the risk to someone else via insurance • Policy deductible is the retained portion of the risk

  6. Risk Management

  7. Risk Management

  8. Business Continuity Planning • A business continuity plan (BCP) • Specifies how an e-business will resume partial or complete operations after a major disruption • Identifies events that might cause a disruption • Determines the resources needed to maintain critical business functions

  9. Business Continuity Planning • A business continuity plan (BCP) (continued) • Specifies how an e-business will resume partial or complete operations after a major disruption • Develops the technical procedures to recover critical business systems (disaster recovery plan) • Establishes procedures for communicating with employees, clients, vendors, emergency service personnel, and so forth

  10. Business Continuity Planning • BCP information may include (but is not limited to) • Backup copies of software and data • Instructions on how to access backups stored offsite • Copies of • Electronic file backup procedures • Computer network configuration information • Emergency contact procedures

  11. Business Continuity Planning • BCP information (continued) • Copies of • Emergency duty rosters • Office space floor plans • Lists of computer and telecommunications equipment • Lease agreements • Insurance policies • Emergency service agreements with utility and communications providers

  12. Business Continuity Planning • A BCP and its accompanying disaster recovery plan must be reviewed and tested on an ongoing basis, including actually restoring systems from the backups rather than only confirming that backups exist • Check with the ISP or Web hosting company to verify that they have their own BCP and disaster recovery plans

  13. Business Records Management • Planning processes and actions necessary to make certain that business records are • Safely retained for an appropriate period of time • Guarded against unauthorized access • Destroyed per schedule when no longer needed

  14. Business Records Management • Establishing procedures for handling critical business records is part of overall business continuity planning • Primary records document key e-business activities • Secondary records include information that supports primary business activities

  15. Business Records Management • Identify primary and secondary records • Store records in a secure online or offline environment • Control access to the stored records • Search for records as needed • Maintain records-retention schedule • Destroy records as scheduled

  16. Business Records Management

  17. Network and Web Site Security • Threats against a private network can occur from anywhere on the public network • Viruses, worms, and Trojan horses • Virus – Malicious code that attaches itself to other programs or files and spreads when they are run or shared • Worm – Self-replicating malicious code that spreads across a network on its own, without needing a host program or user action • Trojan horse – A program that appears useful but performs hidden malicious actions, such as opening a backdoor • Install and keep updated antivirus software, and keep operating systems and applications patched, since worms typically spread by exploiting unpatched vulnerabilities

  18. Network and Web Site Security • Hackers and crackers • Individuals who gain unauthorized access to private networks for personal gain or to take malicious actions • Monitor network traffic and logs for unusual activity, not just performance • Require strong passwords (and multifactor authentication where available) • Install software/hardware firewalls that block all inbound traffic except what the business actually needs

  19. Network and Web Site Security

  20. Network and Web Site Security

  21. Network and Web Site Security • Unauthorized or inappropriate network access by employees and other insiders • Surfing the Web for personal use • Sending and receiving personal e-mail or instant messages • Circulating offensive material using internal e-mail or instant messages • Using business high-speed Internet connections to download music and video files

  22. Network and Web Site Security • Unauthorized or inappropriate network access by employees and other insiders (continued) • Establish and circulate clearly worded acceptable use policies • Enforce acceptable use policies • Restrict physical access to network facilities and data • Install network and Internet monitoring software

  23. Network and Web Site Security • Distributed denial of service (DDoS) attacks • Designed to disable a network or Web site by flooding it with useless traffic from many compromised hosts at once • Can cause substantial financial damage from lost sales and recovery costs • Reroute traffic (for example, through the ISP or a traffic-scrubbing service) • Filter traffic (rate-limit or block abusive sources at the firewall or upstream) • Wait it out • Agree the response procedure with the ISP or hosting provider in advance, as part of the BCP
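The "filter traffic" response above starts with telling flood sources apart from ordinary visitors. The following is an added example, not code from the book: it reads Web server access-log lines, keeps a sliding window of request timestamps per source address, flags any source that exceeds a request threshold inside the window, and drops that source's requests. The log format (Apache/NGINX common log format, in time order), the sample lines, the 10-second window and the 20-request threshold are all assumptions; in production the deny list would be pushed to the firewall or the ISP's scrubbing service rather than applied to a log file.

```python
"""Spot flood sources in Web server logs and filter them out.

Added example for the DDoS slide; it is not code from the book. Assumptions:
logs are in common log format and in time order, and the window/threshold
values are illustrative. Tune them to normal traffic levels before relying
on the result.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\]')
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"


def _line(ip, second, path):
    """Build one constructed common-log-format line (sample data, not real traffic)."""
    return (f'{ip} - - [10/Oct/2023:13:55:{second:02d} +0000] '
            f'"GET {path} HTTP/1.1" 200 2326')


# Constructed sample: one ordinary visitor plus one source sending 40
# requests in four seconds.
SAMPLE_LOG = [_line("198.51.100.4", 30, "/index.html"),
              _line("198.51.100.4", 35, "/catalog.html")]
SAMPLE_LOG += [_line("203.0.113.7", 40 + i // 10, "/index.html") for i in range(40)]
SAMPLE_LOG.append(_line("198.51.100.4", 45, "/checkout.html"))


def parse(line):
    """Return (source_ip, timestamp) or None for lines that do not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group(1), datetime.strptime(m.group(2), TIME_FMT)


def flood_sources(lines, window_seconds=10, max_requests=20):
    """Map each source that exceeds max_requests within any window to its peak count.

    A per-source sliding window keeps only timestamps inside the last
    window_seconds, so memory stays bounded even on very large logs.
    """
    recent = defaultdict(deque)
    peak = {}
    for line in lines:
        parsed = parse(line)
        if parsed is None:
            continue
        ip, ts = parsed
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) > max_requests:
            peak[ip] = max(peak.get(ip, 0), len(q))
    return peak


def filter_traffic(lines, deny):
    """Drop requests from denied sources; what remains is what the filter lets through."""
    kept = []
    for line in lines:
        parsed = parse(line)
        if parsed is not None and parsed[0] in deny:
            continue
        kept.append(line)
    return kept


if __name__ == "__main__":
    flagged = flood_sources(SAMPLE_LOG)
    for ip, count in flagged.items():
        print(f"deny {ip}: peak {count} requests in 10 s")
    print(f"{len(filter_traffic(SAMPLE_LOG, flagged))} of {len(SAMPLE_LOG)} requests pass")
```

On the constructed sample the ordinary visitor's three requests spread over 15 seconds never exceed the threshold, while the single flooding source is flagged at its 21st request and all 40 of its requests are dropped. A real distributed attack spreads load across many sources so that each stays under a per-address threshold, which is why the slide also lists rerouting through the ISP or a scrubbing service.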

  24. Network and Web Site Security

  25. Network and Web Site Security • Web site defacement • Web site vandalism: an attacker alters or replaces the site's pages • Common Web site threat • Causes embarrassment, frustration, and cost to remove defacement • Securing the Web server against hackers (patching, strong administrative credentials, least-privilege file permissions) protects a site against defacement, and regular integrity checks of site content detect one quickly
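Removing a defacement is cheaper the sooner it is noticed, and the same check that detects one also verifies that an offsite backup copy (slides 10 to 12) still matches the manifest taken when it was made. The following is an added example, not code from the book: it hashes every file under a site directory into a manifest, then compares a later manifest against that baseline and reports changed, added and removed files. The site files and the defacement are constructed in a temporary directory; in practice the baseline is generated from the release actually deployed, stored where the Web server process cannot write to it (or signed), and compared on a schedule.

```python
"""Detect defacement by checking site files against a known-good manifest.

Added example for the defacement slide (and for verifying backup copies);
it is not code from the book. Site contents and the defacement below are
constructed sample data.
"""
import hashlib
import os
import tempfile


def build_manifest(root):
    """Return {relative path: SHA-256 hex digest} for every file under root."""
    manifest = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            h = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    h.update(chunk)
            manifest[rel] = h.hexdigest()
    return manifest


def compare_manifests(baseline, current):
    """Classify differences; any non-empty list means content drifted from the release."""
    return {
        "changed": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


def _write(root, rel, text):
    """Write a constructed site file, creating parent directories as needed."""
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(text)


def demo():
    """Deploy a tiny constructed site, baseline it, deface it, and report the drift."""
    with tempfile.TemporaryDirectory() as site:
        _write(site, "index.html", "<h1>Welcome to our store</h1>\n")
        _write(site, "css/style.css", "body { font-family: sans-serif; }\n")
        baseline = build_manifest(site)  # taken from the known-good release
        clean = compare_manifests(baseline, build_manifest(site))
        # Constructed defacement: home page replaced, extra file dropped, CSS deleted.
        _write(site, "index.html", "<h1>Hacked!</h1>\n")
        _write(site, "hacked.txt", "was here\n")
        os.remove(os.path.join(site, "css", "style.css"))
        defaced = compare_manifests(baseline, build_manifest(site))
    return clean, defaced


if __name__ == "__main__":
    clean, defaced = demo()
    print("clean deployment:", clean)
    print("after defacement:", defaced)
```

The comparison is only as trustworthy as the baseline: if an attacker who can rewrite pages can also rewrite the manifest, the check reports nothing, so keep the manifest off the Web server or sign it and verify the signature before comparing.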

  26. Security Audits and Penetration Testing • Network and Web site security audit should be performed by a qualified third-party security or accounting firm • Security auditor looks for • Published security policies • How well employees understand and comply with security policies • Controls in place to restrict physical and electronic access to systems

  27. Security Audits and Penetration Testing • Security auditor looks for (continued) • System and application software and data file backups • Storage • Timeliness • Access • BCP and who is responsible for implementation • Rehearsed disaster recovery procedures

  28. Security Audits and Penetration Testing • Penetration testing uses real-world hacking tools and techniques to test network and Web site security • Use care when contracting with a security or accounting firm to perform penetration testing • Liability insurance coverage • Nondisclosure agreement • Background checks • Tools to be used • Scope of testing and rules of engagement, in writing (which systems are in scope, testing windows, and whom to contact if a test disrupts a system)

  29. Chapter Summary • Risk management is the process of protecting business assets by identifying risks, assessing their potential impact, and then managing the risks • Managing risks involves avoiding the risk where possible; reducing the potential loss from the risk when it can’t be avoided; retaining all or part of the risk; transferring all or part of the risk to someone else

  30. Chapter Summary • Insurance is the tool used to transfer risk • A business continuity plan (BCP) specifies how a business will resume partial or complete operations after a natural or human-made disaster • Business records management is an important part of a BCP • A private network is exposed to threats from anywhere on the public network (Internet)

  31. Chapter Summary • Network and Web site threats include viruses, worms, Trojan horses, hackers, unauthorized or inappropriate access by employees or other insiders, DDoS attacks, and Web site defacement • Security audits and penetration testing can provide an assessment of network and Web site security
