Privacy for eBusiness
The whole issue of security in an ebusiness environment has evolved to encompass issues of privacy and trust. Security
does not always entail privacy, but privacy requires security: a system can be well defended against outsiders and still
expose or misuse the personal data it holds. Keeping information confidential requires much more than a technology
solution. It is about business policy and the processes that support it. Data privacy is about choice: the freedom
of individuals to choose how they wish to be treated by organizations that control data that describes them. Data privacy has
emerged as a major societal issue as individuals have begun to question the levels of technological intrusiveness they will
tolerate. Privacy includes several aspects. First and foremost, privacy enables companies to protect personal and
organizational assets, such as information about customers and partners: the authorized "good guys" must be let in to access
and modify this data, without unauthorized users being able to see it.
Infrastructure and Policy
Privacy must be built directly into the security infrastructure. Privacy is a matter of policy: determining who can see
what within the corporate IT environment. But any privacy policy is only as good as the security infrastructure that backs
it up; a policy the infrastructure cannot enforce is only a statement of intent. The security infrastructure is vital to
the ongoing relationship with partners and customers. The combination of security infrastructure and a sound privacy policy
creates an environment of trust among partners and other users. This protects not only users but also the enterprises
that hold that data, which could be held liable for its loss. Businesses can turn their customers' desire for privacy
controls into a strategic competitive advantage. On the other hand, a company needs to be aware of the impact of losing
control of customer information.
Implementation of eBusiness Security
Installing an ebusiness security solution involves three steps: creating a blueprint of security needs, selecting skills
and resources, and implementation. Enterprises should recognize the need to implement security and privacy solutions that
span the end-to-end ebusiness environment. These systems must provide a range of security controls, including intrusion
detection, authentication and authorization tools, vulnerability scanning, incident management, and firewall administration.
The system must also take into account data control processes for sensitive information. This infrastructure must support a
comprehensive common security and privacy model that can expand to new applications and resources. Such a model enables
companies to lower their total cost of ownership (TCO), focus on their core competencies, and be confident that their
networks are maintained with the latest technologies applicable to their particular needs and vertical industry.
Planning: The Blueprint
The first step in the process is creating a blueprint by assessing security needs and determining how to address them.
These needs should align with the company's business objectives. There are several stages in creating this blueprint.
The assessment stage establishes a baseline, or initial diagnosis, of the overall security posture. The assessment stage
rests on two main pillars: the technical and the business components. Technical assessments generally involve two main
aspects: a vulnerability assessment to determine system weaknesses and a threat assessment to determine likely threats.
The business assessment can contain the following aspects:
- Physical environment assessment, covering the actual office and hardware.
- Incident response assessment, reviewing the processes necessary to restore functionality in the event of an attack or other incident.
- Information protection assessment, examining all policies, procedures, and controls with respect to information access and retention.
- Privacy health check, evaluating all current processes and procedures, the level of adherence to them, and the risk of disclosure of confidential data.
- Security awareness assessment of employees.
The next step in the blueprint process is an architectural analysis, which looks at the security solutions already in place
and determines what aspects must change. Then the company must create a security strategy plan to implement these changes.
Selection Process for Skills and Resources
Once the security and privacy needs have been outlined, a company needs to determine whether it has the necessary skills
in-house to implement the blueprint. Some companies will have all the necessary skills in-house, while others must outsource
some or all of the implementation. Prospective vendors come from many backgrounds, so companies must ask, and receive
answers to, the following types of questions:
- Does the service provider have the necessary experience (backed by customer examples and reference accounts) to overcome the security challenges associated with a particular vertical industry or individual business?
- Has the provider made the necessary capital investments in tools, staffing, global infrastructure, and support?
- Does the service provider have alliances with other key industry players to deliver an integrated security service, or is it operating in a vacuum? Are these just paper alliances, or are they well coordinated and market tested? If outsourcing to multiple vendors, which vendor would act as the prime, and would the customer have direct contact with the other solution vendors?
- Is the provider able not only to implement security solutions but also to manage them on an ongoing basis if needed?
- Does the provider address the privacy issues involved in letting customers control their own information? Examples include opt-in or opt-out controls for information gathering, data handling procedures, and data retention standards.
Implementation
Once these questions have been answered, the enterprise enters the implementation stage. On the technical side, the results
of the assessment, architecture analysis, and strategy and planning stages determine whether the hardware and software
requirements are fulfilled. The company must also decide whether to use a phase-over or cut-over strategy for moving to the
new security solution. In either case, integration best practice is to create a pilot implementation, which can be
performance-tested and debugged before migration to the new solution. This practice limits downtime, complications,
and disruption to business service. Testing and debugging also continue to play a key role in information security
engagements because the data they produce is used to calculate network device management thresholds and performance
baselines. Several human factors should also be considered, such as training, staffing, and processes. A perfectly executed
integration of the security system is rendered useless if the IT staff has no idea how to operate, manage, and maintain it.
Precisely documented policies, procedures, and specifications, in addition to education and training of IT personnel,
are critical success factors.
Conclusion
As security and privacy threats grow in both scope and sophistication, forward-thinking organizations of all shapes and sizes
will continue to strengthen their defenses against them. Some organizations will continue to rely on internal systems and
resources to manage the cyber risks of operating in the new economy. Others, however, may lack the training, skills,
resources, or interest needed to operate their IT infrastructure securely and will turn to outside experts for help.
Whether a company looks outside or in-house to implement a new security infrastructure, it must take the series of specific
steps described above. Without following this blueprint, a company cannot hope to create a system that is both secure and
up to date, encompassing the divergent needs of greater information sharing and greater privacy.