Securing E-Business Systems: A Guide for Managers and Executives - Hardcover

Braithwaite, Timothy

 
9780471072980: Securing E-Business Systems: A Guide for Managers and Executives

Synopsis

The essential guide to e-business security for managers and IT professionals
Securing E-Business Systems provides business managers and executives with an overview of the components of an effective e-business infrastructure, the areas of greatest risk, and best practices safeguards. It outlines a security strategy that allows the identification of new vulnerabilities, assists in rapid safeguard deployment, and provides for continuous safeguard evaluation and modification. The book thoroughly outlines a proactive and evolving security strategy and provides a methodology for ensuring that applications are designed with security in mind. It discusses emerging liabilities issues and includes security best practices, guidelines, and sample policies. This is the bible of e-business security.
Timothy Braithwaite (Columbus, MD) is Deputy Director of Information Assurance Programs for Titan Corporation. He has managed data centers, software projects, systems planning, and budgeting organizations, and has extensive experience in project and acquisition management. He is also the author of Y2K Lessons Learned (Wiley: 0-471-37308-7).

The synopsis may refer to a different edition of this title.

About the Author

TIMOTHY BRAITHWAITE has spent more than fifteen years in senior security management positions and another twenty years in executive director positions for computer and communications services organizations in both the public and private sectors. He has also worked as a private consultant. Tim has previously published The Power of IT: Maximizing Your Technology Investments and Evaluating the Year 2000 Project: A Management Guide for Determining Reasonable Care (Wiley).

From the Back Cover

"This is a must-read for the entire CXO community if businesses are to survive in cyberspace. Attack methodologies and the cyber threat poised against our business systems are advancing rapidly. Business leaders are soon to face downstream liability issues for the damage their unprotected and exploited systems cause not only to themselves but to all of those with whom they do business in cyberspace. American businesses are now the target of choice by our nation's enemies. We may secure the airways, ports, and borders, but only the boardrooms of America can ensure the survival of our economy." - John R. Thomas, Colonel, U.S. Army, Retired, Former Commander of the DoD, Global Operations and Security Center

Today's e-business depends on the security of its networks and information technology infrastructure to safeguard its customers and its profits. But with rapid innovation and the emergence of new threats and new countermeasures, keeping up with security is becoming more complex than ever. Securing E-Business Systems offers a new model for developing a proactive program of security administration that works as a continuous process of identifying weaknesses and implementing solutions. This book offers a real, working design for managing an IT security program with the attention it truly warrants, treating security as a constant function that adapts to meet a company's changing security needs.

Topics include:
* Security weaknesses
* Safeguarding technologies
* Countermeasure best practices
* Establishing an adaptable e-business security management program
* Essential elements of a corporate security management program
* Functions, structure, staffing, and contracting considerations in security management
* Implementing intrusion detection technology
* Designing tomorrow's e-business application for secured operations
* Contemporary rationales for justifying increased spending on security programs
* Emerging liability issues for e-businesses

From the Inside Flap

Securing E-Business Systems takes a pragmatic approach to a highly complex and ever-changing subject: the security of e-business networks and IT systems. With new threats, new dangers, and new capabilities arising virtually daily, keeping systems secure can be a challenge. This book proposes a new approach to e-business security, an approach founded on good management and built-in adaptability.

A successful e-business must be capable of managing the myriad risks associated with its growing dependency on information and communications technology by ensuring the continued integrity of its information, processes, and supporting IT infrastructure. Securing E-Business Systems presents a model for a proactive program of security administration that remains constantly alert for new vulnerabilities and capable of rapidly employing safeguards.

Timothy Braithwaite presents persuasive reasons why all e-businesses should control and manage IT security just as strictly and as thoughtfully as they would any other component of the company. He also offers methods and ideas that will help managers establish and sustain security management processes and procedures that will outlive the crisis of the moment and adapt to the changing security needs of an e-business over time.

For managers and executives concerned with the security of their e-business, Securing E-Business Systems offers unparalleled guidance, practical plans, and expert information on all the major issues, including:
* Components of an e-business infrastructure and the corresponding areas of greatest risk
* Oversight review models to ensure that e-business applications are designed, programmed, integrated, tested, and implemented with risk and security in mind
* Tips on justifying the expenditures required to establish and administer a program of effective and efficient e-business security controls
* Emerging liability issues that may arise from lack of security
* Best practices, sample guidelines, and ready-to-use forms and checklists

Excerpt. © Reprinted by permission. All rights reserved.

Securing E-Business Systems

A Guide for Managers and Executives

By Timothy Braithwaite

John Wiley & Sons

ISBN: 0-471-07298-2

Chapter One

Electronic Business Systems Security

What is it?

What does it include?

How important is it?

How to get started?

INTRODUCTION

One of the major computing challenges in today's economy is the manifest lack of adequate security over the information, computers, networks, and Internet applications on which business, government, and the economy depend. Many computer security threats have been identified over the past 25 years, and each has spawned a special category of corrective actions to address it. For example, in earlier times, efforts to address the lack of automated security were variously known as computer security (COMPUSEC), communications security (COMSEC), emanations security (EMSEC), information security (INFOSEC), and information technology security (ITSEC). More recently, information assurance (IA), Internet systems security (ISS), and cyber-security have grown in popularity. Each of these areas in turn has grown subcategories of security knowledge and special safeguarding techniques that are needed to secure today's electronic business systems. There is no one security solution for an e-business system because the e-business application sits at the pinnacle of modern computing and is therefore susceptible to all the security weaknesses of the various foundation technologies.

For our purposes, e-business security acknowledges all the threats identified by each of these security categories and employs the technical security safeguards and risk mitigation techniques associated with each category as determined by the actual risks found to be threatening the business. E-business security also calls on the traditional disciplines of personnel and physical security to complete the picture of safeguards that will be needed when addressing threats to the electronic business.

Conceptually, e-business security represents an accumulation and consolidation of information processing threats that identify the need to protect the integrity and confidentiality of information and the need to secure the underlying support technologies used in the gathering, storage, processing, and delivery of that information.

But what is e-business security and why is it important? How do threats to electronic business impact the world of contemporary commerce and what must be accomplished to improve an organization's security posture, especially when it comes to "new" e-business systems?

HOW IS E-BUSINESS SECURITY DEFINED?

Some definitions:

Assure: make safe, make certain, tell positively, give confidence.

Information: knowledge.

Information Technology (IT): the technology of the production, storage, and communication of information using computers.

Electronic Business: the application of information technology to business activities.

Using these definitions, e-business security can be said to be concerned with making certain that the knowledge-value of business information is made safe and is available for business processing when needed. Consequently, e-business security is concerned that the technologies used for the production, storage, and communication of information are made safe so that the knowledge-value of the information is certain and can be trusted when used. If information and the processing technology are made safe, users will have confidence that the information positively tells (i.e., accurately portrays) the reality of that which the information is supposed to represent. In different words, e-business security is concerned with the confidentiality of information, maintaining its knowledge-value, and ensuring its availability to legitimate users and customers when required to perform an authorized business activity.

By comparison, if information, and its knowledge-value, are not made safe, cannot be trusted, and are not readily available to legitimate users and customers, business and government activities will be adversely impacted. If by accident or deliberate action, information is stolen, becomes inaccurate or misleading, or is not available for use, business and governmental decisions and actions may become compromised, distorted, or wrong, and/or decisions cannot even be made and actions cannot be taken. When this occurs, executives, stockholders, users, customers, and citizens lose confidence in the information and may no longer trust the system, process, or organizations that make use of the information. They also lose confidence in the organization responsible for maintaining the information and the integrity of the business process. E-business security, then, is concerned with being able to assure trust in all information and the computing processes used to conduct e-business.

CAN E-BUSINESS SECURITY BE EXPLAINED MORE SIMPLY?

Perhaps it is helpful to view the scope of e-business security as including all those actions required to prevent, minimize, and recover from the universally appreciated threats summarized by the acronym GIGO: garbage in, garbage out. Within this context, e-business security is concerned with preventing those accidental and/or deliberate actions that may result in the introduction of inaccurate data or information to a system (GI) as well as any accidental or deliberate processing, storage, and communication activity that may produce inaccurate, false, or misleading outputs from a system (GO).

These concerns are addressed by taking action to assure the integrity and confidentiality of information and processes while at the same time assuring the ready availability of information, processes, and other system resources when required for use by legitimate users and customers. For example, "denial of service" attacks, such as those often experienced by Internet users, are currently being viewed as the number one threat to our highly automated and interconnected way of conducting business and executing the functions of government. This is because a successful denial of service attack destroys the ability of the e-business system to function at all.

In conclusion, e-business security is concerned with all aspects of how business information is collected and handled, how hardware and software process and communicate that information, how information is stored and protected from eavesdroppers, and how system resources are configured and made safe to ensure their ready availability to legitimate users and customers.

IS E-BUSINESS SECURITY REALLY SUCH A BIG DEAL?

To the extent that business information and the technology used to produce, store, or communicate that information are considered important to an organization's e-business operations, the definitions and discussions outlined in this chapter are consistent with the intent of Presidential Decision Directive-63 (PDD-63) on Critical Infrastructure Protection and other initiatives calling for the protection of the nation's critical information infrastructure. In a practical sense, if information and/or its processing were considered mission-critical or mission-sensitive for Y2K purposes, it should probably now be considered critical for the intent of e-business security.

Presidential Decision Directive-63 directs that information integrity, confidentiality, and availability be assured, not only for government systems but also for all information processing systems on which the nation depends. E-business systems certainly...

"About this title" may refer to a different edition of this title.

Other popular editions of the same title

9781119090939: Securing E-Business Systems: A Guide for Managers and Executives

Featured edition

ISBN 10:  1119090938 ISBN 13:  9781119090939
Publisher: Wiley, 2002
Softcover