A Practical Guide to Security Assessments
partners. The business partner or some other party may handle support issues. However, regardless of who ends up supporting the B2B infrastructure and application, the company is still responsible for ensuring that its information is secure. One of the problems companies face is that they depend on the business partner also maintaining certain security standards. Consequently, B2B relationships should be reviewed in detail from a security perspective.
Staying consistent with the other questionnaires in these appendices, this questionnaire is process focused and does not delve into specific technologies such as EDI or vendor-specific products as they relate to B2B relationships. Instead, it focuses on process-oriented issues relevant to B2B, with some high-level questions regarding technology. When you review B2B in the context of a security assessment, individuals versed in the technology in use should review the specific technologies from a technical security perspective, using vendor-issued best practice guidelines as well as independent review to secure them.
GENERAL
1. Does the company have a security policy governing B2B relationships?
Guidance:
A security policy should exist that outlines the minimum security requirements for any B2B relationship. The policy should provide guidance for business units as they enter into agreements with business partners. It should outline security requirements as they relate to architecture, transaction processing, and monitoring. The policy should also document which groups should be involved in the process, from initial discussions through implementation and ongoing monitoring. One of the challenges with B2B is that the business units that stand to benefit most from a strong B2B relationship are usually the ones who pursue it, and security is not always considered. Having a policy raises awareness and, ideally, brings the right IT personnel into the process.
Risk:
Without a security policy, personnel responsible for these relationships will not be clear on the security requirements with which they should comply. It is also difficult to hold personnel accountable to a policy that is not documented and communicated.
Client Response:
2. Before entering into B2B relationships, is any due diligence performed? If so, is IT or the security group involved in the process to review any security concerns?
AU1706_book.fm Page 362 Tuesday, August 17, 2004 11:02 AM