Appendix K
Business to Business (B2B)
Companies today have business-to-business (B2B) relationships with their trading
partners where the companies are linked electronically through various means. These
relationships create efficiencies in key business processes (e.g., supply chain) using
various methods such as sending transactional data electronically. B2B automates
certain transactions and reduces the level of human intervention to achieve these
efficiencies. In the past, companies utilized Electronic Data Interchange (EDI) to
electronically send transactional information to their trading partners. EDI is still
very much in use today, particularly by the Fortune 500 companies. “Industry
analysts estimate that 95 percent of Fortune 500 companies use EDI…. However,
given the complexity and cost of EDI software, most companies only use EDI to
communicate with the top 15–20 percent of their trading partners. The remaining
80–85 percent of trading partners need a simpler, less expensive solution that
leverages the emerging XML standard for information exchange over the
Internet.”¹ Many of these less expensive solutions leverage the Internet and
secure communications to facilitate B2B relationships. Some of the reasons for
B2B relationships include:
• Business process automation
• Supply chain management
• Reduction of lead time
• Improved forecasting
• Procurement activities
• Sharing information
B2B relationships are continuing to become more prevalent among companies.
These relationships can be between two or several companies and may leverage
many different technologies, including EDI as well as newer eXtensible Markup
Language (XML)-based technology. Considering the sensitive and competitive
information being transmitted in these B2B relationships, security is a major
concern. In some cases, inadequate security may prevent companies from
participating in B2B relationships.
One of the challenges with B2B is that it falls into a bit of a gray area when it
comes to implementation, support, and ongoing maintenance. In some cases, the
internal information technology (IT) group may be doing something very minor,
such as opening up a port on a firewall to enable the communication between
business partners. The business partner or some other party may handle support
issues. However, regardless of who ends up supporting the B2B infrastructure and
application, the company is still responsible for ensuring that its information
is secure. One of the problems companies face is that they are dependent on the
business partner also having certain security standards. Consequently, B2B
relationships should be reviewed in detail from a security perspective.
AU1706_book.fm Page 361 Tuesday, August 17, 2004 11:02 AM
A Practical Guide to Security Assessments
Staying consistent with the other questionnaires in these appendices, this
questionnaire is process focused and does not delve into specific technologies
such as EDI or vendor-specific technologies as they relate to B2B relationships.
Instead, the questionnaire focuses on process-oriented issues relevant to B2B,
with some high-level questions regarding technology. When you review B2B in the
context of a security assessment, individuals versed in the technology being
used should review the specific technologies from a technical security
perspective. Vendor-issued best practice guidelines as well as independent
review should be used to secure the technologies.
GENERAL
1. Does the company have a security policy governing B2B relationships?
Guidance: A security policy should exist that outlines the minimum security
requirements for any B2B relationship. The policy should provide guidance for
business units as they enter into agreements with business partners. It should
outline security requirements as they relate to architecture, transaction
processing, and monitoring. The policy should also document which groups should
be involved in the process, from initial discussions to actual implementation
and monitoring. One of the challenges with B2B is that these relationships are
most often pursued by the business units that stand to benefit from them, and
security is not always considered. Having a policy raises awareness and, ideally,
brings the right IT and security personnel into the process.
Risk: Without a security policy, personnel responsible for these relationships
will not be clear on the security requirements with which they should comply. It
is also difficult to hold personnel accountable for a policy if it is not
documented and communicated.
Client Response:
2. Before entering into B2B relationships, is any due diligence performed? If
so, is IT or the security group involved in the process to review any security
concerns?
Guidance: Once the business decides that the B2B relationship with a business
partner is worth pursuing, some level of due diligence should be done so the
company has an opportunity to validate and confirm certain critical information
prior to entering into a final agreement. As part of this due diligence, someone
who has responsibility for information security should be involved to ensure
that the business partner meets certain security requirements based on the
nature of the B2B relationship.
Risk: The risk of not having an information security person involved in the due
diligence process is that the business partner might not have adequate measures
to secure the B2B transactions. Because the business partner will potentially
have access to some of the company’s data or systems, significant security
concerns exist related to the confidentiality and integrity of information.
Client Response:
3. As B2B relationships are being implemented, is the internal audit department
involved to ensure that all audit and control requirements are met (assuming
there is an internal audit or similar function)?
Guidance: To build on the preceding question related to the due diligence
effort, someone from internal audit should be involved in the B2B process from
start to finish to help ensure that the company’s audit and control requirements
are met. Internal audit, because of its knowledge of the company, is in a unique
position to provide valuable input into this process.
Risk: The risk of not involving internal audit when forming a B2B relationship
is that the final B2B structure may not meet the company’s audit and control
requirements. Ensuring that the B2B structure is in compliance with audit
standards is easier and more efficient during the setup process than after it
has been completed.
Client Response:
4. What business process is the B2B relationship supporting and how critical is
it to the business?
Guidance: To understand the importance of the B2B relationship, it is important
to understand what business process it is supporting and how critical that
process is. Is the B2B structure in place only to share information? Are actual
transactions that have revenue and expense impact being performed? The answers
will give a sense of the criticality and provide some guidance about how much
further testing might be warranted.
Risk: Not applicable. The answer to this question gives an idea of the level of
risk associated with the B2B relationship.
Client Response:
5. Does someone in the company have overall ownership of the B2B relationship?
Guidance: Once the company has signed the B2B agreement and it is operational,
someone in the company should be assigned the responsibility of owning the
relationship. The person in this role should ensure that the requirements set
forth in the agreement are met, act as the single point of contact with the
business partner, and work with relevant groups to manage the relationship. Part
of this function should also be to ensure that security requirements are being
met.
Risk: Without someone officially owning the relationship with the B2B partner, a
risk exists that it will not be properly managed: everyone says that another
person owns it and, in the end, no one does. As a result, there is no
accountability for ensuring that the contract requirements are met.
Client Response:
6. Is there a Service Level Agreement (SLA) in place between the company and the
B2B partner?
Guidance: An SLA is an important element of a B2B relationship. The SLA should
outline the scope of the relationship, roles and responsibilities, performance
metrics, and other miscellaneous information. If the SLA is enforced, penalties
(both financial and nonfinancial) are incurred for noncompliance with the SLA.
The company should monitor the relationship with the business partner to ensure
that SLA requirements are being met. The SLA should reflect the minimum
requirements that the B2B partner must satisfy in order for the company to do
business with them via a B2B relationship. Many of the items in the SLA will be
operationally oriented. In addition to those requirements, the SLA should also
address security. Some items to look for when reviewing SLAs include the
following:
• Tolerable downtime
• Disaster recovery
• Incident handling and related escalation lists
• Notification requirements related to any security incidents
• Backup and recovery of data
• Financial remedies for SLA noncompliance
• Auditing provisions — timing and notification, frequency, etc.
• Security requirements related to hardware and software used in conjunction
  with B2B transactions
  – Patch application
  – Hardening standards
  – Documented encryption standards
Risk: The risk of not having a strong SLA in place is that the business partner
may not be accountable to the specific service levels required by the company.
From a security perspective, there is a risk that the company’s information
might not receive an adequate level of security. Security requirements also
cannot be enforced without the SLA, which obligates the B2B partner to meet
those requirements.
Client Response:
7. Does someone monitor SLAs to ensure they are being met?
Guidance: Building on the earlier question concerning SLAs, they have limited
value if no one is monitoring them. The person who owns the relationship should
work with the appropriate people to monitor the key provisions of the SLA.
Risk: Without monitoring of the SLA, a risk exists that the transactions
facilitated by the B2B relationship and the company’s data are not secure
because the B2B partner is not meeting the security requirements outlined in the
SLA.
Client Response: