A Practical Guide to Security Assessments
4. Is someone accountable for the B2C Web site and the related operations?
Guidance:
Ownership is one of the key components of security. In the case of B2C, if no one owns security, there is a good chance that security is not being adequately maintained. Someone should own the B2C operations and be responsible for them. This person should oversee the content on the Web site, ensure that any updates are taking place, and interface with the information technology (IT) and security personnel to ensure that the site is available, functioning properly, and secure. This person may delegate certain portions of these responsibilities to the appropriate people in the organization — e.g., some of the technical pieces can be delegated to IT. However, one person should be ultimately accountable. Ideally, someone on the business side should own the B2C operations because such an individual will have a better understanding of whether the site is working as intended. B2C is a revenue-generating function, and thus someone from the business should be responsible for it.
Risk:
Without ownership of the B2C operations, there is no accountability, which is critical because this is a customer-facing, revenue-generating activity. Issues with the B2C operations that affect the customer can have significant impact, including lost revenue and lost customers.
Client Response:
5. Does someone own the database supporting the B2C operations?
Guidance:
In the preceding section, all relevant systems supporting B2C operations were alluded to. The database is highlighted here because of the criticality of the data generated from B2C activity. The database is a critical component of the B2C infrastructure because it contains a wide range of information. Depending on how it was set up, the information it potentially contains includes catalog-related information, pricing data, customers’ personally identifiable information, and other data. It is important to ensure that this information is adequately secured.
Risk:
Without ownership of the database supporting the B2C operations, there is potentially a lack of focus on securing B2C-related data. This can lead to unauthorized access to critical data, resulting in issues relating to the availability of B2C operations and the integrity of B2C data.
Client Response: