Appendix L
Business to Consumer (B2C)
Business to consumer (B2C), for the purpose of this checklist, is the process by
which consumers purchase goods or services over the Internet. They can go to vendor
Web sites, look through catalogs, find what they want to buy, and then make the
purchase by supplying their credit card information and some personal information
such as name and address. Before the days of B2C, many companies started by
having a presence on the Internet where people could go to learn about the company
and what they do. Such Web sites are informational in nature. A significant number
of companies now also offer goods and services over the Internet where consumers
can make purchases. Some of the better-known sites include Amazon and the common department store chains. This has become very prevalent, and people use it
extensively because of convenience and in many cases, price. However, many people
do not use it, and one of the major reasons is that they are afraid of divulging
sensitive credit card or personal information on the Internet. One can argue that our
information is no safer when we shop in stores or go to restaurants and give our
credit cards to make a purchase. This is probably correct, but because a store or
restaurant is tangible and familiar, the risk does not seem to be as great. On the
other hand, with e-commerce activities, the idea of purchasing over the Internet is
still an unknown with risks related to the confidentiality of personal information
including credit card information. Considering the many publicized stories of hackers
gaining access to credit card information and with identity theft becoming a bigger
issue, security in the B2C space must be taken very seriously.
In a security assessment, B2C should be reviewed from a process and technology perspective. Some of the key areas to review include:
• Ensuring that consumer information is secure during transmission
• Ensuring that customer information residing on the company’s systems is adequately secured
• Integrity of transactions
• Ensuring that the architecture supporting the B2C environment is secure, e.g., Web servers, back-end systems
• Ensuring that the infrastructure supporting the B2C environment can provide the level of availability required
AU1706_book.fm Page 371 Tuesday, August 17, 2004 11:02 AM
A Practical Guide to Security Assessments
The potential risks associated with B2C can result in significant impact to the business. If the B2C operations are not available or if a breach of security occurs, some of the potential impacts include:
• Operational — Depending on how significant B2C is to the company, operations can suffer.
• Legal — If a security breach occurs where customers’ personal information is stolen, the company can face legal issues.
• Financial — If there are security or availability issues, there can be immediate financial impact because customers cannot make purchases, as well as long-term financial impact if a permanent loss of customers occurs.
• Reputation — A company’s reputation will most certainly be damaged. The degree to which this happens depends on the severity of the incident.
This questionnaire is focused on the processes around B2C operations. Although
some references to technology are included, they are conceptual in nature. Specific
vendor technologies are not addressed in this questionnaire and should be evaluated
from a technical security perspective. Some questions involve technical concepts
that may require someone with the appropriate technical expertise to review. These
resources should be used in an assessment as necessary. The questionnaire should
be modified based on the company’s specific business requirements.
QUESTIONS
1. Does a security policy governing B2C processes exist?
Guidance: As noted in the other questionnaires, having a security policy has significant value because the policy outlines the minimum security requirements that must be followed. In the case of B2C, a policy is very useful because it can be used from the outset as B2C operations are being planned so that security is built in to both the process and supporting technologies. In addition, the policy provides a mechanism to enforce good security practices for B2C.
Risk: Risks of not having a security policy related to B2C include:
• The B2C architecture and application will be developed with inadequate security. Addressing security after the fact can be expensive and time consuming.
• No mechanism exists to enforce good security practices as they relate to B2C.
Client Response:
2. How significant are the B2C operations?
• What percentage of overall revenues do the B2C operations generate?
• If the Web site providing B2C services had a security breach (e.g., site defacement, denial-of-service attack), what would be the impact to the company, financial and otherwise?
• How would a security breach impact the reputation of the company?
Guidance: The purpose of these questions is to understand the significance of the B2C activity and to help determine the extent of the review. Depending on how significant B2C is, detailed system testing may or may not be necessary. Another scenario is that B2C may be insignificant today but plans to grow it are underway, in which case, there may be more of a high-level architecture review to ensure security is properly built in as well as an analysis of what to consider from a security perspective as the site grows. In many cases, B2C operations are important enough to justify further testing. Even if they do not account for significant revenue, the risk of damaging the reputation of the company if a security incident were to happen always exists. For many companies, if B2C is not significant today, it is probably going to become a significant part of the business.
Risk: Not applicable. The purpose of this question is to understand the scope of B2C operations and how the detailed review, if any, will be done.
Client Response:
3. Has there ever been a security breach related to the B2C operations?
Guidance: Knowing whether any security breaches have occurred in the past gives an indication of potential impacts and how the company handled the incidents, both of which are important considerations in a security assessment. It is also important to understand what steps the company took to prevent the same type of security incident from happening again.
Risk: Not applicable. The purpose of this question is to gather information about past security incidents, why they happened, and what has been done to ensure that similar incidents do not happen again. This can lead to findings if the security weaknesses were not addressed.
Client Response:
4. Is someone accountable for the B2C Web site and the related operations?
Guidance: Ownership is one of the key components of security. In the case of B2C, if no one owns security, there is a good chance that security is not being adequately maintained. Someone should own the B2C operations and be responsible for them. This person should oversee the content on the Web site, ensure that any updates are taking place, and interface with the information technology (IT) and security personnel to ensure that the site is available, functioning properly, and secure. This person may delegate certain portions of these responsibilities to the appropriate people in the organization — e.g., some of the technical pieces can be delegated to IT. However, one person should be ultimately accountable. Ideally, someone on the business side should own the B2C operations because such an individual will have a better understanding of whether the site is working as intended. B2C is a revenue-generating function and thus, someone from the business should be responsible for it.
Risk: Without ownership of the B2C operations, there is no accountability, which is critical because this is a customer-facing revenue-generating activity. Issues with the B2C operations that affect the customer can have significant impact, including lost revenue and lost customers.
Client Response:
5. Does someone own the database supporting the B2C operations?
Guidance: In the preceding section, all relevant systems supporting B2C operations were alluded to. The database is highlighted here because of the criticality of the data generated from B2C activity. The database is a critical component of the B2C infrastructure because it contains myriad information. Some of the information potentially contained includes catalog-related information, pricing data, customers’ personally identifiable information, and other information, depending on how it was set up. It is important to ensure that this information is adequately secured.
Risk: Without ownership of the database supporting the B2C operations, there is potentially a lack of focus on securing B2C-related data. This can lead to unauthorized access to critical data resulting in issues relating to availability of B2C operations and the integrity of B2C data.
Client Response:
6. Is access to the database restricted to only those individuals who require it?
Guidance: Access control is an essential layer in an information security program. Access to the database should be limited to those who need it to perform their jobs. The level of access should depend on the person’s job function. As for who has access, there should at least be a database administrator and a backup. Because administrator access has super rights, it should be limited. Besides administrator access, there may also be some individuals who require “read” access to view certain information. In any case, whoever receives access should have some business justification for the access.
Risk: Without strict access controls on the database, the risks include:
• Unauthorized access to sensitive information in the database
• Damage to the integrity of the information in the database
Client Response:
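Question 6 asks whether database access is limited to those who need it, with a primary and backup administrator and any further access justified by job function. The script below is an added illustration, not part of the book or of any assessment tool, of how an assessor can check an extracted privilege listing against the company’s access register. The grants, the register, the account names and the privilege names are constructed sample data; “SUPERUSER” is an assumed label for full administrator rights rather than any particular database product’s catalog value.

```python
"""Least-privilege review of database accounts against an access register.

Added illustration for question 6; all data below is constructed sample
data, not extracted from any real system.
"""
from dataclasses import dataclass

# Constructed sample: (account, privilege) pairs, as an assessor might extract
# from the database's privilege catalog. "SUPERUSER" stands for full
# administrator rights (an assumed label, not a vendor catalog value).
SAMPLE_GRANTS = [
    ("dba_primary", "SUPERUSER"),
    ("dba_backup", "SUPERUSER"),
    ("legacy_admin", "SUPERUSER"),   # left over from a previous administrator
    ("web_app", "SELECT"),
    ("web_app", "INSERT"),
    ("web_app", "UPDATE"),
    ("analyst1", "SELECT"),
    ("analyst2", "SELECT"),
    ("analyst2", "DELETE"),          # a read-only user holding a write privilege
    ("contractor", "SELECT"),        # never recorded in the access register
]

# Constructed access register: account -> (approved role, business justification).
ACCESS_REGISTER = {
    "dba_primary": ("admin", "Primary database administrator"),
    "dba_backup": ("admin", "Backup database administrator"),
    "web_app": ("application", "B2C storefront service account"),
    "analyst1": ("read-only", "Pricing analysis"),
    "analyst2": ("read-only", "Catalog reporting"),
}

# Privileges that change data or structure; a read-only role should hold none.
WRITE_PRIVILEGES = {"INSERT", "UPDATE", "DELETE", "ALTER", "DROP", "SUPERUSER"}


@dataclass(frozen=True)
class Finding:
    account: str   # "*" marks a finding about the account population as a whole
    issue: str


def privileges_by_account(grants):
    """Collapse (account, privilege) rows into {account: set(privileges)}."""
    result = {}
    for account, privilege in grants:
        result.setdefault(account, set()).add(privilege.upper())
    return result


def review_grants(grants, register, max_admins=2):
    """Return findings where the live grants depart from the access register.

    Checks: number of administrator accounts (primary + backup), a recorded
    business justification for every account, no superuser rights outside the
    admin role, and no write privileges on read-only roles.
    """
    findings = []
    by_account = privileges_by_account(grants)

    admins = sorted(a for a, p in by_account.items() if "SUPERUSER" in p)
    if len(admins) > max_admins:
        findings.append(Finding("*", f"{len(admins)} superuser accounts "
                                f"({', '.join(admins)}) exceed the expected {max_admins}"))

    for account, privs in sorted(by_account.items()):
        entry = register.get(account)
        if entry is None:
            findings.append(Finding(account, "no business justification in the access register"))
            continue
        role, _justification = entry
        if "SUPERUSER" in privs and role != "admin":
            findings.append(Finding(account, f"superuser rights on a {role} role"))
        writes = sorted(privs & WRITE_PRIVILEGES)
        if role == "read-only" and writes:
            findings.append(Finding(account, f"read-only role holds write privileges: {writes}"))
    return findings


def stale_register_entries(grants, register):
    """Accounts the register still approves but that hold no privileges."""
    return sorted(set(register) - set(privileges_by_account(grants)))


if __name__ == "__main__":
    for f in review_grants(SAMPLE_GRANTS, ACCESS_REGISTER):
        print(f"{f.account:14} {f.issue}")
    print("stale register entries:", stale_register_entries(SAMPLE_GRANTS, ACCESS_REGISTER))
```

On the sample data the review flags three superuser accounts where two are expected, the read-only analyst holding DELETE, and two accounts (the contractor and the leftover administrator) with no justification on file. The register is checked in both directions so that approvals which no longer correspond to a live account are also surfaced; each finding maps to one of the questionnaire’s risks (unauthorized access or loss of integrity) and becomes a line in the client response.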
7. If the B2C application was purchased, was any due diligence performed to determine whether it has the appropriate security functionality?
Guidance: Although functionality of applications is part of the initial analysis when purchasing a COTS (Commercial Off the Shelf) package, security is something that is often overlooked. As part of the security assessment, it is important to review the application and determine whether any associated security risks are present and what mitigating controls are in place to address them. During the review, consider the following:
• Access control — Is access given on a “need to have” basis?
• Information flow — How is the application interfacing with other systems (e.g., database) and is it secure?
In some cases, you may find that the application has security-related functionality that is not being used. Some things to look for in the application include access control (at the transaction level if possible), controls to ensure the integrity of the data, and integration points with other components of the infrastructure.
Risk: If the application does not have the necessary security features there is a risk of:
• Unauthorized access to the application transactions
• Loss of integrity of B2C data