Group presentations for LO205 e-business (transcript of a PowerPoint presentation)
Group 26: Lill Hege Harstad, Helene Dimmestøl
Group 33: Virginie Crest
March 19, 2002
LO 205
• GROUP 33: Virginie Crest
• Security Risk Management Plan for the B2C site: Interflora.com
Security Risk Management Plan
• Def: determine the security needs of the organization’s site.
• It consists of four phases:
1. Assessment phase
2. Planning
3. Implementation
4. Monitoring
1. Assessment phase
Evaluation of the assets, threats and vulnerabilities of the organisation’s site
1.1. Interflora objectives
• Def: select safeguards on the basis of Interflora’s objectives and requirements
• Interflora’s objectives:
- Flower ordering service around the globe
- Quality of their products and customer service
= Ensure that these services are not disrupted
1.2. Site’s Assets
• Def: anything of value that is worth securing (tangible and intangible goods)
• Inventory assets: itemize all the critical tangible and intangible assets on the network in order to secure them:
- customer data (names, addresses, phone numbers, credit card numbers, ...)
- passwords
- digital signatures
1.3. Site’s Threats
• Def: any eventuality that represents a danger to an asset.
• Types of breach:
- infection of company equipment via viruses/malicious code
- use of company computing resources for illegal or illicit communications or activities
- abuse of computer access controls
- use of company computing resources for personal profit
1.3. Site’s threats
• Types of breach:
- viruses
- attacks related to protocol weaknesses
- attacks related to insecure passwords
- Denial-of-Service (DoS) attacks (the slide groups DNS spoofing and buffer overflows here; both can be used to cause an outage, but they are distinct attack classes that can also serve other goals, such as redirecting customers or executing code on the server)
1.4. Site’s Vulnerabilities
• Def: weakness in a safeguard. A public list of known vulnerabilities is maintained as Common Vulnerabilities and Exposures (CVE).
• Vulnerabilities:
- authentication: is the identity of the user actually verified (password and signature)?
- auditing: is personal information written to the log file? How? For how long is it kept?
- confidentiality or privacy: ensure that personal data (e.g. credit card numbers) are not disclosed to unauthorized entities or individuals
1.4. Site’s vulnerabilities
• Vulnerabilities:
- integrity: ensure that personal data are not altered while in transit or after being stored
- non-repudiation: ability to prevent parties from denying that a legitimate transaction took place (e.g. by means of a digital signature)
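The auditing and confidentiality points above come down to one concrete question for an order-taking site: what happens when a request containing a card number reaches the log file? The following is an added example, not code from the presentation or from Interflora, of a log sanitizer that masks Luhn-valid card numbers before a line is written. The log lines are constructed for the example, and the 13 to 19 digit window and the "first six, last four" masking style are assumptions; the Luhn check is what keeps phone numbers and order IDs from being masked by mistake.

```python
import re

# Candidate PANs: 13 to 19 digits, optionally grouped with spaces or dashes.
# Window size is an assumption for this example; tune it to the log format in use.
_PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(digits: str) -> bool:
    """Luhn check-digit test; filters out phone numbers and IDs that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep the first 6 (issuer) and last 4 (reference) digits, mask the rest."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def redact_line(line: str) -> str:
    """Replace every Luhn-valid card number in a log line with its masked form."""
    def _sub(match):
        digits = re.sub(r"[ -]", "", match.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            return mask_pan(digits)
        return match.group(0)   # not a card number: leave the text untouched
    return _PAN_RE.sub(_sub, line)


def redact_log(lines):
    """Sanitize a batch of log lines; call this before anything is written to disk."""
    return [redact_line(line) for line in lines]


# Constructed sample of what an order log looks like when the application logs the
# raw request. 4111111111111111 and 5555555555554444 are well-known test PANs.
SAMPLE_LOG = [
    "2002-03-19 10:14:02 order=10023 customer=lill card=4111 1111 1111 1111 amount=49.00",
    "2002-03-19 10:14:05 order=10024 customer=helene card=5555-5555-5555-4444 amount=32.50",
    "2002-03-19 10:14:09 order=10025 phone=12345678901234 status=callback",
]

if __name__ == "__main__":
    for line in redact_log(SAMPLE_LOG):
        print(line)
```

Masking only answers the "How?" part of the auditing question; the "How long?" part is a retention policy, and the cleanest answer is to never log the full PAN at all so that there is nothing to retain.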
1.5. Quantitative risk analysis
• Def: quantify the value of each risk in order to prioritize those risks that need safeguarding
• Equation employed: Risk = Assets * Threats * Vulnerabilities
• Using a range of 1-10 to estimate the value of an asset, the probability of a threat and the level of vulnerability, the computed risk ranges from 1 to 1,000. A result approaching 1,000 indicates a high risk of an insecure system. (The three inputs are ordinal estimates, so the product is a ranking aid for comparing risks against each other, not a measured quantity.)
1.5. Quantitative risk analysis
• Total value of the risks:
- Value of Assets: 8
- Probability of threats: 9
- Level of vulnerabilities: 7
• Quantitative risk analysis:
8 * 9 * 7 = 504
Risk is quite high, so Interflora’s system must be secured.
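The slide applies the equation once, to the site as a whole. The point of a quantitative analysis is to apply it per asset and threat so the results can be ranked; the following is an added example of that, not code from the presentation. The 8/9/7 row reproduces the slide’s estimate; the other inventory rows, the input validation and the high/medium/low bands (500 and 100) are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Band thresholds are an assumption for this example: the slide only says that a
# product approaching 1,000 means high risk.
HIGH_RISK = 500
MEDIUM_RISK = 100


@dataclass(frozen=True)
class RiskItem:
    asset: str
    threat: str
    asset_value: int      # 1..10: value of the asset
    threat_prob: int      # 1..10: probability of the threat
    vulnerability: int    # 1..10: level of vulnerability of the safeguard


def _check_score(value: int, name: str) -> int:
    """All three inputs are ordinal 1-10 estimates; reject anything else."""
    if isinstance(value, bool) or not isinstance(value, int) or not 1 <= value <= 10:
        raise ValueError(f"{name} must be an integer in 1..10, got {value!r}")
    return value


def risk_score(item: RiskItem) -> int:
    """Risk = Assets * Threats * Vulnerabilities, in the range 1..1000."""
    return (_check_score(item.asset_value, "asset_value")
            * _check_score(item.threat_prob, "threat_prob")
            * _check_score(item.vulnerability, "vulnerability"))


def risk_band(score: int) -> str:
    """Map a 1..1000 score onto the assumed high/medium/low bands."""
    if score >= HIGH_RISK:
        return "high"
    if score >= MEDIUM_RISK:
        return "medium"
    return "low"


def build_register(items: List[RiskItem]) -> List[Tuple[int, str, RiskItem]]:
    """Score every asset/threat pair and order the register by risk, highest first."""
    rows = []
    for item in items:
        score = risk_score(item)
        rows.append((score, risk_band(score), item))
    rows.sort(key=lambda row: row[0], reverse=True)
    return rows


# Constructed inventory drawn from the assets and threats listed on the slides.
# Only the first row's scores come from the slide; the rest are assumptions.
INVENTORY = [
    RiskItem("customer data (credit card numbers)", "disclosure via insecure passwords", 8, 9, 7),
    RiskItem("digital signatures", "abuse of access controls", 7, 4, 3),
    RiskItem("web server availability", "DoS attack", 6, 6, 5),
    RiskItem("company workstations", "virus / malicious code", 3, 8, 4),
]

if __name__ == "__main__":
    for score, band, item in build_register(INVENTORY):
        print(f"{score:4d} {band:6s} {item.asset} <- {item.threat}")
```

Because the inputs are ordinal, a row scoring 180 is not "twice as risky" as one scoring 90; the register is useful for deciding which safeguard to fund first, which is all the planning phase needs from it.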
2. Planning phase
Set of security policies
2.1. Define specific policies
• Safeguards instituted through a privacy statement
• Implementation of safeguards in order to prevent the potential threats
• Enforced within 6 months
• Responsible for the safeguards: Interflora headquarters (Zurich, Switzerland)
2.2. Audit and review
• Perform reviews every 6 months
• Performed by a quality management team
2.3. Incident response team and contingency plan
• Responsibilities of the team:
- Respond to all attacks
- Report major incidents to the CERT (Computer Emergency Response Team)
- Monitor public announcements of attacks at other sites
- Outline the response in a contingency plan
3. Implementation phase
Choose particular technologies to deal with high priority threats
3.1. Types of security technology
• Access control (user IDs/passwords) and firewalls (packet-filtering routers and application-level proxies)
• Cookies
• Encrypted files
• Encrypted logins
• Intrusion detection system
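The first item in that list, user-ID/password access control, is also the one that the threats slide singled out ("attacks related to insecure passwords"). The following is an added example, not code from the presentation or from any Interflora system, of the server-side half of that safeguard done properly: passwords are never stored, only a per-user salted PBKDF2 hash; verification uses a constant-time comparison; and a login for an unknown user costs the same as a login for a real one, so the response time does not reveal which user IDs exist. The iteration count and the record format are assumptions made for the example.

```python
import base64
import hashlib
import hmac
import os
from typing import Dict, Optional

# Work factor is an assumption for this example (OWASP's current guidance for
# PBKDF2-HMAC-SHA256); tune it so one verification costs a few hundred ms on the server.
ITERATIONS = 600_000
ALGORITHM = "pbkdf2_sha256"


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt$derived_key (base64)."""
    salt = salt if salt is not None else os.urandom(16)   # fresh random salt per user
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join([ALGORITHM, str(iterations),
                     base64.b64encode(salt).decode("ascii"),
                     base64.b64encode(dk).decode("ascii")])


def verify_password(stored: str, password: str) -> bool:
    """Recompute the derived key with the stored parameters; compare in constant time."""
    algorithm, iterations, salt_b64, dk_b64 = stored.split("$")
    if algorithm != ALGORITHM:
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(dk_b64)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    return hmac.compare_digest(expected, candidate)


class UserStore:
    """Minimal user-ID/password access control; keeps only salted PBKDF2 records."""

    def __init__(self) -> None:
        self._users: Dict[str, str] = {}
        # Dummy record so that a login attempt for an unknown user ID does the same
        # amount of work as one for a real user (no user enumeration via timing).
        self._dummy = hash_password(os.urandom(16).hex())

    def add_user(self, user_id: str, password: str) -> None:
        self._users[user_id] = hash_password(password)

    def login(self, user_id: str, password: str) -> bool:
        stored = self._users.get(user_id, self._dummy)
        ok = verify_password(stored, password)
        return ok and user_id in self._users


if __name__ == "__main__":
    store = UserStore()
    store.add_user("vcrest", "flowers-2002")   # constructed credentials for the demo
    print(store.login("vcrest", "flowers-2002"))   # True
    print(store.login("vcrest", "flowers-2003"))   # False
    print(store.login("nobody", "flowers-2002"))   # False
```

Storing the iteration count inside each record is what lets the work factor be raised later without invalidating existing users: old records keep verifying with their own parameters and can be re-hashed on the next successful login. "Encrypted logins" on the slide refers to the transport (TLS) and is a separate control; this example only covers what the server keeps.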
3.2. Selection of software
• Antivirus software
• Web (HTTP) proxy
• Intrusion Detection System (IDS) software
4. Monitoring phase
Processes used to determine which measures are successful, which are unsuccessful and which need modification
4. Monitoring phase
• Have the technologies implemented been a success?
• Are any new types of threats appearing?
• Are any changes to the implemented technologies required at the moment?
Resume Lecture
• Today, continue with Chapter 15.
• No lecture on Friday (Easter break begins).
• Lectures resume on Tuesday, April 9th.
Evolution of Software Integration
• Completely independent of each other:
– MRP = Material Requirements Planning:
• Inventory
• Production
– MRP II = Manufacturing Resource Planning (more integrated):
• MRP + Finance + Labor
Evolution of Software Integration (cont.)
• ERP = Enterprise Resource Planning:
• All functional areas
– Extended ERP includes:
• Suppliers
• Customers
From SAP to mySAP.com
• SAP = traditional ERP = automate and integrate transactions
• mySAP.com = Web-based comprehensive system:
– Workplace: a personalized, role-based interface
– Marketplace: one-stop destination for business professionals to collaborate
– Business Scenarios: products for the Internet and intranet
– Application hosting: hosting Web applications for SMEs
Developing ERP Systems
• Do-it-yourself, from scratch (only a few will)
• Use integrated packages such as R/3 from SAP
• “Best of breed” approach, using integrating software
• Rent from an ASP (application service provider)
Post-ERP (2nd Generation)
• 1st generation: transaction processing orientation
• 2nd generation:
– Including decision-making capabilities
– EC (electronic commerce) requires decision support
– EC requires business intelligence
• SCM software: production planning, manpower utilization, profitability models, market analysis
• Integration of SCM capabilities
• Other added functionalities: CRM, KM
ASP and ERP Outsourcing
• Why ASP or lease?
– Leasing information systems applications
– Back to the days of “time-sharing”
– A risk prevention strategy
– Very popular with ERP (expensive, cumbersome)
Managerial Issues
• Planning order fulfillment: critical for virtual vendors
• Returns: can be a complex issue
• Alliances and software: support SCM
• Connect EC order taking to back-office operations
• EC applications must integrate with SCM
• Integration software: GE Integration Broker, IBM MQSeries, Active Software, NEON
• XML integration packages: from ViewLogic, Extricity, WebMethods
• Enterprise Application Integration:
• http://www.gegxs.com/gxs/education/edu/wpecreports
• http://www.gegxs.com/gxs/education/edu/video2