A total e-commerce security program consists of protection programs that combine available technologies (hardware and software), people, strategic planning, and management programs designed and implemented to protect the firm's e-commerce resources and operations. Such a program is essential to the survivability of the business's e-commerce efforts, and the organization should treat it as an integral component of its e-commerce strategy rather than as an add-on. Its success depends on the complete support of top management and on the full participation of both the IT department and line management, who must understand what the program can and cannot protect against. In addition, such a program requires continuous assessment and evaluation to make sure that its tools and solutions are up to date and have incorporated the latest technologies and management practices.
The first step toward developing a total e-commerce security program is to conduct a full assessment of the value and importance of e-commerce to the firm's overall business plan and objectives. The next step is to assess the vulnerability of the firm's e-commerce system, both in terms of the threats posed to the system internally and the risks that exist externally. External vulnerabilities are comparatively easy to identify, because an attacker outside the firm must reach the system through exposed interfaces that can be enumerated and tested; internal vulnerabilities are harder to see, because an insider already holds legitimate access and misuse looks much like normal use. Nevertheless, every attempt should be made to identify the areas in which the system can be misused internally. Talking to both system users and developers goes a long way toward this, since they know which controls are routinely bypassed and which functions grant more access than a role needs. In addition, many software packages will monitor overall use of and access to the system by internal users, log that activity, and flag patterns that may indicate suspicious behavior.
The next step is to begin developing an e-commerce continuity plan that clearly maps out all foreseeable shortcomings, ways to prevent and deal with them, and contingency plans for recovering from security threats and breaches. Many businesses tend to believe that having anti-virus programs on their systems and firewalls installed totally protects those systems. These are excellent beginning steps; however, even with these measures in place, e-commerce systems still face the following shortcomings: (1) fire/explosion; (2) intentional destruction of hardware, software, and data/information; (3) theft of hardware and software; (4) loss of key e-commerce security personnel; (5) loss of utilities; (6) loss of technology; (7) loss of communications; and (8) loss of vendors. The threats to each of these areas should be carefully assessed, and contingency plans should be developed that explain in detail how to deal with each potential shortcoming. Furthermore, the plan should name the individuals responsible for taking the lead in correcting the problems associated with each shortcoming.
Next, organizations should assess the hardware and software available to protect the firm's e-commerce system. It is important to understand that the technologies used must be adequate to meet the needs of the firm's system and provide the required level of protection against each of the identified security threats. Critical areas to consider include the sensitivity of the data/information accessed, the volume of access traffic, and the methods of access. Technology-based e-commerce security should consist of several layers of security, using either SSL (Secure Socket Layer, today superseded by TLS) or SET (Secure Electronic Transaction, a payment-card-specific scheme that was never widely adopted) to secure online transactions in transit. Note that these protocols protect the channel between the customer and the server; they do not by themselves protect data once it is stored, nor the application logic behind the server, so the remaining layers (access control, application security, and monitoring) are still required. The overall goal of technology-based security should be to provide effective authentication, integrity, encryption (confidentiality), and non-repudiation. During this stage of developing the total e-commerce security program, many firms use the expertise of outside firms that specialize in assessing technology-based security systems.
The most important component of any effective security program is the people who administer and operate it. Security breaches are not committed by systems but by the people who manage them and their users. Most past studies have indicated that the internal threats to e-commerce systems are often much greater than the external threats. In many cases, the criminals who succeed in breaking into a system either have prior knowledge of the system or have an internal co-conspirator. The most important tool in management's hands for reducing internal threats is educating all parties involved, both the internal user community and system management personnel, about the consequences of violating system security and integrity. Users should be made aware that breaking into an information system is a crime (in the United States, a federal one), and that violators can be prosecuted. By informing users, the firm creates a degree of deterrence that will discourage many from violating the law.
Developing a sound and effective strategic plan for e-commerce security is an important task. Such a strategy should state the overall goal of the total e-commerce security program, together with its objectives and scope, and it should be in line with the firm's overall e-commerce business strategy. One of its objectives should be to protect all of the firm's e-commerce resources and to allow the business to recover from any interruption of operations as quickly as possible, minimizing revenue losses and the cost of recovery. The strategic plan should also identify the resources needed to support the goals and objectives, as well as the constraints and limitations it faces. Additionally, it should identify the key human resources, management structures, and decision-makers responsible for implementing the various e-commerce security programs developed as part of the strategic plan.
The success of a total e-commerce security program depends on the effective management of that program. Management support begins with top management and continues through all other levels of management. Such a program must be directly managed and monitored by a senior manager in a larger organization, and perhaps directly by the owner or president in a medium-sized or smaller company. The program manager's primary responsibility should be to keep the strategic plan fully up to date, implement its programs, and continuously reassess the effectiveness of the existing programs. Part of this person's responsibility should be to learn from the effective practices of other organizations' e-commerce security programs. That knowledge can be gained by reading published case studies, books on the subject, and published articles.