
Group presentations for Lo205 e-business






Presentation Transcript


  1. Group presentations for Lo205 e-business Group 26: Lill Hege Harstad, Helene Dimmestøl Group 33: Virginie Crest March 19, 2002

  2. LO 205 • GROUP 33: Virginie Crest • Security Risk Management Plan for the B2C site: Interflora.com

  3. Security Risk Management Plan • Def: determine the security needs of the organization's site. • It consists of 4 phases: 1. Assessment phase 2. Planning 3. Implementation 4. Monitoring

  4. 1. Assessment phase • Evaluation of assets, threats and vulnerabilities on the organisation's site

  5. 1.1. Interflora objectives • Def: select safeguards on the basis of Interflora's objectives and requirements • Determine Interflora's objectives: - Flower ordering service around the globe - Quality of their products and customer service • = Ensure that these services are not disrupted

  6. 1.2. Site's Assets • Def: anything of value that is worth securing (tangible and intangible goods) • Inventory assets: itemize all the critical tangible and intangible assets on the network in order to secure them: - customer data (name, addresses, phone number, credit card numbers...) - passwords - digital signature

  7. 1.3. Site's Threats • Def: any eventuality that represents a danger to an asset. • Types of breach: - infection of company equipment via viruses / malicious code - use of company computing resources for illegal or illicit communications or activities - abuse of computer access controls - use of company computing resources for personal profit

  8. 1.3. Site's Threats (cont.) • Types of breach: - viruses - attacks related to protocol weaknesses - attacks related to insecure passwords - DoS (Denial-of-Service) attacks (DNS spoofing, buffer overflows)

  9. 1.4. Site's Vulnerabilities • Def: weakness in a safeguard. List maintained by the Common Vulnerabilities and Exposures Board (CVE) • Vulnerabilities: - authentication: no need to verify the ID (password and signature) - auditing: is personal information noted in the log file? How? For how long? - confidentiality or privacy: ensure that personal data (e.g., credit card numbers) are not disclosed to unauthorized entities or individuals

  10. 1.4. Site's Vulnerabilities (cont.) • Vulnerabilities: - integrity: ensure that personal data are not altered while in transit or after being stored - non-repudiation: ability to limit parties from refuting that a legitimate transaction took place (e.g., by means of a digital signature)

  11. 1.5. Quantitative risk analysis • Def: quantify the value of each risk in order to prioritize those risks that need safeguarding • Equation employed: Assets * Threats * Vulnerabilities • Using a range of 1 - 10 to estimate the value of an Asset, the probability of a Threat and the level of Vulnerability, the computed risk ranges from 1 to 1,000. The closer the result is to 1,000, the higher the risk of an insecure system.

  12. 1.5. Quantitative risk analysis (cont.) • Total value of the risks: - Value of Assets: 8 - Probability of threats: 9 - Level of vulnerabilities: 7 • Quantitative risk analysis: 8 * 9 * 7 = 504 • Risk quite high = secure Interflora's system.
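The scoring rule of slides 11 and 12, as an added example that is not part of the original presentation: it validates each 1-10 estimate, applies Assets * Threats * Vulnerabilities, and ranks a constructed asset inventory (the asset names come from slide 6; the factor values other than the 8 * 9 * 7 row, and the high-risk threshold of 500, are assumptions for this example).

```python
from dataclasses import dataclass

SCALE_MIN, SCALE_MAX = 1, 10
MAX_RISK = SCALE_MAX ** 3  # 1,000, the top of the risk range on slide 11
# Threshold for "high risk" is an assumption for this example; the slides give
# no cut-off, only that a score of 504 was judged "quite high".
HIGH_RISK_THRESHOLD = 500


@dataclass(frozen=True)
class RiskItem:
    asset: str
    asset_value: int          # value of the asset, 1-10
    threat_probability: int   # probability of a threat, 1-10
    vulnerability_level: int  # level of vulnerability, 1-10


def _check_scale(name: str, value: int) -> None:
    """Reject estimates outside the 1-10 range used in the slides."""
    if not isinstance(value, int) or not SCALE_MIN <= value <= SCALE_MAX:
        raise ValueError(f"{name} must be an integer in [{SCALE_MIN}, {SCALE_MAX}], got {value!r}")


def risk_score(asset_value: int, threat_probability: int, vulnerability_level: int) -> int:
    """Compute Assets * Threats * Vulnerabilities after validating each factor."""
    _check_scale("asset_value", asset_value)
    _check_scale("threat_probability", threat_probability)
    _check_scale("vulnerability_level", vulnerability_level)
    return asset_value * threat_probability * vulnerability_level


def prioritize(items: list[RiskItem]) -> list[tuple[str, int, bool]]:
    """Return (asset, score, high_risk) tuples, highest score first."""
    scored = [(i.asset, risk_score(i.asset_value, i.threat_probability, i.vulnerability_level)) for i in items]
    scored.sort(key=lambda pair: pair[1], reverse=True)
    return [(asset, score, score >= HIGH_RISK_THRESHOLD) for asset, score in scored]


# Constructed sample inventory; the factor values are illustrative assumptions
# except the first row, which reproduces slide 12 (8 * 9 * 7 = 504).
SAMPLE_INVENTORY = [
    RiskItem("whole site (slide 12 estimate)", 8, 9, 7),
    RiskItem("customer credit card numbers", 10, 8, 6),
    RiskItem("passwords", 7, 9, 5),
    RiskItem("digital signatures", 6, 4, 3),
]

if __name__ == "__main__":
    for asset, score, high in prioritize(SAMPLE_INVENTORY):
        print(f"{asset:32s} {score:4d}/{MAX_RISK} {'HIGH' if high else 'ok'}")
```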

  13. 2. Planning phase Set of security policies

  14. 2.1. Define specific policies • Safeguard instituted through a privacy statement • Implementation of safeguards in order to prevent the potential threats • Enforced within 6 months • Responsible for the safeguard: Interflora headquarters (Zurich, Switzerland)

  15. 2.2. Audit and review • Perform reviews every 6 months • Performed by a quality management team

  16. 2.3. Incident response team and contingency plan • Responsibilities of the team: - respond to all attacks - report major incidents to the CERT (Computer Emergency Response Team) - monitor public announcements of attacks at other sites - outline the response in a contingency plan

  17. 3. Implementation phase Choose particular technologies to deal with high priority threats

  18. 3.1. Types of security technology • Access control (user IDs / passwords) and firewalls (packet filtering routers and application-level proxies) • Cookies • Encrypted files • Encrypted logins • Intrusion detection system

  19. 3.2. Selection of software • Antivirus software • Web (HTTP) proxy • Intrusion Detection System (IDS) software

  20. 4. Monitoring phase Processes used to determine which measures are successful, unsuccessful and need modification

  21. 4. Monitoring phase (cont.) • Whether the technologies implemented have been a success • Any new types of threats appearing • Any changes to the technologies implemented that are required at the moment

  22. Resume Lecture • Today, continue with Chapter 15… • No lecture on Friday (Easter break begins). • Lectures resume on April 9th (Tuesday).

  23. Evolution of Software Integration • Completely independent of each other • MRP = Material Requirements Planning: - Inventory - Production • MRPII = Manufacturing Requirements Planning - more integrated - MRP + Finance + Labor

  24. Evolution of Software Integration (cont.) • Completely independent of each other • ERP = Enterprise Resources Planning - All functional areas • Extended ERP includes - Suppliers - Customers

  25. From SAP to mySAP.com • SAP = Traditional ERP = Automate and integrate transactions • mySAP.com = Web-based comprehensive system - Workplace: a personalized, role-based interface - Marketplace: one-stop destination for business professionals to collaborate - Business Scenarios: products for the Internet and intranet - Application hosting: hosting Web applications for SMEs

  26. Developing ERP Systems • Do-it-yourself, from scratch (only a few will) • Use integrated packages such as R/3 from SAP • "Best of Breed" approach, using integrating software • Rent from an ASP service

  27. Post-ERP (2nd Generation) • 1st generation: transaction processing orientation • 2nd generation: - Including decision-making capabilities - EC requires decision support - EC requires business intelligence - SCM software: production planning, manpower utilization, profitability models, market analysis - Integration of SCM capabilities - Other added functionalities: CRM, KM

  28. ASP and ERP Outsourcing • Why ASP or lease? - Leasing information systems applications - Back to the days of "time-sharing" - A risk prevention strategy - Very popular with ERP (expensive, cumbersome)

  29. Managerial Issues • Planning order fulfillment: critical for virtual vendors • Returns: can be a complex issue • Alliances and software: support SCM • Connect EC order taking to back-office operations • EC applications must integrate with SCM • Integration software: GE Integration Broker, IBM MQ Series, Active Software, NEON • XML integration packages: from ViewLogic, Extricity, WebMethods • Enterprise Application Integration: http://www.gegxs.com/gxs/education/edu/wpecreports • http://www.gegxs.com/gxs/education/edu/video2
