Security Policy
Characteristics Important to Security in the SME
The basis of using certificates in e-business for the protection of the organisation's information assets is as follows:
- Authentication - validating the identity of both parties in the transaction process, which is crucial to e-business. (Done using public key cryptography, as outlined earlier in this chapter.)
- Privacy - confidentiality of communications and data, provided through encryption and content security.
- Confidentiality - information travelling on the Internet may not be highly confidential, but it may be sensitive enough to allow a competitor to gain an advantage. The cryptographic algorithms associated with SSL, DES and PKI will prevent any unwanted breach of confidential information to the outside world. In the case of some service companies, such as solicitors, this confidentiality is very important.
- Integrity - proof that content has not been altered. This is very important in areas where correct information is required.
- Non-Repudiation - the use of digital certificates (signatures) provides ample proof that the transaction took place. Neither party to the transaction can repudiate the order or payment having been placed or received. Should third-party arbitration be required to resolve a disagreement, these attributes of digital signatures prove that the transaction took place.
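The four properties listed above can be seen concretely in a signed-order exchange. The following is an added example, not code from this chapter or from any product it names: it uses the Ed25519 signature scheme from Go's standard library in place of the certificate-based SSL/PKI tooling the chapter refers to, and the party names, the order text and the simple name-to-key binding are constructed for illustration (in a real PKI the public key would be bound to the party by a certificate issued by a CA).

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Party is a transaction participant with a signing key pair. In a PKI the
// public key is bound to the party's name by a certificate from a CA; here the
// binding is just a struct field (a simplification assumed for this example).
type Party struct {
	Name string
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

// NewParty generates a fresh Ed25519 key pair for the named party.
func NewParty(name string) (*Party, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Party{Name: name, Pub: pub, priv: priv}, nil
}

// SignedOrder carries an order together with the signature over its bytes and
// the name of the claimed signer.
type SignedOrder struct {
	Signer    string
	Order     []byte
	Signature []byte
}

// SignOrder produces a signature that only the holder of p.priv can create.
func (p *Party) SignOrder(order []byte) SignedOrder {
	return SignedOrder{Signer: p.Name, Order: order, Signature: ed25519.Sign(p.priv, order)}
}

// Verify is what the other party, or a third-party arbiter, runs. It needs only
// the signer's public key. A true result establishes:
//   - integrity: the order bytes are exactly what was signed;
//   - authentication: the signature was made with the matching private key;
//   - non-repudiation: the signer cannot plausibly deny it, because nobody else
//     holds that private key.
func Verify(pub ed25519.PublicKey, so SignedOrder) bool {
	if len(pub) != ed25519.PublicKeySize {
		return false // ed25519.Verify panics on a malformed key; reject instead
	}
	return ed25519.Verify(pub, so.Order, so.Signature)
}

// Fingerprint gives a short identifier for a public key, much as a certificate
// thumbprint does, so an arbiter can record which key it checked against.
func Fingerprint(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:8])
}

func main() {
	buyer, err := NewParty("buyer")
	if err != nil {
		panic(err)
	}
	seller, err := NewParty("seller")
	if err != nil {
		panic(err)
	}

	// Constructed sample order message.
	order := []byte("PO-0001: 200 units at EUR 4.50, deliver by 2000-06-30")
	signed := buyer.SignOrder(order)
	fmt.Printf("buyer key %s, genuine order verifies: %v\n",
		Fingerprint(buyer.Pub), Verify(buyer.Pub, signed))

	// Integrity: changing a single byte of the order invalidates the signature.
	tampered := signed
	tampered.Order = []byte("PO-0001: 200 units at EUR 4.00, deliver by 2000-06-30")
	fmt.Printf("tampered order verifies: %v\n", Verify(buyer.Pub, tampered))

	// Authentication: the signature does not verify under any other party's key,
	// so the seller could neither have produced it nor claim it as their own.
	fmt.Printf("verifies under seller key: %v\n", Verify(seller.Pub, signed))
}
```

Note that `Verify` takes only the public key: an arbiter settling a dispute never needs either party's private key, which is exactly why the signature serves as evidence rather than merely as a check between the two parties.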
SME E-Business Security
These organisations require different levels of security dependent upon their individual business areas; for example, a solicitor's firm would require very strong internal and external security to protect the confidence of its clients. In contrast, a lesser level of security would be required within a travel agency for its clients. Different material may be sensitive for different reasons.
For all organisations doing e-business there is a basic need for security against internal and external threats.
When becoming an e-commerce company, the business must ensure it has the correct hardware and software required for the secure interchange and processing of information between it and its customers.
Implementation of Security
Within smaller companies such as Irish SMEs, knowledge dissemination may be needed to ensure that e-business is carried on regardless of any hurdles that might need to be overcome. In smaller companies overall responsibility for security should rest with a small number of people, but trusting employees is imperative for the daily running of e-business.
The business information that needs to be secured is divided here into categories, each explained in detail, with the emphasis on understanding each of the areas involved.
Market Sensitive Proprietary Information
This can easily be transmitted on the Internet, and as such security measures must be put in place, such as the security/network administrator limiting access to certain files. This prevents copies being made and transmitted, erroneously or otherwise, by employees.
Financial Information
This is usually high on the security coverage list. Integrity and authenticity are key here, even more so than confidentiality, as most decisions would be based on this type of information. Should an attacker gain access to this information, the company or organisation could be at great risk.
Trade secrets / Process technology Information
These should not be made available on the Internet but should be secured behind security gateways warranted by the nature of the secret.
Human Resources Information
Privacy is very much an issue here. Detailed personal information is held by the department and should be kept in a secure database that is not directly connected to the Internet. It may be made available on a wide area network which is accessible only internally and which allows human resources personnel to use it for staff resource management across locations. If this WAN is open to connection through the Internet, it must be secured by use of a firewall. Although a risk is still present, it has been greatly reduced.
Customer Information
This may be subject to the contract between the organisation and the client. Some companies associated with the organisation may wish to have their profile information shown on web pages as key clients and as advertising to other business customers. This generally benefits both parties in the B2B transaction. It is usually subject to formal approval, and would more than likely involve a higher level of commitment to these customers and a better quality of service to ensure their continued support for the service. Confidential and sensitive material on the account would be kept as secure as possible. Companies that keep sensitive information regarding their clients or business partners need to provide reassurance that they are a reputable and trustworthy company to do business with, and they may publish a policy in accordance with the terms of the Data Protection Act (see Chapter 7 for more details).
Information Products: Transitory Information
Day-to-day correspondence on the Internet, memos, draft proposals, plans, objectives, etc. Individually these items may not mean much, but they could be of strategic importance to an outside party. For this reason SMEs should depend on certificates for security and use a secure communications methodology such as Safemail from Post Trust. This utilises public key cryptography, which is safe, using 64-bit encryption technology.
Further Security Information
The Information Security Forum
"The forum is an independent, not-for-profit association of leading organisations dedicated to clarifying and resolving key issues in information security and developing security solutions that meet the business needs of its members" (Information Security Forum, 2000)
Conclusion
SMEs should concentrate on keeping their systems up to date. The System Administrator (SA) must ensure that anti-virus and firewall software is upgraded at appropriate intervals. All security applications must carry a guarantee from the manufacturer, within the licence agreement, that there are no backdoors into the software. A good approach is to use an overall anti-virus and firewall package dedicated to the network OS. Regular maintenance of the network for upgrades while offline is essential, and the SA should inform the company's users when such maintenance is scheduled.