Making Money on the Net

CSSA's Electronic Commerce Group's highly successful one-day event "Making Money on the Net" was hosted by IBM United Kingdom Ltd. on 3 April 1998 and chaired by David Baxter, Director of Information Society Initiative at the DTI. The conference was aimed at promoting the possibilities of E-Commerce, with a particular focus on SMEs in the Software and Services Industry and the issues most pertinent to them. A synopsis of Gamma's paper "Easy Ways to Manage your Risk" follows.

Easy Ways to Manage your Risk

by Dr. David Brewer

The increase in risk associated with electronic commerce starts as soon as you connect your computer to someone else's. Your system is now open to being hacked or even shut down. Your business may be undercut, or people may even pass themselves off as you. Whether an attacker can do any of these things successfully will depend on the effectiveness of the information security safeguards that you deploy. The impact on your business, should those safeguards prove wanting, will be a function of your dependency on electronic commerce. For example, the impact is likely to be greater if you are dependent on electronic payment than if payments are dealt with off-line.

Information technology has advanced significantly over the past few decades. Once, the mainframe computer was king. Computers were slow and did not talk to other computers. Now the popularity of personal computing and the World Wide Web has made the hacker king. The recent influx of high-quality security products into the marketplace is testimony that technology by itself is unable to cope. Consequently, information security has become a real-time risk management process.
The traditional approach to risk management - scope the problem, determine your information security policy, perform the risk assessment and manage the risks - survives in today's technologically advanced world with carefully crafted scoping and security policy statements and the addition of a new feedback loop.

In scoping the problem, take an "information-centric" view of the world. This will avoid the trap of failing to take account of less obvious vulnerabilities such as people, cell phones and laptops. Define a policy that clearly identifies what your business priorities are concerning information, and why.

In performing the risk assessment, make sure you really know your network: not what you think it is, but what it really is! Identify the vulnerabilities and select the safeguards with a priority that matches the business priorities specified in your security policy. Iterate, choosing alternative safeguards, until you are satisfied with the residual risks and the costs involved.

Implement your chosen safeguards and monitor their effectiveness. Do not assume that they will work as intended. Regularly re-appraise the situation. Even if you do not think anything has changed, regularly repeat the risk assessment (this is the new feedback loop). Assume that your network has changed - most networks do with time! In any case, someone will doubtless have identified new vulnerabilities. Of course, if your business requirements change, you should re-scope the problem and revise the security policy accordingly.

What we have just described is an Information Security Management System (ISMS). If you run it with real-time monitoring, it is a Real-Time ISMS. To make it work efficiently, it requires management expertise, technical skills and technology. There is even a scheme, to be formally announced on 15 April 1988 by Barbara Roche, Minister for Trade and Industry, to formally certify your ISMS against BS7799-2:1998.
A systematic approach to security risk management is the easy way to manage your risks. The alternatives range from having no security to having too much security or, worse, from having the wrong security to having a false sense of security. All such cases represent money down the drain. Gamma offers a comprehensive range of security risk management services.
17 January, 2003