Group presentations for Lo205 e-business Group 26: Lill Hege Harstad, Helene Dimmestøl Group 33: Virginie Crest March 19, 2002
Page 1: Group presentations for  Lo205 e-business

Group presentations for Lo205 e-business

Group 26: Lill Hege Harstad, Helene Dimmestøl

Group 33: Virginie Crest

March 19, 2002

Page 2: Group presentations for  Lo205 e-business

LO 205

• GROUP 33: Virginie Crest

• Security Risk Management Plan for the B2C site:

Interflora.com

Page 3: Group presentations for  Lo205 e-business

Security Risk Management Plan

• Def: determine the security needs of the organization's site.

• It consists of 4 phases:

1. Assessment phase

2. Planning

3. Implementation

4. Monitoring

Page 4: Group presentations for  Lo205 e-business

1. Assessment phase

Evaluation of assets, threats and vulnerabilities on the organisation's site

Page 5: Group presentations for  Lo205 e-business

1.1. Interflora objectives

• Def: select safeguards on the basis of Interflora's objectives and requirements

• Determine Interflora objectives:

- Flower ordering service around the globe

- Quality of their products and customer service.

= Ensure that these services are not disrupted

Page 6: Group presentations for  Lo205 e-business

1.2. Site's Assets

• Def: anything of value that is worth securing (tangible and intangible goods)

• Inventory assets: itemize all the critical tangible and intangible assets on the network in order to secure them:

- customer data (name, addresses, phone number, credit card numbers...)

- passwords

- digital signature

Page 7: Group presentations for  Lo205 e-business

1.3. Site's Threats

• Def: any eventuality that represents a danger to an asset.

• Types of breach:

- infection of company equipment via viruses/malicious code

- use of company computing resources for illegal or illicit communications or activities

- abuse of computer access controls

- use of company computing resources for personal profit

Page 8: Group presentations for  Lo205 e-business

1.3. Site’s threats

• Types of breach:

- viruses

- attacks related to protocol weaknesses

- attacks related to insecure passwords

- DoS (Denial-of-Service) attacks (DNS spoofing, buffer overflows)

Page 9: Group presentations for  Lo205 e-business

1.4. Site’s Vulnerabilities

• Def: weakness in a safeguard. A list is maintained by the Common Vulnerabilities and Exposures (CVE) Board.

• Vulnerabilities:

- authentication: do not need to verify the ID (password and signature)

- auditing: personal information noted in the log file? How? How long?

- confidentiality or privacy: ensure that personal data (e.g., credit card numbers) are not disclosed to unauthorized entities or individuals

Page 10: Group presentations for  Lo205 e-business

1.4. Site’s vulnerabilities

• Vulnerabilities:

- integrity: ensure that personal data are not altered while in transit or after being stored

- non-repudiation: ability to limit parties from refuting that a legitimate transaction took place (e.g., by means of a digital signature)

Page 11: Group presentations for  Lo205 e-business

1.5. Quantitative risk analysis

• Def: quantify the value of each risk in order to prioritize those risks that need safeguarding

• Equation employed: Assets * Threats * Vulnerabilities

Using a range of 1 - 10 to estimate the value of an Asset, the probability of a Threat and the level of Vulnerability gives a computed risk ranging from 1 to 1,000. The closer the result is to 1,000, the higher the risk of an insecure system.

Page 12: Group presentations for  Lo205 e-business

1.5. Quantitative risk analysis

• Total value of the risks:

- Value of Assets: 8

- Probability of threats: 9

- Level of vulnerabilities: 7

• Quantitative risk analysis:

8 * 9 * 7 = 504

Risk quite high = secure Interflora's system.
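To make the prioritization step concrete, here is an added Python example (not part of the presentation) that scores a register of asset/threat pairs with the plan's Assets * Threats * Vulnerabilities formula on the 1-10 scale and ranks them highest risk first; the sample register and its numeric estimates are constructed for illustration, not Interflora's own figures.

```python
"""Quantitative risk scoring as described in the plan:
Risk = Asset * Threat * Vulnerability, each estimated on a 1-10 scale,
so every score lies between 1 and 1,000."""
from dataclasses import dataclass

SCALE = range(1, 11)  # the plan's 1-10 estimation range


@dataclass(frozen=True)
class RiskItem:
    asset: str               # e.g. "customer credit card numbers"
    threat: str              # e.g. "attacks related to insecure passwords"
    asset_value: int         # 1-10: value of the asset
    threat_probability: int  # 1-10: probability of the threat
    vulnerability: int       # 1-10: level of vulnerability


def risk_score(asset_value: int, threat_probability: int, vulnerability: int) -> int:
    """Product of the three 1-10 estimates; rejects values outside the scale."""
    for label, value in (("asset_value", asset_value),
                         ("threat_probability", threat_probability),
                         ("vulnerability", vulnerability)):
        if value not in SCALE:
            raise ValueError(f"{label}={value} is outside the 1-10 scale")
    return asset_value * threat_probability * vulnerability


def prioritize(items: list[RiskItem]) -> list[tuple[RiskItem, int]]:
    """Score every asset/threat pair and return them highest risk first,
    which is the ordering the plan uses to decide what to safeguard."""
    scored = [(item, risk_score(item.asset_value, item.threat_probability,
                                item.vulnerability)) for item in items]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


# Constructed sample register built from the assets and threats the plan lists;
# the numeric estimates are illustrative assumptions, not Interflora's.
SAMPLE_REGISTER = [
    RiskItem("customer credit card numbers", "attacks related to insecure passwords", 10, 8, 7),
    RiskItem("customer names and addresses", "virus / malicious code infection", 6, 9, 5),
    RiskItem("digital signatures", "attacks related to protocol weaknesses", 9, 4, 3),
    RiskItem("web site availability", "DoS attacks", 8, 7, 6),
]

if __name__ == "__main__":
    # The plan's own aggregate estimate: 8 * 9 * 7 = 504
    print("aggregate risk:", risk_score(8, 9, 7))
    for item, score in prioritize(SAMPLE_REGISTER):
        print(f"{score:4d}  {item.asset} <- {item.threat}")
```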

Page 13: Group presentations for  Lo205 e-business

2. Planning phase

Set of security policies

Page 14: Group presentations for  Lo205 e-business

2.1. Define specific policies

• Safeguard instituted through a privacy statement

• Implementation of safeguard in order to prevent the potential threats

• Enforced within 6 months

• Responsible for the safeguard: Interflora headquarters (Zurich, Switzerland)

Page 15: Group presentations for  Lo205 e-business

2.2. Audit and review

• Perform reviews every 6 months

• Performed by a quality management team

Page 16: Group presentations for  Lo205 e-business

2.3. Incident response team and contingency plan

• Responsibilities of the team:

- response to all attacks

- Report major incidents to the CERT (Computer Emergency Response Team)

- Monitor public announcements of attacks at other sites

- Outline response in a contingency plan

Page 17: Group presentations for  Lo205 e-business

3. Implementation phase

Choose particular technologies to deal with high priority threats

Page 18: Group presentations for  Lo205 e-business

3.1. Types of security technology

• Access control (user IDs/passwords) and firewalls (packet filtering routers and application-level proxies)

• Cookies

• Encrypted files

• Encrypted logins

• Intrusion detection system

Page 19: Group presentations for  Lo205 e-business

3.2. Selection of software

• Antivirus software

• Web (HTTP) proxy

• Intrusion Detection System (IDS) software

Page 20: Group presentations for  Lo205 e-business

4. Monitoring phase

Processes used to determine which measures are successful, unsuccessful and need modification

Page 21: Group presentations for  Lo205 e-business

4. Monitoring phase

• The technologies implemented have been a success

• Any new types of threats appearing

• Any changes in the technologies implemented required at the moment

Page 22: Group presentations for  Lo205 e-business

Resume Lecture

• Today, Continue with Chapter 15….

• No lecture on Friday (Easter break begins).

• Lectures resume on April 9th (Tuesday).

Page 23: Group presentations for  Lo205 e-business

Evolution of Software Integration

• Completely independent of each other

– MRP = Material Requirements Planning:

• Inventory

• Production

– MRPII = Manufacturing Requirements Planning

• more integrated

• MRP + Finance + Labor

Page 24: Group presentations for  Lo205 e-business

Evolution of Software Integration (cont.)

• Completely independent of each other

– ERP = Enterprise Resources Planning

• All functional areas

– Extended ERP includes

• Suppliers

• Customers

Page 25: Group presentations for  Lo205 e-business

From SAP to mySAP.com

• SAP=Traditional ERP=Automate and Integrate transactions

• MySAP.com = Web-based comprehensive system

– Workplace - a personalized, role-based interface

– Marketplace - one stop destination for business professionals to collaborate

– Business Scenarios - products for the Internet and intranet

– Application-hosting - hosting Web applications for SMEs

Page 26: Group presentations for  Lo205 e-business

Developing ERP Systems

• Do-it-yourself, from scratch (only a few will)

• Use integrated packages such as R/3 from SAP

• "Best of Breed" approach, using integrating software

• Rent from an ASP service

Page 27: Group presentations for  Lo205 e-business

Post-ERP (2nd Generation)

• 1st generation - transaction processing orientation

• 2nd generation

– Including decision-making capabilities

– EC requires decision support

– EC requires business intelligence

• SCM software: Production Planning, Manpower utilization, Profitability models, market analysis

• Integration of SCM capabilities

• Other added functionalities: CRM, KM

Page 28: Group presentations for  Lo205 e-business

ASP and ERP Outsourcing

• Why ASP or lease?

– Leasing information systems application

– Back to the days of "time-sharing"

– A risk prevention strategy

– Very popular with ERP (expensive, cumbersome)

Page 29: Group presentations for  Lo205 e-business

Managerial Issues

• Planning order fulfillment – critical virtual vendors

• Returns - can be a complex issue

• Alliances and Software - support SCM

• Connect - EC order taking to back-office ops

• EC Applications – must integrate with SCM

• Integration software – GE Integration Broker, IBM MQ series, Active Software, NEON.

• XML integration packages – from ViewLogic, Extricity, WebMethods

• Enterprise Application Integration –

• http://www.gegxs.com/gxs/education/edu/wpecreports

• http://www.gegxs.com/gxs/education/edu/video2