How do you secure a webshop, an electronic car, an office management system? Securing an IT-enabled product requires you to consider many topics, and overlooking a single topic can be enough to leave that product with a security flaw.
Suppose you run a webshop that sells books. Which security measures do you need to protect the data about the books you sell, their availability and prices, and your customers' transactions?
Software developers will think about security in source code and application logic, whilst system and network administrators will think of the IT infrastructure on which the application runs. Who has the holistic view of all the security measures that should be in place? When you build an eCommerce webshop, are your IT processes equipped to operate online, or are they only fit for internal office automation? Being online means being operational 24/7, and it means assuming you are under attack 24/7; is that also your requirement?
And what does an online webshop imply for your business processes? How do business processes support the protection of your webshop data? How do you ensure that you not only have a webshop that sells, but also mitigate the risks that come with running an eCommerce webshop, such as online fraud?
Naturally, the clean approach is to determine the requirements for a product by applying the following steps:
- evaluate the business sensitivity of the product
- determine the potential risks, including their likelihood and impact
- set security requirements that keep the relevant risks from materialising
In practice, for every IT-enabled product, security requirements cover both manual and automated processes, and both business-specific and generic functionality. Combining these two dimensions gives four topics that you should address:
- administrative business process controls
- application controls
- IT infrastructure controls
- IT management process controls
Once you go into depth, you will find that each of these four topics has sub-topics of its own to consider.
This model can help you to set product security requirements effectively and efficiently, to build an IT-enabled product, and also to assess the risks of an IT-enabled product.
As your homework, I recommend applying this model to assess the security of a product in your organisation, for instance your newest website. It will be interesting to evaluate whether all (sub-)topics are covered, and whether a missing (sub-)topic causes risks to the website you assess.