
©Bowen Hui, Beyond the Cube Consulting Services Ltd.

ACS 3907 E-Commerce

Lecture 11-3

Instructor: Kerry Augustine


Policy Solutions


Developing an E-commerce Security Plan

Figure 5.12, Page 305

Copyright © 2013 Pearson Education, Inc. Slide 5-3


1. Risk Assessment

a) Create an inventory of information and knowledge assets
  – Ask “what info is at risk?”
  – E.g., customer info, proprietary designs, secret processes, price schedules, payroll, etc.

b) For each type of info from (a), estimate the dollar value to the firm if that info is compromised

c) For each item in (a), estimate the chance that the info will be compromised or lost, and multiply this probability by the corresponding dollar value from (b)

d) Rank all items by the result of (c) to obtain a priority list of info assets


2. Security Policy

• Set of statements prioritizing information risks, identifying acceptable risk targets, and identifying ways of achieving these targets

• Start with the asset of highest priority
  – Who generates or controls this info in the firm?
  – How is the info currently protected?
  – How can protection of this info be improved?

• What level of risk are you willing to accept for each asset?
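As an added worked example (not from the lecture), the risk-assessment steps (a) to (d) and the security-policy question of what level of risk to accept per asset, in Python. The inventory, dollar values, probabilities and acceptable-risk targets are constructed for illustration, and `AssetRisk`, `rank_assets` and `needs_better_protection` are names chosen here.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class AssetRisk:
    """One row of the inventory from step (a) with the estimates from (b) and (c)."""
    name: str
    loss_if_compromised: float  # (b): dollar value to the firm if this info is compromised
    p_compromise: float         # (c): estimated probability of compromise or loss (e.g. per year)

    @property
    def expected_loss(self) -> float:
        # (c): probability multiplied by the dollar value from (b)
        return self.p_compromise * self.loss_if_compromised


def rank_assets(inventory):
    """Step (d): the priority list, highest expected loss first.
    Estimates are validated so a typo (p > 1, negative loss) cannot silently skew the ranking."""
    for a in inventory:
        if not 0.0 <= a.p_compromise <= 1.0:
            raise ValueError(f"{a.name}: probability must be in [0, 1]")
        if a.loss_if_compromised < 0:
            raise ValueError(f"{a.name}: loss must be non-negative")
    return sorted(inventory, key=lambda a: a.expected_loss, reverse=True)


def needs_better_protection(inventory, acceptable_risk):
    """Security-policy step: compare each asset's expected loss with the level of risk the
    firm is willing to accept for it (same units) and return, in priority order, the assets
    whose current exposure exceeds that target. An asset with no stated target is treated
    as accepting no risk at all, so it is always flagged (a missing decision is not a decision)."""
    return [a for a in rank_assets(inventory)
            if a.expected_loss > acceptable_risk.get(a.name, 0.0)]


# Constructed inventory (step a); the dollar figures and probabilities are illustrative only.
INVENTORY = [
    AssetRisk("customer info", 2_000_000, 0.10),
    AssetRisk("proprietary designs", 5_000_000, 0.02),
    AssetRisk("secret processes", 3_000_000, 0.05),
    AssetRisk("price schedules", 200_000, 0.30),
    AssetRisk("payroll", 800_000, 0.08),
]

# Constructed acceptable-risk targets: the expected loss the firm will tolerate per asset.
ACCEPTABLE_RISK = {
    "customer info": 50_000,
    "proprietary designs": 150_000,
    "secret processes": 100_000,
    "price schedules": 75_000,
    "payroll": 50_000,
}

if __name__ == "__main__":
    for a in rank_assets(INVENTORY):
        print(f"{a.name:20} expected loss ${a.expected_loss:>12,.0f}")
    flagged = [a.name for a in needs_better_protection(INVENTORY, ACCEPTABLE_RISK)]
    print("needs better protection:", flagged)
```

With these constructed numbers the ranking is customer info, secret processes, proprietary designs, payroll, price schedules; the policy comparison then flags customer info, secret processes and payroll as exceeding their accepted level, while proprietary designs (high value, low probability) and price schedules fall within it. The point a practitioner should take from this is that the priority list and the list of assets needing work are different outputs: the first is driven only by expected loss, the second by expected loss against a stated appetite.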


3. Implementation Plan

• Actions taken to achieve the goals set by the security plan

• Establish or determine the set of tools, technologies, policies, and procedures needed to enforce the security policy

• Larger firms may employ a security officer from an (external) security organization


4. Security Organization

• Responsibilities include:
  – Educates and trains users of the site
  – Keeps management aware of security threats and breakdowns
  – Maintains the tools chosen in the implementation plan

• Small firms typically use the website manager as security officer

• Administers:
  – Access controls = rules specifying which outsiders can gain access into the network
    • Outsider access control: firewalls, proxies
    • Insider access control: login, access codes
  – Authentication procedures = ways of determining one’s true identity
    • Digital signatures, certificates of authority, PKI, biometric devices (e.g., fingerprint scan)
  – Authorization policies = specification of different levels of access to info assets per user (group)
    • Authorization management system = system that establishes where and when users have permissions to each portion of the site


5. Security Audit

• Involves routine review of access logs

• Identifies how outsiders are using the site

• Identifies how insiders access the site’s assets

• Monthly report on routine and non-routine data access

• Identifies unusual patterns of behaviour/activities
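An added example, not part of the lecture, that ties the security organization's access and authorization controls (step 4) to the security audit (step 5): a deny-by-default authorization policy with an outsider rule, and a routine log review that uses that policy to separate routine access from denied attempts, off-hours access, and accesses that were granted although the policy forbids them. The policy, the 10.0.0.0/8 internal network, the business hours, the key=value log format and the log lines are all constructed for illustration; `is_authorized` and `audit_access_log` are names chosen here.

```python
import ipaddress
from collections import Counter
from datetime import datetime, timezone

# --- Step 4: authorization policy and access control --------------------------
# Constructed policy (not the lecture's): user group -> portion of the site -> level.
READ, WRITE = 1, 2
POLICY = {
    "anonymous": {"catalog": READ},
    "customer":  {"catalog": READ, "own_orders": READ},
    "sales":     {"catalog": READ, "price_schedules": READ, "customer_info": READ},
    "finance":   {"catalog": READ, "price_schedules": WRITE, "payroll": WRITE},
}
PUBLIC_PORTIONS = {"catalog"}                      # all that an outsider may reach
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")  # "insider" = request from this network
BUSINESS_HOURS = range(8, 19)                      # 08:00-18:59 UTC, constructed


def is_authorized(group, portion, action, src_ip):
    """Deny by default. The outsider access control (the firewall/proxy rule) is
    applied first, then the authorization policy for the user's group."""
    needed = {"read": READ, "write": WRITE}.get(action)
    if needed is None:                      # unknown action: never allowed
        return False
    if ipaddress.ip_address(src_ip) not in INTERNAL_NET and portion not in PUBLIC_PORTIONS:
        return False                        # outsiders only reach public portions
    return POLICY.get(group, {}).get(portion, 0) >= needed


# --- Step 5: security audit over the access log -------------------------------
# Constructed log lines in a made-up key=value format; timestamps are UTC.
SAMPLE_LOG = """\
2020-07-01T09:13:44Z user=alice group=sales src=10.0.0.5 asset=catalog action=read status=200
2020-07-01T09:15:02Z user=alice group=sales src=10.0.0.5 asset=price_schedules action=read status=200
2020-07-01T10:02:19Z user=bob group=finance src=10.0.1.8 asset=payroll action=write status=200
2020-07-02T03:41:07Z user=alice group=sales src=10.0.0.5 asset=payroll action=read status=403
2020-07-02T03:42:11Z user=alice group=sales src=10.0.0.5 asset=payroll action=read status=403
2020-07-02T03:43:29Z user=alice group=sales src=10.0.0.5 asset=payroll action=read status=403
2020-07-03T14:20:00Z user=anon group=anonymous src=203.0.113.7 asset=catalog action=read status=200
2020-07-03T14:21:13Z user=anon group=anonymous src=203.0.113.7 asset=customer_info action=read status=200
2020-07-04T11:05:55Z user=bob group=finance src=10.0.1.8 asset=proprietary_designs action=read status=200
2020-07-05T23:10:40Z user=bob group=finance src=10.0.1.8 asset=payroll action=read status=200
"""
DENIED_THRESHOLD = 3  # repeated denials by one user are worth a closer look


def parse_line(line):
    """Parse one constructed record into a dict; the timestamp becomes an aware datetime."""
    ts, rest = line.split(" ", 1)
    rec = dict(kv.split("=", 1) for kv in rest.split())
    rec["time"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    rec["status"] = int(rec["status"])
    return rec


def audit_access_log(log_text):
    """Routine review of the access log. Each record is classified as routine, denied,
    a policy violation (access granted that the policy forbids, i.e. the enforcement
    point disagrees with the policy) or off-hours; users with repeated denials are
    listed separately. Returns the material for the monthly report."""
    report = {"routine": 0, "denied": 0, "policy_violations": [],
              "off_hours": [], "repeated_denials": {}}
    denials = Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        r = parse_line(line)
        allowed = is_authorized(r["group"], r["asset"], r["action"], r["src"])
        entry = (r["time"].isoformat(), r["user"], r["asset"], r["action"])
        if r["status"] == 403:
            report["denied"] += 1
            denials[r["user"]] += 1
        elif not allowed:
            report["policy_violations"].append(entry)
        elif r["time"].hour not in BUSINESS_HOURS:
            report["off_hours"].append(entry)
        else:
            report["routine"] += 1
    report["repeated_denials"] = {u: n for u, n in denials.items() if n >= DENIED_THRESHOLD}
    return report


if __name__ == "__main__":
    for key, value in audit_access_log(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the constructed log this yields four routine accesses, three denials (all by one user, so that user appears under repeated denials), one off-hours access, and two policy violations: an outsider who reached customer information, and a finance user who read proprietary designs. The violations are the finding a security officer most wants from the audit, because a request that succeeded although the written policy forbids it means the control that should enforce the policy (firewall, proxy, or application check) is not doing so.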


Laws and Public Policies

• Govern and supervise certain aspects of Internet use

• Examples:
  – Computer Fraud and Abuse Act (1986)
  – Electronic Communications Privacy Act (1986)
  – CAN-SPAM Act (2003)
  – U.S. SAFE WEB Act (2006)

• Additional efforts:
  – Computer Emergency Response Team (CERT) Coordination Center monitors and tracks online criminal activity
  – Organization for Economic Co-operation and Development (OECD) released Guidelines for the Security of Information Systems and Networks


Legal Environment and Issues

See supplementary notes


Legal Environment of EC

• Online businesses must comply with the same laws that govern the operations of all businesses

• The same set of penalties is applied to online and traditional businesses
  – Fines
  – Court-imposed dissolution
  – Jail time for owners/operators

• Additional factors for EC businesses:
  – Reach beyond traditional boundaries – subject to more regulations
  – Increased speed and efficiency of business communications


Jurisdiction on the Internet

• Jurisdiction = ability of a government to exert control over a person or corporation

• Governments that want to enforce laws on EC business conduct must establish jurisdiction over that conduct

• People/corporations that wish to enforce their rights (via contract or tort law) must file claims in court for a hearing
  – Contract = promises between two or more entities, exchange of value
  – Tort = intentional or negligent action taken by a legal entity that causes harm to another legal entity

• A court has sufficient jurisdiction if it has both:
  – Subject matter jurisdiction – different government levels are responsible for handling predetermined issues
  – Personal jurisdiction – ability of a legal entity (court) to assume control and enforce its decisions on you

• Complex area – which laws apply? Foreign courts may take jurisdiction

• Seek legal advice


Intellectual Property

• IP = general term that includes all products of the human mind

• IP rights include protections through granting copyrights, patents, trademarks

• Copyright infringement
  – Stolen rights to literary or artistic work

• Patent infringement
  – Stolen rights to make, use, or sell an invention for a fixed time period

• Trademark infringement
  – Stolen rights to a distinctive mark, device, motto, or implement that a company affixes to its products for identification purposes


Privacy Rights and Obligations


Personal Information Protection and Electronic Documents Act (PIPEDA)

The law gives individuals the right to:

• know why an organization collects, uses or discloses their personal information;

• expect an organization to collect, use or disclose their personal information reasonably and appropriately, and not use the information for any purpose other than that to which they have consented;

• know who in the organization is responsible for protecting their personal information;

• expect an organization to protect their personal information by taking appropriate security measures;

• expect the personal information an organization holds about them to be accurate, complete and up-to-date;

• obtain access to their personal information and ask for corrections if necessary; and

• complain about how an organization handles their personal information if they feel their privacy rights have not been respected.


Privacy Rights and Obligations


Personal Information Protection and Electronic Documents Act (PIPEDA)

The law requires organizations to:

• obtain consent when they collect, use or disclose their personal information;

• supply an individual with a product or a service even if they refuse consent for the collection, use or disclosure of your personal information unless that information is essential to the transaction;

• collect information by fair and lawful means; and

• have personal information policies that are clear, understandable and readily available.


Bill C-51

• Bill C-51, also known as the Anti-terrorism Act, 2015, was designed to “encourage and facilitate information sharing between Government of Canada institutions in order to protect Canada against activities that undermine the security of Canada.”

• The Conservative Party introduced the act in January 2015 after the Parliament Hill shooting of October 2014. The government wants to allocate more power to police services and security institutions like the Canadian Security Intelligence Service (CSIS) to keep a closer eye on potentially dangerous terrorism situations and prevent future attacks.

• According to the act’s official summary, Bill C-51 would ensure safer transportation services for Canadians, allow law enforcement to step in and arrest, without question, a person they suspect is about to carry out a terrorist attack, and it would increase the protection of witnesses who come forward with information on a potential terrorist attack. Essentially, the government would increase its role in national security to keep a constant watchful eye on potentially harmful situations and end them before anyone is hurt or killed.

• Civil liberty groups and other critics have claimed the bill stretches the definition of security to potentially include peaceful protests, further restricts freedom of expression, and raises privacy concerns, since the act would allow federal institutions such as Health Canada and Revenue Canada to share private information with the RCMP. Critics have also expressed grave concerns that it fails to define terrorism clearly, and in attempting to remove all terrorist propaganda from the Internet will effectively try to censor freedom of expression on the Internet.

• Bill C-51 received royal assent on June 18, 2015 amidst much controversy.


MAINTAINING PROFESSIONALISM ON FACEBOOK


Maintaining a Professional Image Utilizing Social Network (Facebook)

• Choose your “friends” wisely.
  – Avoid “friending” individuals that may post inappropriate comments on your wall or send you inappropriate group requests.
  – Do not accept friend requests from anyone you do not know.

• Post content with discernment.
  – Any content posted on Facebook should be considered public information.
  – Only display on your profile or page what you would display on your desk (Sohn, 2007).
  – Think about your coworkers, supervisors, clients, or even the university president walking by.

• Never use Facebook as an outlet for frustration.
  – You never want to post content that you will regret later.


Maintaining a Professional Image Utilizing Social Network (Facebook)

• Be cautious with the applications that you add to any professional Facebook page you create.
  – If you create a Facebook group for your Extension program, be careful of the links that you share with group members.
  – These links should be relevant, timely, and of interest (professionally) to members of the group (Sohn, 2007).

• If you create it, you have to update it.
  – If you do not update it frequently, visitors to your Facebook page will lose interest in the page, and you will lose an opportunity to share with people the great things you are doing!


Maintaining a Professional Image Utilizing Social Network (Facebook)

• Take advantage of Facebook as a networking tool.
  – Remember that your professional Facebook page is a chance to network with other Extension professionals.
  – Search for other Facebook group pages for programs like yours to learn about what other states are doing and to share information.

• Spend time learning about privacy settings.
  – Privacy settings are essential to ensuring a positive Facebook experience.
  – Facebook has implemented many privacy settings, from controlling the privacy of each element of your page to creating lists that help you organize your friends.


Maintaining a Professional Image Utilizing Social Network (Facebook)

If you are going to have a professional Facebook page for yourself:

• Keep the “Info” section to a minimum.
  – Think about this section of your Facebook page as your resume: what you include in that, you can include in this section.

• Err on the side of caution.
  – Remember to exercise caution when posting photos to your page, especially if you are working with youth.

• Be intentional.
  – Have a reason for the comments you make. Again, would you be comfortable with your coworkers, clients, and supervisors reading what you have posted?


Maintaining a Professional Image Utilizing Social Network (Facebook)

Additional resources regarding your personal privacy and protection on Facebook:

• Maintaining a Professional Image Utilizing Facebook

• How to protect your personal info on Facebook

• In wake of Facebook Cambridge Analytica scandal, does the tech sector need a code of conduct?


Who is Responsible for Information Security