
What basic Security Requirements and Security Architecture Model components are

Question

What basic Security Requirements and Security Architecture Model components are covered according to SANS when developing a Security Architecture Model for an organization? What key processes must also be defined when developing a Security Architecture Model for an organization?

Explanation / Answer

Developing the Security Architecture Model

How does an organization go about developing a security architecture model specifically
for eCommerce? When referring to eCommerce, one often thinks of online storefronts
such as amazon.com, or industry exchanges such as covisint.com. These large-scale
business models are not representative of most corporate needs. The entry points for
most companies into eCommerce are less aggressive in nature, often consisting of
web-enabling an existing application to the Internet.

Information Security and eCommerce go hand in hand. “Unauthorized users are
targeting companies' Internet connection as a point of attack, with the percentage of
attacks rising steadily over the past five years, while breaches occurring via internal
systems and remote dial-in are still heavily exploited by various means. Most of which
could have been prevented with a security architecture in place.”

While it is apparent why companies regard security highly when embarking on an
eCommerce initiative, the reasons for building a security architecture are:
a) enable a business gain (productivity enhancements and/or revenue growth),
b) sustain existing growth, and
c) prevent a business loss.

The following is a more comprehensive list of Security Architecture drivers:
Brand image customer and consumer confidence and trust
Avoids costs associated with loss
Increases business focus
Privacy Regulations (i.e., Health Care and Financial Services Industries)
Secure Information Exchange
Business process improvement
Remote access to internal operations.

Basic Security Requirement Model

An integrated risk management program is critical in securing business objectives requiring the enforcement
of confidentiality, integrity, availability, and accountability.

Confidentiality
Confidentiality ensures the protection of data from unauthorized access
throughout an organization’s information architecture, which extends to all data
directly associated with the architecture’s applications, data stores,
communication links and/or processes.
Integrity
Integrity ensures that data, services, and other controlled resources are not altered
and/or destroyed in an unauthorized manner. Integrity based controls provide
safeguards against accidental, unauthorized, or malicious actions that could result
in the alteration of security protection mechanisms, security classification levels,
addressing or routing information, and/or audit information.
Availability
Availability ensures the reliable and correct operation of information and system
resources for which the loss of information and/or resource access would cause
adverse results. Availability based security requirements include controls to
prevent, detect, and/or monitor accidental, unauthorized, and/or malicious
activities that could negatively impact the availability of critical information.
Accountability
Accountability requirements ensure that events can be associated to specific users
and/or processes responsible for those actions. The overall goal is to be able to
verify, with 100% certainty, that a particular electronic message can be associated
with a particular individual, just as a handwritten signature on a bank check is tied
back to the account owner. Accountability based controls include identification
and authentication mechanisms, and access control

The following two processes are key components within the management category:

Change Control Process
Change management is the process of effectively managing the necessary changes
to the Security Architecture Model. Use of this process is imperative to
maintaining the effectiveness and accuracy of the Information Classification and
Security Models, as effective change management allows the models to stay
consistent with the organization's tolerance to risks.
Furthermore, an effective well-integrated change management process includes
workflow mechanisms to ensure that change requests are monitored, reviewed,
approved and tested prior to implementation.
Compliance Monitoring Process
Periodic compliance reviews of security components associated with the Security
Architecture Model are critical in maintaining the acceptable risk level and
managing the effectiveness and appropriateness of the controls in place.
Compliance reviews may include use of the classification and security models,
compliance to the classification and security models and procedures, compliance
to the exception processes and documentation reviews. In addition, as part of an
internal audit program (role for internal audit within the leverage model), process
audits may include reviews of the classification of information to determine if the
appropriate levels of classification and security were assigned. An
active compliance monitoring process is also a positive indicator of an
organization's continuous commitment to security. The lack of any type of
monitoring process only breeds contempt within an organization, which only
serves to increase the potential risk of unauthorized activity.
