Security is the cornerstone of any business
February 1, 2010
By Muwaffaq Mashaal, CGEIT, CISM, CISA, QDSP, CABM


Introduction

During my career as an IS auditor and consultant I have been challenged many times by business owners on why they need to invest in security. I am sure that all of us as security professionals, whether internal staff or external consultants, have faced such a situation. Throughout this article I will discuss the importance of information security to the business model, to development cycle activities and to daily activities, with an emphasis on integrating security in the early design stages. Secondly, security should be simple in order to be achievable, implementable and maintainable.

IS Security Definition

Information security comprises three primary elements: confidentiality, integrity and availability (CIA). Confidentiality is the protection of information so that only authorized users can see it. Integrity is the protection of information from unauthorized change. Availability is having the information at hand for authorized users when needed. Ideally, a business's information system should be optimized along all three of these parameters.

Business Model

Current ecommerce business models are typically websites built to be available 24x7 to ensure that customers can purchase and/or order items at any time. The problem here is that some of these ecommerce websites are built with one element in mind, such as availability, and do not reflect adequate attention to the other elements (confidentiality and integrity). A model built primarily for access, "availability", without equal attention to confidentiality and integrity will be poorly built and will most likely be hacked and put out of business.

In addition, the same principle applies to other internal and integrated systems, such as accounting, orders, inventory, HR, and the other systems that the business uses to manage its different back-office functions. In reality, regardless of the function of the system, end users expect instant access and unfortunately assume that the confidentiality of their data is maintained and that integration with other systems ensures the integrity of the data shared between these connected systems. In other words, end users make sure that availability is in place and assume the other elements are too, which may not be the case.

Security Threat and Breach

A violation of any of these three security elements is called a "security breach". It does not matter what the cause of the breach or disruption to the operation is, since there is always an impact on the business, whether the effect is short term or long term. At the personal level we have all heard about identity theft, credit card fraud, physical theft, etc. On the business side we hear of intruders obtaining credit card data, personal and health information, and other confidential information. These attacks can be classified as external, performed by external parties, for example attacks over the internet, or internal, conducted by internal staff either intentionally or unintentionally. The motive behind these breaches is another subject. Regardless of the reasons behind these illegal activities, there is always an impact on businesses and individuals. The business brand is always the biggest concern, in addition to all the other potential losses due to the breach. Individuals are the victims of these incidents, which could potentially affect their credit score. I am using these examples because it is difficult to put a value on these things, yet at the same time they are the most important factors.

Structured Design Approach – Security Standards

I believe that adopting one of the security frameworks (COBIT, ISO, ITIL, etc.) should be the starting point for any system, and that applying PCI DSS (Payment Card Industry Data Security Standard) could be the recipe for any ecommerce application, whether it processes credit card transactions or not. At the end of the day each business has some important information that must be protected in order to stay in business. As you know, the cost of building a system right is typically lower than the cost of fixing it after implementation and going live. Also, considering the three security elements with the right balance between them and the business requirements will be the solid foundation for any business application.

After selecting the right security framework, we start building the business application along with the necessary information security controls. This gives the application the right foundation strength by striking the balance between all the security elements and the business requirements.

Below is a highlight of some of the key components and building blocks that should be considered for an ecommerce system:

Security policy and procedures: These documents are the key elements for building and managing any environment. They should identify the critical data elements and the handling procedures for each. To clarify this, let us consider our daily life at home, where we keep our important documents such as passports in a fireproof safe, or at least protected from being lost at home. We keep our money at the bank, and other jewellery and very important documents that we do not use often in a safe deposit box at the bank. So we already practice this in our daily life, applying different protection methods to different assets. The same thing should be applied to the elements of the ecommerce system. This being said, data and information elements must be part of this classification and protection because they are an important piece of any business.

Network design and the configuration of other IT technology components: A proper network design that follows a multi-tier architecture, with the technology devices configured according to industry best practices, is important to provide different layers of defence; again, these are important for the continuation of the business and the protection of critical assets. Let us take the example from our daily life where we have a car alarm and still park in the garage. Also, even when we have a home alarm, we make sure that all doors and windows are locked at night. It is the same scenario: we apply multiple layers of protection at home to have the level of comfort that our family is protected.

Physical protection: This is necessary to ensure that only certain people have access to the physical technology components necessary for the business and housing critical information. Again, this should be multiple layers of physical protection to provide the necessary level of protection from physical theft and unauthorized access. We apply the same thing in our daily life when we keep our keys and wallet on ourselves or in secure places to avoid theft.

Encryption and additional protection: This could be the last level of protection and an additional measure for the most critical data elements. It is very important to provide that extra control in case of a breach, where we do not want the intruders to be able to benefit from the data, use it against the business or cause more harm. I do not think this is widely applied in our daily life, but take the example of a married couple who are trying to write down their many passwords while making sure the kids will not be able to use them. In this case they should agree on using a certain formula and words that only they understand and no one else. The idea behind this is replacing the actual password with something else that only they can reverse and use.

Managing security incidents: We talked about applying encryption in order to prevent thieves from benefiting from stolen information. This means that there is no such thing as bullet proof when it comes to technology; there is always the external risk of hackers on the internet trying to break into the system. Also, there is the risk from internal employees or contractors, whether intentional or unintentional, where the result is the same and can be a security breach. For all these events a process and mechanism should be in place to ensure that they are identified and reported to the right people in order to reduce the losses as much as possible by containing the incident, reporting it to a higher authority and finally trying to avoid it in the future. A quick example of what we do in our daily life is that if a breach happens we call 911, the police or the insurance company, or, for teenagers, they call their parents. In other circumstances we simply do not report the event because it could cost us more, and some businesses do the same.

Security Prevention and Detection Controls

We see that security is an integral part of our daily business and personal life, and we should always think of ways to maintain and enhance it. At the personal level we consider the number and location of air bags when we buy a car and we pay extra for this feature; we also pay extra for additional insurance policy features. Businesses usually buy new servers with high specifications and extended warranties because they consider business growth and high availability; also, when purchasing software packages they consider the vendor and/or require an escrow agreement. So for sure we care about security, but in a different sense from the definition of information security that we "IS auditors" talk about.

We know of preventive actions when we secure our personal belongings and of detective actions when we deploy cameras at home and at work.

What about our important business jewellery, from intellectual property to other confidential information? Do they not deserve some kind of protection? We talked about business branding, which is very important and hard to put an exact dollar value on because it was built over many years. There are many other items that it is impossible to list since they differ from one business to another, but they all share their importance to the continuation and growth of any business.

As we care about our personal health and consider different preventive and remedial medication, the same thing applies to any business. Preventive and detective controls must be considered for all important business elements and at different levels. These security controls must consider the life cycle of these elements from inception until disposal, and should be wisely crafted and efficiently managed to balance cost with effectiveness.

I do not think that I can explore all possible scenarios here, but I advise all businesses to consider the main items listed above as a starting point for achieving the minimum security controls that will have a noticeable effect on the growth of the business.

Let me use the example of protecting a warehouse with a fire protection system, guards, cameras, and sophisticated entry doors. We pay thousands or maybe millions of dollars for physical protection because the accounting records give us an accurate dollar figure for the assets and items in the warehouse, but when it comes to the critical information of the business we just tend to forget about the value and importance of that information.

Conclusion

Security is like a chain, which means that all controls must be applied and implemented with an accurate balance in order to achieve the desired protection. The protection can be applied by different mechanisms, based on the value or importance of the asset, technology device or data. It is worth mentioning the rule of thumb that a control should not cost more than the value of the asset it protects.

Integrating IT security requirements with the core business model at the earliest planning stages is the most cost-effective and efficient approach. Adopting an appropriate security standard for the project is essential to realising this benefit. Project definition and development that incorporate these considerations and this coordination will assist the IT security team and management in fully realising the project objectives within the project budget.

Brief Bio
Muwaffaq Mashaal, CGEIT, CISM, CISA, QDSP, CABM.

Muwaffaq has 20 years of experience in the information technology field, with more than 15 years dedicated to IS security, working across all levels of the enterprise and specialising in security/business compliance and assurance projects. He has extensive experience performing audit and compliance engagements and is the author of the comprehensive audit and compliance methodology for some of the largest North American e-Commerce, health and financial institutions. He has developed different security modules for internal implementation and external consulting. He is one of the first certified ISO 17799 auditors among security professionals in North America, and has recently started an independent IT security consultancy, Security Secrets.
Copyright ©2009 The Compliance Authority, Inc.