E-business systems carry a higher degree of risk than mainstream applications and therefore require a greater degree of security. Because of this risk, security should be treated as a fundamental aspect of e-business system design. The following guidelines apply when designing e-business systems.
Physical Security
1) The servers should be kept in a secure room with restricted access. Be wary of potential access points such as windows, dropped ceilings, large air ducts, and raised floors. Server racks and machine cases should be locked when possible. The room should provide proper environmental conditions and safety for the equipment. Servers should not be placed directly on the floor in case of flooding. An approved fire extinguisher should be kept near the server room.
2) Physical security of hard copies and data storage media containing sensitive customer information must be maintained. Windows, doors, and file cabinets should be locked in areas where sensitive information is stored. Where feasible, safes should be used to store especially sensitive data such as credit card information, checks, and currency. Access control to sensitive areas must be maintained and limited to individuals who require access as a result of their job.
3) High-availability hardware should be used in all e-business servers (e.g. high-quality components, redundant storage and power supplies, mirrored servers, error-correcting memory, multiple NICs). Uninterruptible power supplies should be used on all servers and tested regularly.
4) Backups should be performed on a frequent and regular basis, and the backup media should be kept in a secure location. The backup media should be rotated and moved off-site as frequently as possible.
5) Modems should not reside in e-business servers unless absolutely necessary. If a modem is installed, it should be kept powered off or disabled except when needed. For added security, the modem should be configured to utilize features such as automatic call back and data encryption. Firewalls will not protect against attacks by way of the modem.
6) To provide more reliable and secure network access, servers and sensitive PCs should utilize switched network ports, not a shared medium such as coaxial cable or a repeated segment. Visible ports and exposed network cabling should not be present in vulnerable or public areas.
Data Storage
Sensitive information, especially credit card data, should never be stored on the web server. The data collected by the web server should be passed to another physical machine for storage. Ideally, the data collected by an e-business web site should be stored in a location that is not directly accessible to the Internet. Sensitive information should be stored encrypted when possible. Be wary of sensitive data that may be stored in a web server’s cache or log files.