How The Computer Records Data and Shares It With Others
Data Security
Data security is commonly defined in terms of the confidentiality, integrity
and availability of data. In other words, it is the set of practices and
processes in place to ensure that data is not used or accessed by
unauthorized individuals or parties. Data security ensures that data is
accurate and reliable, and that it is available when those with authorized
access need it. A data security plan includes facets such as collecting only
the required information, keeping it safe, and destroying any information
that is no longer needed. These steps help a business meet the legal
obligations that come with holding sensitive data.
Data Privacy
Companies need to enact a data security policy for the sole purpose of
ensuring data privacy, that is, the privacy of their consumers' information.
Moreover, companies must ensure data privacy because that information is
an asset to the company. A data security policy is simply the means to
the desired end, which is data privacy. However, no data security policy
can overcome the willing sale or solicitation of consumer data that was
entrusted to an organization.
How Companies Ensure Data Privacy Through a Data Security
Policy
Making sure all company data is private and being used properly can be
a near-impossible task that involves multiple layers of security.
Fortunately, with the right people, processes and technology, you can
support your company's data security policy through continual
monitoring and visibility into every access point. EIQ Networks
provides managed security services that can extend your team's
capabilities and help keep your company's data privacy intact.
How You Can Gain Peace of Mind
EiQ offers two SOCVue® hybrid security-as-a-service solutions that can
help organizations of any size affordably and effectively improve their
cybersecurity and compliance posture:
Risk of E-commerce
There are several types of risk involved in e-commerce, arising from its
nature and from the methods it relies on. All parties to an e-commerce
transaction face these risks.
Privacy
Privacy has become a major concern for consumers with the rise of
identity theft and impersonation, and any concern for consumers must be
treated as a major concern for e-commerce providers. Legislation in both
the EU and the US (at the federal and state levels) requires certain
organizations to inform customers about how their information is used and
disclosed. Such disclosures are typically made through privacy policies,
both online and offline.
Trust in turn is linked to increased customer loyalty, which can be
manifested through increased purchases, openness to trying new
products, and willingness to participate in programs that use additional
personal information. Privacy now forms an integral part of any
e-commerce strategy, and investment in privacy protection has been shown
to increase consumers' spending, trust and loyalty.
Business Practices
E-commerce often involves transactions between strangers. Appearances
can be deceiving, however, and several questions arise. How can a
consumer know:
Whether a company will really fulfil its orders for products and
services as it claims?
Whether there are product guarantees, or whether the company will
allow the return of products?
How a company will use any information the consumer submits?
With the anonymity of e-commerce, the unscrupulous can establish
(and abandon) electronic identities with relative ease. This makes it
crucial that people know that the companies with which they are
doing business disclose and follow certain business practices. Without
such information, and the assurance that the company has a history of
following such practices, consumers face an increased risk of loss,
fraud, inconvenience, or unsatisfied expectations.
Digital Signatures
One of the key developments in e-commerce security, and one which has
led to the widespread growth of e-commerce, is the introduction of
digital signatures as a means of verifying data integrity and
authenticating the sender. In 1995, Utah became the first jurisdiction in
the world to enact an electronic signature law. An electronic signature
may be defined as "any letters, characters, or symbols manifested by
electronic or similar means and executed or adopted by a party with the
intent to authenticate writing". For a digital signature to attain the same
legal status as an ink-on-paper signature, asymmetric-key cryptography
must have been employed in its production. Such a system employs a pair
of keys: one key is used by the sender to encrypt the message, and a
different key is used by the recipient to decrypt it. This is a
very good system for electronic transactions, since two parties who are
strangers, perhaps living far apart, can confirm each other's identity and
thereby reduce the likelihood of fraud in the transaction. Non-repudiation
techniques prevent the sender of a message from subsequently denying
that they sent it. Digital signatures using public-key cryptography and
hash functions are the generally accepted means of providing
non-repudiation of communications.
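The two-key scheme described above, worked through as an added example (this code is not part of the original document). It shows hash-then-sign: the sender applies the private key to a SHA-256 digest of the message, and anyone holding only the public key can check the result, which is what makes the signature non-repudiable. To run offline without a cryptography library it builds textbook RSA keys from two fixed, publicly known Mersenne primes; that choice is an assumption made purely for illustration, since real deployments use random primes of 2048 bits or more and a padding scheme such as RSA-PSS.

```python
"""Hash-then-sign digital signature demo with textbook RSA (added example).

Demonstrates the asymmetric two-key scheme: the signer uses the private
key, any recipient checks with the matching public key, and a hash
function ties the signature to the exact bytes of the message.
"""
import hashlib

# Fixed demonstration primes (Mersenne primes 2^127-1 and 2^521-1).
# Deliberately NOT secret and NOT for real use: the point is the mechanism.
# Their product is ~648 bits, so a 256-bit SHA-256 digest fits below n.
P = (1 << 127) - 1
Q = (1 << 521) - 1
E = 65537  # common public exponent; coprime with (P-1)(Q-1) for these primes


def generate_keypair():
    """Return ((e, n), (d, n)): public key and private key sharing modulus n."""
    n = P * Q
    phi = (P - 1) * (Q - 1)
    d = pow(E, -1, phi)  # private exponent: inverse of e mod phi (Python 3.8+)
    return (E, n), (d, n)


def message_digest(message: bytes) -> int:
    """SHA-256 of the message as an integer; the digest is what gets signed."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def sign(message: bytes, private_key) -> int:
    """Signer: raise the message digest to the private exponent mod n."""
    d, n = private_key
    return pow(message_digest(message), d, n)


def verify(message: bytes, signature: int, public_key) -> bool:
    """Recipient (or any third party): undo the signature with the public
    exponent and compare with a fresh digest of the received message.
    The private key is never needed here, which gives non-repudiation."""
    e, n = public_key
    return pow(signature, e, n) == message_digest(message)


def demo() -> dict:
    """Sign a constructed order, verify it, then show tampering is detected."""
    public_key, private_key = generate_keypair()
    order = b"order 1234: 2 x widget, ship to customer 42"  # constructed sample
    sig = sign(order, private_key)
    tampered = order.replace(b"2 x widget", b"20 x widget")
    return {
        "genuine": verify(order, sig, public_key),
        "tampered": verify(tampered, sig, public_key),
    }


if __name__ == "__main__":
    print(demo())
```

Because verification uses only the public key, a merchant who disputes a signed order later cannot claim the signature could have been produced by the customer; only the holder of the private key could have generated a value that unwinds to the digest of exactly that message.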
Server Logs
Most WWW servers log every access to them. The log usually includes
the client's IP/DNS address, the time of the download, the user's name
(if known through user authentication or obtained via the ident
protocol), the URL requested, the status of the request, and the size of
the data transmitted. Some browsers also send the client software in use,
the URL the client came from (the referrer), and the user's e-mail
address. Revealing any of these data could be damaging to a user.
This privacy issue can be mitigated by logging only the kinds of
information that users agree to have logged: the page and the time of
its request, and the browser being used. Many users seem comfortable
providing demographic information if its intent and application are
made clear to them.
Transaction Security
Client/Server and Network Issues
The transaction security of a WWW site can be compromised in many
ways. There are numerous means for an unsavory individual to snoop
into what you are sending to or receiving from the other end, including,
but not limited to, the following:
Spoofing. A client can trick your server into believing that the request
or post it is sending comes from some other site. This is known as IP
and/or DNS spoofing. Your server may respond as though the client
were "trusted" when it is not.
Sniffing. In some cases, it is possible for an unsavory individual to
snatch packets as they are being communicated over the network,
especially with the newer cellular modems, unsecured phone lines, and
so on.
Traffic Analysis. Using sampling techniques on the packets or, more
commonly, the server log files, an individual can learn about the nature
of the transactions that your site processes. This may be used, for
instance, in analyzing the competitive level of your site by a site that
provides the same services or products.
In each of these cases, the risk can be mitigated or greatly reduced. In
the cases of spoofing and sniffing, the preferred technique is to use data
encryption, or signed data, for the transaction. When the receiving end
gets what your server sends, it must have the appropriate key to
decrypt and make use of it. In the case of traffic analysis of the data
files, restricting the file permissions on the directory, the logs, and the
files themselves is the preferred technique. The logs can also be
encrypted for permanent archival. Nowadays, most commercially
available servers and their respective clients implement encrypted
transactions via some, usually proprietary, means.
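An added example (not code from the original document) that ties together the two log-related points above: the Server Logs section's advice to record only the page, the time and the browser, and the file-permission mitigation against traffic analysis of log files. The record layout, field names and sample values are constructed for illustration; the permission checks assume a POSIX host.

```python
"""Privacy-minimising access-log writer with owner-only permissions (added example).

1. Keep only the fields users have agreed to (page, time, browser) instead of
   every field the server sees (address, user name, referrer, e-mail, ...).
2. Create the log directory as 0700 and the log file as 0600, then audit the
   modes, so other accounts on the host cannot mine the logs.
"""
import json
import os
import stat
import tempfile
from datetime import datetime, timezone

# Everything a server typically knows about one request (constructed sample;
# 203.0.113.0/24 and .invalid are reserved documentation values).
FULL_RECORD = {
    "remote_addr": "203.0.113.7",
    "remote_user": "alice",
    "referer": "https://shop.example.invalid/cart",
    "email": "alice@example.invalid",
    "request_uri": "/catalogue/item/42",
    "status": 200,
    "bytes_sent": 5120,
    "user_agent": "ExampleBrowser/1.0",
}

# The minimal set the text describes; the time stamp is added at write time.
PERMITTED_FIELDS = ("request_uri", "user_agent")
IDENTIFYING_FIELDS = ("remote_addr", "remote_user", "email", "referer")


def minimize_record(record: dict, permitted=PERMITTED_FIELDS) -> dict:
    """Return a new entry holding only permitted fields plus the request time."""
    entry = {k: record[k] for k in permitted if k in record}
    entry["time"] = datetime.now(timezone.utc).isoformat(timespec="seconds")
    return entry


def append_log(log_dir: str, entry: dict) -> str:
    """Append one JSON line; directory 0700, file 0600 (owner access only)."""
    os.makedirs(log_dir, mode=0o700, exist_ok=True)
    os.chmod(log_dir, 0o700)  # makedirs is subject to umask, so set it explicitly
    path = os.path.join(log_dir, "access.log")
    # O_CREAT with mode 0600 so the file never exists world-readable, even briefly
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_APPEND, 0o600)
    with os.fdopen(fd, "a") as fh:
        fh.write(json.dumps(entry) + "\n")
    os.chmod(path, 0o600)  # also tighten a pre-existing file
    return path


def permissions_ok(path: str) -> bool:
    """True when neither group nor others have any permission bits on path."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return mode & 0o077 == 0


def leaks_identity(entry: dict) -> bool:
    """Audit check: does a written entry still carry an identifying field?"""
    return any(k in entry for k in IDENTIFYING_FIELDS)


def demo() -> dict:
    """Write the constructed request to a temporary log and audit the result."""
    log_dir = os.path.join(tempfile.mkdtemp(), "logs")
    entry = minimize_record(FULL_RECORD)
    path = append_log(log_dir, entry)
    return {
        "entry": entry,
        "dir_ok": permissions_ok(log_dir),
        "file_ok": permissions_ok(path),
        "leaks": leaks_identity(entry),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Opening the file with an explicit 0600 mode at creation, rather than chmod-ing afterwards, closes the window in which a freshly created log could be read by other users; the final chmod only matters for a log file that already existed with looser permissions.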
To gain consumer confidence, many companies have joined programs that
place their privacy practices under third-party administration and make
their business practices explicit. Two particularly notable initiatives in
that direction are the WebTrust e-commerce seal of assurance from the
public accounting profession and the TRUSTe "trustmark" program, which
takes users directly to the privacy statement of a company that has
joined the program.
WebTrust
In response to the concerns related to e-commerce, and to increase
consumer confidence, the public accounting profession has developed
and is promoting a set of principles and criteria for business-to-consumer
e-commerce, referred to as the WebTrust™ Principles and Criteria, and
the related WebTrust seal of assurance. Independent and objective
certified public accountants (CPAs) or chartered accountants (CAs),
specifically licensed by the American Institute of Certified Public
Accountants (AICPA) or the Canadian Institute of Chartered Accountants
(CICA), can provide assurance services to evaluate and test whether a
particular WWW site meets these principles and criteria.
The WebTrust seal of assurance is a symbolic representation of a
practitioner's objective report. It also indicates to consumers that they
can click it to see the practitioner's report. The seal can be displayed on
the company's WWW site together with links to the practitioner's report
and other relevant information. The seal was developed by AICPA,
CICA and VeriSign. VeriSign encryption and authentication technology
and practices help assure the consumer that the seal on a WWW site is
authentic and that the site is entitled to display it:
http://atlas.kennesaw.edu/~tnguyen4/webtrust.gif
TRUSTe
TRUSTe offers a program that addresses the privacy concerns of
consumers and WWW sites. The TRUSTe program enables companies
to develop privacy statements that reflect the information-gathering and
dissemination practices of their site. Its goal is to provide:
Online consumers with control over their personal information.
WWW publishers with a standardized, cost-effective solution for both
satisfying the business model of their site and addressing consumers'
anxiety over sharing personal information online.
U.S. Government regulators with demonstrable evidence that the
industry can successfully self-regulate.
A cornerstone of the program is the TRUSTe "trustmark," an online
branded seal that takes users directly to a company's privacy
statement: http://atlas.kennesaw.edu/~tnguyen4/truste.gif
The trustmark is awarded only to sites that adhere to TRUSTe's
established privacy principles and agree to comply with TRUSTe's
ongoing oversight and resolution process. The privacy principles
embody fair information practices approved by the U.S. Department of
Commerce, the Federal Trade Commission, and prominent
industry-representing organizations and associations.
P3P
The W3C's Platform for Privacy Preferences Project (P3P) provides a
framework for informed Internet interactions. The goal of P3P is to
enable WWW sites to express their privacy practices and to enable users to
exercise preferences over those practices. P3P is designed to help users
reach agreements with services, such as WWW sites, that declare privacy
practices and make data requests