Describe security risks and preventive measures to be taken
The first objective for any e-commerce site is to assure clients or customers that their personal data remains private and safe as it passes across the Internet.
You also have to assure clients that personal information will remain private after it reaches your site.
Security risks include attacks on middleware[1] and common gateway interface (CGI) programs, credit card fraud, the generation of false orders, and virus and Trojan infiltration.
These attacks are designed to expose confidential company information, which results in the loss of customer trust.
Although no site is completely secure, you can achieve a level of security at which the effort required to penetrate the site exceeds the gain from doing so. This is the essence of successful Internet security: if penetrating the security costs more than the gain that results, perpetrators will seek out easier targets.
Security policy
A well-defined, well-written security policy[2] should be the foundation of your e-commerce site. The policy should consist of a private series of documents and a public series. The private series discusses procedures for purchasing equipment, as well as procedures to follow in case of a break-in. The public series has two purposes:
To inform employees about accepted activity. This is often called an acceptable use policy (AUP).
To inform customers about their expectations of privacy.
If you do not have a security policy in place, your company is unprotected. You should endeavor to publish this security policy in as many ways as possible, so that employees and clients have free access to it. Elements of your employee security policy may include the following best practices:
Advice about protecting passwords. For example, employees should not write passwords down on sticky notes or under the keyboard.
Stipulations about proper conduct in regard to email use and access to the World Wide Web.
Directions for contacting individuals in case of a security breach.
Authorized procedures for logging on to systems.
Statements about acceptable and unacceptable software loaded on systems. For example, you could stipulate that a specific browser must be used. You could even stipulate that only the IT department can load software on systems.