Specifications

Creating a Security Policy
A security policy is a document that describes:
- The general philosophy towards security in your organization
- What is to be protected: software, hardware, data
- Who is responsible for protecting these items
- Standards for security and metrics, which measure how well those standards are being met
A good guideline for writing your security policy is that it's like writing a set of functional requirements for software. The policy shouldn't talk about specific implementations or solutions, but instead about the goals and security requirements in your environment. It shouldn't need to be updated very often.
You should keep a separate document that sets out guidelines for how the requirements of the security policy are met in a particular environment. You can have different guidelines for different parts of your organization. This is more along the lines of a design document or a procedure manual that documents what is actually done in order to ensure the level of security that you require.
Authentication Principles
Authentication attempts to prove that somebody is actually who she claims to be. There are many possible ways to provide authentication, but as with many security measures, the more secure methods are more troublesome to use.
Authentication techniques include passwords, digital signatures, biometric measures such as fingerprint scans, and measures involving hardware such as smart cards. Only two are in common use on the Web: passwords and digital signatures.
Biometric measures and most hardware solutions involve special input devices and would limit authorized users to specific machines with these attached. This might be acceptable, or even desirable, for access to an organization's internal systems, but takes away much of the advantage of making a system available over the Web.
Passwords are simple to implement, simple to use, and require no special input devices. They provide some level of authentication, but might not be appropriate on their own for high security systems.
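As an added example (not from the book), this is how a server-side password check can be implemented so that the system can verify a password without storing the password itself: the user table, iteration count and function names are my own constructed choices.

```python
import hashlib
import hmac
import os

# Constructed in-memory "user table": username -> (salt, derived key).
# A real site would keep these two columns in its database instead.
_USERS: dict[str, tuple[bytes, bytes]] = {}

ITERATIONS = 100_000  # PBKDF2 work factor; kept modest so the demo runs quickly
SALT_BYTES = 16


def _derive(password: str, salt: bytes) -> bytes:
    """Slow, salted one-way derivation of the password (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def register(username: str, password: str) -> None:
    """Store a fresh random salt and the derived key; the password is never stored."""
    salt = os.urandom(SALT_BYTES)
    _USERS[username] = (salt, _derive(password, salt))


def authenticate(username: str, password: str) -> bool:
    """Return True only if the user exists and the supplied password matches."""
    record = _USERS.get(username)
    if record is None:
        # Do the same amount of work for unknown users so response time
        # does not reveal which usernames exist.
        _derive(password, b"\x00" * SALT_BYTES)
        return False
    salt, stored = record
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(_derive(password, salt), stored)


if __name__ == "__main__":
    register("alice", "correct horse battery staple")
    print(authenticate("alice", "correct horse battery staple"))  # True
    print(authenticate("alice", "wrong password"))                # False
    print(authenticate("nobody", "anything"))                     # False
```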
A password is a simple concept. You and the system know your password. If a visitor claims to
be you, and knows your password, the system has reason to believe he is you. As long as
Chapter 13: E-commerce Security Issues