Online systems and networks are vital organs in today's successful organisation, a life source for developing products and services, doing business with customers and suppliers, and managing workers. Online security is a priority for all organisations doing business online. If your electronic supply and demand chain is not secure, business partners and customers will go elsewhere for peace of mind.
However, without proper security measures in place, for example encryption, they can be vulnerable and compromise the most important asset that an organisation owns - information. From theft of computers, through inappropriate use of software, network attacks and human operator errors, to failure of the technology, these can all have a devastating impact upon the organisation, including bad publicity, loss of shareholder confidence and, at worst, business closure.
Organisations can also face civil or criminal action for failing to protect workers adequately against another's misuse or abuse of technology, or for inadequate protection of personal information. The Information Commissioner's Office has stated that an organisation's failure to do a proper risk assessment and implement adequate processes and procedures will result in prosecution. The maximum penalty for gross failure to implement UK Data Protection rules increased to £500,000 in 2010.
Security risks to consider
- Physical equipment
- Physical environment
- Physical by-products
- Identity authentication
- Application privileges
- Input validation
- Appropriate behaviour patterns
- Reporting logs
- Permanent network connections
- Intermittent network connections
- Network maintenance
- Remote sensors and control systems
- Back-up procedures
- Human maintenance of security procedures
- Intentional actions threatening security
- Internal policies for software development
- Policies for dealing with external vendors
20 questions to ask security software vendors
Organisations should consider online security when purchasing software products from vendors. We've suggested some basic questions to ask below, although it is not an exhaustive list. Additional protections can then be built into the supplier contract.
- Which SDL (Secure Development Life-cycle) programme does your development team adhere to?
- What methodologies do you use for security testing your products? (Automated testing, code-review, fuzzing, manual tests etc.)
- How frequently and using which methodology do third parties conduct security assessments on your products?
- What training do your development and testing teams receive specific to application security?
- Do you have a dedicated team to assess and respond to security vulnerabilities reported in your products?
- What is your patch release strategy and what tools do you offer for patch deployment?
- Do you disclose all vulnerabilities that affect your software, and how/when are customers notified?
- How did you Threat-Model the application?
- Do you conduct security testing separately from functional testing?
- What technical guidance do you provide about vulnerabilities, including how they could be exploited, how they are currently being exploited, and how to mitigate the vulnerability?
- For applications developed on Microsoft platforms: do you utilise Microsoft's DREAD model to assess the security of your software?
- What is a typical vulnerability-to-patch delivery time frame?
- Would you support a future product health check?
- Are there any outsourced / subcontracted components related to your product? And how do you assess the security impact of such components?
- Who do I talk to if there is a (security) problem with your product?
- If the operating system is patched or upgraded, will the application continue to work and how will security be affected?
- Is your organisation ISO 27001 compliant?