Acknowledgments

Introduction

Electronic Commerce and the Concept of Trust
Definition of Trust
The Basics of Trust
Trust as a Foundation for EC
The Trusted System
Complexity
Interdependency
The Trust Economy
Telecommunications Networks
Addressing New Risks
Action Items for IT Managers
Understand the Business Environment
Categorize and Respond to Specific Areas of Concern
Monitor the Relationship

The Dark Side of the Force: The Risks of Electronic Commerce
Risks Common to All Distributed Networks
Limitations of Traditional Risk Management
New Awareness
Technology-Induced Risks: What's New
Process-Oriented Technical Risks
Public Communications Paths
Automation Amplification
Risk-Reduction Measures to Consider
Uneven Quality of Black Box Processes
What Control Professionals and Auditors Say
Get the Big Picture
Put Risk in the Right Context
The Role of the IT Manager in Risk Management
Beyond Technology Risk

Gaining Control of Electronic Commerce
Control Is More than Security
Benefits and Importance of Control
Control Objectives of a Trusted Commercial System
Criteria of Control
EC Controls: The Macro View
Control Is an Evolutionary Process
Steps to Create a Safe EC Environment
Identification of "Crown Jewels"
Management Controls: People and Process
Technology-Dependent Controls (Tools)
Role of the IT Manager: Point--Counterpoint

Maintaining the Trust Bond: Certainty, Confidentiality, and Privacy
Introduction
Definitions and Implications for EC
Protection
EC Information Flow
Corporate Data Flow and Interactions
Data Flows Between Trading Partners
Data-in-Transit
Data with ISP
Data at Client Sites, Server Site, and Outsourced Vendors
Trans-Border Information Flow
The Auditor's Perspective
Confidentiality/Privacy Regulations: An International Sample
Total Quality in the EC Transaction Factory

Security: What Are You Protecting ... and Why?
Look After the Information First: Linking Security With Data Protection
Value and Approach for Public Key Versus Private Key
Framework for Building Confidence
Understanding the Risks of Distributed Systems
Cost of Risk Protection
Risk Management
Layers of Risk Protection
Perimeter
User Authentication
Public Key Infrastructure (PKI)
Other Authentication Techniques
Access Control and Authorization
Information Transformation Layers and Associated Security Schemes
Social Aspects of Security
Social Engineering
Removable Data
Legal Aspects
Retaining Expertise

Looking After Business: The Core Components of Electronic Commerce
EC as a Catalyst for Change
EC Defined
Person to Person
Person to Computer
Computer to Computer
EDI as the Primary Business-to-Business EC Component
The EC Value Proposition
Sales
Customer Service
Procurement
Procurement Cards
Information Management and Dissemination to Internal Resources
Business Issues
Technical Issues
Communications
Data Storage and Retrieval
Message Conversion
Application Interface
EC in the Payments Business
Future Direction and Implications for IT Managers
Extended Reach
Micropayments
Digital Cash
Smart Cards
Mondex
Encrypted Credit Cards
Electronic Checks
Electronic Bill Presentment
Implications of New EC Delivery Channels
Key EC Issues for the IT Manager
Factors for the IT Manager to Consider
Steps for EC Success

Business First and Safety First: Protecting Electronic Commerce Relationships
From Systems Defense to Business Enhancement
Putting Both Safety and Service First
Key Players in EC Development
Business Policy as Big Rules
The Link Between Big Rules and Standards
Determining Compelling Reasons for the Big Rules
Questions for the Big Rule
Choosing the Big Rules
Relationship Design
Reputation and Performance in an Online Relationship
The Perfect EC Relationship
Front-Ending
Business Enhancement

Auditing for a New Age, New Purpose, and New Commerce
The Changing Role of the Internal Auditor
Internal Control: Trends and Recent Developments
Internal Control: Integrated Framework, 1994
Guidance on Assessing Control, 1999
Guidance on Control, 1995
Control Objectives for Information and Related Technology, 1998 (CobiT)
An Integrated Control Framework for EC
The EC Control Environment
The Payoff Idea

External Audit Requirements and Regulatory Compliance
Overview
The External Auditor's Role
What External Auditors Look For
The Question of Corporate Governance: The Regulator's Role
FDIC Electronic Banking: Safety and Soundness Examination Procedures, 1998 (U.S.)
Independent Report on "Electronic Commerce and Canada's Tax Administration," 1998
CDIC Standards of Sound Business and Financial Practices: Internal Control, 1994 (Canada)
Financial Aspects of Corporate Governance, 1992 (U.K.)
External Requirements Harmonization
The Common Ground
Action Items for Control Designers
Apply Safety Tools
Add New Control Self-Assessment Topics
Promote Quality Documentation
Action Items for EC Professionals

Trends to Follow and Opportunities to Take
How to Plan When You Can't Predict
The Near Term
Transforming the Nature of Security with Agents
ANSI and Internet/Extranet Growth
The Medium Term
Safe Payments
The Unknown Time Frame
Digital Cash
Changes in Payment Mechanisms
The Death of Copyright
Recommendations to Managers

Electronic Commerce in Action: The Case for Secure Electronic Transaction (SET)
What Is SET?
Why SET at All?
Risk Profile With Implementing a SET Payment System
SET Payment Cardholders
SET Merchants
SET Payment Gateways
The Trust Dimension: The Public Key Infrastructure
SET Implementation Issues
Vendor Products May Not Be Fully Certified at Time of Implementation or Self-Audit
Merchant Sign-Up Process Change
Certificate Management
Performance
Backup of SET-Sensitive Files
Managing Vendors and Outsourcing Partners
Self-Audits and Independent Audits
What SET Does Not Cover

Index

The Authors