| |
| |
| Acknowledgments | |
| |
| |
| Introduction | |
| |
| |
| |
| Electronic Commerce and the Concept of Trust | |
| |
| |
| Definition of Trust | |
| |
| |
| The Basics of Trust | |
| |
| |
| Trust as a Foundation for EC | |
| |
| |
| The Trusted System | |
| |
| |
| Complexity | |
| |
| |
| Interdependency | |
| |
| |
| The Trust Economy | |
| |
| |
| Telecommunications Networks | |
| |
| |
| Addressing New Risks | |
| |
| |
| Action Items for it Managers | |
| |
| |
| Understand the Business Environment | |
| |
| |
| Categorize and Respond to Specific Areas of Concern | |
| |
| |
| Monitor the Relationship | |
| |
| |
| |
| The Dark Side of the Force: The Risks of Electronic Commerce | |
| |
| |
| Risks Common to all Distributed Networks | |
| |
| |
| Limitations of Traditional Risk Management | |
| |
| |
| New Awareness | |
| |
| |
| Technology-Induced Risks: What's New | |
| |
| |
| Process-Oriented Technical Risks | |
| |
| |
| Public Communications Paths | |
| |
| |
| Automation Amplification | |
| |
| |
| Risk-Reduction Measures to Consider | |
| |
| |
| Uneven Quality of Black Box Processes | |
| |
| |
| What Control Professionals and Auditors Say | |
| |
| |
| Get the Big Picture | |
| |
| |
| Put Risk in the Right Context | |
| |
| |
| The Role of the it Manager in Risk Management | |
| |
| |
| Beyond Technology Risk | |
| |
| |
| |
| Gaining Control of Electronic Commerce | |
| |
| |
| Control is More than Security | |
| |
| |
| Benefits and Importance of Control | |
| |
| |
| Control Objectives of a Trusted Commercial System | |
| |
| |
| Criteria of Control | |
| |
| |
| EC Controls: The Macro View | |
| |
| |
| Control Is an Evolutionary Process | |
| |
| |
| Steps to Create a Safe EC Environment | |
| |
| |
| Identification of "Crown Jewels" | |
| |
| |
| Management Controls: People and Process | |
| |
| |
| Technology Dependent Controls (Tools) | |
| |
| |
| Role of the IT Manager: Point--Counterpoint | |
| |
| |
| |
| Maintaining the Trust Bond: Certainty, Confidentiality, and Privacy | |
| |
| |
| Introduction | |
| |
| |
| Definitions and Implications for EC | |
| |
| |
| Protection | |
| |
| |
| EC Information Flow | |
| |
| |
| Corporate Data Flow and Interactions | |
| |
| |
| Data Flows Between Trading Partners | |
| |
| |
| Data-in-Transit | |
| |
| |
| Data with ISP | |
| |
| |
| Data at Client Sites, Server Site, and Outsourced Vendors | |
| |
| |
| Trans-Border Information Flow | |
| |
| |
| The Auditor's Perspective | |
| |
| |
| Confidentiality/Privacy Regulations: An International Sample | |
| |
| |
| Total Quality in the EC Transaction Factory | |
| |
| |
| |
| Security: What Are You Protecting ... and Why? | |
| |
| |
| Look After the Information First: Linking Security With Data Protection | |
| |
| |
| Value and Approach for Public Key Versus Private Key | |
| |
| |
| Framework for Building Confidence | |
| |
| |
| Understanding the Risks of Distributed Systems | |
| |
| |
| Cost of Risk Protection | |
| |
| |
| Risk Management | |
| |
| |
| Layers of Risk Protection | |
| |
| |
| Perimeter | |
| |
| |
| User Authentication | |
| |
| |
| Public Key Infrastructure (PKI) | |
| |
| |
| Other Authentication Techniques | |
| |
| |
| Access Control and Authorization | |
| |
| |
| Information Transformation Layers and Associated Security Schemes | |
| |
| |
| Social Aspects of Security | |
| |
| |
| Social Engineering | |
| |
| |
| Removable Data | |
| |
| |
| Legal Aspects | |
| |
| |
| Retaining Expertise | |
| |
| |
| |
| Looking After Business: The Core Components of Electronic Commerce | |
| |
| |
| EC as a Catalyst for Change | |
| |
| |
| EC Defined | |
| |
| |
| Person to Person | |
| |
| |
| Person to Computer | |
| |
| |
| Computer to Computer | |
| |
| |
| Edi as the Primary Business-to-Business EC Component | |
| |
| |
| The EC Value Proposition | |
| |
| |
| Sales | |
| |
| |
| Customer Service | |
| |
| |
| Procurement | |
| |
| |
| Procurement Cards | |
| |
| |
| Information Management and Dissemination to Internal Resources | |
| |
| |
| Business Issues | |
| |
| |
| Technical Issues | |
| |
| |
| Communications | |
| |
| |
| Data Storage and Retrieval | |
| |
| |
| Message Conversion | |
| |
| |
| Application Interface | |
| |
| |
| EC in the Payments Business | |
| |
| |
| Future Direction and Implications for it Managers | |
| |
| |
| Extended Reach | |
| |
| |
| Micropayments | |
| |
| |
| Digital Cash | |
| |
| |
| Smart Cards | |
| |
| |
| Mondex | |
| |
| |
| Encrypted Credit Cards | |
| |
| |
| Electronic Checks | |
| |
| |
| Electronic Bill Presentment | |
| |
| |
| Implications of New EC Delivery Channels | |
| |
| |
| Key EC Issues for the IT Manager | |
| |
| |
| Factors for the IT Manager to Consider | |
| |
| |
| Steps for EC Success | |
| |
| |
| |
| Business First and Safety First: Protecting Electronic Commerce Relationships | |
| |
| |
| From Systems Defense to Business Enhancement | |
| |
| |
| Putting Both Safety and Service First | |
| |
| |
| Key Players in EC Development | |
| |
| |
| Business Policy as Big Rules | |
| |
| |
| The Link Between Big Rules and Standards | |
| |
| |
| Determining Compelling Reasons for the Big Rules | |
| |
| |
| Questions for the Big Rule | |
| |
| |
| Choosing the Big Rules | |
| |
| |
| Relationship Design | |
| |
| |
| Reputation and Performance in an Online Relationship | |
| |
| |
| The Perfect EC Relationship | |
| |
| |
| Front-Ending | |
| |
| |
| Business Enhancement | |
| |
| |
| |
| Auditing for a New Age, New Purpose, and New Commerce | |
| |
| |
| The Changing Role of the Internal Auditor | |
| |
| |
| Internal Control: Trends and Recent Developments | |
| |
| |
| Internal Control: Integrated Framework, 1994 | |
| |
| |
| Guidance on Assessing Control, 1999 | |
| |
| |
| Guidance on Control, 1995 | |
| |
| |
| Control Objectives for Information and Related Technology, 1998 (CobiT) | |
| |
| |
| An Integrated Control Framework for EC | |
| |
| |
| The EC Control Environment | |
| |
| |
| The Payoff Idea | |
| |
| |
| |
| External Audit Requirements and Regulatory Compliance | |
| |
| |
| Overview | |
| |
| |
| The External Auditor's Role | |
| |
| |
| What External Auditors Look For | |
| |
| |
| The Question of Corporate Governance: The Regulator's Role | |
| |
| |
| FDIC Electronic Banking: Safety and Soundness Examination Procedures, 1998 (U.S.) | |
| |
| |
| Independent Report on "Electronic Commerce and Canada's Tax Administration," 1998 | |
| |
| |
| CDIC Standards of Sound Business and Financial Practices: Internal Control 1994 (Canada) | |
| |
| |
| Financial Aspects of Corporate Governance, 1992 (U.K.) | |
| |
| |
| External Requirements Harmonization | |
| |
| |
| The Common Ground | |
| |
| |
| Action Items for Control Designers | |
| |
| |
| Apply Safety Tools | |
| |
| |
| Add New Control Self-Assessment Topics | |
| |
| |
| Promote Quality Documentation | |
| |
| |
| Action Items for EC Professionals | |
| |
| |
| |
| Trends to Follow and Opportunities to Take | |
| |
| |
| How to Plan When You Can't Predict | |
| |
| |
| The Near Term | |
| |
| |
| Transforming the Nature of Security with Agents | |
| |
| |
| ANSI and Internet/Extranet Growth | |
| |
| |
| The Medium Term | |
| |
| |
| Safe Payments | |
| |
| |
| The Unknown Time Frame | |
| |
| |
| Digital Cash | |
| |
| |
| Changes in Payment Mechanisms | |
| |
| |
| The Death of Copyright | |
| |
| |
| Recommendations to Managers | |
| |
| |
| |
| Electronic Commerce in Action: The Case for Secure Electronic Transaction (SET) | |
| |
| |
| |
| What is Set? | |
| |
| |
| |
| Why Set at All? | |
| |
| |
| |
| Risk Profile With Implementing a Set Payment System | |
| |
| |
| Set Payment Cardholders | |
| |
| |
| Set Merchants | |
| |
| |
| Set Payment Gateways | |
| |
| |
| |
| The Trust Dimension: The Public Key Infrastructure | |
| |
| |
| |
| Set Implementation Issues | |
| |
| |
| Vendor Products May Not Be Fully Certified at Time of Implementation or Self-Audit | |
| |
| |
| Merchant Sign-Up Process Change | |
| |
| |
| Certificate Management | |
| |
| |
| Performance | |
| |
| |
| Backup of Set-Sensitive Files | |
| |
| |
| Managing Vendors and Outsourcing Partners | |
| |
| |
| Self-Audits and Independent Audits | |
| |
| |
| |
| What Set Does Not Cover | |
| |
| |
| Index | |
| |
| |
| The Authors | |