Digital Business Security Development
Latest Publications


Total documents: 14 (five years: 0)

H-index: 1 (five years: 0)

Published By IGI Global

9781605668062, 9781605668079

Author(s):  
Oscar Imaz-Mairal

ICT systems are expected to be available 24/7 to internal and external users regardless of the circumstances, but the nature of uncertainty in complex and dynamic environments makes Business Continuity Planning more relevant today than ever before. Organisations providing 24/7 ICT availability become strategic dilemmas for decision makers, hence, to ensure operations, managers must balance the costs involved in providing an almost zero downtime infrastructure for information availability with the trust ICT users have on a given organization. Decision makers need to assess possible disruptions and vulnerabilities that can impact on ICT availability to all users. This chapter argues that approaches, such as virtualisation, can provide cost advantages to organizations by ensuring availability and resilience through flexible system implementation, and to achieve this objective, committed strategic managers must have arguments to defend this view.


Author(s):  
Roger Clarke

An expectation exists in the U.S.A. that operators of business-to-consumer (B2C) Web sites will provide public notice of their privacy and security practices in relation to the personal data that they hold. Such documents are referred to in this paper as Privacy Policy Statements (PPS). The use of PPS has become mainstream in many other countries as well. Privacy and security of personal data are important elements in consumer trust, and hence in a consumer’s decision to make purchases using Internet commerce services. PPS could therefore be expected to play an important role in overcoming the impediments to consumer purchases online. This paper adds to the growing research literature on PPS by developing a research design involving comparison of an organisation’s PPS against a normative template developed on the basis of professional practice and laws, policies, practices, and public expectations around the world. A study of six B2C sites was undertaken, in order to assess the practicability of the design, and provide some initial substantive insight into the contributions that PPS currently make to consumer trust. It appears that many organisations’ PPS may be seriously inadequate, and hence may be more of an impediment to trust than an enabler of Web-commerce adoption.


Author(s):  
Don Kerr, John G. Gammack, Richard Boddington

This chapter provides an overview of digital business security. It is informed by a contemporary analysis of perceived threats through the eyes of information technology managers both from a representative public institution (a University) and from a private company (a retail sales company). A brief overview of malicious software leads into more general consideration of the risks and threats of security breaches, which are analysed from both a company and a customer perspective. Common to both sectors is the requirement to secure corporate records and other digital information and management and policy guidance is provided here. Cybercrime remains rife, but is both under-reported and under-prosecuted. As managers may become involved in legal issues associated with information technology security breaches, this chapter also overviews the special nature of digital evidence.


Author(s):  
Kevin Curran, Jennifer Caldwell, Declan Walsh, Marcella Gallacher

Authentication is the process of determining whether a user is to be granted access and verifying that they are who they claim to be. This is generally done via a login system, typically consisting of a user ID and a corresponding password. An intrinsic weakness of this system of authentication is that passwords are easily forgotten, accidentally revealed, can be second guessed, or even stolen. Users today have multiple email accounts; manage their financial affairs, buy, and even sell regularly online. Many sites offer the opportunity to sign up. This can be problematic for managing usernames and passwords and it encourages insecure practices, such as writing them down, storing them electronically, or reusing the same login data on multiple Web sites repeatedly. One of the most common online security issues faced today is that every Web site has its own diverse authentication system that significantly heightens the probability of online crime, such as fraud and identity theft and, furthermore, can compromise the privacy of the individual. A common network identity-verification method is Simplified Sign-On, which allows users to roam between sites without having to repeatedly enter identifying information. Privacy of users’ information should be maintained, as only relevant details are passed on to other sites. A number of organizations are already taking Simplified Sign-On on board and have had successful outcomes using this type of system. Some companies, such as Microsoft Passport, have used a Single Sign-On password system but they have had security and privacy issues after the launch. The future for most, if not all, users may be a secure and private single logon to access different sites and accounts on the Internet via Simplified Sign-On. This paper discusses Simplified Sign-On in more detail.


Author(s):  
Richard Boddington

Digital evidence, now more commonly relied upon in legal cases, requires an understanding of the processes used in its identification, preservation, analysis and validation. Business managers relying on digital evidence in the corporate environment need a greater understanding of its true nature and difficulties affecting its usefulness in criminal, civil and disciplinary proceedings. This chapter describes digital evidence collection and analysis, and the implications of common challenges diminishing its admissibility. It looks at determining the evidentiary weight of digital evidence that can be perplexing and confusing because of the complexity of the technical domain. Digital evidence present on computer networks is easily replaced, altered, destroyed or concealed and requires special protection to preserve its evidentiary integrity. Consequently, business managers seeking the truth of a matter can find it a vexing experience, unless provided with a clear appraisal and interpretation of the relevant evidence. Validating evidence, that is often complex and incomplete, requires expert analysis to determine its value in legal cases to provide timely guidance to business managers and their legal advisers. While soundly configured security systems and procedures enhance data protection and recovery, they are often limited in the way they preserve digital evidence. Unprepared personnel can also contaminate evidence unless procedural guidelines and training are provided. The chapter looks at the benefits for prudent organisations, who may wish to include cyber forensic strategies as part of their security risk contingency, planning to minimise loss or degradation of digital evidence which, if overlooked, may have adverse legal repercussions.

