Learning Objectives
By the end of this chapter, you will be able to:
- Explain why technology alone is not enough to ensure security.
- Describe the purpose of a risk assessment.
- Explain the importance of a written security policy.
Management Policies for E-commerce Security
Technology is only one part of a good security plan. Effective security also requires a set of management policies and procedures.
Risk Assessment
A risk assessment is the process of identifying, analyzing, and evaluating the security risks to your organization’s assets. The goal is to determine the likelihood and potential impact of each threat so that the most significant risks can be addressed first, which allows you to prioritize your security spending.
Security Policy
A security policy is a written document that outlines the rules and procedures that must be followed to protect the organization’s assets. It should define who is responsible for security and what actions should be taken in the event of a security breach.
Auditing
A security audit is a systematic evaluation of an organization’s security policies and procedures to verify that they are being followed and that they remain effective.
Summary
Technology provides the tools for security, but management policies provide the strategy and the rules. A comprehensive security plan starts with a risk assessment to identify the most significant threats. This is followed by the creation of a formal, written security policy that outlines the rules for protecting company assets. Regular security audits are then used to ensure that the policies are being followed and remain effective.
Key Takeaways
- Security requires both technology and management policies.
- A risk assessment is used to identify and prioritize security risks.
- A written security policy is essential for communicating security rules and procedures.
Discussion Questions
- Why is a written security policy so important?
- Who should be involved in creating a company’s security policy?
- What are some of the things that a security audit might look for?