How To

How to Minimize E-Commerce Risk

Top infosecurity pros offer 5 strategies for protecting corporate networks even as you link more closely with your business partners

By Kim Girard

Page 3

The three levels are defined as follows. For a supplier with simple data requirements, a simple five- to 10-minute dial-up connection will do. The manufacturer audits these connections and conducts parameter logging. For suppliers that need to get their hands on a wider breadth of information, such as a large manufacturing report to help better plan production, the company uses a wider-bandwidth connection with a firewall at each end. For heavy-duty users, it offers a standing, perpetual connection over a virtual private network with firewalls. Both sides agree on how each end is monitored, and to ensure security for both parties, either side can shut down the connection at any time if there are security issues, according to the CSO.

To better control requests for network access, according to Washington Mutual's Cullinane, any new network connection that doesn't adhere to an established policy should require the signature of both the CSO and a senior executive in the business unit requesting access. Any request that's approved should be for a limited period of time, he says.

3. Share Standards

Another way to boost e-commerce security is to ensure your company's policies make their way to every person within the supply chain. Evolving standards and guidelines from organizations such as the International Organization for Standardization (commonly known as ISO) and National Institute of Standards and Technology (NIST) are helping to simplify this process by creating common terminology and requirements.

Charles Ryan, director of information security at Molex, a $1.7 billion electronics manufacturer with 55 locations, frets over the amount of data that his company sends over the Internet. Keeping that data safe is critical to ensuring on-time delivery, which is a top priority for Molex, a huge supplier to auto and consumer electronics companies. Ryan is building the company's information security policy around ISO 17799, a detailed security guideline. He says it has simplified his job immensely, especially during a recent meeting with a big business partner. Ryan thought the meeting would be a deal breaker because of the complexity involved with ensuring security. Not so. "When we mentioned ISO was our standard, the conversation stopped right there," he explains. "They said, 'Yeah, we accept that as the way going forward.' It was a big surprise to us. Right off the bat we came up with common ground."

Ryan recently used a questionnaire he drafted using ISO 17799 to audit Molex's security at a Singapore corporate office. He hopes to make the audit, which ranks companies on a 1-to-5 scale (5 being "best practice"), part of the standard process Molex will use in the future with partners. While the policy provides some security, a drawback exists: There's not yet a way to certify a company as ISO 17799 compliant, so companies must take each other's word. Ryan admits his efforts are a work in progress. "We're not at the stage yet where we have a firm process and security to reject someone," he says. "This is pretty much a maturing standard." (For more about this maturation process, see "Guiding Lite.")

CSO
