E-business Auditing Revised on 2014
Introduction
• E-business vs E-commerce: are they similar? E-business and e-commerce are terms that are sometimes used interchangeably, but the terms are actually different.
What is the Difference Between e-commerce and e-Business?
• e-commerce - buying and selling using an electronic medium.
• ICT is used in inter-business or inter-organizational transactions (transactions between and among firms/organizations) and in business-to-consumer transactions (transactions between firms/organizations and individuals). E.g. accepting credit card payments over the net, doing banking transactions using the Internet, selling commodities or information using the World Wide Web, and so on.
What is the Difference Between e-commerce and e-Business?
• e-Business - on top of e-commerce, it also includes both front- and back-office applications that form the engine for modern e-commerce.
• e-business is not just about e-commerce transactions; it is about re-defining old business models, with the aid of technology, to maximize customer value.
• ICT is used to enhance one's business. It includes any process that a business organization conducts over a computer-mediated network.
• e-Business is the overall strategy, and e-commerce is an extremely important facet of e-Business.
What is the Difference Between e-commerce and e-Business?
• Thus e-business involves not merely setting up the company website and being able to accept credit card payments or being able to sell products or services on time.
• It involves fundamental re-structuring and streamlining of the business using technology by implementing enterprise resource planning (ERP) systems, supply chain management, customer relationship management, data warehousing, data marts, data mining, etc.
• (Source: http://www.eresourceerp.com/What-is-the-difference-between-E-commerce-and-E-Business.html, http://en.wikibooks.org/wiki/E-Commerce_and_E-Business/Concepts_and_Definitions)
e-commerce • It involves three types of integration: o Vertical integration of front-end Web site applications to existing transaction systems; o Cross-business integration of a company with Web sites of customers, suppliers or intermediaries such as Web-based marketplaces; o Integration of technology with modestly redesigned processes for order handling, purchasing or customer service
e-business
Three primary processes are enhanced in e-business:
1. Production processes, which include procurement, ordering and replenishment of stocks; processing of payments; electronic links with suppliers; and production control processes, among others;
2. Customer-focused processes, which include promotional and marketing efforts, selling over the Internet, processing of customers' purchase orders and payments, and customer support, among others; and
3. Internal management processes, which include employee services, training, internal information-sharing, videoconferencing, and recruiting. Electronic applications enhance information flow between production and sales forces to improve sales force productivity. Workgroup communications and electronic publishing of internal business information are likewise made more efficient.
e-business • Involves four types of integration: o Vertical - between Web front- and back-end systems; o Cross-business integration - between a company and its customers, business partners, suppliers or intermediaries; o Horizontal - among e-commerce, enterprise resource planning (ERP), customer relationship management (CRM), knowledge management and supply-chain management systems; o Integration of technology with radically redesigned business processes
Risks with e-business
1. Fraud: a deception deliberately practiced in order to secure unfair or unlawful gain (Source: http://en.wikipedia.org/wiki/Fraud)
http://www.nbcnews.com/id/4648378/ns/technology_and_sciencesecurity/t/foreign-fraud-hits-us-e-commerce-firms-hard/
Risks with e-business
2. Loss of privacy/confidentiality: losing the ability of an individual or group to seclude themselves, or information about themselves, and thereby express themselves selectively (Adapted from: http://en.wikipedia.org/wiki/Privacy)
http://yourbusiness.azcentral.com/risks-ebusiness-1368.html
Risks with e-business
3. Lack of authentication: absence of verification of whether someone or something is, in fact, who or what it is declared to be. (Adapted from: searchsecurity.techtarget.com/definition/authentication)
4. Corruption of data: errors in computer data that occur during writing, reading, storage, transmission, or processing, which introduce unintended changes to the original data (Source: http://en.wikipedia.org/wiki/Data_corruption)
5. Business interruption
Controls in e-business applications
1. Authenticity mechanism: user ID and password, PIN
2. Non-repudiation mechanism: the ability to ensure that a party to a contract or a communication cannot deny the authenticity of their signature on a document or the sending of a message that they originated; digital signature
3. Encryption
4. Policies
e-Business Security Audit
The most important controls for auditing e-business security are the following:
• Access control policy and procedures
• Account management
− Which manages system accounts, including establishing, activating, modifying, reviewing, disabling, and removing accounts.
• Separation of duties
− The system enforces separation of duties through assigned access authorizations.
− The organization establishes appropriate divisions of responsibility and separates duties as needed to eliminate conflicts of interest in the responsibilities and duties of individuals.
• Least privilege
− The system enforces the most restrictive set of rights/privileges or accesses needed by users (or processes acting on behalf of users) for the performance of specified tasks.
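The separation-of-duties and least-privilege controls above are what an auditor tests by comparing each account's effective permissions against a list of conflicting duties and against the access the job actually needs. The following is an added example written for this page, not code from the slides or from the cited paper; the role-to-permission mapping, the conflicting duty pairs and the sample accounts are constructed data chosen for illustration.

```python
"""Audit check for separation of duties (SoD) and least privilege.

Added example, not from the original slides. ROLE_PERMISSIONS,
CONFLICTING_DUTIES and SAMPLE_ACCOUNTS are constructed sample data.
"""
from dataclasses import dataclass

# Constructed sample: the permissions each role grants.
ROLE_PERMISSIONS = {
    "order_entry":    {"order.create"},
    "order_approval": {"order.approve"},
    "payments":       {"payment.release"},
    "vendor_admin":   {"vendor.create", "vendor.modify"},
    "audit_reader":   {"log.read"},
    "sysadmin":       {"account.create", "account.disable", "log.read"},
}

# Constructed sample: duty pairs one individual must never hold together.
CONFLICTING_DUTIES = [
    ("order.create", "order.approve"),      # enter and approve the same order
    ("vendor.create", "payment.release"),   # create a vendor and pay it
    ("account.create", "log.read"),         # administer accounts and review the audit trail
]


@dataclass
class Account:
    user: str
    roles: set
    tasks: set          # permissions the approved access request says the job needs
    active: bool = True


def effective_permissions(account):
    """Union of the permissions granted by every role the account holds."""
    perms = set()
    for role in account.roles:
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def sod_violations(account):
    """Conflicting duty pairs both held by this account, in CONFLICTING_DUTIES order."""
    perms = effective_permissions(account)
    return [pair for pair in CONFLICTING_DUTIES if pair[0] in perms and pair[1] in perms]


def excess_privileges(account):
    """Least privilege: permissions granted beyond what the approved tasks require."""
    return sorted(effective_permissions(account) - account.tasks)


def audit(accounts):
    """Return (user, finding type, detail) tuples for every active account."""
    findings = []
    for acct in accounts:
        if not acct.active:
            continue   # disabled accounts fall under the account-management control
        for a, b in sod_violations(acct):
            findings.append((acct.user, "SOD", f"{a} + {b}"))
        for perm in excess_privileges(acct):
            findings.append((acct.user, "EXCESS", perm))
    return findings


# Constructed sample accounts: alice is clean; bob's approved request itself
# contains an SoD conflict; carol has a conflict and an unneeded permission;
# dave's sysadmin role bundles log.read he never asked for.
SAMPLE_ACCOUNTS = [
    Account("alice", {"order_entry"}, {"order.create"}),
    Account("bob", {"order_entry", "order_approval"}, {"order.create", "order.approve"}),
    Account("carol", {"vendor_admin", "payments"}, {"vendor.create", "payment.release"}),
    Account("dave", {"sysadmin"}, {"account.create", "account.disable"}),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_ACCOUNTS):
        print(*finding)
```

Note that bob is flagged even though his approved access request lists both permissions: an approval does not cure an SoD conflict, which is why the check is run against the conflict list rather than against the request. Dave shows the usual source of least-privilege findings, a coarse role that bundles more than the task needs.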
e-Business Security Audit (cont.)
• Unsuccessful login attempts
− The system enforces a limit of consecutive invalid access attempts by a user during a time period.
• System use notification
− The system displays an approved system use notification message before granting system access, informing potential users:
− That the user is accessing the system
− That system usage may be monitored, recorded, and subject to audit
− That unauthorized use of the system is prohibited and subject to criminal and civil penalties
− That use of the system indicates consent to monitoring and recording.
• Previous logon notification
− The system notifies the user, upon successful logon, of the date and time of the last logon, and the number of unsuccessful logon attempts since the last successful logon.
e-Business Security Audit
• Session lock
− The system prevents further access to the system by initiating a session lock that remains in effect until the user re-establishes access using appropriate identification and authentication procedures.
• Supervision and review of access control
− Which supervises and reviews the activities of users with respect to the enforcement and usage of information system access controls.
• Remote access
− Which documents, monitors, and controls all methods of remote access (e.g., dial-up, broadband, Internet) to the information system.
− Appropriate organization officials authorize each remote access method for the information system and authorize only the necessary users for each access method.
(Source: NĂSTASE, NĂSTASE and ŞOVA (2007): Information Security Audit in e-business applications)
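Three of the controls on the last two slides (the limit on consecutive invalid attempts within a time period, the previous-logon notification, and the session lock that holds until the user re-authenticates) are mechanisms an auditor can exercise directly. The following is an added example written for this page, not code from the slides or from the cited paper; the thresholds, the user records and the injected clock are assumptions chosen so that the walk-through in `demo()` can be run offline and checked.

```python
"""Unsuccessful-login limiting, previous-logon notification and session lock.

Added example, not from the original slides. Thresholds, user records and
the injected clock are assumptions for illustration.
"""
import hashlib
import hmac
import os
import secrets

MAX_FAILED = 5          # consecutive invalid attempts tolerated ...
WINDOW = 15 * 60        # ... within this many seconds before the account locks
LOCKOUT = 30 * 60       # seconds the account stays locked
IDLE_LIMIT = 10 * 60    # seconds of inactivity before a session is locked


def _hash(password, salt):
    # PBKDF2-HMAC-SHA256; iteration count kept modest so the demo runs quickly
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class AuthService:
    def __init__(self, clock):
        self.clock = clock      # callable returning seconds; injected so tests control time
        self.users = {}
        self.sessions = {}

    def add_user(self, name, password):
        salt = os.urandom(16)
        self.users[name] = {
            "salt": salt, "hash": _hash(password, salt),
            "recent_failures": [],        # timestamps inside the lockout window
            "failed_since_success": 0,    # reported in the next previous-logon notice
            "locked_until": 0.0, "last_logon": None,
        }

    def _verify(self, name, password, now):
        """Credential check shared by login and unlock: 'ok', 'locked' or 'invalid'."""
        u = self.users.get(name)
        if u is None:
            _hash(password, b"\0" * 16)   # comparable work so unknown users are not revealed by timing
            return "invalid"
        if now < u["locked_until"]:
            return "locked"               # a correct password is refused while locked
        if hmac.compare_digest(_hash(password, u["salt"]), u["hash"]):
            return "ok"
        u["failed_since_success"] += 1
        u["recent_failures"] = [t for t in u["recent_failures"] if now - t <= WINDOW] + [now]
        if len(u["recent_failures"]) >= MAX_FAILED:
            u["locked_until"], u["recent_failures"] = now + LOCKOUT, []
            return "locked"
        return "invalid"

    def login(self, name, password):
        now = self.clock()
        status = self._verify(name, password, now)
        if status != "ok":
            return {"ok": False, "reason": status}
        u = self.users[name]
        # previous-logon notification, captured before the counters are reset
        notice = {"last_logon": u["last_logon"], "failed_attempts": u["failed_since_success"]}
        u["last_logon"], u["failed_since_success"] = now, 0
        token = secrets.token_hex(16)
        self.sessions[token] = {"user": name, "last_activity": now, "locked": False}
        return {"ok": True, "token": token, "notice": notice}

    def request(self, token, action):
        """Gate an authenticated request; an idle session is locked until re-authentication."""
        s = self.sessions.get(token)
        if s is None:
            return "no-session"
        now = self.clock()
        if s["locked"] or now - s["last_activity"] > IDLE_LIMIT:
            s["locked"] = True
            return "locked"
        s["last_activity"] = now
        return "ok:" + action

    def unlock(self, token, password):
        """Re-establish access to a locked session with the same check (and lockout) as login."""
        s = self.sessions.get(token)
        if s is None or self._verify(s["user"], password, self.clock()) != "ok":
            return False
        s["locked"], s["last_activity"] = False, self.clock()
        return True


def demo():
    """Walk one constructed account through lockout, notification and session lock."""
    t = [0.0]
    svc = AuthService(lambda: t[0])
    svc.add_user("alice", "correct horse battery")
    seen = {"attempts": []}
    for _ in range(MAX_FAILED):                      # five wrong passwords, 10 s apart
        seen["attempts"].append(svc.login("alice", "wrong")["reason"])
        t[0] += 10
    seen["during_lockout"] = svc.login("alice", "correct horse battery")["reason"]
    t[0] += LOCKOUT
    first = svc.login("alice", "correct horse battery")
    seen["first_notice"] = first["notice"]
    seen["active"] = svc.request(first["token"], "view-orders")
    t[0] += IDLE_LIMIT + 1
    seen["idle"] = svc.request(first["token"], "view-orders")
    seen["unlock_wrong"] = svc.unlock(first["token"], "wrong")
    seen["unlock_right"] = svc.unlock(first["token"], "correct horse battery")
    seen["resumed"] = svc.request(first["token"], "view-orders")
    seen["second_notice"] = svc.login("alice", "correct horse battery")["notice"]
    return seen


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Two details matter for the audit: the lockout is enforced before the password is checked, so a correct password during the lockout period is still refused, and the unlock path shares the same failure counting as login, so an attacker cannot use a locked session's re-authentication prompt to guess passwords without limit. The previous-logon notice reports every failure since the last success, not just the ones inside the lockout window, which is what lets a user spot guessing that stayed below the threshold.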