EY launches eCommerce certification process

Johannesburg, 09 Feb 1999

In a bid to address the security concerns surrounding electronic commerce, Ernst & Young's Information Systems Assurance and Advisory Services (ISAAS) practice has launched CyberProcess Certification, a methodology culminating in a higher degree of confidence in a company's identified business processes and specifically its eCommerce activities.

According to ISAAS Information Security Services and eCommerce national manager, Grant Brewer, the growth of eCommerce has been inhibited by the increased vulnerability and threat to customer privacy and business information assets as companies move their processes and applications online.

"The necessary infrastructure and enabling technologies for electronic commerce are available now in South Africa," he says, "but the lack of security, trust and reliability are viewed as the main obstacles in pursuing electronic commerce as a business strategy."

Using new technologies, eCommerce allows businesses to reduce costs, attain greater market penetration and develop closer partner relationships with customers and suppliers. However, there are hurdles and challenges such as security and trust.

EY's 2nd Annual Global Information Security Survey asked the question: "Would your organisation increase or begin to use the Internet for important business information or transactions if its security was enhanced?"

The response was 74% positive, a clear indicator of the threat that the perceived lack of security poses to a successful eCommerce strategy.

Further, the firm's 2nd Annual Global Information Security Survey also highlighted that almost 50% of South African organisations believe their information security risks have increased over the past year. Unauthorised internal users, hackers and former employees are seen to be the largest threats to organisations.

The major barriers to achieving adequate levels of security were identified as employee awareness and lack of budget. Only 45% of organisations have formal information security policies and procedures, and just 19% run security awareness and training programmes.

Ernst & Young's CyberProcess Certification will help its clients meet the needs of an electronic world by leveraging Ernst & Young's position of trust in the global marketplace to their electronic business processes.

Explains Brewer: "It is difficult to translate the trust and sense of security that consumers or business partners get from the bricks and mortar of physical offices, shops or branches. Trust is built on personal relationships that cannot easily be duplicated online.

"CyberProcess Certification combines a series of ISAAS's service lines and industry disciplines to provide an eCommerce solution that combines strong authentication, transaction security, and the maintenance of online customer privacy.

"This is drawn together by Ernst & Young acting as an independent third party that is neither a trading nor a technology partner, to deliver trust and enable the growth of electronic commerce.

"Ernst & Young is hired to refine trust in enterprise systems, provide assurance in an objective role, assess integrated applications, certify multi-enterprise business processes, and may use a dynamic set of technologies to achieve the objectives we jointly identify with the client.

"The client also engages Ernst & Young to provide additional confidence to management, customers, and business owners that the company has adequately addressed its data integrity, data protection, process controls, and data recovery postures.

"In the same way an auditor signs off a company's accounts, ISAAS will sign off the components of the electronic business processes ensuring that the claims made by the company are indeed valid.

"A client who has been taken through the CyberProcess Certification methodology (which was developed by Ernst & Young in the USA and South Africa), will then be entitled to reproduce the 'stamp of approval' on its web site."

Brewer says Ernst & Young are unique in the industry in their ability to deliver a highly customised trust mark solution.

"Because of greater flexibility than WebTrust, defining the area of assessment is often the most challenging portion of the engagement.

"Each CyberProcess Certification has unique characteristics determined by the degree of data sensitivity, the business sector, and the process being assured. Most definitely many more new products will emerge as the networked economy continues to adopt new technologies to new business processes.

"In each case, Ernst & Young can work with clients to establish adequate assurances to ensure that they are fulfilling their management objectives."

Sample Business Case for CyberProcess Certification

A bank allows customers to access their financial records and banking facilities across the Internet. All of the bank's regional branches will also access this information.

The bank feels there may be inadequate controls in place to govern how customers access this sensitive information over the Internet. They are also concerned about the integrity of information entered into the system.

The bank wants to talk with Ernst & Young to improve its corporate IT posture and to prove to its customers and regulators that the bank is doing what it said it would be doing - "processing secure, private, non-discriminatory online banking."

ISAAS offers a three-phase approach to meet the bank's needs:

Phase 1

In phase one, the ISAAS team will determine with management what the controls are that they want to verify. Ernst & Young will co-develop the goals that bank management has with regard to the Internet banking process. Special care will be taken to identify clear, measurable objectives.

Second, with these management assertions about the desired level of bank controls, the engagement team will proceed to assess the quality of existing bank controls. Ernst & Young will evaluate server access controls, run network security scans, provide Attack and Penetration testing, and conduct any other evaluations required.

Third, the engagement team will present a detailed report documenting the bank's vulnerabilities and exposures discovered during the Ernst & Young CyberProcess Certification review. This discovery process sets up the next phase of the engagement.

Phase 2

In phase two, Ernst & Young's ISAAS CyberProcess Certification team will provide consulting advice on how the bank can improve its security posture with regard to the issues discovered in phase one. The criteria will be measured against the defined management assertions.

Findings from phase one may call for Security Consulting, Application Control Consulting, Data Integrity Review, or Business Continuity Planning, to meet the bank's management objectives. When satisfactory improvements have been made to the online banking information systems operation, such as documenting server access and developing a verifiable audit trail, the final phase of the CyberProcess Certification engagement can commence.

Phase 3

In phase three, the engagement team will determine and develop an appropriate compliance program to attest to the objectives management identified in phase one. This CyberProcess Certification compliance program may involve quarterly or annual reviews depending on several factors.

The degree of process change, employee turnover rates and adoption of new technology are all potential elements that will influence the structure and nature of the compliance program. Existing industry standards may also need to be taken into consideration.

At the conclusion of the engagement by Ernst & Young, offering a customised CyberProcess Certification, the bank not only has gained increased confidence in its ability to promote and defend its management assertions, it also will have a clear plan going forward on how to address future technology and organisation changes and the associated vulnerabilities. The bank is also able to establish trust in its online banking practices amongst customers in the marketplace. Certification could become a significant competitive advantage.

"All clients using web-enabled information systems to support their revenue generation and mission critical applications will require some assurance of their Cyber business process," claims Brewer.

"The current demonstrated need for CyberProcess Certification is often political or consumer liability. However, there are other drivers that will help to demonstrate the need for Ernst & Young's CyberProcess Certification services.

"For instance, there is the threat of impending government regulation, peer pressure to comply with industry leading practices, defence of brand name integrity, and international data compliance issues such as the Open Democracy Bill on privacy or Corporate Governance. In all, there is already a compelling list of reasons to call on a client with Internet systems to explore their Certification needs," Brewer concluded.

Editor's note

Additional input on electronic commerce:

According to Brewer, the re-engineering of business processes as companies expand to integrate with other companies is fuelling the growth of eCommerce. The Internet has also become a backbone alternative to costly leased lines to expand an enterprise's information assets and business systems.

This will enable companies to meet the challenge of connecting their information assets in order to share corporate information.

Electronic marketplaces that enable people and companies to transact business are transforming real world commercial and consumer transactions into the virtual world. "The creation of virtual malls by M-Web and ECNet are examples of this in South Africa, although their success within the country is still unproven."

As South Africa moves forward toward the 21st century, Ernst & Young are expecting an unprecedented proliferation of eCommerce applications, and increasing commercialisation of eCommerce capabilities, resulting in a complete re-engineering of commerce.

Brewer says: "South African companies should see themselves as at the forefront of the technology. We have very skilled people in the country that are world beaters. The success of the Internet banking industry is a testament to that."

The biggest potential of eCommerce, beyond allowing companies to reach millions of online users, is that it yields access to highly specialised market segmentation. "Businesses can gain greater knowledge of buyer behaviour and attain mass customisation of both the message and the goods or services being purchased," Brewer says.

While the expectation that eCommerce will grow into a $20 billion market by 2001 is creating strong interest in eCommerce, statistics provide few insights as to which technologies and specific eCommerce market applications will yield significant returns for enterprises.

Even those companies least likely to embrace eCommerce will need a strategy to move into the eCommerce world to preserve their existing markets and remain competitive. To help its clients meet their goals, Ernst & Young is assisting them in building essential components of their infrastructure.

The CyberProcess Certification Service: Individual Product Offerings

There are several CyberProcess Certification products, for example:

Certificate Authority Certification

Certification Authority Certification provides a framework that helps certificate authority service organisations define global relationships between high level domains, and provides attestation around the process definitions for current practices and other emerging standards. Ernst & Young is working with several Certification Authority vendors, and standards organisations such as ANSI X9. In South Africa, Ernst & Young are also working together with Thawte Certificate Authority and the South African Certificate Authority to provide certification services in this market.

Privacy Assurance

CyberProcess Assurance for Privacy is one of the most exciting CyberProcess Certification products. Given the proliferation of databases and data collection techniques, there is a real concern that individuals' personally identifiable and other sensitive information, such as web site visits and financial and medical records, is potentially vulnerable to abuse. The primary concept with Privacy Assurance is to work with the host company to follow emerging standards for adequate protection of private information and to attest to management assertions on how the data the company holds is handled. This certification gives management a higher degree of confidence that their company will be in compliance with emerging standards at the national and international level. This need is driven by the need to comply with corporate governance requirements and by the emergence of the Open Democracy Bill in the South African parliament.

Editorial contacts

Cathy van Zyl
C-Cubed Communications
(021) 852-7198
Bruce Young
Ernst & Young
(011) 498-1000