ACC 626: Research Paper. Website Integrity. Jeannie Wu

Transcription

1 ACC 626: Research Paper Website Integrity Jeannie Wu July 1,

2 Introuction Most companies toay have a, either because they are engage in e-commerce activities, or because it is an effective tool to provie information to their current an prospective clients. Although there are many benefits to possessing a, such as the ability to reach a wier auience, convenience, an increase gross margins by conucting business online, there are also many risks that companies may face. This research paper ientifies these risks an iscusses the tools available for managing web content as well as tools for etecting problems with corporate s. Risks Major risks that companies face with respect to their s are cyber intrusions. As the popularity of the Internet continues to grow, so oes the number of cyber intrusion incients. A corporation that became a recent victim of cyber intrusion is Sony Corporation. In April, Sony s PlayStation Network was hacke an over 77 million customer s personal information (incluing names, passwors, an aresses) were stolen over the network. 1 Within two months of this incient, a number of other Sony s were compromise. In aition to the theft of ata, companies IP aress can be spoofe to ivert traffic, web page content can be altere, an malware can be inserte for various criminal activities. 2 The events of external parties gaining unauthorize access to popular s are not new. In January 2009, Twitter allowe a hacker to easily gain aministrative control over its by setting a passwor that was easy to guess. 3 The hacker simply use a passwor-guessing tool an was able to correctly guess the lower case common ictionary wor. 4 As a result, the hacker gaine unauthorize access to many users accounts an passwors, was able to resent these passwors, an also the passwors on another. 5 A few months later, there was another breach where another hacker was able to access a Twitter employee s personal account by simply guessing the passwor an was able to access private information of Twitter users. 6 Twitter faile to enforce strong an harer to guess aministrative passwors an i not suspen the passwors after a certain number of unsuccessful 1 Osawa, Juro. (). As Sony Counts Hacking Costs, Analysts See Billion-Dollar Repair Bill. Wall Street Journal (Online). Retrieve June 5, from D. 2 Website Integrity Seal. BranProtect Retrieve June 6, from 3 Curran, John, & Hammon, B. (2010).Twitter to Establish Data Security Plan As It Settles FTC Charges on Privacy. Cybersecurity Policy Report. Retrieve June 4, from QD&cfc=1. 4 Iem. 5 Iem. 6 Iem. 1

3 login attempts. 7 In response to the FTC charges for failing to safeguar users personal information, Twitter must now evelop an information security program an have it reviewe by an inepenent thir party every 10 years. 8 Another risk relating to the alteration of web page content by unauthorize parties is the appearance of unauthorize content on the. 9 Unauthorize content can result from not only unauthorize access to the company s by outsiers, but also unauthorize access obtaine by insiers, such as employees. The implications associate with unauthorize content are that the company may be subject to increase litigations as a result of false or misleaing claims mae on the, an the company may also face humiliation if the content oes not align with the company s values, is inconsistent with other authorize content, an contains errors. With respect to privacy policies an the collection of ata, companies must ientify who are the users of their s. If their users are minors or California resients, they may nee to comply with the Chilren s Online Privacy Protection Act (COPPA), California Online Privacy Protection Act, an/or the California Shine the Light Law. The COPPA requires companies to isclose their ata collection practices an requires that parental consent be obtaine before ientifiable information may be collecte 10. To be compliant with the California Shine the Light Law, the company must allow users to opt out of having their information inclue in any isclosures 11. Companies must carefully examine other foreign laws that are applicable to their business. To avoi the risk of breaching these privacy laws, companies shoul have a privacy policy an terms of use statement available on their. Other risks which a company may face inclue copyright an traemark infringements. 12 On one han, the content on the company s may infringe on others copyright an traemark rights. On the other han, the content on the of others may infringe on the company s copyright an traemark rights. In some cases, unknown users an competitors may engage in cybersquatting, which involves creating a omain name that is confusingly similar to a traemark that was registere by the company, an using it in ba faith to profit from the company s traemark. 13 Therefore, it is important that the company has a reporting process in place to etect possible copyright an traemark infringements an 7 Iem. 8 Iem. 9 Bialek, Aam R., & Smeresman, S. Internet Risk Management: A Guie to Limiting Risk Through Web Site Terms an Proactive Enforcement. Intellectual Property & Technology Law Journal. Vol. 20, No Retrieve June 4, from RQT=309&VName=PQD. 10 Iem. 11 Iem. 12 Iem. 13 Runyan, Charles. (2008). Domain Name Disputes: FAQ: The Anticybersquatting Consumer Protection Act. KEYTLaw, LLC. Retrieve June 20, from 2

4 to protect its own intellectual property by registering for copyright an traemark protection an enforcing their rights when necessary, to prevent others from exploiting their intellectual property. If a company oes not have any strategies in place to mitigate these risks, there may be negative implications on the company s ability to remain competitive. The company s assets may ecrease in value, trae secrets can be stolen, an litigation may increase from thir parties, users/clients, an regulatory agencies. 14 In Sony s case, the lack of strong security measures mae its more vulnerable to cyber intrusions. In aition to the loss in profits as a result of the isruptions to its operations, Sony must now spen billions of ollars to try to recover its corporate image. Issues with Managing Web Content Before we iscuss the alternatives companies can take to manage their s content, we will first iscuss the common issues with content management issues. The first issue are bottlenecks. Due to the fact that web content can arrive in ifferent formats, this can cause elays in publishing content to the web since the content must first be manually converte into a suitable format. 15 If the content on the company s is outate, this may affect the company s reputation, especially if the company has many stakeholers that rely on them to provie upate information in a timely manner. The next issue is consistency. Variations in the quality of the layout an content can lea to inconsistencies in the look an feel of the. 16 This may have been cause by the segregation of the amongst ifferent epartments. At a lower level, content quality variations can result in the company losing style an esign of its. 17 However, at a higher level, there may be a negative effect on the s strategic value. 18 Another common issue is navigation. If there is no control over the structure an content of the, there is a risk that navigation an search capabilities will eteriorate an users will have ifficulty fining information efficiently. 19 The next issue is content auit an control. As mentione earlier, unauthorize content may appear on the. Therefore, there shoul be controls in place to manage the publishing process for web content, which inclues review an authorization. 20 In relation to unauthorize content, tracking changes may also become an issue. In orer to use content effectively there must be a 14 Bialek, Aam R., & Smeresman, S. Internet Risk Management: A Guie to Limiting Risk Through Web Site Terms an Proactive Enforcement. Intellectual Property & Technology Law Journal. Vol. 20, No Retrieve June 4, from RQT=309&VName=PQD. 15 Barnes, Stuart, Steve Goowin, & Richar Vigen. (2001). Web Content Management. Ble econference. Retrieve June 4, from 16 Iem. 17 Iem. 18 Iem. 19 Iem. 20 Iem. 3

5 way to track changes, which inclues ientifying the creator of the content, when the content was create, an when it was last upate. 21 Finally, there nees to be integration between the web content management an the business process. 22 Since there may be upates or revisions to final reports poste on the web, web content shoul be internally for review an inspection an shoul only be release upon approval. 23 Web Content Management Tools Content Life Cycle The tools neee to manage web content can be separate into the ifferent stages of the content life cycle. The life cycle iscusse in this paper consists of seven stages/phases: organization, workflow, creation, repositories, versioning, publishing, an archives. 24 We will now analyze the seven stages in greater etail. 1) Organization The first stage is the organization or structuring of information. Tools such as Extensible Markup Language (XML) or Resource Description Framework (RDF) enable metaata to be ae to all of the elements of information, an metaata enables information to be retrieve an reuse in multiple ways. Retrieval of ata through search engines also becomes easier. 25 In aition, the organization stage involves creating an esigning classification schemes, controlling vocabularies, an matching the company s content strategy with the business strategy. 26 2) Workflow Due to the fact that the creators of content may involve many people in the company, in this stage, the company nees to carefully esign rules that are flexible an will keep the content moving to avoi bottlenecks. 27 These rules shoul be consistent with the company s business rules, policies an proceures. The roles an responsibilities of content owners, contributors, eitors, an rs shoul be efine. 28 3) Creation 21 Iem. 22 Iem. 23 Iem. 24 Seven Stages of the Content Lifecycle. CMS Review. Retrieve June 20, from 25 Iem. 26 Iem. 27 Iem. 28 Iem. 4

6 In this stage, the information is classifie into the categorie schemes that were esigne in the organization stage. 29 The tools neee in the stage inclue authoring, conversion, igital rights management (DRM), eiting tools, an metaata tagging. 30 4) Repositories At this stage, the company nees to ientify where content will be store. 31 The options available inclue relational atabase structures, files system objects, or a combination of both. 32 In aition, the company shoul ientify the format that the content will be store, such as unstructure text an binary graphic images, or as XML elements that are tagge with metaata. 33 5) Versioning Web Content an presentation may nee to be revise. Therefore, the company will nee version control an check-in an check-out templates since it may be ifficult to have multiple people making changes to the same ocuments at the same moment. 34 The company will nee to ientify the multiple languages that it wants its content to be isplaye. 35 Also, the company shoul ensure that it is able to rollback to prior versions of web content when there are errors in the newer version, an the errors cannot be fixe or it is not efficient to fix. 36 6) Publishing Users may retrieve the company s content through multiple methos, such as through the web or , an using ifferent evices such as cell phones or personal igital assistants (PDAs). 37 Therefore, the company shoul test these elivery methos to ensure that the quality of user experiences is maintaine. 38 Aitional tools for this stage inclue personalization, an user testing. 39 7) Archives 29 Iem. 30 Iem. 31 Iem. 32 Iem. 33 Iem. 34 Iem. 35 Iem. 36 Iem. 37 Iem. 38 Iem. 39 Iem. 5

7 In the archiving stage, the company nees to etermine which content nees to be retaine an preserve, an which content shoul be estroye. 40 The company shoul ensure that internal an external requirements/regulations are complie with. 41 Content Management Systems The broa term for tools use to manage web page content is a content management system (CMS). Commercial CMSs are available on the web either self-hoste where the user installs the software an provies the hosting space, or hoste where the service provier takes care of all the hosing space an upgraes. 42 Examples of self-hoste CMS are proprietary an open source web content management systems (WCMS). A WCMS is software that enables users to manage their web content with relative ease an with little knowlege of any programming coe 43. A couple of popular proprietary WCMS inclue Microsoft Office SharePoint Server an IBM Lotus Web Content Management. Due to the fact that there are many venors that offer WCMS an each WCMS may have ifferent features, selecting a content management tool can be overwhelming. Therefore, before eciing whether or not to invest in a WCMS or another content management tool, the company shoul consier the following: whether the system integrates well with the company s IT infrastructure an enterprise systems, whether the system inclues features an functionalities that are important an critical to the company s nees, the level of customization an available companion proucts, the costs, an venors an solutions. 44 An alternative to proprietary WCMS are open source WCMS. Three popular open source WCMS inclue WorPress, Joomla, an Drupal. The benefits of using open source WCMS over proprietary WCMS inclue: lower costs, increase security an transparency, an better support. 45 With open source WCMS, upfront or continuing licensing costs can be avoie. However, there is a limitation on the cost savings. While some open source WCMS are free, not all of them are. In aition, if the company plans to customize the open source WCMS, the company may nee to invest aitional time an resources. Next, since some open source WCMS are always available to the public, there are web evelopers that review an revise the coes of the software to eliminate possible problems. 46 In aition, some open source WCMS coes are transparent so that users are able to customize it to meet their nees. Finally, 40 Iem. 41 Iem. 42 Richars, Aria. Builing a Better Website. Black Enterprise. Vol. 41, No Retrieve June 6, from PQ. 43 Iem. 44 Heck, Mike. (2008). InfoWorl Test Center Guie: Content management systems. InfoWorl, Inc. Retrieve June 20, from 45 Content Management System. Outsourcing Partners. (). Retrieve June 20, from 46 Iem. 6

8 companies may get quicker support from some open source WCMS since most of the popular open source WCMS have a eveloper an an international user base. 47 Since the company is not locke in an epenent on one WCMS venor, companies can easily switch from one open source WCMS to another if they o not receive aequate support. 48 Therefore a company shoul consier an open source WCMS if they have high customization nees, strong IT staff, an have the patience an resources to buil usable interfaces. 49 WCMSs are consiere conventional tools that organizations use to manage web content. An alternative to these self-hoste tools are Software-as-a-Service web content management (SaaS). Popular SaaS venors inclue Clickability, CrownPeak, an OmniUpate. While the WCMSs may be effective in the areas of creating, eiting, managing, an publishing content, the isavantages of these tools are that they can be expensive, complex to implement an configure, ifficult to maintain, an complicate to use an aopt within an organization. 50 SaaS allows companies to subscribe to software elivere over the Internet; thus, installation, harware, software, an infrastructure are not require. 51 In exchange for a fixe monthly subscription fee, the company can elegate the venor to manage, maintain, an upgrae the software. 52 One of the benefits of SaaS is that it is generally less costly than traitional content management tools since there is no harware or software to install. Next, without the nee to install any harware, software, or infrastructure, the spee of eployment for Saas may be much quicker than traitional content management tools an integration with other applications may be easier. 53 Content management through SaaS enables organizations to manage an track the history of all of their s content; therefore, compliance with regulations may be easier through features such as complete system auiting an reporting. 54 Similar to open source WCMS, the organization can simply switch to another venor if the venor s services no longer meet the organization s nees. The company can also choose to buil its own CMS rather than purchasing a commercially available content management solution. Builing a customize CMS requires a significant commitment of time an resources. 55 Therefore, this option may not be a viable option for smaller companies that our constraine on financial resources an technical staff. More time will be neee to test, fix, an ocument the 47 Iem. 48 Iem. 49 Iem. 50 Software-as-a-Service: The Alternative for Web Content Management. A Whitepaper Perspective from CrownPeak. CrownPeak Technology, Inc Retrieve June 20, from 51 Iem. 52 Iem. 53 Iem. 54 Iem. 55 Effective Web Content Management: Empowering the Business User While IT Maintains Control. Winett Associates Retrieve June 20, from 7

9 internally evelope system, as well as training employees on how to use the new system. 56 Whether the company ecies to buy or buil a CMS, there are some features that are recommene that a content management must have, which inclues: versatile Web application, content authoring/management, version control, anywhere anytime access, easy-to-use, workflow an ocument management functions, security an authentication, an workgroup creation. 57 Tools for Detecting Problems with Corporate Websites Before we iscuss the tools for etecting problems with corporate s, we must first ientify what these problems are. Common problems that corporations face with respect to their inclue owntime, network failure, broken links, security, unauthorize changes an efacement of the, connectivity or system outage issues, an hijacking of the. These problems relate to the risks that were ientifie in the earlier section of this paper. Web server monitoring is an essential tool for corporations. 58 Monitoring can be efine as an automate process of testing, tracking an reporting on the availability an conition of the system, services an networks that make up a Web presence. 59 An effective monitoring system can help reuce the amount of owntime an prevent problems by revealing patterns of resource consumption an performance. 60 In aition, by being able to ientify the source of the problems an iagnosing the problems immeiately, this can reuce the amount of owntime. 61 A monitoring system inclues a set of monitors, mechanisms for alerting aministrators if failures occur, an a historical log of ata collecte by monitors. 62 In aition, the monitoring system shoul provie three ifferent types of information: exceptions, trens, an historical ata. 63 Exceptions are usually events that signal that there is a problem that nees to be aresse. 64 Examples of exceptions inclue the availability an health of networks an services, an security relate information. 65 Trens supply the company with information about the changes in usage an activity over time. 66 Examples of trens inclue banwith utilization, server isk utilization an capacity, an activity counts. 67 Trens are useful for planning the timing of upgraes an expansions. 68 Finally, the purpose of historical ata is to track an log occurrences of failures, outages, an activity 56 Iem. 57 Iem. 58 Popa, Sorin. Web Server Monitoring. University of Craiova. (2008). Retrieve June 20, from 59 Iem. 60 Iem. 61 Iem. 62 Iem. 63 Iem. 64 Iem. 65 Iem. 66 Iem. 67 Iem. 68 Iem. 8

10 levels for items incluing service level reporting an problem tracking. 69 In general, there is a broa range of monitor tests, from eep monitor tests to shallow monitor tests. 70 Deep monitor tests multiple components of a at the same time, while shallow monitor tests only measure a single aspect of a single component. 71 In orer to test the overall security of a, the following categories must be carefully examine for flaws: 1) authentication mechanism, 2) role-base authorization, 3) input valiations, 4) custom cryptographic algorithms an management of keys, an 5) logging controls. 72 The lack of input valiations may lea to cross-site scripting, SQL injection, an other injection attacks. In aition, the lack of custom cryptographic algorithms an management of keys increases the risk of ata being compromise. 73 Tools for testing role-base authorization controls inclue planning test cases from three perspectives: elevation of privilege from one role to another, within the same role, an one-click vulnerabilities (cross-site forgery). 74 To test the elevation from one role to another, the corporation may try to open up two accounts of users with ifferent roles (e.g. an aministrator account an a regular user account) in the same web browser to ensure that the regular user only has limite access to certain content an functionalities. 75 Similarly, the corporation may try to open up two accounts of users with the same role to see whether one user can view an tamper with the ata of the other user. 76 While companies can implement a monitoring strategy that involves mainly manual testing of the, there are many automatic monitoring tools that are available in the market, incluing commercial proucts, shareware, freeware scripts an solutions. 77 In aition, there are several thir parties that provie integrity services to help aress some of the common problems ientifie above. BranProtect, is an example of a provier of integrity services. Their services inclue inboun link checking, outboun an internal link checking, an monitoring. 78 The link checking services ensure that the links on the are functioning properly an monitoring reuces the risk of hijacking an efacement. 79 In aition, critical pages that are monitore inclue the 69 Iem. 70 Iem. 71 Iem. 72 Sharma, Varun. Testing Role-base Authorization. Information Security Journal. Vol. 18, No. 4: pages Retrieve June 4, from PQ. 73 Iem. 74 Iem. 75 Iem. 76 Iem. 77 Popa, Sorin. Web Server Monitoring. University of Craiova. (2008). Retrieve June 20 from 78 Website Integrity Seal. BranProtect Retrieve June 6, from 79 Iem. 9

11 home page, shopping care, contact us, an about us pages. 80 The following inclues some tests that BranProtect conucts an the objectives of each test: 1. Content test This test catches corrupte upates an content change Eit test This test etects unauthorize changes to the web site Domain Name System (DNS) test The omain is checke on hunres of DNS servers to ensure that it maps to the intene IP aress Ping test This test confirms that the web server respons to basic internet requests Fetch test This test confirms that the web server is operating an respons in a reasonable amount of time. 85 These tests are examples of shallow monitor tests. Other shallow monitoring tests that a company can inclue in their monitoring strategy inclue process, CPU, an memory monitoring. 86 Finally, BranProtect offers a integrity seal that corporations can put on their. The seal also inclues tracking capabilities that can etect where traffic comes from. Common features foun in software package monitoring systems inclue polling, traps an alerts, hierarchy of monitore elements, aggregation an e-uplication of ata, an notification an reporting. 87 The following provies more etail about each of these elements: Polling - In orer to ensure that evices an services are operating, the monitoring system will poll these evices an services perioically (every few minutes) to see whether there are any errors or exceptions. 88 In aition, the pollers collect ata points an reports them in a central atabase. 89 Traps an alerts - Monitoring systems usually have trap hanlers that eal with synchronously generate traps, an that are usually not part of the normal polling process. 90 Hierarchy an epenencies of monitore elements These are usually implemente in the evices being monitore uring the configuration an reporting of the monitoring systems. 91 In aition, they are 80 Iem. 81 Iem. 82 Iem. 83 Iem. 84 Iem. 85 Iem. 86 Popa, Sorin. Web Server Monitoring. University of Craiova. (2008). Retrieve June 20 from 87 Iem. 88 Iem. 89 Iem. 90 Iem. 91 Iem. 10

12 critical for a monitoring system because it can allow other evices an elements to continue to operate when one of the evices in the network has faile or generates an error. 92 Aggregation an e-uplication of ata Due to the fact that monitoring systems can have several pollers that monitor each evice, there can be multiple copies of ata points that are sent to the central monitoring servers. 93 Therefore, the uplicates must be eliminate before it reaches the central atabase an there shoul be mechanisms in place to aggregate an summarize the ata so that trens can be retaine. 94 Notification an reporting Most monitoring systems have stanar notification mechanisms for reporting failures or exceptions. Examples of these notification mechanisms inclue sening messages to pagers, fax, an Although web server monitoring through software can be mainly internal, it is important for companies to fin a balance between internal an external monitoring when it implements its monitoring system since external monitoring can be more reliable an it can also etect failures that coul not otherwise be etecte from internal monitoring. Some benefits of external monitoring (through a service company) inclue the etection of configuration errors that affect external users an the etections of problems with internet service proviers (ISP) backbone links. 96 Impact on the Profession The nee for trust has increase as a result of factors incluing the anonymity of e-commerce, globalization, an increasing reliance on complex an powerful IT systems. 97 From an e-commerce perspective, consumers nee the assurance that corporate s live up to their promises an that their private information will be protecte while businesses nee to ifferentiate themselves from their competitors an thus want to be examine. 98 In a survey conucte by the AICPA, 91% of online users woul not give out information about their income an 85% woul not give their creit car information 92 Iem. 93 Iem. 94 Iem. 95 Iem. 96 Iem. 97 Overview of Trust Services. The Canaian Institute of Chartere Accountants Retrieve June 20, from 98 Farmer, Braley, Christopher J. Leach, & Marshall B. Romney. E-commerce an CPA WebTrust. New Accountant.. Retrieve June 4, from 11

13 online 99. On the other han, users like the iea of a seal of assurance that are grante by inepenent thir parties. 100 To meet the nees of both consumers an business, the AICPA evelope two new services calle SysTrust an WebTrust that are base on the principals an criteria of Trust Services. Trust Services are efine as a set of professional assurance an avisory services base on a common framework. 101 The principals an criteria of Trust Services can be separate into four categories policies, communications, proceures, an monitoring. 102 (See Appenix 1 for a summary of the criteria for each of these categories.) The principles an criteria that practitioners must use when proviing WebTrust an SysTrust services can be organize into five categories security, availability, processing integrity, confientiality an privacy. 103 (See Appenix 2 for a summary of the criteria for each of these categories.) Corporate s that meet all of the principles an criteria will be grante a seal that can be use to ifferentiate themselves from competitors an provie consumers with greater confience to o business with them. Although WebTrust i not succee commercially, there is still opportunity for CAs an CPAs to istinguish themselves from competitors by proviing assurance over the reliability of clou service proviers. Not only are more an more businesses moving to the clou, but proviers of CMS are also moving their technologies to the clou. 104 CMS proviers are creating clou base versions of their software which will further help companies to reuce the costs of owning WCMS software an harware, an also allows them to implement better quality web content at a faster pace. 105 Conclusion There are many risks that companies may face with respect to their, ranging from security to availability. If these risks are not minimize, through the implementation of controls, web content management tools, an tools to etect problems, companies may suffer through the form of ecline reputation, an profitability. Therefore top management shoul get more involve to ensure that the proper controls an tools are in place. 99 Iem. 100 Iem. 101 Overview of Trust Services. The Canaian Institute of Chartere Accountants Retrieve June 20, from Iem. 103 Iem. 104 Garg, Manish an Mehta, Chirag. Drupal On The Clou, Beyon Content Management.. Retrieve June 20, from Johnston, Mike. ptools Launches Web Content Management for Clou Computing. CMS Critic.. Retireve June 20, from 12

14 We have seen how the major corporation Sony an the popular social network Twitter compromise their users/customers ata. These events coul have been avoie ha they implemente stronger security controls. Content management is also an area that companies nee to focus more on since the amount of information on corporate s are continuing to expan. Although there are many tools available for companies to have a content management system in place, it is important that the companies incorporate both internal an external monitoring elements into their content monitoring system. Similarly, there are many alternatives available in terms of tools to etect corporate problems. However, companies shoul assess the nees of the business an integrate it with their business an strategy, an conuct a cost-benefit analysis before selecting a WCMS. Furthermore, CAs an CPAs can also play a role in integrity. They can continue to offer Trust Services that will provie assurance to both the companies as well as their clients. In aition, if CAs an CPAs ecie to follow companies into the clou, they may be able to ifferentiate themselves from competitors an be able to take avantage of the new streams of revenue. 13

15 Appenices Appenix 1 Summary of the Principles an Criteria of Trust Services* Policies Communications Proceures Monitoring The entity has efine an ocumente its policies relevant to the particular principle. The entity has communicate its efine policies to authorize users. The entity uses proceures to achieve its objectives in accorance with its efine policies. The entity monitors the system an takes action to maintain compliance with its efine policies. Appenix 2 Summary of the Principles an Criteria of WebTrust an SysTrust* Security Availability Processing Integrity Confientiality Privacy The system is protecte against unauthorize access (both physical an logical). The system is available for operation an use as committe or agree. System processing is complete, accurate, timely, an authorize. Information esignate as confiential is protecte as committe or agree. Personal information is collecte, use, retaine, an isclose in conformity with the commitments in the entity s privacy notice an with the criteria set forth in Generally Accepte Privacy Principles issue by the AICPA/CICA. *These appenices were retrieve irectly from the following source: Overview of Trust Services. The Canaian Institute of Chartere Accountants Retrieve June 20, from 14

16 Appenix 3 Annotate Bibliography Author Perioical/ Eition ata base, Johnson, Lee J. Keep your riskfree Meical Economics Vol. 84, No June 4, ABI Inform, web?i= &si= 2&Fmt=4&clie nti=16746&r QT=309&VNa me=pqd In the fiel of meicine, a practice web site can be useful for informing patients an improving communication. However, the following elements shoul be consiere: 1. Putting a isclaimer that the intention of the is for informative purposes only an not to provie specific meical avice. 2. Guaring patient privacy by complying with HIPAA stanars, assigning login passwor to each patient, an encrypting messages. 3. Placing a statement that the site shoul not be use for emergencies. 4. Documenting all corresponences between patients. 5. Being careful not to exten the uty of care beyon the purpose of the. 6. Avoi claims an guarantees that cannot be kept. This is to reuce the risk of liability for the malpractice, breach of contract an consumer protection laws. 7. Ensuring that any aitional information poste has been reviewe beforehan. Potential liability may also increase if poor or inaccurate information is communicate. Author Perioical/ Eition ata base, Bialek, Aam R., & Smeresman, S. Internet Risk Management : A Guie to Limiting Risk Through Web Site Terms an Proactive Enforcement. Intellectual Property & Technology Law Journal Vol. 20, No June 4, ABI Inform, y.lib.uwaterloo.ca/pqweb?i = &si=3&Fmt =3&clientI=1 6746&RQT=3 09&VName=P QD Potential risks businesses face when establishing an online presence inclue cyber intrusions, the 15

17 appearance of unauthorize content on the, infringements of copyright an traemarks, failing to comply with regulations for the proper treatment of personal ata, arguments relating to sales, etc. In orer to minimize these risks, a privacy policy an web site terms of use shoul by evelope. In aition, the web site esign shoul be registere for copyright protection an a reporting system shoul be in place to eal with copyright an traemark infringements issues. If the risks are not ealt with, the business may be expose to ecreasing value of their assets, trae secrets being stolen an increase litigation from thir parties, users, an regulatory agencies. With respect to privacy policies an the collection of ata, businesses must ientify whether their clients or users are minors or California resients because they may nee to comply with the Chilren s Online Privacy Protection Act, California Online Privacy Protection Act, an the California Shine the Light Law. If the allows others to post material on the, the business must ensure that it complies with the Digital Millennium Copyright Act an the Communications Decency Act. A tool to etect copyright or traemark infringement is to have users report them. Author Perioical/ Eition ata base, Savell, Lawrence Fifteen Steps to Reucing Web Site Liability Risks Journal of Internet Law Vol. 10, No June 4, ABI Inform, y.lib.uwaterloo.ca/pqweb?i = &si=2&Fmt =3&clientI=1 6746&RQT=3 09&VName=P QD To reuce the risk of legal liability, the following principles shoul be kept in min: 1. Review the taking the position of a plaintiff s libel lawyer. 2. Reconsier whether or not to allow thir parties to post content onto the since there is a risk that the business may be hel liable for efamatory statements that is poste. 3. Recognize the possible consequences of employee postings. 4. Ensure that content oes not infringe on the copyrights of others. 5. Carefully structure an use agreements with content proviers. 6. Ensure that permission s is obtaine to use the traemark of others. 7. Aggressively protect the business intellectual property rights. 8. Be minful of potential privacy invasions. 9. Determine an comply with applicable avertising an relate law an regulations. 10. Use iscretion in proviing links to external sources. 11. For law firm an lawyer sites, make a clear istinction that no attorney-client relationship is create. 12. Develop an make public the protective terms of use. 13. Being aware of the implications of proviing RSS fees. 14. Assess liability insurance coverage. 15. Consier obtaining outsie legal review. 16

18 Author Perioical/ Eition ata base, Curran, John, & Hammon, B. Twitter to Establish Data Security Plan As It Settles FTC Charges on Privacy Cybersecurit y Policy Report N/A 2010 N/A June 4, ABI Inform, web?i= &si= 1&Fmt=3&clie nti=16746&r QT=309&VNa me=pqd&cfc =1 In January 2009, Twitter allowe a hacker to easily gain aministrative control over its by setting a passwor that was easy to guess. The hacker use a passwor-guessing tool an was able to correctly guess the lower case common ictionary wor. As a result, the hacker gaine unauthorize access to user accounts an passwors, was able to resent these passwors, an also the passwors on another. A few months later, there was another breach where a hacker was able to access an employee s personal account by simply guessing the passwor an was able to access private information of Twitter users. Twitter faile to enforce strong an har to guess aministrative passwors an i not suspen the passwors after a certain number of unsuccessful login attempts. In response to the FTC charges for failing to safeguar users personal information, Twitter must now evelop an information security program an have it reviewe by an inepenent thir party every 10 years. Author Perioical/ Eition ata base, Sharma, Varun Testing Rolebase Authorization Information Security Journal Vol. 18, No June 4, ABI Inform, web?i= &si= 1&Fmt=2&clie nti=16746&r QT=309&VNa me=pqd In orer to test the overall security of a, the following categories must be carefully examine for flaws: 1. Authentication mechanism. 2. Role-base authorization. 3. Input valiations. Lack of input valiations may lea to cross-site scripting, SQL injection, an other injection attacks. 17

19 4. Custom cryptographic algorithms an management of keys. The risk is compromising ata. 5. Logging controls. Tools for testing role-base authorization controls inclue planning test cases from three perspectives: elevation of privilege from one role to another, within the same role, an one-click vulnerabilities (crosssite forgery). Author Perioical/ Eition ata base, Farmer, Braley, Christopher J. Leach, & Marshall B. Romney E-commerce an CPA WebTrust New Accountant N/A N/A June 4, waccountantu sa.com/newsf eat/t2k1/t2k1_ cpawebtrust.ht ml A recent stuy from AICPA reveale that 91% of online users woul not give out information about their income an 85% woul not give their creit car information online. On the other han, the users like the iea of a seal of assurance that was grante by inepenent thir parties. CPA WebTrust helps to meet the nees of businesses wanting to istinguish themselves from less-reputable sites an consumers nee of knowing that their information will be protecte. To qualify for WebTrust, the business nees to abie by the following three principles: They must isclose an follow their business an information privacy practices an they must maintain effective controls to complete customer transactions as agree an to protect consumers information. Author Perioical/ Eition ata base, Barnes, Stuart, Steve Goowin, & Richar Vigen Web Content Management Ble econference N/A June 4, ov.unimb.si/proceei ngs.nsf/0/7c7 400ba27ace cc1256e9f003 0c530/$FILE/2 9_Vigen.pf Issues in web content management inclue the following: 1. Bottlenecks - Since web content can arrive in ifferent forms, this may elay publishing to the web since the content must be manually revise into a format suitable for publishing on the web. 2. Consistency Variations in the quality of the layout an content can lea to inconsistencies in the look an feel of the. 3. Navigation If the structure an content is not closely controlle, there is a risk that navigation 18

20 an search capabilities will eteriorate an users will have trouble fining information efficiently. 4. Data uplication 5. Content auit an control Unauthorize web content may appear. There shoul be controls in place to manage the publishing process for web content, which inclues review an authorization. 6. Tracking In orer to use content effectively there must be a way to track changes, such as the creator of the content, when it was create an last upate. 7. Business processes There nees to be integration between the web content management an the business process. Author Perioical/ Eition ata base, Osawa, Juro As Sony Counts Hacking Costs, Analysts See Billion-Dollar Repair Bill Wall Street Journal (Online) N/A N/A June 5, ABI Inform, pq?i= &si=3 &Fmt=3&cliecl cl=16746&rr R=309&VNaV V=PQD Sony s PlayStation Network was recently face with a ata breach an it is currently struggling to restore its image an regain the trust of its customers. Over 77 million customers personal information (incluing names, passwors an aresses were stolen over the network. An analyst forecaste that the overall impact of the ata breach was about $2.74 billion. The aftermath inclues the lost of revenues ue to the temporary suspension of services, costs of reissuing creit cars, reinforcing security systems an complimentary access to premium services. 19

21 Author Perioical/ Eition ata base, Satter Raphael G., & Cassanra Vinogra Hackers taunt Sony, posting new ata online The Globe an Mail N/A N/A June 5, globeanmail. com/news/tec hnology/technews/hackerstaunt-sonyposting-newataonline/article / Sony faces a new ata breach not long after the PlayStation incient. Sony Pictures was attacke by the hacker group known as LulzSec. The ata that was stolen (inclues passwors, aress, phone number, aress, an ates of birth) was never encrypte, thus making it easily obtainable by the hackers an further emonstrating the poor security Sony has in place. Author Perioical/ Eition ata base, Barnett, Jeff A new prescription for builing trust online Health Management Technology Vol. 31, No June 5, ABI Inform, web?i= &si= 3&Fmt=3&clie nti=16746&r QT=309&VNa me=pqd Organizations in the healthcare inustry can buil trust online by implementing the following measures: 1. Strong authentication In aition to the stanar user name an passwor login, customers must provie a six-igit security coe that is generate by the users creentials an changes with every sign-on. 2. Extene valiation SSL These are security protocols use by web browsers an servers to help protect the transfer of users ata an phishing schemes. 3. Public key infrastructure These solutions combine strong authentication with encryption an uses igital signatures to ensure auitable communications an transactions. 4. Frau etection It works by learning the behaviours of users an then etection an respons to unusual behaviours that coul be potential frauulent activities. 20

22 Author Perioical/ Eition ata base, McKeever, Susan Unerstanin g Web content management systems: evolution, lifecycle an market Inustrial Management & Data Sytems Vol. 103, No June 6, eralinsight.co m/journals.ht m?articlei= &show= abstract Common problems that occurre with early s inclue poorly coe HTML, broken tables an links, poor quality content an missing graphics. However in the late 1990s the complexity of s increase ue to higher volumes of content, visitors, an complex harware an software. Software companies have aresse the nee for strong content management tools an offer proucts calle content management systems. Web site errors are not longer acceptable to users, an can be amaging to the business reputation an profitability. Web content management can be efine as a four layer hierarchy from lowest to highest: content layer, activity layer, outer layer, an the auience layer. The web content management cycle is base on four main phases: content collection, elivery workflow, an control an aministration. Author Perioical/ Eition ata base, Richars, Aria Builing a Better Website Black Enterprise Vol. 41, No June 6, ABI Inform, web?i= &si= 2&Fmt=3&clie nti=16746&r QT=309&VNa me=pqd A stuy conucte by Stanfor University showe that 46% of responents consier the esign an look of a web site are important factors in etermining creibility. Content management systems enable users to a content to their s without neeing to learn any programming coe. They are available on the web either through self-hoste where the user install the software an provies the hosting space, or hoste, where the service provie takes care of all the hosing space an upgraes. Three popular proucts for small businesses inclue WorPress, Intuit, an Squarespace. WorPress is open source an is quick an easy to use. Intuit offers more templates; however, there is a higher risk that the will not be ranke high in search engines. Finally, Squarespace, similar to WorPress can support both a main an a blog within the same location an also imports photos an posts from other systems. 21

23 Author Perioical/ Eition ata base, N/A Website Integrity Seal BranProtect N/A 2010 N/A June 6, nprotect.com /inboun-linkchecking.html Corporate s can be subject to many attacks. For example, the IP aress can be spoofe to ivert traffic, web page content can be altere, an malware can be inserte for various criminal activities. Common services provie by external parties, such as BranProtect inclue inboun link checking, outboun an internal link checking, an monitoring. The link checking services ensure that the links on the are functioning properly an monitoring reuces the risk of hijacking an efacement. The critical pages that are monitore inclue the home page, shopping care, contact us, an about us pages. Certain test that can be conucte inclue the following: 6. Content test catches corrupte upates an content change 7. Eit etects unauthorize changes to the web site 8. DNS the omain is checke on hunres of DNS servers to ensure that it maps to the intene IP aress 9. Ping confirms that the web server respons to basic internet requests 10. Fetch confirms that the web server is operational an respons in a reasonable amount of time 11. integrity seal seal with tracking capabilities to know where traffic comes from Author Perioical/ Eition ata base, N/A Automatic Repair of Hacke Web Sites an Information Security Best Practice Lockstep Systems Inc. N/A June 6, kstep.com/we bagain/autom atic-repair.pf Businesses can face several risks if their web site integrity is compromise or have been altere by unauthorize users. These risks inclue: business isruption (owntime an lose opportunity), the cost to recover, public image (eteriorate confience in the enterprise), transaction theft, an legal liability. Current best practices which can be categorize into intrusion prevention measures (firewalls, encryption, user authorization, an virus protection) an intrusion etection systems may not be sufficient enough to eal with aggressive hackers. WebAgain, a software evelope by Lockstep Systems, Inc. uses a patentpening process to automatically repair the content of hacke s without any human intervention. It etects unauthorize changes to web site content an then automatically restores the original content. 22

24 Appenix 4 - Bibliography Garg, Manish an Mehta, Chirag. Drupal On The Clou, Beyon Content Management.. Retrieve June 20, from Heck, Mike. (2008). InfoWorl Test Center Guie: Content management systems. InfoWorl, Inc. Retrieve June 20, from Johnston, Mike. ptools Launches Web Content Management for Clou Computing. CMS Critic.. Retireve June 20, from Popa, Sorin. Web Server Monitoring. University of Craiova. (2008). Retrieve June 20, from Runyan, Charles. (2008). Domain Name Disputes: FAQ: The Anticybersquatting Consumer Protection Act. KEYTLaw, LLC. Retrieve June 20, from Content Management System. Outsourcing Partners. (). Retrieve June 20, from Effective Web Content Management: Empowering the Business User While IT Maintains Control. Winett Associates Retrieve June 20, from Overview of Trust Services. The Canaian Institute of Chartere Accountants Retrieve June 20, from Seven Stages of the Content Lifecycle. CMS Review. Retrieve June 20, from Software-as-a-Service: The Alternative for Web Content Management. A Whitepaper Perspective from CrownPeak. CrownPeak Technology, Inc Retrieve June 20, from 23