EDI/ B2B Risk Assessment Process
Risk Assessment of an EDI/B2B infrastructure (system, network, people, partners) presents complexity and unique challenges to the evaluation process. These challenges include:
| • |
EDI connectivity to multiple VANs.
|
| • |
B2B web portals for a portion of the trading partners and/or trading-partner-specific portals.
|
| • |
Internal partners as well as external trading partners.
|
| • |
Third-party processors-service bureaus-that become part of the supply chain.
|
| • |
Changing custody of the data at various points along the supply chain.
|
| • |
Multiple front-end and back-end applications feeding to and from the EDI/B2B network.
|
For assessing an EDI/B2B department and system, we examine the following key factors:
| 1. |
Physical security
|
| 2. |
Personnel security
|
| 3. |
Contractual security
|
| 4. |
Data/Transaction security
|
| 5. |
System security
|
| 6. |
Network security
|
| 7. |
Business Resumption/Disaster Recovery
|
Each key factor is evaluated during the risk assessment according to:
| • |
Existing security controls (physical/logical)
|
| • |
Current weaknesses
|
| • |
External risk sources/internal risk sources
|
| • |
Past events
|
| • |
Potential events
|
| • |
Cost vs. consequence
|
| • |
Compliance (e.g., Sarbanes-Oxley, ISO/IEC, GS1)
|
We lead a collaborative assessment project, where your IT management designates staff to work with our risk management consultant. We facilitate this process with an organized framework, including scheduled interviews and questionnaires, which eliminates wasted time and time away from core tasks.
1. Physical security factors
| • |
Premises: building, external suite, computer/server room, offices
|
| • |
During business hours, after hours
|
| • |
Card-key access management
|
| • |
Key-secured computer cabinetry
|
| • |
Key-secured desks
|
| • |
Guards, monitoring, CCTV, cameras
|
| • |
Visitor escort/sign-in logs
|
2. Personnel security factors
| • |
Background checks
|
| • |
Network, system, application log-ins
|
| • |
User IDs/passwords
|
| • |
Trace of individual accounts and time stamping
|
| • |
Logs-network, system, application |
| • |
Audited actions-success/failure audits
|
| • |
Add/delete/change, download/print directives
|
| • |
Disclosure/confidentiality
|
| • |
Security awareness/training-risk response readiness
|
3. Contractual security factors
| • |
Customer contracts/requirements
|
| • |
Trading partner agreements
|
| • |
Confidentiality agreements
|
| • |
Employee contracts and code of conduct
|
| • |
Contractor contracts and code of conduct
|
| • |
Service level agreements with internal partners
|
| • |
Offsite storage facility contract
|
| • |
Third party-service bureau-contracts
|
4. Data/Transaction security factors
| • |
Encryption
|
| • |
Digital certificates
|
| • |
Transport protocols
|
| • |
Sensitivity: high, medium, low
|
| • |
Integrity
|
| • |
Confidentiality
|
| • |
Authentication
|
| • |
Reliability
|
| • |
Non-repudiation
|
| • |
Audit logs/reporting
|
| • |
Archival and recoverability
|
| • |
Document classification/retention
|
5. System security factors
| • |
Log-in management: users, administrators, management, software vendors
|
| • |
Passwords/PINs
|
| • |
Use of personal computers and PDAs
|
| • |
Administrative levels of access
|
| • |
Modification restrictions/protection of software code
|
| • |
Anti-virus software parameters
|
6. Network security factors
| • |
Firewall, VPN, Tunnel
|
| • |
VAN connectivity
|
| • |
Web connectivity
|
| • |
Security protocols
|
| • |
ACLs-Access Control Lists
|
| • |
Domain level authority, access, control
|
| • |
Intrusion-detection technology
|
| • |
Partitioning of internal networks
|
7. Business Resumption/Disaster Recovery factors
| • |
Online archival and retention
|
| • |
Backup copies of: operating system software, system data and security files/tables, production libraries/directories and databases (including program source), development tables, libraries/directories, and databases
|
| • |
Backup rotation/transport schedule
|
| • |
Retention of tape/disks
|
| • |
Security of offsite storage facility
|
| • |
Escalation levels for problem resolution and recovery
|
« Back to Risk Assessment page
|
800 821 4644
(download .pdf)
