2134
A Security Blueprint for E-Business Applications
and good functionality can be provided at the same
time. A secure e-business environment must also
be resilient and scalable.
This section will develop a security blueprint
for an e-business environment based on a three-
tiered e-business architecture and major compo-
nents described in the previous section.
Security Blueprint Overview
This security blueprint emulates as closely as
possible the functional requirements of the
typical e-business environment discussed in the
previous section, which can help people to build
or maintain a secure e-business environment for
e-business applications.
As illustrated in Figure 3, this security blue-
print consists of four security control layers, start-
ing from physical access, network communication,
operating system, to application. As part of this
security blueprint, to maintain a secure e-business
environment, the major security management
processes included and staged are planning, de-
ployment, administration, and auditing.
Security Control Layers
As part of the security blueprint for e-business
environment, the security control layers cover all
major components identified in a typical three-tiered
e-business environment, including physical access,
network communication, operating system, and
application layer.
Physical Access Layer
The security control for physical access is an
extremely important part of keeping all sensi-
tive devices and data secure in an e-business
environment. In the typical e-business environ-
ment discussed previously, all components of the
business logic layer and data layer are considered
as critical devices from a security perspective, as
illustrated in Table 1. It is necessary to put all
critical devices into a separate space (data center,
computer room, and even server racks) and main-
tain very strict control over who can enter it, then
use card key or keypad systems, log books, and
human security to limit unauthorized access.
Figure 3. Security blueprint overview
Network Communication Layer
The corporate network and the Internet are the
major components that fall into this layer, as il-
lustrated in Table 1. These components perform
specific roles in an e-business environment and
thus they have specific security requirements.
Network attacks are among the most difficult
attacks to deal with because they typically take
advantage of an intrinsic characteristic of the
way the corporate network operates. Hence, most
security technologies are applied at this layer to
analyze the network traffic and eliminate malicious
threats, including router access control,
switch access control, firewall, intrusion detection
system, virus detection system, virtual private
network, and secure sockets layer.
Operating System Layer
As the most likely target during an attack, the
operating system layer presents some of the most
difficult challenges in an e-business environment
from a security perspective. In a typical e-busi-
ness environment, the major components, such as
the Web browser, Web server, application server,
database server, and AAA/directory service, are
all running on top of various operating systems
like Unix, Linux, Windows, and the like, as
illustrated in Table 1.
Meanwhile, for various reasons, these operat-
ing systems provide strong functionality to support
different application services while numerous
system holes or bugs remain. Because of this
vulnerability, operating systems are the most
frequently attacked components in an e-business
environment.
To secure these operating systems, careful
attention must be paid to each of the components
in the e-business environment. Here are two important
guidelines to reinforce the operating system
layer: (1) keep any operating system up-to-date
with the latest patches, fixes, and so forth; and
(2) lock down any operating system by disabling
unwanted services.
Application Layer
Most components of a typical e-business envi-
ronment, such as a Web browser, Web server,
application server, database server, and AAA/di-
rectory service, fall into this layer, as illustrated
in Table 1.
Table 1. Major components in security control layers
Components: Web Browser | Web Server | Application Server | Database Server | AAA/Directory Service | Corporate Network | Internet
Physical Access Layer: ✓ ✓ ✓ ✓ ✓
Network Communication Layer: ✓ ✓
Operating System Layer: ✓ ✓ ✓ ✓ ✓
Application Layer: ✓ ✓ ✓ ✓ ✓
As we know, applications are coded by hu-
man beings (mostly) and, as such, are subject to
numerous errors. These errors can be benign (e.g.,
an error that causes a document to print incor-
rectly) or malignant (e.g., an error that makes the
credit card numbers on a database server avail-
able via an anonymous FTP). It is the malignant
problems, as well as other more general security
vulnerabilities, that need careful attention. Similar
to the operating system layer, care needs to be
taken to ensure that all applications within an
e-business environment are up-to-date with the
latest security fixes.
Management Process Stages
To maintain a secure e-business environment,
numerous security management processes of the
daily operations of e-businesses are involved. As
part of the security blueprint for an e-business en-
vironment, the management processes have been
organized into four stages, planning, deployment,
administration, and auditing.
Planning Stage
The most important stage of security management
is planning. It is not possible to plan for security,
unless a full risk assessment has been performed.
Security planning involves three processes: asset
identification, risk assessment, and action planning,
as illustrated in Figure 4.
Asset identification is used to identify all the
targets of the actual e-business environment. Risk
assessment is used to analyze the risks for each
asset and determine the category of the cause of
the risk (natural disaster risk, intentional risk,
or unintentional risk). Action planning is used
to describe the security guidelines and present a
security architecture using the enabling security
technologies.
Deployment Stage
The deployment stage is relatively simpler than
the planning stage. At this stage, the action plan
developed at the planning stage will be implemented
accordingly. This stage includes three key processes:
installation, configuration, and testing, as
illustrated in Figure 5.
Administration Stage
After the deployment stage, a "secure" e-business
environment has been built. However, it is not
really secure without proper security administration.
This is true because most assets need
to be maintained daily to ensure that they have
no proven vulnerabilities. In addition, security
systems such as firewall, IDS, and antivirus keep
generating alerts, events, and logs that require
administrators to take necessary actions.
The administration layer consists of four ma-
jor processes, including daily monitoring, online
blocking, log analysis, and periodic reporting, as
illustrated in Figure 6. These processes are not
only applied to security systems, but also to other
assets in the actual e-business environment.
Auditing Stage
The auditing stage provides the formal exami-
nation and review of the established e-business
environment. This layer contains two major
processes, periodic auditing and audit reporting,
as illustrated in Figure 7. These processes can
be carried on by either internal staff or external
parties. In an e-business environment, an annual
security audit conducted by an external party is
recommended.
CASE STUDY
Company XYZ, with its operational headquarters
in Singapore and branch offices in the US, Japan,
India, Thailand, Malaysia, and Hong Kong,
is a telecommunications service provider that
provides end-to-end networking and managed
services to multinational corporations (MNC)
and small and medium enterprises (SME) across
Asia.
The company has points-of-presence (POP)
located in 17 cities across 14 countries. Technical
support is available 24 hours a day and 7 days a
week. The company has built an Internet data
center (iDC) in Singapore to provide e-business
hosting services as part of its managed services.
Of course, its own e-business applications, such
as customer portal system, billing system, and
trouble ticketing system, are running on this
iDC as well.
This section will discuss the applicability of the
developed security blueprint using the Singapore-
based MNC company as a case study.
Figure 4. Processes at the planning stage
Figure 5. Processes at the deployment stage
Figure 6. Processes at the administration stage
Figure 7. Processes at the auditing stage
Established E-Business Environment
An Internet data center is defined as a service
provider offering server outsourcing, hosting, and
collocation services, as well as IP and broadband
connectivity, virtual private networks (VPNs), and
other network and transport services. It needs to
be physically secure against physical intrusions
and equipped with fire suppression, uninterrupted
power supply, and disaster recovery systems.
As a telecom provider and managed services
provider, the company’s iDC has a complex
architecture and multiple functions. However,
the authors just intend to discuss the environment
related to e-business hosting service in this
chapter. The simplified e-business environment
is shown in Figure 8. This established e-business
environment is mainly made up of core routers
(two Cisco 7513 routers), distribution switches
(two Cisco Catalyst switches), firewalls,
access switches, and other necessary devices. All
those critical devices are configured as duplex
to provide redundancy to ensure the continuous
operations of e-business applications.
Figure 8. A case study for security blueprint
The corporate LAN of this company is con-
nected into distribution switches, thus allowing
internal staff to access the company’s e-business
applications such as the customer portal, billing
system, and trouble ticketing system for daily jobs.
Putting these e-business applications into iDC
will take advantage of the established e-business
environment while saving money on the security
protection for the corporate network.
Security Control Analysis
Applying security control to the e-business envi-
ronment is critical for building a trust relationship
between e-business owners and the company.
Physical Access Layer
In order to prevent unauthorized people from
getting into the company’s iDC, which keeps
all the network devices, application servers and
important data, the company has implemented
very strict physical access control systems, in-
cluding biometrics HandKey II system, access
card control system, lifetime CCTV recorder
system, multi-level password restriction, central-
ized UPS system, and standby power generator.
Besides these systems, the iDC is also monitored
by on-shift engineers all the time. In addition, all
equipment (network devices and hosts) are put into
server racks and locked, while all network cables
are put under the floating floor or within server
racks. Authorized personnel must sign in and out
at memo books to obtain the rack keys.
Additionally, to protect the data backup against
fire, theft, and other natural risks, the company
has an agreement with another managed service
provider for off-site backup, which allows both
companies to store data backup media for each
other. The data backup media will be duplicated
monthly.
Network Communication Layer
As most attacks come from the Internet and
corporate network, the company has put
industry-standard security systems in place to
eliminate risks at the network communication
layer. These include firewall cluster, gateway
antivirus cluster, intrusion detection system (IDS),
AAA system, reverse Telnet access, and VPN
access. In addition to the security systems, all
network devices including routers and switches
are locked down, and access control list (ACL)
is applied for better security control.
All network devices and hosts are also configured
to send simple network management
protocol (SNMP) traps and logs to HP OpenView
and NetCool systems for monitoring purposes. HP
OpenView shows a graphic diagram of the health
status of the e-business environment, while Net-
Cool collects all logs and SNMP traps from net-
work devices and hosts. On-shift engineers keep
monitoring this information to ensure the network
health and security protection is in place.
Operating System Layer
The company uses various operating systems to
implement its services, such as SUN Solaris, HP-
UX, and Windows NT/2000. As required by the
corporate security policy, all operating systems
must be hardened and kept updated with the latest
security patches from their manufacturers.
Application Layer
The security control for this layer is mainly to
keep security patches and service packs for com-
mercial applications up-to-date (for example,
CheckPoint Firewall-1 service pack 6, Radiator
RADIUS patches, virus pattern for TrendMicro
InterScan Viruswall, attack signature for RealSe-
cure IDS, etc.).
For customized e-business applications, such
as a customer portal system, billing system, and
trouble ticketing system, the software development
team is responsible for reviewing program
logic and code to avoid any system holes and
backdoors.
Management Processes Analysis
In addition to the four layers of security control
implemented at iDC, the company has also installed
security management processes to continuously
maintain a secure e-business environment. A secu-
rity team has been formed by the engineers from
different departments (IT, network operations,
network planning, and software development) and
is led by a security specialist who reports directly
to the chief technology officer (CTO).
This section discusses the related security
management processes in the established e-busi-
ness environment using a real e-business appli-
cation — a Web-based trouble ticketing system
(TTS).
The TTS enables customers to report fault
and check status online, and allows engineers
to enter the troubleshooting progress and sales
to understand the troubleshooting procedure.
It couples with the customer portal and billing
system to provide a single-point solution to cor-
porate customers. The TTS consists of one Web
server, one application server, and one database
server. Both the Web server and the application
server are running at one physical server box,
while the database server is running at another
server box.
Planning Stage
Three processes are executed at this stage, including
asset identification, risk assessment, and
action planning.
When running the asset identification process,
the major assets for TTS will be identified as
follows: Web and application server, database
server, and TTS data.
Following the risk assessment process, the
major risks to those identified assets are listed as
follows: physical attack to the server boxes and
network devices; network attack to the operating
systems, Web server, application server, database
server, and TTS application; and attack or damage
to the TTS data either physically or remotely.
Once the above assets and risks have been
identified, the following actions are developed to
eliminate those risks to the assets: (1) physically
locate those server boxes and network devices into
iDC and lock them to server racks; (2) deploy the
Web and application server boxes according to the
database segment; (3) utilize the firewall cluster
to block most remote attacks with certain firewall
policies; (4) utilize each IDS sensor located at
distribution switches to monitor potential attacks
and intruders; (5) utilize the gateway antivirus
cluster to scan and clean viruses contained in
HTTP traffic; (6) lock down the operating system
for Web and application server boxes and allow
only Web and application services to run; (7) lock
down the operating system for the database server
boxes and allow only database services to run; (8)
examine the TTS program code to prevent any
system holes and back doors.
Deployment Stage
Following the action planning, the installation
process will be carried out to physically set up
all server boxes and access switches, if any, and
install the operating system and software such
as Web server, application server, Oracle server,
and TTS application. The configuration process
will go through the lock-down procedures for the
operating system and application software, and
tune parameters for better performance.
Since misconfiguration may sometimes cause
more risks and even bring the server down and
crash application services, the testing process will
ensure that deployment is in compliance with the
action plan.
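An added example (not from the chapter or the company's tooling) of how the testing process could check action items (6) and (7), and the earlier guideline of disabling unwanted services: it compares each server box's listening services with what its role may run. Role names, port numbers, host names and the inventory format are constructed assumptions.

```python
"""Added illustration: test deployed TTS boxes against action items (6) and (7).

Role names, ports, host names and the inventory format are constructed
assumptions, not values from the chapter.
"""
from collections import defaultdict

# Per role: services that must be listening, and others that are tolerated.
POLICY = {
    "web_app": {"required": {("tcp", 80)}, "optional": {("tcp", 443), ("tcp", 8009)}},
    "database": {"required": {("tcp", 1521)}, "optional": set()},
}
LOOPBACK = {"127.0.0.1", "::1"}

# Constructed inventory, one listener per line: host role proto address:port process
SAMPLE_INVENTORY = """\
# constructed sample, as if collected from each box's listener table
tts-web01 web_app tcp 0.0.0.0:80 httpd
tts-web01 web_app tcp 127.0.0.1:8009 appserver
tts-web01 web_app tcp 0.0.0.0:21 ftpd
tts-db01 database tcp 127.0.0.1:25 sendmail
tts-db01 database udp 0.0.0.0:111 rpcbind
tts-db02 database tcp 0.0.0.0:1521 tnslsnr
tts-old01 mail tcp 0.0.0.0:25 sendmail
"""


def parse_inventory(text):
    """Yield (host, role, proto, address, port, process) per listener line."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) != 5:
            raise ValueError(f"line {lineno}: expected 5 fields, got {len(fields)}")
        host, role, proto, endpoint, process = fields
        address, sep, port = endpoint.rpartition(":")
        if not sep or not port.isdigit():
            raise ValueError(f"line {lineno}: bad endpoint {endpoint!r}")
        yield host, role, proto.lower(), address.strip("[]"), int(port), process


def audit(text, policy=POLICY):
    """Return {host: findings} listing each box's deviations from the lock-down."""
    report, seen, roles = {}, defaultdict(set), {}
    for host, role, proto, address, port, process in parse_inventory(text):
        roles[host] = role
        findings = report.setdefault(
            host, {"unknown_role": role not in policy, "unexpected": [], "missing": []})
        if role not in policy:
            continue  # no policy to test against: the box itself is the finding
        seen[host].add((proto, port))
        rules = policy[role]
        if (proto, port) not in rules["required"] | rules["optional"]:
            # A loopback-only listener is still a running service, but less exposed.
            reach = "local" if address in LOOPBACK else "network"
            findings["unexpected"].append((proto, port, process, reach))
    for host, role in roles.items():
        if role in policy:
            report[host]["missing"] = sorted(policy[role]["required"] - seen[host])
    return report


def noncompliant_hosts(report):
    """Hosts whose deployment deviates from the action plan."""
    return sorted(h for h, f in report.items()
                  if f["unknown_role"] or f["unexpected"] or f["missing"])


if __name__ == "__main__":
    for host, findings in sorted(audit(SAMPLE_INVENTORY).items()):
        print(host, findings)
```

A box that reports no listener for its required service is flagged as well, since a lock-down that also stopped the database or Web service is a failed deployment rather than a secure one.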
Administration Stage
The security team coupled with the on-shift operation
team carries out all processes defined at this
stage at any time. Daily monitoring includes the
following tasks: network diagram view from HP
OpenView, SNMP traps from NetCool, firewall
console, IDS console, antivirus console, and
syslog window.
Online blocking will be carried out once a remote
attack has been identified. The security team
will do the log analysis every day and generate
security reports every week and every month.
Auditing Stage
The security team will carry out an internal audit
every half year to determine the effectiveness
of existing security controls, watch for system
misuse or abuse by users, verify compliance
with corporate security policies, validate that
documented procedures are followed, and so
on. An audit report will be generated after the
auditing and given to management for review
and further action.
Cost-Benefit Analysis
The cost of building a secure e-business environ-
ment involves not only the one-time hardware/
software/project expenses but also the recurring
cost for users, operations, and ongoing changes.
For the company’s established e-business environ-
ment, the cost analysis can be done via four areas,
including iDC features, security systems, network
and communications, and maintenance staff.
The physical construction, including a floating
floor, CCTV camera system, biometrics handkey
system, server racks, UPS, and power generator,
together form the iDC features.
Security systems consist of the firewall cluster,
gateway antivirus cluster, IDS console and
sensors, Cisco VPN concentrator, and various
monitoring and logging systems.
Network and communication cost refers
to the expense of the Cisco router 7513, Cisco
switch 6509, network cabling, Internet bandwidth
subscription, and access switches for individual
network segments behind the firewall cluster.
Maintenance staff means internal skilled
manpower needed to maintain this established
e-business environment for fulfilling operation
and security requirements. This mainly refers to
the company’s security team and on-shift operation
engineer team.
Table 2. Cost analysis for e-business environment
Cost (SG$)              | Acquisition & implementation | Operation | Ongoing Changes & Growth | Total | % of Total
IDC Features            | 280K                         | 12K       | 0                        | 292K  | 18%
Security Systems        | 350K                         | 36K       | 15K                      | 401K  | 25%
Network & Communication | 420K                         | 168K      | 27K                      | 615K  | 39%
Maintenance Staff       | 0                            | 240K      | 50K                      | 290K  | 18%
Total                   | 1050K                        | 456K      | 92K                      | 1598K | -
% of Total              | 65%                          | 29%       | 6%                       | -     | 100%
In this study, the acquisition and implementation
cost is a one-time charge and accounts for a very
large percentage (65%), while expenses for operation
costs and ongoing changes and growth are
estimated on an annual basis, assuming there
are no big changes required on the e-business
environment. Table 2 shows the summarized
implementation cost and other estimated costs.
Although the cost may be high to SMEs, it is
indeed cost-effective for large organizations and
e-business providers due to the great benefits
obtained from the secure e-business environment.
These benefits include shared bandwidth, shared
security protection, scalability, reliability, and
total ownership cost saving.
CONCLUSION
Building a secure e-business environment is very
critical to e-business applications. The chapter
develops a security blueprint for an e-business
environment based on the analysis of a three-tiered
architecture and provides general best practices
for companies to secure their e-business environ-
ments. Also discussed is the applicability of this
security blueprint based on the case study of a
Singapore-based MNC. This case study shows
that the security blueprint for e-business environ-
ment is suitable and cost-effective in particular
for large companies like multi-national corpora-
tions (MNC).
This work was previously published in Enterprise Information Systems Assurance and Systems Security: Managerial and
Technical Issues, edited by M. Warkentin, pp. 80-94, copyright 2006 by IGI Publishing (an imprint of IGI Global).
Copyright © 2009, IGI Global, distributing in print or electronic forms without written permission of IGI Global is prohibited.
Chapter 7.12
A Model of Information Security
Governance for E-Business
Dieter Fink
Edith Cowan University, Australia
Tobias Huegle
Edith Cowan University, Australia
Martin Dortschy
Institute of Electronic Business—University of Arts, Germany
ABSTRACT
This chapter identifies various levels of governance
followed by a focus on the role of information
technology (IT) governance with reference
to information security for today’s electronic
business (e-business) environment. It outlines
levels of enterprise, corporate, and business
governance in relation to IT governance before
integrating the latter with e-business security
management. E-business has made organisations
even more reliant on the application of IT while
exploiting its capabilities for generating business
advantages. The emergence of and dependence on
new technologies, like the Internet, have increased
exposure of businesses to technology-originated
threats and have created new requirements for
security management and governance. Previous IT
governance frameworks, such as those provided by
the IT Governance Institute, Standards Australia,
and The National Cyber Security Partnership, have
not given the connection between IT governance
and e-business security sufficient attention. The
proposed model achieves the necessary integration
through risk management in which the tensions
between threat reduction and value generation
activities have to be balanced.
INTRODUCTION
Governance has gained increasing attention in
recent years, primarily due to the failures of
well-known corporations such as Enron®. The
expectations for improved corporate governance
have become very noticeable, especially in the