1. Electronic Commerce and the Concept of Trust. Definition of Trust. A Summary of the Basics of Trust. Trust as a Foundation for EC. The Trusted System. Complexity. Interdependency. The Trust Economy. Telecommunications Networks. Addressing New Risks. Summary. Action Items for IT Managers. Understand the Business Environment. Categorize and Respond to Specific Areas of Concern. Monitor the Relationship. 2. The Dark Side of the Force: The Risks of Electronic Commerce. Risks Common to all Distributed Networks. Limitations of Traditional Risk Management. New Awareness. Technology-Induced Risks: What's New. Process-Oriented Technical Risks. Public Communications Paths. Automation Amplification. Risk-Reduction Measures to Consider. Uneven Quality of Black Box Processes. What Control Professionals and Auditors Say. Get the Big Picture. Put Risk in the Right Context. The Role of the IT Manager in Risk Management. Beyond Technology Risk. 3. Gaining Control of Electronic Commerce. Control is More than Security. Benefits and Importance of Control. Control Objectives of a Trusted Commercial System. Criteria of Control. EC Controls: The Macro View. Control Is an Evolutionary Process. Steps to Create a Safe EC Environment. Identification of Crown Jewels. Management Controls: People and Process. Technology Dependent Controls (Tools). Role of the IT Manager: Point-Counterpoint. 4. Maintaining the Trust Bond: Certainty, Confidentiality, and Privacy. Introduction. Definitions and Implications for EC. Protection. EC Information Flow. Corporate Data Flow and Interactions. Data Flows Between Trading Partners. Data-in-Transit. Data with ISP. Data at Client Sites, Server Site, and Outsourced Vendors. Trans-Border Information Flow. The Auditor's Perspective. Confidentiality/Privacy Regulations: An International Sample. Total Quality in the EC Transaction Factory. 5. Security: What Are You Protecting and Why? Look After the Information First: Linking Security with Data Protection. Value and Approach for Public Key Versus Private Key. Framework for Building Confidence. Understanding the Risks of Distributed Systems. Cost of Risk Protection. Risk Management. Layers of Risk Protection. Perimeter. User Authentication. Public Key Infrastructure (PKI). Other Authentication Techniques. Access Control and Authorization. Information Transformation Layers and Associated Security Schemes. Social Aspects of Security. Social Engineering. Removable Data. Legal Aspects. Retaining Expertise. 6. Looking After Business: The Core Components of Electronic Commerce. EC as a Catalyst for Change. EC Defined. Person to Person. Person to Computer. Computer to Computer. EDI as the Primary Business-to-Business EC Component. The EC Value Proposition. Sales. Customer Service. Procurement. Procurement Cards. Information Management and Dissemination to Internal Resources. Business Issues. Technical Issues. Communications. Data Storage and Retrieval. Message Conversion. Application Interface. EC in the Payments Business. Future Direction and Implications for IT Managers. Extended Reach. Micropayments. Digital Cash. Smart Cards. Mondex. Encrypted Credit Cards. Electronic Checks. Electronic Bill Presentment. Implications of New EC Delivery Channels. Key EC Issues for the IT Manager. Factors for the IT Manager to Consider. Steps for EC Success. 7. Business First and Safety First: Protecting Electronic Commerce Relationships. From Systems Defense to Business Enhancement. Putting Both Safety and Service First. Key Players in EC Development. Business Policy as Big Rules. The Link Between Big Rules and Standards. Determining Compelling Reasons for the Big Rules. Questions for the Big Rule. Choosing the Big Rules. Relationship Design. Reputation and Performance in an Online Relationship. The Perfect EC Relationship. Front-Ending. Business Enhancement. 8. Auditing for a New Age, New Purpose, and New Commerce. The Changing Role of the Internal Auditor. Internal Control: Trends and Recent Developments. Internal Control: Integrated Framework, 1994. Guidance on Assessing Control, 1999. Guidance on Control, 1995. Control Objectives for Information and Related Technology, 1998 (CobiT). An Integrated Control Framework for EC. The EC Control Environment. The Payoff Idea. 9. External Audit Requirements and Regulatory Compliance. Overview. The External Auditor's Role. What External Auditors Look For. The Question of Corporate Governance: The Regulator's Role. FDIC Electronic Banking: Safety and Soundness Examination Procedures, 1998 (U.S.). Independent Report on Electronic Commerce and Canada's Tax Administration, 1998. CDIC Standards of Sound Business and Financial Practices: Internal Control 1994 (Canada). Financial Aspects of Corporate Governance, 1992 (U.K.). External Requirements Harmonization. The Common Ground. Action Items for Control Designers. Apply Safety Tools. Add New Control Self-Assessment Topics. Promote Quality Documentation. Action Items for EC Professionals. 10. Trends to Follow and Opportunities to Take. How to Plan When You Can't Predict. The Near Term. Transforming the Nature of Security with Agents. ANSI and Internet/Extranet Growth. The Medium Term. Safe Payments. The Unknown Time Frame. Digital Cash. Changes in Payment Mechanisms. The Death of Copyright. Recommendations to Managers. Appendix Electronic Commerce in Action: The Case of Secure Electronic Transaction (SET). 11. What Is SET? 12. Why SET at All? 13. Risk Profile with Implementing a SET Payment System. SET Payment Cardholders. SET Merchants. SET Payment Gateways. 14. The Trust Dimension: The Public Key Infrastructure. 15. SET Implementation Issues. Vendor Products May Not Be Fully Certified at Time of Implementation or Self-Audit. Merchant Sign-Up Process Change. Certificate Management. Performance. Backup of SET-Sensitive Files. Managing Vendors and Outsourcing Partners. Self-Audits and Independent Audits. 16. What SET Does Not Cover. Index.
