Posted 2014/02/14 16:37:07 | Views: 530 | Replies: 0 | Recommendations: 2
14.1.2 Securing application services on public networks
Control
Information involved in application services passing over public networks should be protected from fraudulent activity, contract dispute and unauthorized disclosure and modification.
Implementation guidance
Information security considerations for application services passing over public networks should include the following:
a) the level of confidence each party requires in each other’s claimed identity, e.g. through authentication;
b) authorization processes associated with who may approve contents of, issue or sign key transactional documents;
c) ensuring that communicating partners are fully informed of their authorizations for provision or use of the service;
d) determining and meeting requirements for confidentiality, integrity, proof of dispatch and receipt of key documents and the non-repudiation of contracts, e.g. associated with tendering and contract processes;
e) the level of trust required in the integrity of key documents;
f) the protection requirements of any confidential information;
g) the confidentiality and integrity of any order transactions, payment information, delivery address details and confirmation of receipts;
h) the degree of verification appropriate to verify payment information supplied by a customer;
i) selecting the most appropriate settlement form of payment to guard against fraud;
j) the level of protection required to maintain the confidentiality and integrity of order information;
k) avoidance of loss or duplication of transaction information;
l) liability associated with any fraudulent transactions;
m) insurance requirements.
Many of the above considerations can be addressed by the application of cryptographic controls (see Clause 10), taking into account compliance with legal requirements (see Clause 18, especially 18.1.5 for cryptography legislation).
Application service arrangements between partners should be supported by a documented agreement which commits both parties to the agreed terms of services, including details of authorization (see b) above).
Resilience requirements against attacks should be considered, which can include requirements for protecting the involved application servers or ensuring the availability of network interconnections required to deliver the service.
Other information
Applications accessible via public networks are subject to a range of network related threats, such as fraudulent activities, contract disputes or disclosure of information to the public. Therefore, detailed risk assessments and proper selection of controls are indispensable. Controls required often include cryptographic methods for authentication and securing data transfer.
Application services can make use of secure authentication methods, e.g. using public key cryptography and digital signatures (see Clause 10) to reduce the risks. Also, trusted third parties can be used, where such services are needed.
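The following Go program is an added example, not part of the standard's text or of this post, showing how the cryptographic controls referred to above cover several of the listed considerations in one transactional exchange: the buyer signs a key document so the seller has proof of dispatch and the buyer cannot repudiate it (items d and e), the seller verifies origin and integrity before acting (items a and g), rejects a replayed transaction ID so the order is not processed twice (item k), and returns a signed receipt over the exact bytes accepted as proof of receipt (item d). Ed25519, the JSON order format, the field names, the in-memory set of seen transaction IDs and the sample order values are all assumptions of this example; a production system would persist the seen set and bind keys to verified identities (item a), which the code does not attempt.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)

// Order is a key transactional document. Field names are constructed for this example.
type Order struct {
	TxID     string `json:"tx_id"`        // unique per order; used to detect duplicates (item k)
	Buyer    string `json:"buyer"`
	Item     string `json:"item"`
	Quantity int    `json:"quantity"`
	Amount   int    `json:"amount_cents"`
}

// SignedOrder is the canonical order bytes plus the buyer's signature over them:
// proof of dispatch that the buyer cannot later repudiate (items d, e).
type SignedOrder struct {
	Payload   []byte
	Signature []byte
}

// Receipt is the seller's signed acknowledgement of the exact order bytes accepted:
// proof of receipt for the buyer (item d).
type Receipt struct {
	OrderHash []byte
	Signature []byte
}

var (
	ErrBadSignature = errors.New("signature does not verify: origin or integrity check failed")
	ErrDuplicate    = errors.New("transaction id already processed: duplicate or replay")
)

// SignOrder serialises the order deterministically and signs the bytes with the buyer's key.
func SignOrder(priv ed25519.PrivateKey, o Order) (SignedOrder, error) {
	payload, err := json.Marshal(o) // struct field order is fixed, so the encoding is canonical
	if err != nil {
		return SignedOrder{}, err
	}
	return SignedOrder{Payload: payload, Signature: ed25519.Sign(priv, payload)}, nil
}

// Seller holds the buyer's verification key, its own signing key and the set of
// transaction IDs already accepted (in memory here; an assumption of the example).
type Seller struct {
	priv     ed25519.PrivateKey
	buyerPub ed25519.PublicKey
	seen     map[string]bool
}

func NewSeller(buyerPub ed25519.PublicKey) (*Seller, error) {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Seller{priv: priv, buyerPub: buyerPub, seen: map[string]bool{}}, nil
}

func (s *Seller) PublicKey() ed25519.PublicKey { return s.priv.Public().(ed25519.PublicKey) }

// AcceptOrder checks origin and integrity first, then rejects a replayed TxID, and
// only then commits the order and issues a signed receipt over its hash.
func (s *Seller) AcceptOrder(so SignedOrder) (Receipt, error) {
	if !ed25519.Verify(s.buyerPub, so.Payload, so.Signature) {
		return Receipt{}, ErrBadSignature
	}
	var o Order
	if err := json.Unmarshal(so.Payload, &o); err != nil {
		return Receipt{}, err
	}
	if s.seen[o.TxID] {
		return Receipt{}, ErrDuplicate
	}
	s.seen[o.TxID] = true
	h := sha256.Sum256(so.Payload)
	return Receipt{OrderHash: h[:], Signature: ed25519.Sign(s.priv, h[:])}, nil
}

// VerifyReceipt lets the buyer confirm that the seller acknowledged exactly the order sent.
func VerifyReceipt(sellerPub ed25519.PublicKey, so SignedOrder, r Receipt) bool {
	h := sha256.Sum256(so.Payload)
	return bytes.Equal(h[:], r.OrderHash) && ed25519.Verify(sellerPub, r.OrderHash, r.Signature)
}

func main() {
	buyerPub, buyerPriv, _ := ed25519.GenerateKey(rand.Reader)
	seller, _ := NewSeller(buyerPub)
	// Constructed sample order.
	so, _ := SignOrder(buyerPriv, Order{TxID: "PO-0001", Buyer: "example-buyer", Item: "widget", Quantity: 3, Amount: 1500})
	r, err := seller.AcceptOrder(so)
	fmt.Println("first submission accepted:", err == nil, "receipt verifies:", VerifyReceipt(seller.PublicKey(), so, r))
	_, err = seller.AcceptOrder(so) // same signed order submitted again
	fmt.Println("replay rejected:", errors.Is(err, ErrDuplicate))
}
```

The order of checks in AcceptOrder matters: the signature is verified before the payload is parsed or the duplicate set is consulted, so unauthenticated input never reaches the parser and cannot mark a genuine transaction ID as already seen.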