Abstract ISACA recently unveiled the results of its 2010 survey Shopping on the Job: Online Holiday Shopping and Workplace Internet Safety. The results demonstrate trends in employees utilizing enterprise resources to complete e-commerce transactions during business hours, resulting in lost productivity and increased risk to enterprise information assets. This white paper discusses many of the risks associated with such actions and provides recommendations for enterprises dealing with such challenges.
E-commerce and Consumer Retailing: Risks and Benefits

2010 ISACA. All rights reserved.
Results from ISACA's 2010 Shopping on the Job Survey: Online Holiday Shopping and Workplace Internet Safety

My organization does the following when it comes to mobile devices (e.g., smart phones, laptops, tablets, netbooks) (please check all that apply):
A security policy is in place that covers mobile devices. ...... 69%
Employees are allowed to use work mobile devices for personal use, including for online shopping. ...... 42%
Employees are allowed to use personal mobile devices for work use. ...... 41%
Employees are regularly educated about securing their work-related and/or personal mobile devices for enterprise use. ...... 50%
Because most enterprises have connectivity to the Internet, many of these risks exist whether or not employees shop online. However, the likelihood of risk realization increases when employees engage in activities such as shopping online without verifying that proper controls are in place. Proper controls include ensuring that security patches are up to date, that web sites are legitimate, that mobile devices have adequate security applied before their browsers are used, and that applications permit convenient Internet usage.
In addition to an AUP, the enterprise should consider revisiting its mobile device management plan and policy. Often, mobile devices are not subject to the same level of security controls that is applied to devices that do not leave the office. For many workers, the distinction between their personal and professional lives is diminishing because they have been given mobile devices by their employers and are available for business regardless of time or location. While these devices may affect productivity in a positive manner, employees use them for many things. For example, 47 percent of surveyed participants in ISACA's Shopping on the Job survey report that they will shop from enterprise-owned mobile devices. It is critical that enterprises take the time to properly control and manage these devices. In developing policies, the enterprise should consider and assess the impact on network utilization, network threats and productivity. The enterprise must define acceptable use. Holiday shopping can be treated differently than other activities such as social media use, Super Bowl gambling or participation in fantasy sport leagues.
Assurance Considerations for E-commerce
Once the enterprise develops an appropriate strategy and controls to manage and monitor employee usage of the Internet, it is the role of the assurance professional within the enterprise to assess compliance with the associated policy and to ensure that the monitoring controls are effective and that compliance with the policy is established and measurable. The elements identified in ISACA's Business Model for Information Security (BMIS) present a good foundation for assurance professionals:
1. Organization
Has personal e-commerce been addressed in the enterprise risk assessment? Is there an established policy (and supporting standards) that addresses personal e-commerce utilizing enterprise assets? Do the policies address personal e-commerce use in the workplace?
2. People
Has effective training been conducted for all users, and do users receive regular awareness communications regarding policies and risks? It is imperative that all users understand what is (and is not) appropriate and how to protect themselves and the enterprise while using enterprise resources for personal purposes.
3. Processes
Have business processes been assessed to determine whether the personal e-commerce policy requires modifications or additions to existing processes?
4. Technology
Does IT have a strategy and the supporting capabilities to manage the technical risks presented by personal e-commerce? The technical risks related to personal e-commerce are the same ones found in malicious e-mail and in the use of standard web sites. IT should have controls in place, both network-based and host-based, to mitigate the risks presented by malware. Suitable controls can include download restrictions, browser settings, data leak prevention products, content monitoring and filtering, and antivirus and antimalware applications. Appropriate incident response plans should be in place. Lastly, some of the key assurance issues that will need to be addressed are:
- Privacy
- Compliance
- Confidentiality
- Appropriate use of enterprise resources
- Malware
Conclusions
Productivity and information risk are two key areas to be watched as more employees utilize enterprise resources for personal Internet use. While ISACA's Shopping on the Job survey indicates that fewer workers will be shopping online using work-issued devices, the results show that those employees who do so will engage in riskier behaviors this year than during previous years. While risks originating from personal Internet usage on enterprise-owned devices have not dramatically changed, the holiday season can be an optimal time to revisit acceptable use and mobile device policies to ensure that controls are in place to protect information assets.