Tuesday, 29 January 2008

Security Report plan

E-commerce refers to websites that carry out transactions, in other words transactional websites. They display and sell goods and services online, for example the websites of clothes shops or insurance companies.
E-commerce is more susceptible to threats than normal commerce because to make a transaction online you have to give more personal details. If you go into a shop to buy something, you don't have to give your name or address, whereas online you do. With e-commerce you also have to give credit card details, and these can be stolen and retrieved by spyware, leaving the customer open to online fraud. However, with the right protection from the transactional website, the customer will not have to suffer these consequences.

There are many threats to data security with e-commerce, as it can be very vulnerable without the right security. First of all there are viruses: these are computer programs designed to copy themselves. They can attach themselves to other programs, or they may be stand-alone, in which case they are called worms. They cause a lot of harm to a computer system, and in e-commerce situations identity theft is a common result of them. Anti-virus measures can be taken; there are many anti-virus packages you can purchase and install on your computer to stop it from picking up viruses. An example of anti-virus software is 'Norton Antivirus'. Creating viruses is a serious offence, and if caught the creators are often jailed. There was a BBC News article about an event like this. The opening paragraph reads: 'A man who admitted infecting thousands of computers across the world with fast-spreading viruses has been jailed for two years.' These computers included systems owned by many businesses, which in effect temporarily destroyed them.
Secondly there are hackers, who break into computer systems and databases so that they can access all the information and data held in them. If they are not prevented, identity theft and online banking fraud are very common results. To stop hackers from achieving this there are firewalls. Firewalls are used to control access to networks and enforce an access control policy. They stop hackers from getting into your computer system because they recognise that the hacker should not have access to it. There is an article on the Yahoo News website titled 'Hackers go after Excel'. Excel is a program which can contain a great deal of data. For example, a business may use Microsoft Excel to keep a record of its finances and bank position. If a hacker gets into these files, a great deal of data about the company can be stolen.
Next there is spyware to consider. This can monitor almost anything a user does: it can monitor websites visited and files used, collect keystrokes and therefore find out passwords and credit card details, scan hard disks, view private chats, change default pages and hijack search engines. So it causes a lot of damage to the computer system it has invaded, and the owner of the computer can become a victim of fraud and identity theft. To prevent this you can install software like anti-virus software but specifically designed for spyware.
All of the threats mentioned above come from other computer systems; however, there are some physical threats to consider as well. Hardware failure can occur, where the system fails and simply does not work; you would not suffer from this in the shops. Furthermore there can be human error: it is possible for people to make mistakes, and if too many are made anything could potentially go wrong. Most of the time these mistakes can be prevented by training; training employees means that they know how to use the system properly, so they are less likely to make mistakes, and this helps to prevent human error. Dishonest employees who are up to no good can steal information from their company's database and use it inappropriately; this is a serious offence and threat. To prevent this, companies can monitor the actions of each employee, and anyone who acts inappropriately can be sacked. There is always the threat of natural disasters, where systems are simply destroyed by unexpected events such as hurricanes or tsunamis, both of which can destroy computers altogether. You do not always know when they are going to happen, and tend to rely on the warnings of others such as environmental groups. Another physical threat is theft: computers can be stolen if they are not protected securely. To prevent this, physical security can be put in place, for example security guards or security cameras, which stops computers or other systems from being stolen.

If you are part of an organisation which involves you travelling, it is a good idea to get a device which stops others peering over your shoulder to spy on what you are doing. Private information can leak out this way; to stop this from occurring, '3M Privacy Screen Filters' have been invented. About 40% of business travellers admit to snooping on their unsuspecting seatmates. £250 billion of corporate secrets are stolen each year due to indiscreet business practices, and 10% of laptop theft is for the purpose of obtaining the information stored on the laptop. So the purpose of the filter is to stop unauthorised people looking at information they should not see. The filter only allows the person viewing the screen face-on to see it; people at other angles will not be able to view the screen. To the right-hand side there is a photo of the filter. Physical security can also help to prevent terrorism: bombs can destroy computers completely, so they need to be protected, and people can also get into computer systems and destroy them or steal the company's money. Furthermore, flood and fire can both destroy computers.

There are still many other prevention methods for these threats to consider. Take risk analysis, for example: it is a good idea for companies to carry this out, as it helps to identify the potential risks faced by the company's systems. The systems are assessed for how well they work and any problems are identified. Another method is the use of passwords; they are a safe way of protecting personal databases and information. With e-commerce you have a password to protect your online account and personal details, and only you can access them, as only you should know the password for that particular account. Access levels are also used to stop people of lower authority in a business from accessing areas they should not. For example, the finance department would only be able to access the finances of the business and nothing else. To help stop natural disasters from destroying all the data, backup can be used. By backing up files and data, if a natural disaster or something else you cannot prevent occurs, you will have a copy of all the data and information you have lost, for example on a hard disk. An external hard disk drive can hold up to 120 GB of data; this is the most reliable way to store massive documents. It can hold videos and music at the same time as many documents. It works like a memory stick but holds a lot more, and is more suitable for holding a whole computer system. Backing up data can stop businesses from being destroyed by many of the threats they face.
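As an added illustration of the password and access-level controls described above (example code written for this page, not anything from the organisation discussed): a small Python user store that keeps passwords as salted PBKDF2 hashes rather than in clear, so a stolen copy of the database does not give away the passwords, and an access check that lets a user reach only the areas tagged with their own department. The user names, passwords and area names are invented.

```python
import hashlib
import hmac
import os

# Constructed example: names, passwords and areas below are invented.
PBKDF2_ITERATIONS = 200_000


def hash_password(password, salt=None):
    """Return (salt, hash). A fresh random salt per user means two users with
    the same password get different stored values, and the stored value cannot
    be turned back into the password."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password, salt, stored):
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, stored)   # constant-time comparison


class UserStore:
    def __init__(self):
        self._users = {}   # username -> {salt, hash, department}

    def add_user(self, username, password, department):
        salt, digest = hash_password(password)
        self._users[username] = {"salt": salt, "hash": digest, "department": department}

    def login(self, username, password):
        """Return the user's department on success, None on failure."""
        user = self._users.get(username)
        if user is None:
            # Still do the hashing work so a failed login takes the same time
            # whether or not the username exists.
            hash_password(password)
            return None
        if not verify_password(password, user["salt"], user["hash"]):
            return None
        return user["department"]


# Each protected area is tagged with the one department allowed to reach it.
AREAS = {
    "finance/ledger": "finance",
    "finance/payroll": "finance",
    "warehouse/stock": "warehouse",
    "marketing/campaigns": "marketing",
}


def can_access(department, area):
    """Access-level check: a user may reach only areas tagged with their department."""
    return AREAS.get(area) == department


def main():
    store = UserStore()
    store.add_user("alice", "correct horse battery staple", "finance")
    store.add_user("bob", "hunter2", "warehouse")
    dept = store.login("alice", "correct horse battery staple")
    print("alice department:", dept)
    print("alice -> finance/ledger:", can_access(dept, "finance/ledger"))
    print("alice -> warehouse/stock:", can_access(dept, "warehouse/stock"))
    print("alice with wrong password:", store.login("alice", "wrong"))


if __name__ == "__main__":
    main()
```

The department lookup happens only after a successful login, so the access check never sees a department for a user who has not proved who they are.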

All transactional websites need to have a secure network so that the customer's personal information is not stolen by those who should not be able to retrieve it. To prevent this from happening, Secure Electronic Transaction (SET) can be used; this is a standard protocol for securing credit card transactions over insecure networks, for example the internet. It enables users to employ the existing credit card payment system on an open network in a secure way. Furthermore, encryption is used to keep certain information secret and protected from those who should not see it. Only those authorised to view the information can view it, so it remains safe.

Legislation plays a big part in the safety of a business. The laws are put in place to protect the customer when they give their personal information to the company.
Firstly there is the Data Protection Act. This act was devised in 1998 to protect individuals from their personal data being used incorrectly or passed around too freely. The right to privacy is a right we all expect: we do not expect personal details such as our age, medical records, personal family details and political and religious beliefs to be freely available to everybody. To protect people and their personal information, the Data Protection Act was formed.
The first Data Protection Act was made law in 1984 but was replaced by a new act in 1998 to incorporate European Union law. There are eight principles of the Data Protection Act, which state that personal data must:
Be processed fairly and lawfully.
Be obtained for specified and lawful purposes.
Be adequate, relevant and not excessive for the purpose.
Be accurate and up-to-date.
Not be kept longer than necessary.
Be processed within the rights of data subjects.
Be kept secure against loss, damage and unauthorised and unlawful processing.
Not be transferred to countries outside the European Economic Area.
If an organisation, business or company holds personal information about people, it must register with the Data Protection office. As well as paying a fee when they register, they must state what kind of information they hold and how they intend to use it. If you have a database on your home computer containing personal details for family affairs, this is exempt from the act and you do not have to register.
The Data Protection Act is very effective, as all companies have to comply with it. Furthermore it provides strong underlying principles which must be followed, or the company can be destroyed. People who go against the Data Protection Act are prosecuted if they can give no valid reason. Marks and Spencer has previously breached the Data Protection Act by not encrypting employee data which was held on a laptop. The computer contained pension details for 26,000 employees and was stolen from the home of a contractor. There is an article on this case on computerweekly.com, which stated the action taken: 'The ICO has issued Marks and Spencer with an enforcement notice ordering the company to ensure all laptop hard drives is fully encrypted by April. Failure to comply is a criminal offence and can result in further action against the company'.
Secondly there is the Computer Misuse Act, which is legislation against hacking; it was passed in 1990 in the UK. Technology changes across the world and hackers' techniques improve quickly, so the law needs to keep up with them. The act also works in the sense that it keeps employees in order and makes them do their job accurately and efficiently. There are three computer misuse offences, and these are:
Unauthorised access to computer material
Unauthorised access with intent to commit or facilitate commission of further offences
Unauthorised modification of computer material.
Thirdly there is the Office of Fair Trading (OFT). The OFT has three main operational areas: Competition Enforcement, Consumer Regulation Enforcement, and Markets and Policies Initiatives. It enforces both consumer protection and competition law. Its goal is to make markets work well for consumers, and to ensure that unfair practices such as rogue trading, scams and cartels are prohibited.

Another form of legislation is the Freedom of Information Act; it deals with access to official information. Furthermore, there are also regulations which provide access to environmental information. This act applies to most public authorities and to companies which are wholly owned by public authorities. It is quite the opposite of the others mentioned, as it allows the public to view information; however, the information that has been made accessible has been approved by the original source of the data. For example, with a transactional website the customer has the right to track their previous orders; therefore they need to receive information from the company, as long as they are authorised to.



The website I am analysing, Topshop.com, makes the customer aware that their data is secure through the terms and conditions page, shown in the print screen below:

They have a privacy policy statement which explains what data they take from you and what they do with it. They state that: 'Your data will enable us, and our processors, to fulfil your order and to notify you about important functionality changes.' They then go on to explain how they make sure the data is secure. Most importantly they state that: 'We comply with the standards, procedures and requirements laid down in the UK Data Protection Act to ensure that the personal information you give us is kept secure and processed fairly and lawfully.' When it comes to security, Topshop.com gives the customer the opportunity to find out exactly what is happening to their personal information. For example, they explain in the terms and conditions that they have a fraud prevention screen, as shown in the print screen below:


As you can see, it reinforces the point that 'At all times where we disclose your information it will remain secure'; this suggests that they have SET in place. As previously explained, this is a standard protocol for securing credit card transactions over insecure networks, i.e. the internet.

Tuesday, 8 January 2008

Back office processes

Explain what Back Office Processes are and why your organisation needs them - Topshop needs back office processes to ensure that all ordering, payment and reporting of the transactions on the website run smoothly. Accounting, keeping records of clients' orders, stock control and the management of the website are all functions of the back office.

What processes are involved in Stock Control? What is at the centre of this type of system? - Stock control is a back office process which keeps track of the items that are for sale. Its main purpose is to make sure that there is always enough stock available to meet customer demand. Stock control ensures that no single item is sold twice to two different customers. The stock is kept on a database, so that when a customer wants to buy an item the back office can refer to the database (which is at the centre of the system) to see whether it is in stock or not.

Explain what ASPs are, and how they can update a database. - ASP stands for Active Server Pages. It is code that allows the customer to read and update the database. They can do this by logging onto the database through the website. The ASP is run every time someone uses a search engine; the code then reads the database and looks up the item price and details.

How do organisations maintain the virtual shopping basket for a customer, and what processes are involved? - Whilst a customer is browsing the website and ordering goods, it is necessary to hold the details of the items to be purchased. In Topshop's case, they have an online shopping bag which is shown on the screen. At the end of the customer's shop, when they are happy with what is in their shopping bag, they can purchase the items by clicking 'check out'. To maintain this, Topshop calculates the total each time an item is added to the bag. The added items are then reserved for the customer so that they are not sold twice. The customer has the option to remove items from the bag at any point, and they are made aware of the delivery costs that have been added to the total.
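The stock-control and shopping-bag processes described in the two answers above, as an added Python example written for this page (it is not Topshop's code and does not describe how their system is built). An in-memory stock table stands in for the database at the centre of the system; adding an item to a bag reserves it so a second customer cannot take the last unit, removing it releases the reservation, the total is recalculated on every change and includes a delivery charge, and checkout turns reservations into sales and raises a reorder when stock falls to a reorder point. Product codes, prices, quantities and the delivery charge are all invented.

```python
import threading
from dataclasses import dataclass

# Constructed example: product codes, prices, quantities and the delivery
# charge below are invented.


@dataclass
class StockLine:
    price: float
    on_hand: int            # units physically in stock
    reserved: int = 0       # units sitting in customers' bags, not yet paid for
    reorder_point: int = 2  # when on_hand falls to this, a reorder is raised

    @property
    def available(self):
        return self.on_hand - self.reserved


class StockControl:
    def __init__(self, lines):
        self._lines = lines
        self._lock = threading.Lock()   # one change at a time, like a DB transaction
        self.reorders = []              # product codes passed to the supplier link

    def reserve(self, code, qty):
        """Hold qty units for a bag; fails if fewer than qty are unreserved."""
        with self._lock:
            line = self._lines[code]
            if line.available < qty:
                return False
            line.reserved += qty
            return True

    def release(self, code, qty):
        with self._lock:
            self._lines[code].reserved -= qty

    def sell(self, code, qty):
        """Turn a reservation into a sale; reorder automatically if stock is low."""
        with self._lock:
            line = self._lines[code]
            line.reserved -= qty
            line.on_hand -= qty
            if line.on_hand <= line.reorder_point and code not in self.reorders:
                self.reorders.append(code)

    def price(self, code):
        return self._lines[code].price

    def available(self, code):
        return self._lines[code].available


DELIVERY_CHARGE = 4.00   # constructed flat rate, added once the bag is non-empty


class Basket:
    def __init__(self, stock):
        self._stock = stock
        self.items = {}   # product code -> quantity in the bag

    def add(self, code, qty=1):
        if not self._stock.reserve(code, qty):
            return False   # out of stock or already reserved by someone else
        self.items[code] = self.items.get(code, 0) + qty
        return True

    def remove(self, code, qty=1):
        have = self.items.get(code, 0)
        qty = min(qty, have)
        if qty == 0:
            return
        self._stock.release(code, qty)
        if have == qty:
            del self.items[code]
        else:
            self.items[code] = have - qty

    def total(self):
        goods = sum(self._stock.price(c) * q for c, q in self.items.items())
        delivery = DELIVERY_CHARGE if self.items else 0.0
        return round(goods + delivery, 2)

    def checkout(self):
        paid = self.total()
        for code, qty in self.items.items():
            self._stock.sell(code, qty)
        self.items = {}
        return paid


def main():
    stock = StockControl({"T100": StockLine(price=12.00, on_hand=1),
                          "J200": StockLine(price=40.00, on_hand=5)})
    first, second = Basket(stock), Basket(stock)
    print("first adds T100:", first.add("T100"))
    print("second adds T100:", second.add("T100"))   # False: the last unit is reserved
    first.remove("T100")
    print("second adds T100 after release:", second.add("T100"))
    second.add("J200", 3)
    print("second total:", second.total(), "paid:", second.checkout())
    print("reorders raised:", stock.reorders)


if __name__ == "__main__":
    main()
```

The lock plays the part of the database transaction: the check "is it available?" and the update "reserve it" happen as one step, which is what stops two bags each being told the last unit is theirs.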

Draw an example flowchart for your organisation to illustrate these processes. - On sheet

P143, Explain briefly the difference between HTTP authentication and cookie identification. - HTTP authentication produces the familiar login/password browser sequence, whereas cookies are placed onto a person's computer without them knowing at the time.

What advantage do cookies have over HTTP authentication? - Some cookies enable you to save your username on that computer, so when you go back to the website you only have to type in your password; this saves time, whereas HTTP authentication does not offer this. Cookies are an automated way of knowing who is looking at your website, whereas HTTP authentication is not as instant.

What is a cookie? Why does a transactional website need them? See page 153 for more info; Wikipedia has some good starting points here. - Cookies are small text files that are stored on a computer's hard disk when the user visits a website. They are kept in chronological order and record the preferences of the user. This is useful for transactional websites, as they can use the cookies to see which items the customer is most commonly interested in, so the next time they visit the website they get a better experience and would be impressed with the site's knowledge of them.

P144, why is it useful to get a customer to log in to the website? Do the activity. - It is useful to get a customer to log in to the website as they can be anonymously tracked with a personal ID number. This random number is sent to a cookie; once the customer has logged in they can be tracked in more detail for everything they do, and can be rewarded for things such as consistency and loyalty to the company's website. The company can also see if the customer is misusing the website.
A list of the tables that might be involved in tracking customers' actions:
• Affiliates & Transfers
• Bundles
• cartRows options
• Categories and products
• Country codes
• credit cards
• currency static
• customer types
• dbSession cart
• discounts per quantity
• emails
• options and groups
• orders
• payments
• rentals
• reviews
• stock & stock movements
• tax
• visits
• wish list
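The two identification methods compared in the questions above (HTTP authentication versus a cookie carrying a random ID), side by side as an added Python example written for this page, not code from Topshop or any real shop. The first half produces the 401 challenge that makes the browser show its login box and checks the Authorization header it sends back; the second half issues the random session ID mentioned in the P144 answer as a cookie, marked Secure and HttpOnly so it travels only over HTTPS and cannot be read by scripts in the page, and looks it up server-side on later visits. The user name and password are invented, and the password is held in clear only to keep the example short.

```python
import base64
import secrets
from http.cookies import CookieError, SimpleCookie

# Constructed example: one invented user; a real store would hash the password.
USERS = {"alice": "correct horse battery staple"}


def basic_auth_challenge():
    """The 401 response that makes the browser pop up its login/password box."""
    return {"status": 401, "WWW-Authenticate": 'Basic realm="shop"'}


def encode_basic(username, password):
    """Build the Authorization header the browser sends after the login box."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return "Basic " + token


def check_basic_auth(authorization_header):
    """Return the username if the header carries valid credentials, else None."""
    if not authorization_header or not authorization_header.startswith("Basic "):
        return None
    try:
        decoded = base64.b64decode(authorization_header[6:], validate=True).decode()
    except (ValueError, UnicodeDecodeError):
        return None
    username, sep, password = decoded.partition(":")
    if sep != ":" or username not in USERS:
        return None
    # Constant-time comparison: a wrong password takes the same time whatever
    # the first wrong character is.
    if not secrets.compare_digest(USERS[username].encode(), password.encode()):
        return None
    return username


SESSIONS = {}   # session id -> username: the server-side record behind the cookie


def issue_session_cookie(username):
    """Create a session ID a visitor cannot guess and wrap it in a Set-Cookie header."""
    session_id = secrets.token_urlsafe(32)   # 256 random bits, not a sequential number
    SESSIONS[session_id] = username
    cookie = SimpleCookie()
    cookie["sid"] = session_id
    cookie["sid"]["secure"] = True      # only sent over HTTPS
    cookie["sid"]["httponly"] = True    # scripts running in the page cannot read it
    cookie["sid"]["samesite"] = "Lax"   # not sent along with cross-site form posts
    cookie["sid"]["path"] = "/"
    return cookie.output(header="Set-Cookie:").strip()


def identify_from_cookie(cookie_header):
    """Look the browser's cookie up server-side; unknown or missing IDs are anonymous."""
    cookie = SimpleCookie()
    try:
        cookie.load(cookie_header or "")
    except CookieError:
        return None
    morsel = cookie.get("sid")
    return SESSIONS.get(morsel.value) if morsel else None


def main():
    print(basic_auth_challenge())
    header = encode_basic("alice", "correct horse battery staple")
    print("basic auth ->", check_basic_auth(header))
    set_cookie = issue_session_cookie("alice")
    print(set_cookie)
    sid = set_cookie.split("sid=")[1].split(";")[0]
    print("cookie ->", identify_from_cookie("sid=" + sid))
    print("guessed cookie ->", identify_from_cookie("sid=not-a-real-session"))


if __name__ == "__main__":
    main()
```

The cookie itself holds nothing but the random ID; who the visitor is lives in the server's session table, so a visitor who edits their cookie to some other value is simply treated as anonymous.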
At what point is HTTPS encryption used? Why? - It is used when they want to encrypt credit card data, so that all the details remain secure and others cannot access or even read the data. Credit card data is very important, for if someone found out the details they could use them to pay for things with other people's money. If the details are encrypted, then unauthorised people who may access the database cannot read the card details.

Why is this method safe even if someone intercepts the data travelling to the website? - It is safe because the intercepting person will not be able to read the data unless they have authorisation to do so.

P145, Explain why a stolen card is unlikely to be used for online shopping. - A stolen card is unlikely to be used for online shopping, as the details of the card can only be used if the billing address matches the delivery address. If the card has been used by the rightful owner on the internet, then it can be tracked for unusual use.
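The two checks in the answer above (billing address must match delivery address, and the card is watched for unusual use), as an added Python fraud-screen example written for this page rather than the screen of any real retailer. Orders are invented records; the card is referred to only by a token, since the screen never needs the full number. An order that passes is remembered so that later orders on the same card can be compared against it.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed example: orders, card tokens and addresses below are invented.


def normalise(address):
    """Lower-case and squeeze punctuation and spacing so trivial differences do not count."""
    return " ".join(address.lower().replace(",", " ").replace(".", " ").split())


def addresses_match(billing, delivery):
    return normalise(billing) == normalise(delivery)


def make_order(card_token, billing, delivery, when_iso):
    """Constructed order record; card_token stands in for the card number."""
    return {"card_token": card_token, "billing": billing, "delivery": delivery,
            "when": datetime.fromisoformat(when_iso)}


class FraudScreen:
    def __init__(self, max_orders_per_day=3):
        self.max_orders_per_day = max_orders_per_day
        self._history = defaultdict(list)   # card token -> times of accepted orders

    def assess(self, order):
        """Return the reasons an order looks unusual; an empty list means it passes."""
        reasons = []
        if not addresses_match(order["billing"], order["delivery"]):
            reasons.append("billing address does not match delivery address")
        since = order["when"] - timedelta(days=1)
        recent = [t for t in self._history[order["card_token"]] if t > since]
        if len(recent) >= self.max_orders_per_day:
            reasons.append(f"{len(recent)} orders on this card in the last 24h")
        if not reasons:
            self._history[order["card_token"]].append(order["when"])
        return reasons


def main():
    screen = FraudScreen(max_orders_per_day=2)
    orders = [
        make_order("tok_A", "1 High St, Leeds", "1 high st leeds", "2008-01-29T10:00:00"),
        make_order("tok_A", "1 High St, Leeds", "9 Other Rd, Hull", "2008-01-29T11:00:00"),
        make_order("tok_A", "1 High St, Leeds", "1 High St, Leeds", "2008-01-29T12:00:00"),
        make_order("tok_A", "1 High St, Leeds", "1 High St, Leeds", "2008-01-29T13:00:00"),
    ]
    for order in orders:
        print(order["when"].isoformat(), screen.assess(order) or "passes")


if __name__ == "__main__":
    main()
```

An order that is flagged is not added to the card's history, so a run of rejected attempts does not by itself lock the rightful owner out later.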

What is stock control? How are stock reorders managed by computer? - Stock control refers to all the processes involved in ordering, storing and selling goods; because it works in real time, it makes sure that the same product is not sold twice. It is run on a computer system for a website. It makes sure there is always enough stock for demand, but not too much out on the shelves, as this can waste money. Reorders are managed by the computer through links to suppliers' systems, so that a reorder can be placed automatically.

P146, List the processes involved in Despatch and Delivery of goods. -
• Address labels printed with dispatch notes and invoices
• Goods packaged
• Goods collected by courier
• Tracking handed over by the organisation
• Customer informed via email, or by logging into the website, that their purchase has been dispatched; the customer can then track the progress of the consignment.

Draw your own version of the diagrams on pages 146-7 for your own organisation. - On sheet

Monday, 7 January 2008

Back office processes


Friday, 4 January 2008

Conditions of purchase

Terms and conditions are available on all websites, and it is particularly important for a transactional website to show a clear link for a customer to view them. The terms and conditions should be easy for the customer to understand so they are not ignored or overlooked. Topshop.com gives the customer the opportunity to look at the terms and conditions at any point while browsing the website.

The link is available at the end of every page. They are easy to read, as they are all set out under separate headings which are kept simple. The headings are hyperlinked at the top of the terms and conditions page, so if necessary the customer can easily view the section of their choice. The headings are shown in the screenshot below:

The 'Customer experience' offered

It is important for a transactional website to make the entire online shopping experience pleasant, easy and trustworthy. From the moment a customer visits the website to the point after delivery of a purchase, the customer should be comfortable and at ease with the stages they have gone through. For most transactional websites there is a lot of background work to allow their system to run smoothly. This integrated system supports the customer from browsing to delivery. It is clear that with topshop.com there are many areas of customer care; some examples are:

  1. The ability to contact them
  2. Advice on how to look after your purchases, e.g. wash care
  3. The size guide service
  4. Good accessibility and well thought out solutions for disabled users
  5. A 'HELP' section that takes up a whole page of the website

Here is a lower toolbar shown at the foot of the page:

By clicking on 'Contact us' the customer is taken to a page where they can send an email to the company. They are asked for personal details so that Topshop can contact them back:

This is also a way of leaving feedback for Topshop to consider, if there are any improvements suggested by customers. One downside of contacting Topshop is that there is no contact number. Some customers may find this frustrating if they want an immediate response to their query.

The help section is available through a link that is shown on every page throughout the website, on the very top toolbar:

The customer is then taken to a page with help and advice for these five topics:
  1. Your delivery
  2. Delivery guide and costs
  3. Payment
  4. Returns
  5. Refunds.

The customer experience is enhanced by the easy navigation throughout the website.