CSSA targets security issues for ecommerce

Ecommerce companies will be told by their trade associations to take a more targeted approach to security.

The Computing Services and Software Association (CSSA) is working with the Alliance for Electronic Business to spearhead a programme that will allow companies to report security incidents anonymously for analysis by security experts.

The partnership, called the Ebusiness Trust and Confidence Initiative, held its first meeting last month.

Adverse publicity hinders investigation of security breaches, and the sharing of vital information can protect other users, said Tim Conway, director of industry affairs at the CSSA.

Graham Satchwell, a former Microsoft senior investigator and now director of corporate security at security consultant Dick Tracy, said security and analysis centres, where the breaches can be investigated, are central to the plan.

"You can have terrific secrets that need to be kept safe, but someone needs to access those secrets otherwise there is no point in keeping them. The area of sharing information and best practices is very much a core factor of the initiative," said Satchwell.

Users will have access to tailored guidelines for their industry sector based around the principles of the BS7799 security standard. The standard makes recommendations about internet connections, firewalls and encryption strength.

"It is the whole breadth of industry concerned with ecommerce that will benefit from this work, and it is an attempt to look at the BS7799 standard again for the benefit of those businesses concerned with ecommerce," said Satchwell.

"We'll be doing this by practical guidelines that will help businesses to cope sensibly with their own needs in relation to security," he added.

The proposals were discussed by representatives from the Department of Trade and Industry, the Confederation of British Industry, CMG Admiral, Microsoft, Unisys, Baltimore Technologies and the Post Office.

The group will meet again in January 2001, to comment on current proposals, before going out to vendors and users with particular concerns. From that point, Satchwell claims that the rollout of the initiative will begin.

First published in Computing