Security Think Tank: Web-based app security needs data-centric, risk-based approach


Web-based applications give IT a new way of supporting the business, especially in small to medium-sized enterprises (SMEs). For large organisations with IT and information security departments, adopting these applications is best handled as an outsourcing or major procurement programme. An SME, however, may have neither the experience nor the people to do this.

When deciding how to benefit from these applications, there are several issues that must be addressed:

  • Access to the applications for your organisation, its suppliers and its customers. If you can’t connect, how can you benefit?
  • Logical and physical access to the application and the information associated with it. Who sees what and when?
  • Ownership. Once you start using the applications, and storing your information on the provider’s infrastructure, who actually owns the information?
  • Secure exit, termination and the secure transfer of information. When the contract ends – for whatever reason – can you get your information back or can it be transferred to another provider?

From an ISF perspective, we advise that any organisation thinking about using these applications should adopt an information-centric, risk-based approach, such as that described in the ISF Supply Chain Information Risk Assurance Process.

The key here is to understand what information is going to be used and stored in these web applications. Once your organisation knows what is being used and stored, the information security arrangements required to protect that information can be drawn up, as can the expected terms and conditions.

Recent research shows that the position on contracts is changing, as both buyers and providers have become more sophisticated and the services and applications on offer have become more differentiated. The key is to follow the information and the information risk, and to use them to set the information security arrangements agreed between the organisation and the supplier.

Adrian Davis is principal research analyst at the Information Security Forum (ISF)


This was first published in February 2013

