Guidelines for Confidence and Security in e-Business

Guidelines for the management of Trusted Third Party services used to facilitate secure e-business communications are contained in a new ISO technical report, ISO/TR 14516, Information Technology – Security Techniques – Guidelines for the Use and Management of Trusted Third Party Services. The document will enable businesses to identify the type and level of protection required from TTPs and how to use those services to gain customer confidence and increase e-business security.

“Concerns about the security of e-business expressed by those both in the business-to-consumer as well as business-to-business markets have seen a growth in security technologies,” said Ted Humphreys, convenor of the ISO working group that developed the report. “Emerging standards and technical reports, such as ISO/TR 14516, are aimed at helping to build a secure e-business environment that businesses can trust and rely on.”

A TTP is a body that provides one or more security services within IT systems such as time-stamping, key management, certificate management, electronic notary public and non-repudiation. These security services are supplied to organizations wishing to enhance trust and business confidence in e-business and to facilitate secure communications between trading partners.

ISO/TR 14516 provides guidance on the management, use, and deployment of TTP services and the establishment of a TTP security policy. It is designed to help users identify the type and level of protection required according to the type of service they provide and the context within which the business application is operating.

For example, the level of protection required for the authentication of administrative transactions may be different from that required for financial transactions, which may be different from that required in some healthcare applications.

The new technical report provides businesses with a security framework designed to establish assurance that transactions and messages are being delivered to the intended recipient, at the correct location, and that messages are received in a timely and accurate way. In case of any dispute that may arise, it also provides appropriate methods for the creation and delivery of the required evidence for proof of what happened.

According to Ted Humphreys, achieving adequate levels of business confidence in the use of e-business is paramount to ensure long-term success and trust in e-business. “Ensuring the right level of security is in place helps build this trust and protects from a range of risks that businesses are likely to face. Building confidence in e-business technologies and services will help businesses feel that e-business can be relied upon to maintain customer and trading partner commitments and contractual obligations.”

“Securing the e-business environment requires businesses to implement the right combination of technical controls and management guidance found in ISO/TR 14516 and in other security standards such as:

  • ISO/TR 13335, Information Technology – Guidelines for the Management of IT Security
  • ISO 17799, Information Technology – Code of Practice for Information Security Management.

Their implementation can bring us that much closer to establishing the right management infrastructure for trust in e-business.”