How You Develop a Security Plan

When configuring your B2C Service site, your goal is to achieve maximum effectiveness for your staff and your customers while ensuring that your site is safe from threats.

Although B2C Service is designed and implemented with the highest levels of security, we recognize that our customers’ needs vary. Therefore, we offer configuration options that let you accept various levels of risk. Your sensitivity to those risks should dictate the configuration and management options you use in your site.

Note: Never assume that your security system is foolproof. New attacks are designed every day, so you should expect that any weakness will eventually be exploited. Ongoing vigilance and process improvement are required to minimize risk.

Common Security Threats

Risks of using a web-facing software product like B2C Service to collect and store data include, but are not limited to:

  • Data leaks to unauthorized persons.
  • Attacks to subvert security measures.
  • Vandalism of the host site.
  • Attacks against site users.

Security Considerations

To start developing your security plan, we’ve compiled a list of questions and considerations that relate to the use of B2C Service. Your answers should help determine the content of your security plan. Here are some things to consider:

  • What type of data will you collect and store?
    • Is personal information such as name, address, telephone number, and email address collected?
    • Is medical or financial information collected and stored?
    • Are there required data security standards or certifications, such as HIPAA or PCI?
  • What methods will be used to obtain the data?
    • Does information come over the Internet or a private intranet?
    • Does information come from a voice-based system?
  • What is the access method for the data?
    • Are users required to provide credentials, such as a user name and password, or is data openly available?
  • What are the risks associated with compromised data?
    • What is the monetary cost?
    • What is the non-monetary cost, such as loss of reputation?
    • Are there legal ramifications?
  • Who are your user groups?
  • What authentication methods are available and which should be used for each type of user?
  • For each type of data, which types of users should have access and how should the authorization be accomplished?
  • What communication methods will be used and what efforts should be made to protect communication from being compromised?

While many resources are available to help you develop security policies and procedures, rely only on those you have judged to be reliable and trustworthy. If you want to read more about security, here are some suggestions:

  • "Writing Information Security Policies," by Scott Barman
  • "Information Security Policies and Procedures," by Thomas Peltier
  • Security Policy Templates—For information about security training and security certification
  • OWASP Foundation—A nonprofit organization focused on improving software security