When an organization is concerned about protecting its e-commerce assets, it should have a security policy in place.

A security policy is a written statement describing which assets to protect and why they are being protected, who is responsible for that protection, and which behaviors are acceptable and which are not. The policy must address physical security, network security, access authorizations, virus protection, and disaster recovery. Both defense and commercial security guidelines state that organizations must protect assets from unauthorized disclosure, modification, or destruction.

The first step an organization must take in creating a security policy is to determine which assets to protect from which threats. For example, a company that stores its customers' credit card numbers might decide that those numbers are an asset that must be protected from eavesdroppers. The organization must then determine who should have access to the various parts of the system. Next, it determines what resources are available to protect the assets it has identified. Using the information it has acquired, the organization develops a written security policy.

Finally, the organization commits resources to building the software, hardware, and physical barriers that implement the security policy. A comprehensive plan for security should protect a system's privacy, integrity, and availability, and authenticate users:

* Secrecy: Prevent unauthorized persons from reading messages and business plans, obtaining credit card numbers, or deriving other confidential information.
* Integrity: Enclose information in a digital envelope so that the computer can automatically detect messages that have been altered in transit.
* Availability: Provide delivery assurance for each message segment so that messages or message segments cannot be lost undetectably.
* Key management: Provide secure distribution and management of the keys needed for secure communications.
* Nonrepudiation: Provide undeniable, end-to-end proof of each message's origin and recipient.
* Authentication: Securely identify clients and servers with digital signatures and certificates.