
Ans 01: a)

Management information system

A management information system (MIS) is a system that provides the information needed to manage organizations efficiently and effectively. Management information systems involve three primary resources: technology, information, and people. It is important to recognize that while all three resources are key components when studying management information systems, the most important resource is people. Management information systems are regarded as a subset of the overall internal control procedures in a business, which cover the application of people, documents, technologies, and procedures used by management accountants to solve business problems such as costing a product, a service or a business-wide strategy. Management information systems are distinct from regular information systems in that they are used to analyze the other information systems applied in the operational activities of the organization. Academically, the term is commonly used to refer to the group of information management methods tied to the automation or support of human decision making, e.g. decision support systems, expert systems, and executive information systems.

== Types of information management systems ==


There are many types of information management systems on the market that provide a wide range of benefits for companies.

* ''Transaction processing systems (TPS)'' collect and record the routine transactions of an organization. Examples of such systems are sales order entry, hotel reservations, payroll, employee record keeping, and shipping.
* ''Management information systems (MIS)'' produce fixed, regularly scheduled reports based on data extracted and summarized from the firm's underlying transaction processing systems (TPS) for middle and operational level managers, to provide answers to structured and semi-structured decision problems.
* ''Decision-support systems (DSS)'' are computer program applications used by middle management to compile information from a wide range of sources to solve problems and make decisions.
* ''Executive support systems (ESS)'' are reporting tools that provide quick access to summarized reports coming from all company levels and departments such as accounting, human resources and operations.

A comparison of different kinds of Information Systems


Using the four-level pyramid model above, we can now compare how the information systems in our model differ from each other.

1. Transaction Processing Systems


What is a Transaction Processing System? Transaction Processing Systems are operational-level systems at the bottom of the pyramid. They are usually operated directly by shop floor workers or front line staff, and they provide the key data required to support the management of operations. This data is usually obtained through the automated or semi-automated tracking of low-level activities and basic transactions.

Functions of a TPS
TPS are ultimately little more than simple data processing systems.

Functions of a TPS in terms of data processing requirements:
Inputs: Transactions, Events
Processing: Validation, Sorting, Listing, Merging, Updating, Calculation
Outputs: Lists, Detail reports, Action reports, Summary reports

Some examples of TPS: Payroll systems, Order processing systems, Reservation systems, Stock control systems, Systems for payments and funds transfers

The role of TPS:
- Produce information for other systems
- Cross boundaries (internal and external)
- Used by operational personnel and supervisory levels
- Efficiency oriented

2. Management Information Systems


What is a Management Information System? For historical reasons, many of the different types of Information Systems found in commercial organizations are referred to as "Management Information Systems". However, within our pyramid model, Management Information Systems are management-level systems that are used by middle managers to help ensure the smooth running of the organization in the short to medium term. The highly structured information provided by these systems allows managers to evaluate an organization's performance by comparing current with previous outputs.

Functions of a MIS
MIS are built on the data provided by the TPS.

Functions of a MIS in terms of data processing requirements:
Inputs: Internal Transactions, Internal Files, Structured data
Processing: Sorting, Merging, Summarizing
Outputs: Summary reports, Action reports, Detailed reports

Some examples of MIS: Sales management systems, Inventory control systems, Budgeting systems, Management Reporting Systems (MRS), Personnel (HRM) systems

The role of MIS:
- Based on internal information flows
- Support relatively structured decisions
- Inflexible and have little analytical capacity
- Used by lower and middle managerial levels
- Deal with the past and present rather than the future
- Efficiency oriented
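The TPS and MIS function tables above are easier to grasp when run as code. The following Python script is an added illustration, not part of the original answer: it takes constructed raw sales transactions through the TPS stages named in the text (validation, sorting, merging and updating against a master file, producing a detail list and an action report) and then has the MIS stage summarize those outputs into a per-product report. The product codes, stock levels, reorder thresholds and transaction records are all constructed sample data.

```python
"""Toy TPS -> MIS data-processing pipeline (added example, constructed data)."""
from collections import defaultdict

# Constructed master file: product code -> stock on hand and reorder level.
MASTER_FILE = {
    "P100": {"stock": 40, "reorder_level": 20},
    "P200": {"stock": 5, "reorder_level": 10},
    "P300": {"stock": 100, "reorder_level": 30},
}

# Constructed raw transaction events as captured by front-line staff.
# One record references an unknown product and one has a negative quantity,
# so the validation stage has something to reject.
RAW_TRANSACTIONS = [
    {"id": "T5", "product": "P100", "qty": 15, "unit_price": 2.50},
    {"id": "T2", "product": "P200", "qty": 3, "unit_price": 9.00},
    {"id": "T3", "product": "P999", "qty": 1, "unit_price": 1.00},   # unknown product
    {"id": "T1", "product": "P100", "qty": 10, "unit_price": 2.50},
    {"id": "T4", "product": "P300", "qty": -4, "unit_price": 4.00},  # invalid quantity
]


def validate(transactions, master):
    """TPS validation: accept well-formed sales of known products, list the rest."""
    required = {"id", "product", "qty", "unit_price"}
    accepted, rejected = [], []
    for t in transactions:
        if not required.issubset(t):
            rejected.append((t.get("id"), "missing field"))
        elif t["product"] not in master:
            rejected.append((t["id"], "unknown product"))
        elif not isinstance(t["qty"], int) or t["qty"] <= 0:
            rejected.append((t["id"], "invalid quantity"))
        else:
            accepted.append(t)
    return accepted, rejected


def sort_transactions(transactions):
    """TPS sorting: order by product then id so the merge pass is sequential."""
    return sorted(transactions, key=lambda t: (t["product"], t["id"]))


def merge_and_update(transactions, master):
    """TPS merge/update: post each sale to a copy of the master file.

    Returns the updated master and a detail report (one line per posted sale).
    The original master file is left untouched.
    """
    updated = {code: dict(rec) for code, rec in master.items()}
    detail = []
    for t in transactions:
        rec = updated[t["product"]]
        rec["stock"] -= t["qty"]
        value = round(t["qty"] * t["unit_price"], 2)
        detail.append((t["id"], t["product"], t["qty"], value))
    return updated, detail


def action_report(updated_master):
    """TPS action report: products now at or below their reorder level."""
    return sorted(code for code, rec in updated_master.items()
                  if rec["stock"] <= rec["reorder_level"])


def mis_summary(detail):
    """MIS summarizing: aggregate TPS detail lines into per-product totals."""
    totals = defaultdict(lambda: {"units": 0, "revenue": 0.0})
    for _, product, qty, value in detail:
        totals[product]["units"] += qty
        totals[product]["revenue"] = round(totals[product]["revenue"] + value, 2)
    return dict(totals)


def run_pipeline(raw=RAW_TRANSACTIONS, master=MASTER_FILE):
    """Run the TPS stages, then the MIS summary; return every intermediate output."""
    accepted, rejected = validate(raw, master)
    ordered = sort_transactions(accepted)
    updated, detail = merge_and_update(ordered, master)
    return {
        "rejected": rejected,
        "detail_report": detail,
        "action_report": action_report(updated),
        "summary_report": mis_summary(detail),
        "updated_master": updated,
    }


if __name__ == "__main__":
    for name, value in run_pipeline().items():
        print(f"{name}: {value}")
```

The rejected list is the TPS "listing" output that operational staff act on, the action report flags the reorder decisions a supervisor handles, and the summary report is the fixed, structured view a middle manager receives from the MIS; none of the stages looks beyond the transactions already recorded, which is the "past and present" orientation the text ascribes to both systems.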

3. Decision Support Systems


What is a Decision Support System? A Decision Support System can be seen as a knowledge-based system, used by senior managers, which facilitates the creation of knowledge and allows its integration into the organization. These systems are often used to analyze existing structured information and allow managers to project the potential effects of their decisions into the future. Such systems are usually interactive and are used to solve ill-structured problems. They offer access to databases and analytical tools, allow "what if" simulations, and may support the exchange of information within the organization.

Functions of a DSS
DSS manipulate and build upon the information from a MIS and/or TPS to generate insights and new information.

Functions of a DSS in terms of data processing requirements:
Inputs: Internal Transactions, Internal Files, External Information
Processing: Modeling, Simulation, Analysis, Summarizing
Outputs: Summary reports, Forecasts, Graphs / Plots

Some examples of DSS: Group Decision Support Systems (GDSS), Computer Supported Co-operative Work (CSCW), Logistics systems, Financial Planning systems, Spreadsheet Models

The role of DSS:
- Support ill-structured or semi-structured decisions
- Have analytical and/or modeling capacity
- Used by more senior managerial levels
- Concerned with predicting the future
- Effectiveness oriented

4. Executive Information Systems


What is an EIS? Executive Information Systems are strategic-level information systems that are found at the top of the pyramid. They help executives and senior managers analyze the environment in which the organization operates, identify long-term trends, and plan appropriate courses of action. The information in such systems is often weakly structured and comes from both internal and external sources. Executive Information Systems are designed to be operated directly by executives without the need for intermediaries, and are easily tailored to the preferences of the individual using them.

Functions of an EIS
EIS organize and present data and information from both external data sources and internal MIS or TPS in order to support and extend the inherent capabilities of senior executives.

Functions of an EIS in terms of data processing requirements:
Inputs: External Data, Internal Files, Pre-defined models
Processing: Summarizing, Simulation, "Drilling Down"
Outputs: Summary reports, Forecasts, Graphs / Plots

Some examples of EIS: Executive Information Systems tend to be highly individualized and are often custom made for a particular client group; however, a number of off-the-shelf EIS packages do exist and many enterprise-level systems offer a customizable EIS module.

The role of EIS:
- Concerned with ease of use
- Concerned with predicting the future
- Effectiveness oriented
- Highly flexible
- Support unstructured decisions
- Use internal and external data sources
- Used only at the most senior management levels

Ans 01:
b)
The International Dimension:
International dimensions have become a vital part of managing a business enterprise in the internetworked global economies and markets of today. Properly designed and managed information systems using appropriate information technologies are a key ingredient in international business, providing vital information resources needed to support business activities in global markets.

Managing Global IT

Global IT Management: The major dimensions of the job of managing global information technology include:
- E-Business/IT strategies
- E-Business application portfolios
- Internet-based technology platforms
- Data resource management
- Systems development

All global IT activities must be adjusted to take into account the cultural, political, and geo-economic challenges that exist in the international business community. Developing appropriate e-business and IT strategies for the global marketplace should be the first step in global e-business technology management. Once that is done, end user and IS managers can move on to developing:
- The portfolio of applications needed to support e-business/IT strategies
- The hardware, software, and Internet-based technology platforms to support those applications
- The data resource management methods to provide the necessary databases
- The systems development projects that will produce the global information systems required

Cultural, Political, and Geo-economic Challenges: Global IT management does not exist in a vacuum. Global IT management must focus on developing global business IT strategies and managing global e-business application portfolios, Internet technologies and platforms, databases, and systems development projects. Managers must also take into account the cultural, political, and geographic differences that exist when doing business internationally.

Political Challenges: Political challenges facing global business and IT managers include:
1. Many countries have rules regulating or prohibiting the transfer of data across their national boundaries (transborder data flows), especially information such as personnel records.
2. Restrictions, taxes, or prohibitions on imports of hardware and software.
3. Local content laws that specify the portion of the value of a product that must be added in that country if it is to be sold there.
4. Reciprocal trade agreements that require a business to spend part of the revenue it earns in a country in that nation's economy.

Geo-economic Challenges: Geo-economic challenges in global business and IT refer to the effects of geography on the economic realities of international business activities. These challenges include:
1. The physical distances involved are still a major problem.
2. The world's 24 time zones contribute to communication problems.
3. Lack of telecommunications capabilities in some countries.
4. Lack of specialized job skills in some countries, or the difficulty of enticing specialists from other countries to live and work there.
5. Cost of living and labor costs in various countries.

Cultural Challenges: Cultural challenges facing global business and IT managers include:
1. Differences in languages, cultural interests, religions, customs, social attitudes, and political philosophies.
2. Differences in work styles and business relationships.

Global Business/IT Strategies


Many firms are moving toward transnational strategies in which they integrate their global e-business activities through close cooperation and interdependence between their international subsidiaries and their corporate headquarters. Businesses are moving away from:
- Multinational strategies, where foreign subsidiaries operate autonomously.
- International strategies, in which foreign subsidiaries are autonomous but are dependent on headquarters for new processes, products, and ideas.
- Global strategies, where a company's worldwide operations are closely managed by corporate headquarters.

In a transnational approach, a business depends heavily on its information systems and appropriate information technologies to help it integrate its global business activities. A transnational business tries to develop an integrated and cooperative worldwide hardware, software, and telecommunications architecture for its IT platform.

Global Business/IT Applications:

The applications of information technology developed by global companies depend on their e-business and IT strategies and their expertise and experience in IT. However, their IT applications also depend on a variety of global business drivers, that is, business requirements caused by the nature of the industry and its competitive or environmental forces. Examples include airlines and hotel chains with global customers, that is, customers who travel widely or have global operations. Such companies need global e-business capabilities for online transaction processing so they can provide fast, convenient service to their customers or face losing them to their competitors. The economies of scale provided by global e-business operations are another business driver that requires the support of global IT applications.

Global IT Platforms:
The management of technology platforms (also called the technology infrastructure) is another major dimension of global IT management. Technology platforms required to support a global business operation must consider:
- Hardware
- Software
- Data resources
- Internet, intranet, extranet sites
- Computing facilities that support global e-business operations

The Internet as a Global IT Platform: By connecting their businesses to this online global infrastructure, companies can:
- Expand their markets
- Reduce communications and distribution costs
- Improve their profit margins without massive cost outlays for new telecommunication facilities

The Internet, along with its related intranet and extranet technologies, provides a low-cost interactive channel for communications and data exchange with employees, customers, suppliers, distributors, manufacturers, product developers, financial backers, information providers, and so on.

Global Systems Development: Reaching agreement on systems requirements is always difficult, but it becomes many times more difficult when the users and developers are in different countries. Some of these issues involve:
- Conflicts over local versus global system requirements, and difficulties in agreeing on common features such as multilingual user interfaces and flexible design standards.
- Agreements on global systems must take place in an environment that promotes involvement in and ownership of a system by local end users.
- Disturbances can arise from systems implementation and maintenance activities.
- Trade-offs must be made between developing one system that can run on multiple computer and operating platforms and letting each local site customize the software for its own platform.

Ans 02: The Systems Development Cycle


The Systems Development Life Cycle (SDLC) is a conceptual model used in project management that describes the stages involved in an information system development project, from an initial feasibility study through maintenance of the completed application. Various SDLC methodologies have been developed to guide the processes involved, including the waterfall model (the original SDLC method), rapid application development (RAD), joint application development (JAD), the fountain model and the spiral model. Mostly, several models are combined into some sort of hybrid methodology. Documentation is crucial regardless of the type of model chosen or devised for any application, and is usually done in parallel with the development process. Some methods work better for specific types of projects, but in the final analysis, the most important factor for the success of a project may be how closely a particular plan was followed. The image below is the classic Waterfall model methodology, which is the first SDLC method, and it describes the various phases involved in development.

Briefly on the different phases:

Feasibility
The feasibility study is used to determine if the project should get the go-ahead. If the project is to proceed, the feasibility study will produce a project plan and budget estimates for the future stages of development.

Requirement Analysis and Design
Analysis gathers the requirements for the system. This stage includes a detailed study of the business needs of the organization. Options for changing the business process may be considered. Design focuses on high-level design (what programs are needed and how they are going to interact), low-level design (how the individual programs are going to work), interface design (what the interfaces are going to look like) and data design (what data will be required). During these phases, the software's overall structure is defined. Analysis and Design are very crucial in the whole development cycle. Any glitch in the design phase could be very expensive to solve in a later stage of the software development, so much care is taken during this phase. The logical system of the product is developed in this phase.

Implementation
In this phase the designs are translated into code. Computer programs are written using a conventional programming language or an application generator. Programming tools like compilers, interpreters, and debuggers are used to generate the code. Different high-level programming languages like C, C++, Pascal, and Java are used for coding. The right programming language is chosen with respect to the type of application.

Testing
In this phase the system is tested. Normally programs are written as a series of individual modules, each of which is subject to separate and detailed testing. The system is then tested as a whole: the separate modules are brought together and tested as a complete system. The system is tested to ensure that the interfaces between modules work (integration testing), that the system works on the intended platform and with the expected volume of data (volume testing), and that the system does what the user requires (acceptance/beta testing).

Maintenance
Inevitably the system will need maintenance. Software will definitely undergo change once it is delivered to the customer. There are many reasons for the change. Change could happen because of some unexpected input values into the system. In addition, the changes in the system could directly affect the software operations. The software should be developed to accommodate changes that could happen during the post implementation period.

Case Study

Chrysalis Solutions, Inc


Chrysalis Solutions, Inc. is an Information Technology Services company dedicated to delivering effective Business Solutions to our clients. We provide a variety of Business Solutions and IT Services, specialized in Database Administration, Data Architecture, Data Modeling, Database Design and Development, Application Development, Web Design and Development, Maintenance and Support, Project Management, Systems Development Life Cycle, and Business/Systems Analysis. We collaborate with our clients to solve their technical challenges and meet their resource needs in a flexible manner. Our services focus on our clients' needs and requirements, and are driven by our clients' Business Goals, through Strategic Planning, efficient Development and Integration, and responsible and responsive Maintenance and Support.

Systems Development Life Cycle - Waterfall Model


We deliver our products and services and our clients' systems using the Waterfall model of the Systems Development Life Cycle (SDLC). Typically the full Waterfall cycle involves the following phases: Initiation and Planning, Requirements Gathering and Systems Analysis, Systems Design, Implementation, Integration and Testing, Acceptance and Deployment, and Maintenance.
- Initiation and Planning: Establishes a high-level view of the intended project and determines its goals.
- Requirements Gathering and Systems Analysis: Refines project goals into defined functions and operations of the intended application. Analyzes end-user information needs.
- Systems Design: Describes desired features and operations in detail, including screen layouts, business rules, process diagrams, pseudo code and other documentation.
- Implementation: The real code is written here.
- Integration and Testing: Brings all the pieces together into a special testing environment, then checks for errors, bugs and interoperability.
- Acceptance and Deployment: The final stage of initial development, where the system is put into production and runs actual business.
- Maintenance: What happens during the rest of the system's life: changes, corrections, additions, moves to a different computing platform and more. This goes on seemingly forever.

Systems Development Life Cycle - Agile Model


An Agile model of SDLC often works best in a fast-paced, frequently changing and improving environment. The core focus is on being iterative and collaborative. The high-level agile life cycle is as follows:
- Iteration -1: Select the project (pre-project planning).
- Iteration 0 (Warm Up): Initiate the project.
- Construction Iterations: During the Construction Iterations, we deliver a high-quality working system which meets the changing needs of our clients.
- Release Iterations (End Game): During the Release Iterations, also known as the "end game", we transition the system into production.
- Production: The goal of the Production Phase is to keep systems useful and productive after they have been deployed.
- Retirement: The goal of the Retirement Phase is the removal of a system release from production, and occasionally even the complete system itself, an activity also known as system decommissioning or system sunsetting.

Rapid Application Development


When our clients require faster development and delivery of their systems, we also have experience with the Rapid Application Development (RAD) methodology. Instead of the full SDLC cycle, RAD focuses on building applications in a very short amount of time, traditionally with compromises in usability, features and/or execution speed. The full lifecycle stages of RAD we typically use include Requirements Planning, User Design, Construction and Implementation. Typical Pre- and Post-Project Activities are also described.
- Pre-Project Activities: As with any project it is vital to identify the details of the project in some form of document such as a Project Management Plan (PMP). Some details are determined and approved by our clients at this stage, such as strategies, development schedule, deliverables, standards, tools and technologies to be used, desired end result, and financial considerations including budget and cost of tools.
- Requirements Planning: Also known as the Concept Definition Stage, this stage defines the business functions and data subject areas that the system will support and determines the system's scope.
- User Design: Also known as the Functional Design Stage, this stage models the system's data and processes and builds a working prototype of critical system components.
- Construction: Also known as the Development Stage, this stage completes the construction of the physical application system, builds the conversion system, and develops user aids and implementation work plans.
- Implementation: Also known as the Deployment Stage, this stage includes final user testing and training, data conversion, and the implementation of the application system.
- Post-Project Activities: Final deliverables are handed over to our clients and activities are performed that will benefit future projects. Specifically, it is our best practice to review and document project metrics and to organize and store project assets such as reusable code components, the Project Management Plan, User Design Specs and the User Manual.

Strengths and Weaknesses of SDLC

Strengths:
- Control.
- Monitors large projects.
- Detailed steps.
- Evaluates costs and completion targets.
- Documentation.
- Well defined user input.
- Ease of maintenance.
- Development and design standards.
- Tolerates changes in MIS staffing.

Weaknesses:
- Increased development time.
- Increased development cost.
- Systems must be defined up front.
- Rigidity.
- Hard to estimate costs; project overruns.
- User input is sometimes limited.

Ans 03(a): STORAGE DEVICES


Storage devices are broadly classified into primary storage and secondary storage. Secondary storage is also known as peripheral storage, and is used to store information that the computer is not currently using. Secondary storage is typically slower and of higher capacity than primary storage. Secondary storage is almost always non-volatile. Secondary storage is slow because of its serial access.

PRIMARY STORAGE:
The term "primary storage" is sometimes used to refer to local random access disk storage, which is properly called secondary storage. If this type of storage is called primary storage, then the term secondary storage would refer to offline storage. This usually occurs in the slower, larger forms of storage, for which vendors have developed secure device management services, authentication services, and encryption for data. There are software- and application-based solutions; however, software-based encryption solutions can impact performance during the storage process. Vendors also provide hardware-based solutions, which are appliances that provide authentication to protect the data. These devices take into account the different requirements of securing data on primary or secondary storage. Primary storage has different performance and access specifications from the tape environment, and encrypting to tape would require integration with backup schemas, unlike primary storage scenarios.

Types of Primary Storage:


Primary storage or the commonly referred Random Access Memory is the memory which is directly accessible to the CPU. The CPU constantly reads instructions from this memory. The capacity of RAM in terms of data storage is less, but it offers a very fast access rate, thus making it pretty expensive. Primary storage also consists of processor registers and processor cache.

Processor Registers: Processor registers, located within the CPU, are used to load instructions for execution by the CPU. Registers hold a data word of 32 or 64 bits. They are the fastest means of data storage, but they are capable of storing only a very small amount of data.

Processor Cache: Processor cache is the part of RAM that is used for speeding up execution. It copies the most frequently used data from the main memory and stores it. When the CPU needs a particular data item, it can simply access the cache memory, which is located close by, instead of accessing the much slower main memory.

Though primary storage allows faster access, it is highly volatile in nature, which means it is cleared during booting. To handle this, a small bootstrap program (BIOS) is implemented. The BIOS loads the booting instructions from non-volatile memory and executes them to boot RAM. The problem of volatility can be avoided using Read Only Memory (ROM). Though ROM retains the program instructions, it does not allow them to be added to or changed.

SECONDARY STORAGE:
Secondary storage raises the question of securing data across media types and storage categories, as data is vulnerable to network attacks, administrative access and media theft. Many organizations work with third parties and run disaster recovery efforts. Often data goes offsite and is in the hands of employees who are not authorized to see critical company data, and storage consolidation opens the door to greater administrative access. All of these trends drive the need to ensure that data at rest is secure.

Types of Secondary Storage:


Secondary storage is commonly referred to as the hard disk. It is non-volatile storage and is capable of storing large amounts of data. The term 'secondary' refers to the inability of the CPU to access it directly. The data in secondary storage is accessed by the CPU through intermediary devices like the processor cache. The computer uses its secondary storage via the various input/output channels. As secondary storage is non-volatile, it is used for safe or offline storage of data. The data in secondary memory is organized into files, directories and drives. The drives are periodically formatted to provide the abstraction required by the file system. The commonly used secondary storage devices include flash drives, USB sticks, punch cards, floppy disks, CDs, magnetic tapes etc. Though secondary storage provides very slow access, it is much cheaper than primary storage and is capable of storing much larger volumes of data. Modern computer operating systems implement virtual memory to efficiently use the available space in primary memory. As for secondary memory, it is still an important medium for storing data and recovering it in times of crisis.

However, the nature of the data located on primary storage dictates certain specifications for encryption appliances. First, let's look at data located on primary storage arrays. Primary data is critical to the operation of the organization on a daily basis. Primary storage often contains current financial, customer, design, process or transactional information. The data must be highly available and access should be immediate, with minimal latency, particularly in transactional database environments. Many applications do not work effectively if there is excessive latency in the data path. An encryption appliance for primary storage would need to address all of these issues. Performance would be critical; the appliance cannot introduce any latency into the data path. The appliance itself would also need to be extremely secure and transparent to the network, providing levels of authentication for access to the device itself. Unauthorized users should not be able to access the encryption keys or change the configuration of the device, including its policies and administration permissions. Thus, both primary and secondary storage play a vital part in maintaining the system's storage.

DIFFERENCE BETWEEN PRIMARY AND SECONDARY STORAGE DEVICES: PRIMARY STORAGE


1. Two classifications of primary storage with which you should become familiar are read-only memory (ROM) and random-access memory (RAM).
2. READ-ONLY MEMORY (ROM). In computers, it is useful to have instructions that are used often permanently stored inside the computer. ROM enables us to do this without losing the programs and data when the computer is powered down. Only the computer manufacturer can provide these programs in ROM; once done, you cannot change it. Consequently, you cannot put any of your own data or programs in ROM. Many complex functions, such as translators for high-level languages and operating systems, are placed in ROM memory.
3. Since these instructions are hardwired, they can be performed quickly and accurately. Another advantage of ROM is that your imaging facility can order programs tailored for its specific needs and have them installed permanently in ROM. Such programs are called microprograms or firmware.
4. RANDOM-ACCESS MEMORY (RAM). RAM is another type of memory found inside computers. It may be compared to a chalkboard on which you can scribble down notes, read them, and erase them when finished. In the computer, RAM is the working memory. Data can be read (retrieved) from or written (stored) in RAM by providing the computer with the address location where the data is stored or where you want it to be stored. When the data is no longer required, you may simply write over it. Thus you can use the storage location again for something else.

SECONDARY STORAGE

1. Secondary storage, or auxiliary storage, is memory external to the main body of the computer (CPU) where programs and data can be stored for future use. When the computer is ready to use these programs, the data is read into primary storage. Secondary storage media extend the storage capabilities of the computer system. Secondary storage is required for two reasons. First, the working memory of the CPU is limited in size and cannot always hold the amount of data required. Second, data and programs in secondary storage do not disappear when the power is turned off. Secondary storage is nonvolatile memory; this information is lost only when you erase it. Magnetic disks are the most common type of secondary storage. They may be either floppy disks or hard disks (hard drives).

PERIPHERAL DEVICES

1. Peripheral devices include all the input and output devices used with a computer system. When these devices are under the control of the CPU, they are said to be on line. When they perform their function independently, not under direct control of the CPU, they are said to be off line. The following peripheral devices are commonly used for input and output. Those that perform only input are marked (I), those that perform only output are marked (O), and those that perform both input and output are marked (I/O).

OPTICAL CHARACTER READER (I)

1. An optical character reader reads printed data (characters) and translates it to machine code.

KEYBOARD (I)

1. The keyboard is used by a computer operator to communicate with a computer system.

Ans 03(b):

Office Automation
The term office automation refers to all tools and methods that are applied to office activities which make it possible to process written, visual, and sound data in a computer-aided manner. Office automation is intended to provide elements which make it possible to simplify, improve, and automate the organization of the activities of a company or a group of people (management of administrative data, synchronization of meetings, etc.). Considering that company organizations require increased communication, today office automation is no longer limited to simply capturing handwritten notes. In particular, it also includes the following activities:

exchange of information
management of administrative documents
handling of numerical data
meeting planning and management of work schedules

Office suite tools:


The term "office suite" refers to all software programs which make it possible to meet office needs. In particular, an office suite therefore includes the following software programs:

word processing
a spreadsheet
a presentation tool
a database
a scheduler

The main office suites are:

AppleWorks
Corel WordPerfect
IBM/Lotus SmartSuite
Microsoft Office
Sun StarOffice
OpenOffice (freeware)

1. Word Processing Software: Writer is a fully functional word processing program and desktop publishing software that is suitable for business use. It has all the features that you would expect to see in a professional word processor, for example formatting, application of styles, spell checking, auto-completion, and many more. It is easy enough to use for a beginner to write a quick memo and powerful enough for an author to write a complete book. Replacement for: Microsoft Word

2. Spreadsheet Software: Calc is a spreadsheet program that is intuitive and easy to learn but yet has a full set of numerical data analysis tools. This spreadsheet package is powerful enough to allow you to complete your numerical tasks quickly and efficiently. Replacement for: Microsoft Excel

3. Presentation Software: Impress is an outstanding presentation software package that allows you to create presentations that will deliver your message in a clear and exciting way to your audience. The tools that Impress provides will help you create simple presentations in a minimal amount of time, and yet it is sophisticated enough to create the most complex and stunning presentations that you can imagine. Replacement for: Microsoft PowerPoint

4. Database Software: Base provides you with all the power of a fully functional database program. You can define tables, forms, queries and reports to match the special data processing needs of your business. To help you create your database programs most efficiently, Base provides easy-to-use wizards to speed the development process. Replacement for: Microsoft Access

5. Graphics and Design Software: Draw allows you to draw anything from a quick sketch to a complicated set of plans, to layouts and even organizational charts. You can then manipulate the objects on the screen to create realistic images and graphics to represent your ideas in a clear and concise way.

Ans 04(a): Importance of Computer Networking


Employees in a business come into the company already capable of interacting with each other to share information and create new projects. They are connected in a network of speech. In nearly every business those same employees are using computers. Each of those computers is used to perform the employee's job, so wouldn't it make sense that they too communicate like their users? Many businesses are starting to agree, by networking all company computers in local area networks, or LANs. In this arrangement each computer can connect to the others, increasing the interaction capability of the entire business. The basic need for most computers to interact in a business is to share files. It's true this can be done with email, but there is always the issue of a file being saved on the computer of someone who is absent. With a network, any employee can retrieve the same files when needed. And when networked, large projects are much easier to transfer than through email alone. It is also a better medium for collaboration, as employees can pass files back and forth, as well as brainstorm, much more efficiently in an open setting in which additional workers can make suggestions. Additionally, computer networks can be outfitted with remote access so employees can grab and share files from outside of the office, such as on their home computers or smartphones. It is an ideal system for businesses with employees that need to travel and still access information when needed. Employing a network can in some cases save money for a business in equipment costs as well. Take printers, for example: instead of purchasing multiple printers for various groups, a single high-end printer can be linked to the computer network and used by all. A successful business is an organized business, and with a networking system each employee can stay organized by staying on the same page. Employees can share project schedules directly across the network and make changes appropriately.
A network is two or more computers connected together to share information and files between them. Businesses aren't the only ones that can benefit from creating a network. Home users can enjoy sharing music, movies and printers from any computer.

File Sharing

Computers connected to a network can share files and documents with each other. Personal computers connected to a business network can choose which files and folders are available to share on the network.

Printers

Computers can print pages to another computer with a printer on the network. Additionally, printers can be connected using a print server, which allows direct printing from all computers.

Sharing Media

Sharing media between computers is easy when connected to a network. Like file sharing, computers can stream music, videos and movies from one computer to the next.

Media Center Server

A media center server can store your entire entertainment library on a centralized hub to give quick access to your media from every computer on your network.

Local Area Network (LAN)


A LAN system allows employees in the same company to connect with each other's computers. A LAN also allows effective communication with others within your corporation or business. In addition, you can share information and data and perform transactions within the same business location. Benefits of an intranet are: centralization of data, effective dispersion of data, greater communication and response, efficient sharing of computer applications, greater analytical capabilities of data, and reduction of cost in operations.

Wide Area Network (WAN)


A communications network that covers a wide geographic area, such as a state or country. WANs are increasingly being used to expand the capabilities of corporate LAN systems. The Internet is essentially a worldwide WAN where computers are connected locally to other computers but also connected to other computers beyond the immediate area.

Internet
What is the Internet and why is it important to my business? The Internet is made up of more than 65 million computers in more than 100 countries covering commercial, academic and government endeavors. Originally developed for the U.S. military, the Internet became widely used for academic and commercial research. Users had access to unpublished data and journals on a huge variety of subjects. Today, the Internet has become commercialized into a worldwide information highway, providing information on every subject known to humankind. Start-up costs range from virtually free to millions of dollars. It costs virtually nothing to develop a web page promoting your products and place it online if you have the requisite skills and access to an inexpensive host. According to Internet.com, a major source of e-commerce news and information, medium- to large-size corporations spend an average of one million dollars to develop and implement their corporate e-commerce sites. Somewhere between these two numbers is where you will find yourself. That is why business planning for electronic commerce is so important.

Ans 04(b): Internet:


A worldwide network of networks. It is also the network of networks that connects millions of computers (called hosts). The Internet is the virtual space in which users send and receive email, log in to remote computers (telnet), browse databases of information (gopher, World Wide Web, WAIS), and send and receive programs (ftp) contained on these computers.

Tim Berners-Lee
Tim Berners-Lee led the development of the World Wide Web (with help, of course), the definition of HTML (HyperText Markup Language) used to create web pages, HTTP (HyperText Transfer Protocol) and URLs (Universal Resource Locators). All of those developments took place between 1989 and 1991. Tim Berners-Lee was born in London, England and graduated in Physics from Oxford University in 1976. He is currently the Director of the World Wide Web Consortium, the group that sets technical standards for the Web. Besides Tim Berners-Lee, Vinton Cerf is also named as a father of the Internet. Ten years out of high school, Vinton Cerf began co-designing and co-developing the protocols and structure of what became the Internet.

HTML (hypertext markup language)
Vannevar Bush first proposed the basics of hypertext in 1945. Tim Berners-Lee invented the World Wide Web, HTML (hypertext markup language), HTTP (Hypertext Transfer Protocol) and URLs (Universal Resource Locators) in 1990. Tim Berners-Lee was the primary author of HTML, assisted by his colleagues at CERN, an international scientific organization based in Geneva, Switzerland.

Advantages of the Internet


The Internet provides opportunities galore, and can be used for a variety of things. Some of the things that you can do via the Internet are:

E-mail: E-mail is an online correspondence system. With e-mail you can send and receive an instant electronic message, which works like writing letters. Your messages are delivered instantly to people anywhere in the world, unlike traditional mail, which takes a lot of time.

Access Information: The Internet is a virtual treasure trove of information. Any kind of information on any topic under the sun is available on the Internet. The search engines on the Internet can help you to find data on any subject that you need.

Shopping: Along with getting information on the Internet, you can also shop online. There are many online stores and sites that can be used to look for products as well as buy them using your credit card. You do not need to leave your house and can do all your shopping from the convenience of your home.

Online Chat: There are many chat rooms on the web that can be accessed to meet new people, make new friends, as well as to stay in touch with old friends.

Downloading Software: This is one of the most popular and fun things to do via the Internet. You can download innumerable games, music, videos, movies, and a host of other entertainment software from the Internet, most of which are free.

Disadvantages of the Internet


There are certain cons and dangers relating to the use of Internet that can be summarized as:

Personal Information: If you use the Internet, your personal information such as your name, address, etc. can be accessed by other people. If you use a credit card to shop online, then your credit card information can also be stolen, which could be akin to giving someone a blank check.

Pornography: This is a very serious issue concerning the Internet, especially when it comes to young children. There are thousands of pornographic sites on the Internet that can be easily found and can be a detriment to letting children use the Internet.

Spamming: This refers to sending unsolicited e-mails in bulk, which serve no purpose and unnecessarily clog up the entire system.

Uses of Internet
The Internet is a computer-based global information system. It is composed of many interconnected computer networks. Each network may link thousands of computers, enabling them to share information. The Internet has brought a transformation in many aspects of life. It is one of the biggest contributors in making the world into a global village. Use of the Internet has grown tremendously since it was introduced, mostly because of its flexibility. Nowadays one can access the Internet easily. Most people have computers in their homes, but even those who don't can always go to cyber cafes where this service is provided. The Internet developed from a network called the ARPANET which the U.S. military had developed. It was restricted to military personnel and the people who developed it. Only after it was privatized was it allowed to be used commercially. The Internet has developed to give many benefits to mankind, access to information being one of the most important. Students can now have access to libraries around the world. Some charge a fee, but most provide free services. Previously, students had to spend hours and hours in libraries, but now, at the touch of a button, students have a huge database in front of them.

Internet Structure:
The internet is a world-wide network of computers linked together by telephone wires, satellite links and other means. For simplicity's sake we will say that all computers on the internet can be divided into two categories: servers and browsers.

Servers are where most of the information on the internet "lives". These are specialized computers which store information, share information with other servers, and make this information available to the general public.

Browsers are what people use to access the World Wide Web from any standard computer. Chances are, the browser you're using to view this page is either Netscape Navigator/Communicator or Microsoft Internet Explorer. These are by far the most popular browsers, but there are also a number of others in common use. When you connect your computer to the internet, you are connecting to a special type of server which is provided and operated by your Internet Service Provider (ISP). The job of this "ISP Server" is to provide the link between your browser and the rest of the internet. A single ISP server handles the internet connections of many individual browsers; there may be thousands of other people connected to the same server that you are connected to right now. The following picture shows a small "slice" of the internet with several home computers connected to a server.

ISP servers receive requests from browsers to view web pages, check email, etc. Of course, each server can't hold all the information from the entire internet, so in order to provide browsers with the pages and files they ask for, ISP servers must connect to other internet servers. This brings us to the next common type of server: the "Host Server". Host servers are where websites "live". Every website in the world is located on a host server somewhere (for example, MediaCollege.Com is hosted on a server in Parsippany, New Jersey, USA). The host server's job is to store information and make it available to other servers. The picture below shows a slightly larger slice of the internet.

To view a web page from your browser, the following sequence happens:

1. You either type an address (URL) into your "Address Bar" or click on a hyperlink.
2. Your browser sends a request to your ISP server asking for the page.
3. Your ISP server looks in a huge database of internet addresses and finds the exact host server which houses the website in question, then sends that host server a request for the page.
4. The host server sends the requested page to your ISP server. Your ISP sends the page to your browser and you see it displayed on your screen.

Ans 05(a): Database Play Significant Role in E Business


A database can help you find pertinent information quite quickly. If you are a virtual company like ours, you may be asked by clients to hire for their brick-and-mortar offices. Having a database of qualified applicants can be of great assistance in the hiring process. You can run queries to find information regarding your clients, products, services, etc. from an expertly created database. It's basically a must-have for a small business, especially as you begin to grow, as you can aggregate data very quickly and help your customers and clients utilize that data as well.

E-business being at an early stage, as evidenced by the research, not more than thirty percent of customers have re-evaluated, or will re-evaluate, their database when developing web-enabled applications to run their electronic business. Most American companies have started to implement their electronic business strategy in practice. This 30% figure represents the forward-thinking people of America who have recognized the threat and the opportunity of the e-business program and are making certain that their infrastructures, including the customer database, are up to the unavoidable task. Indeed, if we look at individual countries within the research that show signs of being more advanced in terms of e-business, we do not see higher proportions who re-evaluate their user database within this context. Consequently, we predict that as companies move up the e-business curve, they will be looking at their primary database technology to confirm that it meets the needs of global users. Of those who are actively evaluating their primary database programs and have determined their next action, more than forty percent have decided to change their database programs due to incompatibilities with electronic commerce. Besides electronic commerce, people in the modern era are changing their attitude in order to take advantage of the many new features included in new database versions. These new trends strongly suggest that companies have found traditional database solutions to be less than satisfactory in the 'e' world. The main reasons for database programs to change are that a higher level of integration is demanded, applications need to be developed more rapidly, and those applications need to work faster in the field of e-business and to be able to work in the e-business environment. For any organization wishing to offer an E-DBMS, these are the factors to emphasize.

When asked if their current database supplier was using technology that was optimized for web applications, the majority of people had no exact knowledge of which database is the most useful for e-business. Many organizations and companies keep faith in their database vendor, which is not the ultimate solution for getting a database that is fully compatible with the modern e-business world.

Ans 05(a): E-Commerce


E-Commerce refers to the exchange of goods and services over the Internet. All major retail brands have an online presence, and many brands have no associated bricks and mortar presence. However, eCommerce also applies to business to business transactions, for example, between manufacturers and suppliers or distributors. In the online retail space, there are a number of models that retailers can adopt. Traditionally, the Web presence has been kept distinct from the bricks and mortar presence, so transactions were limited to buying online and delivering the goods or services. The online presence is also important for researching a product that a customer can purchase later in the store. Recently, there has been a trend towards multichannel retail, allowing new models such as purchasing online and picking up in store. E-Commerce systems are also relevant for the services industry. For example, online banking and brokerage services allow customers to retrieve bank statements online, transfer funds, pay credit card bills, apply for and receive approval for a new mortgage, buy and sell securities, and get financial guidance and information.

Security overview
In the software industry, security has two different perspectives. In the software development community, it describes the security features of a system. Common security features are ensuring that passwords are at least six characters long and encrypting sensitive data. For software consumers, it is protection against attacks rather than specific features of the system. Your house may have the latest alarm system and windows with bars, but if you leave your doors unlocked, despite the number of security features your system has, it is still insecure. Hence, security is not a number of features but a system process. The weakest link in the chain determines the security of the system. In this article, we focus on possible attack scenarios in an e-Commerce system and provide preventive strategies, including security features, that you can implement. Security has three main concepts: confidentiality, integrity, and availability. Confidentiality allows only authorized parties to read protected information. For example, if the postman reads your mail, this is a breach of your privacy. Integrity ensures data remains as is from the sender to the receiver. If someone added an extra bill to the envelope which contained your credit card bill, he has violated the integrity of the mail. Availability ensures that you have access to the resources you are authorized to use. If the post office destroys your mail or the postman takes one year to deliver your mail, he has impacted the availability of your mail.

Security features
While security features do not guarantee a secure system, they are necessary to build a secure system. Security features have four categories:

Authentication: Verifies who you say you are. It enforces that you are the only one allowed to log on to your Internet banking account.

Authorization: Allows only you to manipulate your resources in specific ways. This prevents you from increasing the balance of your account or deleting a bill.

Encryption: Deals with information hiding. It ensures you cannot spy on others during Internet banking transactions.

Auditing: Keeps a record of operations. Merchants use auditing to prove that you bought specific merchandise.
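A toy online-banking backend, added here as an example and not taken from the original text, that implements three of the four feature categories above: authentication (salted PBKDF2 password hashes, constant-time comparison), authorization (only a valid session for the owner may act, and a bill payment can never raise the balance) and auditing (an HMAC-chained log whose tampering is detectable). Encryption of the transport is normally delegated to TLS and is not shown; account names, balances, passwords and the audit key are all constructed.

```python
"""Authentication, authorization and auditing in one small service.
Added example; all names, balances and keys are constructed."""
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

PBKDF2_ROUNDS = 100_000


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Derive a salted PBKDF2-HMAC-SHA256 hash; the plaintext is never stored."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


@dataclass
class Account:
    owner: str
    salt: bytes
    pw_hash: bytes
    balance: int  # cents


class Bank:
    def __init__(self, audit_key: bytes):
        self.accounts: Dict[str, Account] = {}
        self.sessions: Dict[str, str] = {}         # session token -> owner
        self.audit: List[Tuple[str, str]] = []     # (record, mac)
        self._key = audit_key

    def _log(self, record: str) -> None:
        # Each MAC also covers the previous MAC, so editing, deleting or
        # reordering an entry breaks the chain from that point onwards.
        prev = self.audit[-1][1] if self.audit else ""
        mac = hmac.new(self._key, (prev + record).encode(), "sha256").hexdigest()
        self.audit.append((record, mac))

    def register(self, owner: str, password: str, balance: int) -> None:
        salt, digest = hash_password(password)
        self.accounts[owner] = Account(owner, salt, digest, balance)
        self._log(f"register {owner}")

    # Authentication: prove you are who you say you are.
    def login(self, owner: str, password: str) -> Optional[str]:
        acct = self.accounts.get(owner)
        if acct is None:
            self._log(f"login-fail unknown-user {owner}")
            return None
        _, digest = hash_password(password, acct.salt)
        if not hmac.compare_digest(digest, acct.pw_hash):  # constant-time compare
            self._log(f"login-fail bad-password {owner}")
            return None
        token = secrets.token_hex(16)
        self.sessions[token] = owner
        self._log(f"login-ok {owner}")
        return token

    # Authorization: only the owner may act, and only in permitted ways.
    def pay_bill(self, token: str, owner: str, amount: int) -> bool:
        if self.sessions.get(token) != owner:
            self._log(f"authz-denied no-session {owner}")
            return False
        acct = self.accounts[owner]
        # Paying a bill lowers the balance; a negative amount would raise it,
        # which the text says the user must never be able to do.
        if amount <= 0 or amount > acct.balance:
            self._log(f"authz-denied bad-amount {owner} {amount}")
            return False
        acct.balance -= amount
        self._log(f"pay_bill {owner} {amount}")
        return True

    # Auditing: recompute the chain and report whether it still verifies.
    def audit_intact(self) -> bool:
        prev = ""
        for record, mac in self.audit:
            expected = hmac.new(self._key, (prev + record).encode(), "sha256").hexdigest()
            if not hmac.compare_digest(expected, mac):
                return False
            prev = mac
        return True


def demo() -> dict:
    """Run the banking scenario from the text and return what was observed."""
    bank = Bank(audit_key=b"constructed-audit-key")
    bank.register("alice", "correct horse battery", 10_000)
    bad = bank.login("alice", "wrong")                      # authentication fails
    tok = bank.login("alice", "correct horse battery")       # authentication succeeds
    paid = bank.pay_bill(tok, "alice", 2_500)                # authorized: balance down
    forged = bank.pay_bill("not-a-real-token", "alice", 1)   # no valid session
    boosted = bank.pay_bill(tok, "alice", -5_000)            # cannot raise balance
    intact_before = bank.audit_intact()
    # Simulate someone rewriting the failed-login record to hide it.
    bank.audit[1] = ("login-ok alice", bank.audit[1][1])
    return {"bad_login": bad, "paid": paid, "forged": forged, "boosted": boosted,
            "balance": bank.accounts["alice"].balance,
            "intact_before": intact_before, "intact_after": bank.audit_intact()}
```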

The criminal incentive


Attacks against e-Commerce Web sites are so alarming that they follow right after violent crimes in the news. Practically every month, there is an announcement of an attack on a major Web site where sensitive information is obtained. Why is e-Commerce vulnerable? Is e-Commerce software more insecure compared to other software? Did the number of criminals in the world increase? The developers producing e-Commerce software are pulled from the same pool of developers as those who work on other software. In fact, this relatively new field is an attraction for top talent. Therefore, the quality of software being produced is relatively the same compared to other products. The criminal population did not undergo a sudden explosion, but the incentives of an e-Commerce exploit are a bargain compared to other illegal opportunities. Compared to robbing a bank, the tools necessary to perform an attack on the Internet are fairly cheap. The criminal only needs access to a computer and an Internet connection. On the other hand, a bank robbery may require firearms, a getaway car, and tools to crack a safe, but these may still not be enough. Hence, the low cost of entry to an e-Commerce site attracts the broader criminal population. While the local bank robber is restricted to the several branches in his region, his online counterpart can choose from the thousands of banks with an online operation. The online bank robber can rob a bank in another country, taking advantage of non-existent extradition rules between the country where the attack originated and the country where the attack is destined. An attack on a bank branch requires careful planning and precautions to ensure that the criminal does not leave a trail. He ensures the getaway car is not easily identifiable after the robbery. He cannot leave fingerprints nor have his face captured on the surveillance cameras. If he performs his actions on the Internet, he can easily make himself anonymous and the source of the attack untraceable.

The local bank robber obtains detailed building maps and city maps of his target. His online counterpart easily and freely finds information on hacking and cracking. He uses different sets of tools and techniques everyday to target an online bank.

Attacks
This section describes potential security attack methods from an attacker or hacker.

Tricking the shopper

Some of the easiest and most profitable attacks are based on tricking the shopper, also known as social engineering techniques. These attacks involve surveillance of the shopper's behavior, gathering information to use against the shopper. For example, a mother's maiden name is a common challenge question used by numerous sites. If one of these sites is tricked into giving away a password once the challenge question is provided, then not only has this site been compromised, but it is also likely that the shopper used the same logon ID and password on other sites. A common scenario is that the attacker calls the shopper, pretending to be a representative from a site visited, and extracts information. The attacker then calls a customer service representative at the site, posing as the shopper and providing personal information. The attacker then asks for the password to be reset to a specific value. Another common form of social engineering attack is the phishing scheme. Typo pirates play on the names of famous sites to collect authentication and registration information. For example, http://www.ibm.com/shop is registered by the attacker as www.ibn.com/shop. A shopper mistypes, enters the illegitimate site and provides confidential information. Alternatively, the attacker sends emails spoofed to look like they came from legitimate sites. The link inside the email maps to a rogue site that collects the information.
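A defensive counterpart to the typo-piracy trick above: a check that flags links whose domain is one or two edits away from a trusted brand domain, the kind of test a mail filter or help-desk tool can run before a shopper clicks. Added example, not from the original text; the trusted list and sample links are assumptions (the ibm.com / ibn.com pair is the page's own illustration), and the "last two labels" rule for the registrable domain is a simplification that does not handle suffixes like co.uk.

```python
"""Flag lookalike (typo-squatted) domains in links.  Added example;
the trusted list and sample URLs are constructed."""
from urllib.parse import urlparse

TRUSTED = {"ibm.com", "example-bank.com"}   # constructed allow-list


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance via the classic two-row dynamic-programming table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def registrable_domain(url: str) -> str:
    """Reduce www.ibn.com -> ibn.com (assumption: last two labels suffice)."""
    host = (urlparse(url).hostname or "").lower()
    return ".".join(host.split(".")[-2:])


def classify_link(url: str, trusted=TRUSTED, max_dist: int = 2) -> str:
    """'trusted', 'lookalike-of:<brand>' or 'unknown' for a link's domain."""
    dom = registrable_domain(url)
    if dom in trusted:
        return "trusted"
    for good in sorted(trusted):
        # A near-miss of a trusted name is more suspicious than a random
        # unknown domain, so it gets its own verdict for review.
        if edit_distance(dom, good) <= max_dist:
            return f"lookalike-of:{good}"
    return "unknown"
```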

Snooping the shopper's computer

Millions of computers are added to the Internet every month. Most users' knowledge of the security vulnerabilities of their systems is vague at best. Additionally, software and hardware vendors, in their quest to ensure that their products are easy to install, will ship products with security features disabled. In most cases, enabling security features requires a non-technical user to read manuals written for the technologist. The confused user does not attempt to enable the security features. This creates a treasure trove for attackers. A popular technique for gaining entry into the shopper's system is to use a tool, such as SATAN, to perform port scans on a computer that detect entry points into the machine. Based on the open ports found, the attacker can use various techniques to gain entry into the user's system. Upon entry, they scan your file system for personal information, such as passwords. While the software and hardware security solutions available protect the public's systems, they are not silver bullets. A user that purchases firewall software to protect his computer may find there are conflicts with other software on his system. To resolve the conflict, the user disables enough capabilities to render the firewall software useless.

Sniffing the network

In this scheme, the attacker monitors the data between the shopper's computer and the server. He collects data about the shopper or steals personal information, such as credit card numbers. There are points in the network where this attack is more practical than others. If the attacker sits in the middle of the network, then within the scope of the Internet this attack becomes impractical. A request from the client to the server computer is broken up into small pieces known as packets as it leaves the client's computer and is reconstructed at the server. The packets of a request are sent through different routes, so the attacker cannot access all the packets of a request and cannot decipher what message was sent. Take the example of a shopper in Toronto purchasing goods from a store in Los Angeles. Some packets for a request are routed through New York, while others are routed through Chicago. A more practical location for this attack is near the shopper's computer or the server. Wireless hubs make attacks on the shopper's computer network the better choice, because most wireless hubs are shipped with security features disabled. This allows an attacker to easily scan unencrypted traffic from the user's computer.

Guessing passwords

Another common attack is to guess a user's password. This style of attack is manual or automated. Manual attacks are laborious, and only successful if the attacker knows something about the shopper, for example, that the shopper uses their child's name as the password. Automated attacks have a higher likelihood of success, because the probability of guessing a user ID/password becomes more significant as the number of tries increases. Tools exist that use all the words in the dictionary to test user ID/password combinations, or that attack popular user ID/password combinations. The attacker can automate the attack to go against multiple sites at one time.

Using denial of service attacks

The denial of service attack is one of the best examples of impacting site availability. It involves getting the server to perform a large number of mundane tasks, exceeding the capacity of the server to cope with any other task. For example, if everyone in a large meeting asks you your name all at once, and every time you answer they ask you again, you have experienced a personal denial of service attack. To ask a computer its name, you use ping. You can use ping to build an effective DoS attack. The smart hacker gets the server to use more computational resources in processing the request than the adversary does in generating the request. Distributed DoS (DDoS) is a type of attack used on popular sites, such as Yahoo!. In this type of attack, the hacker infects computers on the Internet via a virus or other means. The infected computers become slaves to the hacker. The hacker controls them at a predetermined time to bombard the target server with useless but intensively resource-consuming requests. This attack not only causes the target site to experience problems, but also the entire Internet, as the large number of packets is routed via many different paths to the target.
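Both automated password guessing (the previous section) and a request flood (this one) show up in server logs as the same thing: too many events from one source inside a short window. The detector below, an added example that is not part of the original text, applies one sliding-window counter to a constructed access log in two ways: repeated failed logins per client address, and overall request rate per client address. The log format, addresses and thresholds are all assumptions, and lines are assumed to arrive in time order.

```python
"""Sliding-window detection of password guessing and request floods
over a constructed access log.  Added example; format and data are assumed."""
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import Iterable, Iterator, Set, Tuple

# Constructed sample log, one request per line:
#   <ISO timestamp> <client ip> <method> <path> <status>
SAMPLE_LOG = """\
2024-05-01T10:00:00 203.0.113.5 POST /login 401
2024-05-01T10:00:01 203.0.113.5 POST /login 401
2024-05-01T10:00:01 203.0.113.5 POST /login 401
2024-05-01T10:00:02 203.0.113.5 POST /login 401
2024-05-01T10:00:03 203.0.113.5 POST /login 401
2024-05-01T10:00:03 203.0.113.5 POST /login 401
2024-05-01T10:00:10 198.51.100.7 POST /login 401
2024-05-01T10:00:40 198.51.100.7 POST /login 200
this line is malformed and must be skipped rather than crash the detector
2024-05-01T10:01:00 192.0.2.9 GET /catalog 200
2024-05-01T10:01:00 192.0.2.9 GET /catalog 200
2024-05-01T10:01:01 192.0.2.9 GET /catalog 200
2024-05-01T10:01:01 192.0.2.9 GET /catalog 200
2024-05-01T10:01:02 192.0.2.9 GET /catalog 200
2024-05-01T10:01:02 192.0.2.9 GET /catalog 200
2024-05-01T10:01:03 192.0.2.9 GET /catalog 200
2024-05-01T10:01:03 192.0.2.9 GET /catalog 200
2024-05-01T10:02:00 192.0.2.44 GET /catalog 200
2024-05-01T10:02:30 192.0.2.44 GET /item/7 200
2024-05-01T10:03:00 192.0.2.44 POST /cart 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")
Event = Tuple[datetime, str, str, str, int]


def parse(lines: Iterable[str]) -> Iterator[Event]:
    """Yield (time, ip, method, path, status); malformed lines are ignored."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, ip, method, path, status = m.groups()
        yield datetime.fromisoformat(ts), ip, method, path, int(status)


class SlidingWindow:
    """Per-key event counter over a trailing window of `seconds`."""

    def __init__(self, seconds: int, threshold: int):
        self.seconds = seconds
        self.threshold = threshold
        self._events = defaultdict(deque)

    def add(self, key: str, when: datetime) -> bool:
        """Record one event; return True once the key reaches the threshold."""
        q = self._events[key]
        q.append(when)
        while (when - q[0]).total_seconds() > self.seconds:
            q.popleft()                     # drop events that left the window
        return len(q) >= self.threshold


def detect_password_guessing(lines: Iterable[str], window: int = 60,
                             threshold: int = 5) -> Set[str]:
    """Addresses with `threshold` failed logins within `window` seconds."""
    w = SlidingWindow(window, threshold)
    flagged: Set[str] = set()
    for when, ip, _method, path, status in parse(lines):
        if path == "/login" and status == 401 and w.add(ip, when):
            flagged.add(ip)
    return flagged


def detect_request_flood(lines: Iterable[str], window: int = 5,
                         threshold: int = 8) -> Set[str]:
    """Addresses issuing `threshold` requests of any kind within `window` seconds."""
    w = SlidingWindow(window, threshold)
    flagged: Set[str] = set()
    for when, ip, *_ in parse(lines):
        if w.add(ip, when):
            flagged.add(ip)
    return flagged
```

Real deployments key the login rule on the target account as well as the source address, since a distributed guesser spreads attempts across many addresses.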

Using known server bugs

The attacker analyzes the site to find what types of software are used on the site. He then proceeds to find what patches were issued for the software. Additionally, he searches on how to exploit a system without the patch. He proceeds to try each of the exploits. The sophisticated attacker finds a weakness in a similar type of software, and tries to use that to exploit the system. This is a simple, but effective attack. With millions of servers online, what is the probability that a system administrator forgot to apply a patch?

Using server root exploits

Root exploits refer to techniques that gain super user access to the server. This is the most coveted type of exploit because the possibilities are limitless. When you attack a shopper or his computer, you can only affect one individual. With a root exploit, you gain control of the merchant's and all the shoppers' information on the site. There are two main types of root exploits: buffer overflow attacks and executing scripts against a server.

In a buffer overflow attack, the hacker takes advantage of a specific type of computer program bug that involves the allocation of storage during program execution. The technique involves tricking the server into executing code written by the attacker. The other technique uses knowledge of scripts that are executed by the server. This knowledge is easily and freely found in the programming guides for the server. The attacker tries to construct scripts in the URL of his browser to retrieve information from the server. This technique is frequently used when the attacker is trying to retrieve data from the server's database.

Defenses
Despite the existence of hackers and crackers, e-Commerce remains a safe and secure activity. The resources available to large companies involved in e-Commerce are enormous. These companies will pursue every legal route to protect their customers. At the end of the day, your system is only as secure as the people who use it. The defenses described in the following sections are:
* Education is the best way to ensure that your customers take appropriate precautions.
* Install personal firewalls for the client machines.
* Store confidential information in encrypted form.
* Encrypt the stream using the Secure Socket Layer (SSL) protocol to protect information flowing between the client and the e-Commerce Web site.
* Use appropriate password policies, firewalls, and routine external security audits.
* Use threat model analysis, strict development policies, and external security audits to protect ISV software running the Web site.

Education
Your system is only as secure as the people who use it. If a shopper chooses a weak password, or does not keep their password confidential, then an attacker can pose as that user. This is significant if the compromised password belongs to an administrator of the system. In this case, physical security is likely also involved, because the administrator's client machine may not be exposed outside the firewall. Users need to use good judgment when giving out information, and be educated about possible phishing schemes and other social engineering attacks.

Personal firewalls
When you connect your computer to a network, it becomes vulnerable to attack. A personal firewall helps protect your computer by limiting the types of traffic initiated by and directed to it. Without such protection, an intruder who reaches the machine can also scan the hard drive for stored passwords.

Secure Socket Layer (SSL)

Secure Socket Layer (SSL) is a protocol that encrypts data between the shopper's computer and the site's server. When an SSL-protected page is requested, the browser identifies the server as a trusted entity and initiates a handshake to pass encryption key information back and forth. On subsequent requests to the server, the information flowing back and forth is encrypted so that a hacker sniffing the network cannot read the contents. The SSL certificate is issued to the server by a certificate authority authorized by the government. When a request is made from the shopper's browser to the site's server using https://..., the shopper's browser checks whether this site has a certificate it can recognize. If the site is not recognized by a trusted certificate authority, then the browser issues a warning.

Server Firewalls
A firewall is like the moat surrounding a castle. It ensures that requests can only enter the system from specified ports and, in some cases, ensures that all accesses come only from certain physical machines. A common technique is to set up a demilitarized zone (DMZ) using two firewalls. The outer firewall has ports open that allow inbound and outbound HTTP requests. This allows the client browser to communicate with the server. A second firewall sits behind the e-Commerce servers. This firewall is heavily fortified, and only requests from trusted servers on specific ports are allowed through. Both firewalls use intrusion detection software to detect any unauthorized access attempts. Another common technique used in conjunction with a DMZ is a honey pot server. A honey pot is a resource (for example, a fake payment server) placed in the DMZ to fool the hacker into thinking he has penetrated the inner wall. These servers are closely monitored, and any access by an attacker is detected.

Password Policies
Ensure that password policies are enforced for shoppers and internal users. A sample password policy, defined as part of the Federal Information Processing Standard (FIPS), is shown in the table below.

Policy                                          Value
Account lockout threshold                       6 attempts
Consecutive unsuccessful login delay            10 seconds
Matching user ID and password                   N (no, they cannot match)
Maximum occurrence of consecutive characters    3 characters
Maximum instances of any character              4 instances
Maximum lifetime of passwords                   180 days
Minimum number of alphabetic characters         1 alphabetic character
Minimum number of numeric characters            1 numeric character
Minimum length of password                      6 characters
Reuse user's previous password                  N (no, cannot be reused)

You may choose to have different policies for shoppers versus your internal users. For example, you may choose to lock out an administrator after 3 failed login attempts instead of 6. These password policies protect against attacks that attempt to guess the user's password. They ensure that passwords are sufficiently strong that they cannot be easily guessed. The account lockout capability ensures that an automated scheme cannot make more than a few guesses before the account is locked.

Intrusion Detection and Audits of Security Logs

One of the cornerstones of an effective security strategy is to prevent attacks and to detect potential attackers. Detection helps you understand the nature of the system's traffic and provides a starting point for litigation against the attackers. Suppose that you have implemented a password policy, such as the FIPS policy described in the section above. If a shopper makes 6 failed logon attempts, then his account is locked out. In this scenario, the company sends an email to the customer informing him that his account is locked. This event should also be logged in the system, either by sending an email to the administrator, writing the event to a security log, or both. You should also log any attempted unauthorized access to the system. If a user logs on and attempts to access resources that he is not entitled to see, or performs actions that he is not entitled to perform, this indicates that the account has been co-opted and it should be locked out. Analysis of the security logs can detect patterns of suspicious behavior, allowing the administrator to take action. In addition to security logs, use business auditing to monitor activities such as payment processing. You can monitor and review these logs to detect patterns of inappropriate interaction at the business process level. The infrastructure for business auditing and security logging is complex, and will most likely come as part of any middleware platform selected to host your site. WebSphere Commerce, for example, has extensive capabilities in this area.
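As an added example (not code from this page or from WebSphere Commerce), the following Python tracks failed logons per account using the 6-attempt lockout and 10-second delay from the policy table above, writes a constructed security-log line for each event, and includes a small log review that flags a source address failing against several different accounts. The event names, log format and the `clock` parameter are assumptions made for this example.

```python
import time
from collections import defaultdict

LOCKOUT_THRESHOLD = 6   # consecutive failures before the account is locked (policy table)
FAILURE_DELAY = 10      # seconds to wait after a failed attempt (policy table)

class LoginGuard:
    """Enforces the lockout policy and writes one security-log line per notable event."""
    def __init__(self, check_credentials, clock=time.time):
        self.check = check_credentials    # callable(user_id, password) -> bool
        self.clock = clock                # injectable so the behaviour can be tested offline
        self.failures = defaultdict(int)  # consecutive failed attempts per account
        self.last_failure = {}            # time of the most recent failure per account
        self.log = []                     # stand-in for the security log / administrator e-mail

    def _record(self, event, user_id, **extra):
        fields = " ".join(f"{k}={v}" for k, v in extra.items())
        self.log.append(f"{self.clock():.0f} {event} user={user_id} {fields}")

    def attempt(self, user_id, password, source_ip):
        now = self.clock()
        if self.failures[user_id] >= LOCKOUT_THRESHOLD:
            self._record("LOGIN_REJECTED_LOCKED", user_id, ip=source_ip)
            return "locked"
        # A retry inside the delay window is refused before the password is checked (throttles guessing).
        last = self.last_failure.get(user_id)
        if last is not None and now - last < FAILURE_DELAY:
            self._record("LOGIN_THROTTLED", user_id, ip=source_ip)
            return "throttled"
        if self.check(user_id, password):
            self.failures[user_id] = 0
            self._record("LOGIN_OK", user_id, ip=source_ip)
            return "ok"
        self.failures[user_id] += 1
        self.last_failure[user_id] = now
        self._record("LOGIN_FAILED", user_id, ip=source_ip, count=self.failures[user_id])
        if self.failures[user_id] >= LOCKOUT_THRESHOLD:   # site would also e-mail shopper and admin
            self._record("ACCOUNT_LOCKED", user_id, ip=source_ip)
            return "locked"
        return "failed"

def suspicious_sources(log, min_users=3):
    """Log review: source IPs whose failed logons span several different accounts."""
    seen = defaultdict(set)
    for line in log:
        _ts, event, *rest = line.split()
        if event == "LOGIN_FAILED":
            f = dict(x.split("=", 1) for x in rest)
            seen[f["ip"]].add(f["user"])
    return sorted(ip for ip, users in seen.items() if len(users) >= min_users)
```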

Site development best practices

This section describes best practices you can implement to help secure your site.

Security policies and standards

There are many established policies and standards for avoiding security issues; however, they are not required by law. Some basic rules include:
* Never store a user's password in plain text or encrypted text on the system. Instead, use a one-way hashing algorithm to prevent password extraction.
* Employ external security consultants (ethical hackers) to analyze your system.
* Standards, such as the Federal Information Processing Standard (FIPS), describe guidelines for implementing features. For example, FIPS makes recommendations on password policies.
* Ensure that a sufficiently robust encryption algorithm, such as triple DES or AES, is used to encrypt all confidential information stored on the system.
* When developing third-party software for e-Commerce applications, use external auditors to verify that appropriate processes and techniques are being followed.
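An added example (not the page's or any product's code) that ties together the sample password policy from the table in the Password Policies section and the one-way hashing rule above: it validates a candidate password against the FIPS-style values and checks reuse against stored salted hashes, so no earlier password is ever kept in clear text. The rule names, the PBKDF2 parameters, and the reading of "maximum occurrence of consecutive characters" as a limit on identical characters in a row are assumptions.

```python
import hashlib
import hmac
import secrets

# Values taken from the sample FIPS-style password policy table on this page.
POLICY = {"min_length": 6, "min_alpha": 1, "min_numeric": 1,
          "max_consecutive_same": 3, "max_instances_any": 4}

def hash_password(password, salt=None):
    """Salted one-way hash (PBKDF2-HMAC-SHA256); only (salt, digest) is ever stored."""
    salt = secrets.token_bytes(16) if salt is None else salt
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def matches_stored(password, record):
    """Constant-time comparison of a candidate against a stored (salt, digest) record."""
    return hmac.compare_digest(hash_password(password, record[0])[1], record[1])

def longest_run(s):
    """Length of the longest run of one character repeated consecutively ('aaab' -> 3)."""
    best = run = 0
    for i, c in enumerate(s):
        run = run + 1 if i and s[i - 1] == c else 1
        best = max(best, run)
    return best

def password_violations(user_id, password, previous=(), policy=POLICY):
    """Names of the policy rules a candidate password breaks; an empty list means accepted."""
    v = []
    if len(password) < policy["min_length"]:
        v.append("min_length")
    if sum(c.isalpha() for c in password) < policy["min_alpha"]:
        v.append("min_alpha")
    if sum(c.isdigit() for c in password) < policy["min_numeric"]:
        v.append("min_numeric")
    if password.lower() == user_id.lower():
        v.append("matches_user_id")
    # "Maximum occurrence of consecutive characters" read as: at most 3 identical characters in a row.
    if longest_run(password) > policy["max_consecutive_same"]:
        v.append("max_consecutive_same")
    if password and max(password.count(c) for c in set(password)) > policy["max_instances_any"]:
        v.append("max_instances_any")
    # Reuse is checked against stored hashes, so earlier passwords are never kept in clear text.
    if any(matches_stored(password, rec) for rec in previous):
        v.append("reuse_previous")
    return v

if __name__ == "__main__":
    old = hash_password("s3cret9x")   # constructed sample of a stored record
    print(password_violations("alice", "s3cret9x", [old]))   # ['reuse_previous']
```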

Recently, there has been an effort to consolidate these best practices as the Common Criteria for IT Security Evaluation (CC). CC seems to be gaining traction. It is directly applicable to the development of specific e-Commerce sites and to the development of third-party software used as infrastructure in e-Commerce sites. Security best practices remain largely an art rather than a science, but there are some good guidelines and standards that all developers of e-Commerce software should follow.

Using cookies
One of the issues faced by Web site designers is maintaining a secure session with a client over subsequent requests. Because HTTP is stateless, unless some kind of session token is passed back and forth on every request, the server has no way to link together requests made by the same person. Cookies are a popular mechanism for this. An identifier for the user or session is stored in a cookie and read on every request. You can use cookies to store user preference information, such as language and currency. This simplifies Web page development because you do not have to be concerned about passing this information back to the server. The primary use of cookies is to store authentication and session information, your information, and your preferences. A secondary and controversial usage of cookies is to track the activities of users.

Different types of cookies are:
* Temporary cookies: These cookies are valid only for the lifetime of your current session, and are deleted when you close your browser. These are usually the good type. They are mostly used to keep your session information.
* Permanent cookies: These are stored on the shopper's computer for a time period specified by the site. They recall your previous session information.
* Server-only cookies: These cookies are usually harmless, and are only used by the server that issued them.
* Third-party cookies: These are usually used for tracking purposes by a site other than the one you are visiting. Your browser or a P3P policy can filter these cookies.

If you do not want to store cookies, here are other alternatives:
* Send user ID/password on every request: This was popular 5-10 years ago, but is now recognized as an insecure technique. The user ID/password flowing under non-SSL is susceptible to attacks. This alternative is not practical for a high volume site, because pages that run under SSL would slow down site performance.
* SSL client side authentication: This is the most secure, but it is cumbersome for shoppers to install certificates in their browsers. You have to pay a company to verify who you are and to issue a certificate. The popularity of this technique for client-side authentication has decreased in recent years. It remains very popular on the server side.
* URL rewriting: This is a popular alternative to cookies. Each HTTP link on the page is specially encoded, but it is expensive for the site to implement. It interferes with the performance of the site because the pages cannot be cached and reused for different users. This alternative is susceptible to attack if it is not used under SSL.

Cookies marked as secure (storing encrypted data and passed to the user only under SSL) remain the most popular method of providing a secure online experience.

Using threat models to prevent exploits

When architecting and developing a system, it is important to use threat models to identify all possible security threats to the server. Think of the server like your house: it has doors and windows to allow entry and exit, and these are the points a burglar will attack. A threat model seeks to identify these points in the server and to develop the possible attacks against them. Threat models are particularly important when relying on a third-party vendor for all or part of the site's infrastructure, to ensure that the suite of threat models is complete and up-to-date.

Responding to security issues

An effective overall security strategy includes being prepared when vulnerabilities are detected. This also means ensuring that the software vendors selected for all or part of the site's infrastructure have proactive and reactive policies for handling security issues. In the case of WebSphere Commerce, we can quickly form a SWAT team of key developers, testers, and support personnel. This becomes the highest priority for all involved parties. An assessment is made immediately, usually within the first few hours, to determine the vulnerability of the merchants' sites. A workaround or permanent solution is developed for the affected sites within a day. Then a "flash" is issued to all customers to notify them of the problem, the solution, and how to check whether they have been exploited. For critical issues, no one leaves until there is a solution.

Using an online security checklist

Use this security checklist to protect yourself as a shopper:
* Whenever you log on, register, or enter private information, such as credit card data, ensure your browser is communicating with the server using SSL.
* Do not shop at a site when the browser does not recognize the server's SSL certificate. This check is done by your browser the first time your URL becomes HTTPS for the site. If the certificate is not recognized, your browser presents a pop-up message to inform you.
* Use a password of at least 6 characters, and ensure that it contains some numeric and special characters (for example, c0113g3).
* Avoid reusing the same user ID and password at multiple Web sites.
* If you are authenticated (logged on) to a site, always log off after you finish.
* Use a credit card for online purchases. Most credit card companies will help you with nonexistent or damaged products.
