Guidelines 264

NCC Members have free access to this Guideline on the Principia website.
The demands on even the most technically competent IT Managers are increasing at an alarming rate with the advent of e-business. These demands, to deliver ever more technically innovative solutions to meet changing business models, require an understanding of both traditional IT infrastructures and advanced data communications. These solutions need to be future-proofed so that new advances can be embraced, and they are frequently created in a business environment that does not always recognise the level of expenditure and time necessary to deliver a 'quality service'.
Many e-business solutions are implemented using iterative development techniques. With these techniques it is often difficult to see the full functionality of the final solution, which can make the incorporation of security into the architecture very difficult. It is also often the case that such solutions start off as pilots, move into being low-profile, non-business-critical functions, and then migrate to being high-profile, high-criticality systems. Effective security must be applied at all stages of this migration. If technical measures are not applied at the early stages, it may be difficult to introduce them later, and poor development and working practices will have to be undone if a high-profile e-business function is to be securely operated.
This development work is no longer conducted in a closed environment where the idiosyncrasies of the interface, together with the operational and performance issues of the systems, remain the knowledge of only those within the organisation. This work is now conducted within the full glare of trading partners and often the general public. The view of a company's professionalism is now often measured on its outward technical profile.
It is against this backdrop that the IT Manager is required to deliver solutions that are within agreed time and budget constraints and fully meet the business requirements, both now and in the future. In addition, these solutions must be fault tolerant and able to withstand technical attacks on the confidentiality and integrity of the data, whether mounted externally or, more often, internally within the organisation.
To deliver this type of service the IT Manager must be able to draw on technically competent security specialists. The IT Manager must have confidence in the technical ability and integrity of these staff through effective recruitment vetting, technical skills testing and ongoing training. Once the staff have been recruited, the IT Manager must be confident that they have quantified the risks to which e-business solutions will be exposed, identified potential threats, and taken steps to ensure that vulnerabilities in the technical infrastructure have been identified and addressed. This is not a one-time task; it must form part of an ongoing programme of work placed within a suitable information security management framework.