11:08 pm on Apr 21, 2008 (gmt 0)
12:17 am on Apr 22, 2008 (gmt 0)
Definitely, site clarification is necessary. Let's use the site example of a small, private school that publishes updates on school happenings and provides a means for alumni to keep in touch. No student records on site, but there is a way to make online donations, make comments, and request information. Primary concerns would be not catastrophic, but potentially embarrassing: a hacker puts up an obscene photo of the principal, for example, or someone obtains alumni contact information. Worst case would be somehow tapping into the donation function and stealing funds or credit card numbers.
For such a site, what would need to be in line to have a reasonably secure online presence?
12:10 pm on Apr 22, 2008 (gmt 0)
In the example I wouldn't expect the site to be handling the "risky" stuff in house at all.
Donations - third party processor
Comments - third party processor with option for screening posts
Request information - email form
5:23 pm on Apr 22, 2008 (gmt 0)
Bottom line - the more things that are controlled server side, the more secure it is going to be. But remember, nothing is 100%.
5:32 pm on Apr 22, 2008 (gmt 0)
don't store more information about your members than is needed
don't store anything you aren't supposed to, like CC nums
if this is strictly for alumni then you might find it necessary to confirm their identity, especially on a request for information
you have to look at the business processes involved, decide what risks there are and then decide what lengths you need to go to in order to protect against them
as Marshall said, nothing is perfect so you need to revisit these decisions/processes on a regular basis
5:45 pm on Apr 22, 2008 (gmt 0)
> as Marshall said, nothing is perfect
except all of us here ;)
12:49 am on Apr 23, 2008 (gmt 0)
Marshall said, "Bottom line - the more things that are controlled server side, the more secure it is going to be."
Question: But isn't the entire site really located on a server--thus, everything is "server side"? What am I missing here?
1:17 am on Apr 23, 2008 (gmt 0)
8:56 am on Apr 23, 2008 (gmt 0)
Thank you, Marshall. I have a bunch to learn.