Framework to identify and manage risks in Web 2.0 applications

Abstract

Web 2.0 applications are continuously moving into the corporate mainstream. Each new development brings its own threats or new ways to deliver old attacks. In order to mitigate these security risks, internal controls should be implemented at different levels. In order to identify the risks, a proper control framework of generally accepted control techniques and practices are needed as a benchmark. Because, implementing these control techniques on their own is merely ad hoc, if not linked to a proper control framework or model. The objective of this study is to develop a framework that can be used to identify the security issues an organisation is exposed to through Web 2.0 applications, with specific focus on unauthorised access. An extensive literature review was performed to obtain an understanding of the technologies driving Web 2.0 applications. Thereafter, the technologies were mapped against control objectives for information and related technology (CobiT) and trust service principles and criteria and associated control objectives relating to security risks. These objectives were used to develop a framework that can be used to identify risks and formulate appropriate internal control measures in any organisation using Web 2.0 applications. Every organisation, technology and application is unique and the safeguards depend on the nature of the organisation, information at stake, degree of vulnerability and risks. A comprehensive security program should include a multi-layer approach comprising of a control framework, combined with a control model considering the control processes in order to identify the appropriate control techniques. Key words: Web 2.0, social networking, security risks, computer risks, control framework, control objectives for information and related technology (CobiT), trust service principles and criteria.