10 August 2010

Procedures

Posts relating to the category tag "procedures" are listed below.

10 July 2009

Business Case for Web Security

It can be hard to justify spending on web security when web sites are so often viewed as low-value assets. The fact that so much Internet content and so many services are free, and that you can buy a web site for less than the cost of a colour TV licence in the UK, reinforces this idea in many small and medium enterprises (SMEs).

Photograph of a building with a banner offering business web sites from only £99 - complete solutions with email

Much of my work involves dealing with security incidents, such as web sites which have been hacked, or with organisations having security requirements imposed on them by their own customers and clients. Often these activities are undertaken late in the project and are therefore less effective, and more costly, than they might need to be.

I adhere to the principle "prevention is better than cure", and encourage the early consideration of security and privacy matters—just like any other business process requirement. It was encouraging to read the useful guidance and pointers in Business Cases For Software Security Initiatives, but for many organisations the issues are too complex and they don't have any supporting data. For those I recommend, as a starting point, concentrating on four types of issue:

  1. mandatory compliance issues (e.g. legislative and contractual)
  2. problems which can assist theft or fraud
  3. security events which would be severely disruptive and possibly put the organisation out of business
  4. issues for customer trust and ongoing reputation

It's always organisation specific though. As organisations mature, they can be encouraged to look at wider security issues—but, let's get the basics right first.

Posted on: 10 July 2009 at 09:15 hrs

30 June 2009

Is Britain Still Under Construction?

Old, backup, "secret" and test pages, scripts and other files shouldn't be left on live web sites. The Visit Britain web site should be a showcase for Britain. I was trying to find a particular page and looked at their 97-page full sitemap.

Partial screen capture showing the top left of the Visit Britain full sitemap - the results shown are Videos, Reviews, UK travel and accommodation - Home Page, ad tag test page, Home Page for Familiar Markets, Old Home Page, test-script, weather test, Yell, Delete, Tourist Guides, All UK

Oops, the 4th, 6th, 7th and 8th links were all test or old pages. I couldn't believe this prominent web site didn't have procedures in place to manage draft and test content, or even that they were making such pages live on their web site. The test-script result worried me most, but fortunately all four of these returned "not found" when clicked.

I wonder what the page "Delete" does though?

People use search engines such as Google to find hidden information on web sites (aka Google Hacking), but it's uncommon for web sites to clearly list it on their own site map. Rather than ploughing my way through the impenetrable site map, I switched to Google to see what it had found, using the search query "site:www.visitbritain.co.uk test". Skipping the results about cricket test matches and testing your handicap revealed links to more test pages:

Montage of content from Visit Britain website including test pages and test forms

My favourite must be the page with the parent page labelled "Food & Drink - to be deleted EVENTUALLY" in the breadcrumb trail:

Partial screen capture showing the breadcrumb trail - You are here: * Home * Things to See & Do * Interests * Food & Drink - to be deleted EVENTUALLY * AA Copyright Test

These types of practices don't instil any confidence in the management of the web site. Old, backup and test files may contain sensitive data, allow access to the application or to functions otherwise restricted, or contain faults that have been fixed in the current version. And, if you actually list them, it looks terrible! Web sites and web applications don't just look after themselves—you need clear policies, a well-designed specification, a robust development contract, good management, skilled staff, verification processes and a willingness to learn from good practices elsewhere.

Today's message: read Testing for Old, Backup and Unreferenced Files.
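
A defender-side check for the problem described above, added here as an example and not code from the original post: parse the site's own sitemap, flag entries whose path tokens suggest test, old or backup content, and confirm whether the server still serves them. The sitemap content, the example.com URLs and the pattern list are constructed assumptions, and `fetch_status` is a hypothetical callback standing in for a real HTTP request.

```python
"""Audit a sitemap for old, backup and test pages that should not be live.
Added example, not part of the original post; the sitemap is constructed."""
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Words that commonly mark draft, backup or stale content in a URL path.
# This is a starting list (an assumption), not a complete one.
STALE_PATTERNS = re.compile(
    r"(test|old|backup|bak|delete|draft|copy|tmp|temp|archive)",
    re.IGNORECASE,
)

SITEMAP_NS = {"sm": "http://www.sitemaps.org/schemas/sitemap/0.9"}

# Constructed sitemap in the standard sitemaps.org format.
SAMPLE_SITEMAP = """<?xml version="1.0" encoding="UTF-8"?>
<urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">
  <url><loc>https://www.example.com/</loc></url>
  <url><loc>https://www.example.com/ad-tag-test-page</loc></url>
  <url><loc>https://www.example.com/old-home-page</loc></url>
  <url><loc>https://www.example.com/test-script</loc></url>
  <url><loc>https://www.example.com/delete</loc></url>
  <url><loc>https://www.example.com/tourist-guides</loc></url>
  <url><loc>https://www.example.com/latest-news</loc></url>
</urlset>
"""


def find_suspect_urls(sitemap_xml):
    """Return sitemap URLs whose path looks like test, old or backup content."""
    root = ET.fromstring(sitemap_xml)
    suspects = []
    for loc in root.findall("sm:url/sm:loc", SITEMAP_NS):
        url = loc.text.strip()
        path = urlparse(url).path
        # Match whole hyphen/slash/dot separated tokens, so "latest" does not hit "test".
        tokens = re.split(r"[/\-_.]+", path)
        if any(STALE_PATTERNS.fullmatch(tok) for tok in tokens if tok):
            suspects.append(url)
    return suspects


def still_live(urls, fetch_status):
    """Return the suspect URLs the server still answers with HTTP 200.
    fetch_status(url) -> int is caller-supplied (hypothetical); in production
    it would issue a HEAD or GET request, the test below passes a lookup table."""
    return [u for u in urls if fetch_status(u) == 200]
```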

Posted on: 30 June 2009 at 08:40 hrs

09 June 2009

BS 10012 on Data Protection and PIMSs

The new British Standard 10012:2009, Data Protection - Specification for a Personal Information Management System, has been published.

Partial view of the cover from British Standard 10012:2009 Data Protection - Specification for a Personal Information Management System showing the words 'British Standard 10012:2009 Data Protection - Specification for a Personal Information Management System'

British Standard 10012:2009 was the subject of an earlier draft for public comment (DPC) and I worked with the OWASP Industry Committee on a response.

BS 10012 is not an alternative to the excellent guidance for organisations now produced by the UK's Information Commissioner's Office, but instead is a specification for a personal information management system (PIMS). A PIMS is a governance process for all types of personal information within a company but could also be used for other types of sensitive data. BSI's slant on this is that a PIMS, and therefore BS 10012, could help maintain and improve compliance with the Data Protection Act (DPA) 1998.

A good start and one to watch.

Posted on: 09 June 2009 at 10:32 hrs

10 April 2009

Safety Awareness and Security Awareness

In my post Safety Hazards and Security Threats I discussed how safety hazards and security threats have many similarities. A new safety presentation designed to raise awareness of safety issues, concerning the sinking of the MV Herald of Free Enterprise in 1987, provides a further analogy.

The MV Herald of Free Enterprise roll-on/roll-off (ro-ro) ferry was built in 1980 to operate on the short Dover (England) to Calais (France) route, but was moved to the much longer Dover to Zeebrugge (Belgium) Channel crossing. It capsized, killing 193 passengers and crew, after water entered through the bow doors, which had not been closed before departure.

The safety training material outlines lessons to be learned:

  • lack of procedures
  • lack of steady team structures and responsibility
  • reduced staff resources
  • inability to identify changed hazards
  • poor change management practices
  • reliance on a single layer of protection
  • creeping changes moved beyond design specification
  • insufficient monitoring
  • poorly designed controls
  • failure to implement controls
  • insufficient time to react to the incident.

These points could equally have been written about a catastrophic network breach. Clearly most web servers don't have a direct impact on human life, unlike public transport, where safety risk analysis values human lives at millions of pounds each. However, an organisation may not survive a significant data breach, and we can all learn lessons from other events such as this.

There can be a tendency to treat security as a "technical" issue, and specifically as an "IT issue". Most of the above lessons to be learned are not of the technical type. Focus on what will make a difference.

Further reading is available in "The MV Herald of Free Enterprise: Report of Court No. 8074", Department of Transport, Her Majesty's Stationery Office, ISBN 0 11 550828 7.

Posted on: 10 April 2009 at 10:42 hrs

24 March 2009

IT Governance Watch

I will be speaking later this morning at the IT Governance Watch event in London.

IT Governance Watch is a joint initiative of the Cyber Security Knowledge Transfer Network and The National Computing Centre. The day's programme is intended to be a combination of seminars and workshops; IT Governance Watch is proposed as a new observatory of standards and good practice in governance, security, risk, and information assurance of information systems.

Update 26th March 2009: David Lacey, an attendee at IT Governance Watch on Tuesday, has posted his views on the event in Better Standards for Standards Please.

Posted on: 24 March 2009 at 07:21 hrs

02 February 2009

Not So Current

Bad (and severe) weather can have unforeseen consequences for online businesses. Even virtual businesses may still be affected by human factors.

I recall that during some flooding last year, although a call centre was safe from the effects of the weather, its staff couldn't get to work, so the disaster recovery plan had to be invoked. I wonder how many online businesses are feeling the effects of last night's snowfall.

This message appeared on the Current Awareness service from the Inner Temple Library providing "up-to-date" UK information on new case law, changes in legislation, and legal news:

Partial screen capture showing the blog posting today 2 February on the Inner Temple Library Current Awareness blog saying 'Because of unavailability of staff in the current severe weather conditions, we are regrettably, and with apologies, suspending postings for today (2nd February). We will review the situation tomorrow.'

Other web sites weren't affected by lack of staff, but by too many users. This is something that website load stress testing can help analyse. Loss of availability comes in many guises and sometimes "snow" and "customers" may not be considered at the same time as other threats during a risk assessment.

Tomorrow's forecast isn't looking so good either.

Posted on: 02 February 2009 at 15:42 hrs

12 September 2008

Keep The Emails Coming

Web site managers should be checking that enquiries, feedback and other user input sent from the web site by email are working. But less frequently used functions such as error reporting may also send messages by email - these should be tested regularly as well.

Many transactional web sites (also called "web applications") will use email alert messages for internal processes such as:

  • System errors
  • Unusual or inconsistent transactions
  • Missing content (not found) requests
  • Accounts locked out

They should be tested in the same way as normal business processes:

  • Is the alert raised when the appropriate event occurs?
  • Does the message get sent to the mail server?
  • Does the intended recipient receive the message?
  • Was the message recorded, analysed and resolved/escalated in a timely manner?

Remember to ensure the messages are not subject to filtering, modification or delay.
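
As an added example (not code from the original post), the checks above can be reduced to a reconciliation between the alerts the application logged as raised and the messages that reached the recipient's mailbox: an alert with no matching message was filtered or never sent, one whose body differs was modified, and one arriving after the threshold was delayed. Both logs, their line formats and the five-minute threshold are constructed assumptions for this illustration.

```python
"""Reconcile alerts the application raised against what the mailbox received.
Added example, not part of the original post; both logs are constructed."""
from datetime import datetime, timedelta

# Constructed application log: when each alert was raised, with a unique id.
APP_LOG = """\
2008-09-12T06:00:05 ALERT system_error id=a1c9 msg="db pool exhausted"
2008-09-12T06:01:10 ALERT account_lockout id=b7e2 msg="user 4711 locked after 5 failures"
2008-09-12T06:02:30 ALERT not_found id=c3d4 msg="/admin/backup.zip"
2008-09-12T06:03:00 ALERT unusual_txn id=d9f0 msg="refund > 10x order value"
"""

# Constructed mailbox export from the recipient's side: arrival time, subject, body.
MAILBOX = [
    ("2008-09-12T06:00:09", "[ALERT] system_error id=a1c9", "db pool exhausted"),
    ("2008-09-12T06:31:12", "[ALERT] account_lockout id=b7e2", "user 4711 locked after 5 failures"),
    # id d9f0 arrived, but a filter rewrote the body on the way (assumed scenario).
    ("2008-09-12T06:03:04", "[ALERT] unusual_txn id=d9f0", "refund > *** order value"),
]

MAX_DELAY = timedelta(minutes=5)  # assumed acceptable delivery delay


def parse_app_log(text):
    """Yield (raised_at, alert_id, message) from the constructed log lines."""
    for line in text.splitlines():
        stamp, _tag, _kind, ident, rest = line.split(" ", 4)
        yield datetime.fromisoformat(stamp), ident.split("=", 1)[1], rest[len('msg="'):-1]


def reconcile(app_log, mailbox, max_delay=MAX_DELAY):
    """Return {alert_id: finding} for every alert the application raised."""
    received = {}
    for arrived, subject, body in mailbox:
        ident = subject.rsplit("id=", 1)[1]
        received[ident] = (datetime.fromisoformat(arrived), body)
    findings = {}
    for raised, ident, msg in parse_app_log(app_log):
        if ident not in received:
            findings[ident] = "not received"        # filtered, or never sent
        elif received[ident][1] != msg:
            findings[ident] = "modified in transit"  # body no longer matches
        elif received[ident][0] - raised > max_delay:
            findings[ident] = "delayed"              # arrived, but too late
        else:
            findings[ident] = "ok"
    return findings
```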

A humorous example appeared in last week's Deep Trouble, a comedy from BBC Radio 4 set in the future on board a Royal Navy nuclear stealth submarine - the crew were surprised that an incoming message had been received, since it looked like spam. It turned out that the junk mail filter was turned off, the message was from the Admiral and it contained a secret NATO code phrase "PRIZE HAMPER" to authenticate the sender.

Let's hope "PRIZE HAMPER" doesn't get this blog post blacklisted.

Posted on: 12 September 2008 at 06:35 hrs

26 August 2008

Issuing Web Site User Names Safely

I am often asked how to select and then send out web site login user names. If you have a relatively small number of users and they don't change often, don't get complicated - just send them in the post.

User names identify an individual during authentication processes like logging on. Self-registration systems can often be used to help guess current ones.

But if you have a known set of users such as customers, members or clients, select the user names yourself, and don't use the internet (such as email) to communicate them to the users. Transfer them some other way ("out-of-band" is the security jargon), perhaps using conventional post, signed for on receipt, to an address you already have on record, by hand (perhaps at an event or conference) or possibly by telephone or fax.

It's also better to disable user accounts which are not used within a reasonable period of the communication being sent, as this may indicate that the address was incorrect.

Posted on: 26 August 2008 at 09:49 hrs

Procedures : Web Security, Usability and Design

© 2008-2010 clerkendweller.com