Providing Assurance on the World Wide Web
The WebTrust Initiative
Dsheehy@grantthornton.ca

A Little eCommerce History
- 1962 - Internet conceived
- 1969 - 4 US college campuses are linked, creating ARPANET
- 1971 - ARPANET grows to 23 hosts
- 1972 - InterNetwork Working Group (INWG) is born
- 1979 - USENET groups first appear
- 1982 - The term "Internet" appears

How Big is This Internet?
- Difficult to predict with any certainty
- Huge growth in the past two years
- As of July 13, the Web now comprises over 2.1 billion pages
- Internet now estimated at > 348m people (148m in US and Canada)
- By 2006, estimated at > 720m people

1997 Market Estimates
- Projected to grow - projections vary
- "The total value of goods and services traded between companies over the Internet will reach $8 billion this year and $327 billion in the year 2002. The rapid growth of intercompany commerce will cause businesses to adopt dynamic trading processes." - Forrester, July 1997

How Big is This Market?
- Still in its infancy, with growing pains
- One US projection: $70b ('99), $161 billion this year, $303 billion in 2001, to $851b (2003)
- Worldwide projection: $76b to $1.442 in 2003

Let's Compare B2C
- Christmas 1999 - $10.5 billion
- 2000 - estimate $19.5 billion
- Last year, 78% of internet users used the internet in some capacity: 33% bought online and 45% gathered information online
- Shoppers: 42% female in 1999, now 63%
- In the words of "Buzz Lightyear": To Infinity and Beyond!!!

The eCommerce Transaction Processing Cycle
[Diagram: user authentication and commerce server in the demilitarized zone behind a firewall, with links out to payment processing and to transaction processing]

Processing Cycle - Transaction Processing
[Diagram: firewall, transaction server, application server, business database and other processes]

Processing Cycle - Payment Processing
[Diagram: payment gateway behind a firewall, a second firewall, then the acquiring bank]

What are the Concerns?
Client and Public (B2C)
- Privacy concerns
- Security of sites
- Timely delivery of product
- Reliable sites - impersonations
B2B
- As above + confidentiality and non-repudiation

Recent News About Privacy
- Sept 18 - More.com sued for releasing private info
- Sept 3 - Amazon changes privacy policy
- Sept 14 - Two leading online privacy groups drop out of Amazon's affiliate program
- August 18 - Judge blocks Toysmart from selling personal information
- Aug 17 - Love Letter virus variant steals banking info from Swiss bank accounts

Issue of Security - Recent Headline
Denial of Service Attacks Disrupt Internet
- eBay down! Charles Schwab down! Amazon.com down! CNN.com down!
- Entire network affected
"On Monday and Tuesday, February 7 and 8, 2000, a large number of major sites across the US were assaulted by 'Denial of Service' (DoS) attacks."

Internet Threats (Examples)
- Spoofing
- Packet sniffing
- Exploiting vulnerabilities (e.g. firewall / operating system)
- Password cracking / guessing
- Denial of service
- Buffer overflow

Web Spoofing
The attacker's Web server sits between the victim and the rest of the Web: a "man in the middle" attack. The attack is facilitated by rewriting all of the URLs on a baiting Web page so that they point to the attacker's server rather than to the real server. For example, http://home.netscape.com becomes http://www.attacker.org/http://home.netscape.com. Once the victim's request is captured, the attacker "spoofs" the user by retrieving the real page and rewriting it before forwarding it to the user.

Web Spoofing Illustrated
1. The victim's browser requests the spoof URL from www.attacker.com
2. www.attacker.com requests the real URL from www.server.com
3. www.server.com returns the real page contents to www.attacker.com
4. At www.attacker.com the page is rewritten to reveal access codes or change page contents
5. The spoofed page contents are returned to the victim's browser

Password Cracking / Guessing
- Software-based dictionary checking (extremely fast)
- Social engineering
- Brute force (maybe with some intelligence)
- Objective: to find the "keys to the kingdom" (i.e. Administrator / Root / Supervisor)

Buffer Overflow
- Occurs when more data is placed into a computer memory space than was provided for
- Example: placing 800 "a"s into a space defined to hold 30
- Result: unexpected program response - shut down the service, display source code, or execute attacker code (to gain superuser rights to the O/S)

Background to WebTrust
- Special Committee ("Elliott")
  - Assurance service recommendations
  - On-going process for new services
- Assurance Services Executive Committee - dual focus
  - Build the practice for the profession
  - Promulgate user-oriented measurement criteria
- Joint AICPA / CICA team efforts

Benefits of the WebTrust Family
- Improved business disclosure and practices
- Better transaction processing and security
- Enhanced trust and confidence on "the net"
- Greater competition, greater array of choices for the customer
- Helps "level the playing field"

Independent Verification
- Independent verification can allay the majority of these fears, as a financial statement audit does
- Public accounting is quality controlled the world over
- Also serves as a valuable eCommerce consulting tool in understanding best practices
- Follows a standardized process from Web site to Web site, giving comfort to oversight authorities

The WebTrust "Process"
- Management makes representations about eCommerce practices and disclosures
- CA collects evidence to support management's assertions
- CA examines the representations
- CA issues the seal

History of WebTrust
- Conceived December 1996
- December 1997 - Version 1.0
- June 1998 - Version 1.1
- November 1999 - Version 2.0
- Fall 2000 - Version 3.0 introduction
- Also WebTrust for Certification Authorities (next week) and ISPs

WebTrust Now
- Still the only comprehensive seal of assurance, but now the pitch is an eCommerce business solution
- Focus on all aspects of eCommerce, and flexible to the specific needs of the eCommerce entity (Ver 3.0)
- Based on WebTrust Principles and Criteria
- Accountant licensed by the Institute after training
- Accountant's report posted on a new secure server
- Site is re-evaluated every 180 days versus 90 days
- Each firm and each engagement still subject to independent QC reviews

e-Commerce Assurance - WebTrust Version 3
Will allow reports on one or multiple principles:
- Privacy
- Availability
- Confidentiality
- Security
- Transaction Integrity
- Non-repudiation

More Details
Security - The enterprise discloses key security policies, complies with such security policies, and maintains effective controls to provide reasonable assurance that access to the electronic commerce system and data is restricted only to authorized individuals in conformity with its disclosed security policies.
Privacy - The enterprise discloses its privacy practices, complies with such privacy practices, and maintains effective controls to provide reasonable assurance that personally identifiable information obtained as a result of electronic commerce is protected in conformity with its disclosed privacy practices.
Transaction Integrity - The enterprise discloses its business practices for electronic commerce, executes transactions in conformity with such practices, and maintains effective controls to provide reasonable assurance that electronic commerce transactions are processed completely, accurately and in conformity with its disclosed business practices.

More Details
Confidentiality - The enterprise discloses its confidentiality practices, complies with such confidentiality practices, and maintains effective controls to provide reasonable assurance that access to information obtained as a result of electronic commerce and designated as confidential is restricted to authorized individuals in conformity with its disclosed confidentiality practices.
Availability - The enterprise discloses its practices for availability, complies with such availability disclosures, and maintains effective controls to provide reasonable assurance that e-commerce systems and data are available as disclosed.
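The Web Spoofing slides earlier in the deck describe a baiting page whose links have been rewritten so that each one carries the real URL inside the attacker's URL (http://www.attacker.org/http://home.netscape.com). A defender reviewing a page or a proxy log can detect that pattern mechanically. The C code below is an added example, not material from the deck or from WebTrust: it flags any link whose path component is itself an absolute URL. The sample page and the host names www.attacker.org and bank.example in it are constructed for the demonstration.

```c
/* Added example (not from the deck): flag links whose path is itself an
 * absolute URL, the rewriting pattern the Web Spoofing slide describes.
 * Constructed sample page and host names are illustrative only. */
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Does s begin with an RFC 3986 scheme ("http", "https", ...) followed by "://"? */
static int starts_with_scheme(const char *s)
{
    if (!isalpha((unsigned char)s[0]))
        return 0;
    const char *q = s + 1;
    while (isalnum((unsigned char)*q) || *q == '+' || *q == '-' || *q == '.')
        q++;
    return strncmp(q, "://", 3) == 0;
}

/* If url's path component starts with another absolute URL, return a
 * pointer to that embedded URL (inside url); otherwise return NULL.
 * Only the path prefix is inspected, so a query parameter such as
 * ?next=http://... is deliberately not flagged by this check. */
const char *embedded_absolute_url(const char *url)
{
    if (!starts_with_scheme(url))
        return NULL;                      /* relative link: nothing to examine */
    const char *authority = strstr(url, "://") + 3;
    const char *path = strchr(authority, '/');
    if (!path)
        return NULL;                      /* no path at all */
    while (*path == '/')                  /* tolerate "//" and "///" */
        path++;
    return starts_with_scheme(path) ? path : NULL;
}

/* Count href="..." values in html whose path embeds an absolute URL.
 * Minimal scanner for the demo: no entity decoding, double quotes only. */
int count_spoof_style_links(const char *html)
{
    int hits = 0;
    const char *p = html;
    char link[512];
    while ((p = strstr(p, "href=\"")) != NULL) {
        p += 6;
        const char *end = strchr(p, '"');
        if (!end)
            break;
        size_t len = (size_t)(end - p);
        if (len >= sizeof link)
            len = sizeof link - 1;
        memcpy(link, p, len);
        link[len] = '\0';
        if (embedded_absolute_url(link))
            hits++;
        p = end + 1;
    }
    return hits;
}

/* Constructed baiting page: two rewritten links, one normal, one relative. */
const char *const SAMPLE_PAGE =
    "<a href=\"http://www.attacker.org/http://home.netscape.com\">Netscape</a>\n"
    "<a href=\"https://www.attacker.org//https://bank.example/login\">Bank</a>\n"
    "<a href=\"http://home.netscape.com/index.html\">Real</a>\n"
    "<a href=\"/local/page.html\">Local</a>\n";

int main(void)
{
    const char *e = embedded_absolute_url("http://www.attacker.org/http://home.netscape.com");
    printf("embedded target: %s\n", e ? e : "(none)");
    printf("spoof-style links in sample page: %d\n", count_spoof_style_links(SAMPLE_PAGE));
    return 0;
}
```

The check is narrow by design: it catches the path-prefix rewriting the slide shows and leaves redirect parameters alone, so it produces few false positives on ordinary pages. Run over the constructed page it reports two of the four links.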
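The Password Cracking / Guessing slide notes that software-based dictionary checking is extremely fast. The practical defence is to run the same kind of check before a password is accepted, so that the words a dictionary attack tries first are never set. The C code below is an added example, not from the deck or from WebTrust: it canonicalises a candidate password (strips a trailing digit or punctuation suffix, undoes common leet substitutions, lower-cases) and compares it against a word list. The word list and the substitution table are constructed for the demonstration; a real deployment would load a large list.

```c
/* Added example (not from the deck): reject passwords that a dictionary
 * checker would find instantly, including mixed case, digit/punctuation
 * suffixes and leet substitutions. Word list is constructed for the demo. */
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Constructed mini dictionary; a real deployment loads a large list. */
static const char *const WEAK_WORDS[] = {
    "password", "admin", "administrator", "root", "supervisor",
    "welcome", "letmein", "qwerty"
};

/* Map common leet substitutions back to letters and lower-case the rest. */
static char unleet(char c)
{
    switch (c) {
    case '0': return 'o';
    case '1': case '!': case '|': return 'i';
    case '3': return 'e';
    case '4': case '@': return 'a';
    case '5': case '$': return 's';
    case '7': return 't';
    default:  return (char)tolower((unsigned char)c);
    }
}

/* Canonical form: strip trailing digits/punctuation ("123", "!"), then undo
 * leet and case. Returns the length of the canonical form. */
size_t canonical_password(const char *pw, char *out, size_t cap)
{
    size_t len = strlen(pw);
    while (len > 0 && (isdigit((unsigned char)pw[len - 1]) ||
                       ispunct((unsigned char)pw[len - 1])))
        len--;
    if (len >= cap)
        len = cap - 1;
    for (size_t i = 0; i < len; i++)
        out[i] = unleet(pw[i]);
    out[len] = '\0';
    return len;
}

/* 1 if the password is a dictionary word under the mutations above, or if
 * it consists only of digits and punctuation; otherwise 0. */
int password_is_weak(const char *pw)
{
    char canon[256];
    if (canonical_password(pw, canon, sizeof canon) == 0)
        return 1;                         /* e.g. "123456": nothing but a suffix */
    for (size_t i = 0; i < sizeof WEAK_WORDS / sizeof WEAK_WORDS[0]; i++)
        if (strcmp(canon, WEAK_WORDS[i]) == 0)
            return 1;
    return 0;
}

int main(void)
{
    const char *samples[] = { "password", "P@ssw0rd123", "Admin!", "R00t",
                              "123456", "Tr0ub4dor&3", "correct horse battery" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-24s %s\n", samples[i],
               password_is_weak(samples[i]) ? "weak (dictionary)" : "ok");
    return 0;
}
```

Because the check normalises before comparing, "P@ssw0rd123" and "Admin!" are rejected just as "password" and "admin" are, which is exactly how a cracking tool would have found them.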
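The Buffer Overflow slide gives the scenario of 800 "a"s written into a space defined to hold 30. The C code below is an added example, not from the deck or from WebTrust, showing that scenario at the source level: the unchecked copy that produces the slide's "unexpected program response", beside two bounded versions, one that rejects oversize input and one that truncates it and reports that it did. The field size of 30 follows the slide; the input generator and helper names are constructed for the demonstration.

```c
/* Added example (not from the deck): a 30-byte field receiving 800 "a"s,
 * as an unchecked copy beside two bounded alternatives. */
#include <stdio.h>
#include <string.h>

#define FIELD_SIZE 30          /* the "space defined to hold 30" */

/* VULNERABLE: strcpy copies until the source NUL, however long the source.
 * With an 800-byte input it writes far past the end of dst; what follows
 * (crash, corrupted data, hijacked control flow) is the slide's "unexpected
 * program response". Kept for contrast only; never called with long input. */
void store_unchecked(char dst[FIELD_SIZE], const char *src)
{
    strcpy(dst, src);
}

/* Reject: copy only if src plus its NUL fits. Returns 1 on success, 0 if too long. */
int store_checked(char dst[FIELD_SIZE], const char *src)
{
    size_t len = strlen(src);
    if (len >= FIELD_SIZE) {
        dst[0] = '\0';         /* leave a well-formed empty field */
        return 0;
    }
    memcpy(dst, src, len + 1);
    return 1;
}

/* Truncate: always fits. Returns 1 if data was cut off, so the caller can log it. */
int store_truncating(char dst[FIELD_SIZE], const char *src)
{
    int wanted = snprintf(dst, FIELD_SIZE, "%s", src);
    return wanted >= FIELD_SIZE;
}

/* Constructed input: n copies of c (n capped below the static buffer size). */
const char *repeat_char(char c, size_t n)
{
    static char buf[1024];
    if (n >= sizeof buf)
        n = sizeof buf - 1;
    memset(buf, c, n);
    buf[n] = '\0';
    return buf;
}

/* 1 if an n-byte input is accepted by the rejecting store, else 0. */
int checked_accepts(size_t n)
{
    char field[FIELD_SIZE];
    return store_checked(field, repeat_char('a', n));
}

/* Bytes actually stored after the truncating store of an n-byte input. */
size_t truncated_length(size_t n)
{
    char field[FIELD_SIZE];
    store_truncating(field, repeat_char('a', n));
    return strlen(field);
}

int main(void)
{
    printf("800 'a' into %d bytes, checked: accepted=%d\n", FIELD_SIZE, checked_accepts(800));
    printf("800 'a' into %d bytes, truncating: stored %zu bytes\n", FIELD_SIZE, truncated_length(800));
    printf("29 'a' into %d bytes, checked: accepted=%d\n", FIELD_SIZE, checked_accepts(29));
    return 0;
}
```

Note the boundary: a 29-byte string is the longest that fits, because the terminating NUL needs the thirtieth byte; an input of exactly 30 characters is already an overflow for the unchecked version, which is why the checked version tests `len >= FIELD_SIZE` rather than `len > FIELD_SIZE`.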
Non-repudiation - The enterprise discloses its practices for non-repudiation, complies with such practices, and maintains effective controls and appropriate records to provide reasonable assurance that the authentication and integrity of transactions and messages received electronically are provable to third parties in conformity with its disclosed non-repudiation practices.

More Details
Customized Disclosures (must be issued in conjunction with at least one other principle) - The enterprise's specified disclosures are consistent with professional standards for suitable criteria and relevant to its electronic commerce business. In addition, the enterprise maintains effective controls over the processes supporting such disclosures to provide reasonable assurance that such disclosures are reliable.

Status of Modules - March 5/01
Principle               Current status
(1) Privacy             Published
(2) Security            Published
(3) Trans. Integrity    Published
(4) Availability        Published
(5) Non-repudiation     In development
(6) Confidentiality     Exposure soon
(7) Customized disc.    In development

"Value Pack" Engagements
- Customer protection - transaction integrity and privacy
- Service providers - not yet decided
- Special seals
- Must meet all to get the seal

What's Easier to Sell?
- Privacy is a hot issue
- Security permeates - duplication with the security module
- If Version 2 - then transaction integrity and privacy - consumer protection
- Availability - service providers, B2B extranets
- Confidentiality / non-repudiation - B2B extranets etc.
- Customized disclosure

Modules - Framework
- Each module to have a common framework
- Framework consists of 4 topics under which criteria are to be grouped:
  - Policies (goals and objectives)
  - Procedures and technology tools
  - Monitoring (performance measures)
  - Disclosures
- Consumer recourse to be considered for each module

WebTrust Seal
- Web consumer would see the seal on a Web page
- Would then click on it to access additional information
- Display of firm name and logo is optional
- "Click" to see the report and other information

What the User Sees by Clicking on the Seal
- VeriSign certificate information
- Accountant's (XY&Z's) report
- Management's assertions
- Business practices disclosures
- Link to AICPA/CICA WebTrust Principles & Criteria
- Other relevant information

Let's Look at a Few Sites
- HD Vest
- Bell Canada
- Charity.ca
- E-Trade
- American Red Cross

WebTrust Secure Server & Seal Design
- Server - outsource management to an ISP
- ISP responsibilities: verify validity of the seal, post the auditor's report, Principles and Criteria, managed list of valid sites
- Client site contains the WebTrust seal and disclosures; seal linked to the secure server

Seal Design
- WebTrust is our brand - more marketable
- Optional addition of firm name
- Independent Verification - blinking "Click"
- Second click of the seal: modules tested, links to standards, report, etc.

Providing WebTrust Services
- Assurance Standards (Section 5025)
- Examination level
- Independence

Providing WebTrust Services
- Practicing across provincial, state and international boundaries

Client & Engagement Acceptance
- Client acceptance: nature of business, reputation, management
- Engagement acceptance: control environment, nature of sites
- Are they likely to meet the criteria?
Expertise Required
- Code of Professional Ethics
- Section 5025 minimum competencies

Providing WebTrust Services - Engagement Letters
- Dates
- Period covered by the accountant's report
- Period between updates
- Control on the seal
- Requirements of the WebTrust license

Scoping the Work
- Business locations, Web hosting locations, ISPs
- Products / services included & excluded
- Complexity - the exponential effect
- Time requirements - first examination
  - Low-end simple sites: probably 2 or 4 weeks minimum
  - High-end complex sites: probably 8 to 15 weeks
  - Less for clients where we've performed work on eComm systems (audit or consulting)
- Time requirements - update examinations
  - Changes, change management controls, etc.
- Estimation template

Skill Sets Needed
- Professional standards
- Systems concepts
- Business & transaction initiation
- Hardware
- Software
- Networks / Internet
- Outside experts

Engagement Management
- Documentation: working papers, engagement summaries
- Management representation letter
- Accountant's report
- Dealing with changes to the Web site
- Self-assessment document
- System of quality control

Implementation Planning
- Skills & competencies - TRM and assurance
- Targeting your clients - hot buttons
- Related services - consulting
- Sales process - often many calls
- Marketing - new materials under development
- Seal management & administration - new process
- Internal firm guidance
- System of quality control

Key Sites
- www.cica.ca
- www.aicpa.org
- www.truste.org