The Center for Education and Research in Information Assurance and Security (CERIAS)


Reports and Papers Archive



Multi-Agency Certification and Accreditation (C&A) Process: A Worked Example

Ellen Flahavin, Annabelle Lee, Dawn Wolcott
Added 2002-07-26


Good Security Practices for Electronic Commerce, Including Electronic Data Interchange

Roy G. Saltman, ed.

Electronic Commerce (EC) is the use of documents in electronic form, rather than paper, for carrying out functions of business or government that require interchange of information, obligations, or monetary value between organizations.  Electronic data interchange (EDI) is the computer-to-computer transmission of strictly formatted messages that represent documents; EDI is an essential component of EC.  With EC, human participation in routine transactions is reduced and decisions are made more rapidly, leaving much less time to detect and correct errors.  This report presents security procedures and techniques (which encompass internal controls and checks) for the development and operation of EC systems.  Principles of risk management and definition of parameters for quantitative risk assessments are provided.  The content of the trading partner agreement is discussed, and the components of EC, including the network(s) connecting the partners, are described.  Some security techniques considered include audit trails, contingency planning, use of acknowledgements, electronic document management, activities of supporting networks, user access controls to systems and networks, and cryptographic techniques for authentication and confidentiality.

Added 2002-07-26
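Three of the techniques the abstract lists (message authentication, acknowledgements, and an audit trail) fit together in one exchange. The following is an added example, not code from the report or from NIST: a receiver that verifies an HMAC on an EDI envelope, refuses replayed sequence numbers, records every decision in an audit trail, and returns a signed functional acknowledgement bound to the exact bytes it accepted. The shared key, the sequence-number scheme, and the sample purchase order are constructed assumptions.

```python
import hashlib
import hmac
import json

# Constructed shared secret for the two trading partners (assumption: exchanged
# out of band under the trading partner agreement; not from the NIST report).
SHARED_KEY = b"constructed-example-key-do-not-reuse"

AUDIT_TRAIL = []  # constructed in-memory audit log of every accept/reject decision


def canonical(sender, seq, payload):
    """Serialize the envelope deterministically so both sides MAC identical bytes."""
    return json.dumps(
        {"sender": sender, "seq": seq, "payload": payload},
        sort_keys=True, separators=(",", ":"),
    ).encode()


def sign_message(key, sender, seq, payload):
    """Attach an HMAC-SHA256 tag; seq is a per-sender monotonically increasing counter."""
    body = canonical(sender, seq, payload)
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return {"body": body.decode(), "mac": tag}


def mac_ok(key, envelope):
    """Constant-time comparison of the received tag against a freshly computed one."""
    expected = hmac.new(key, envelope["body"].encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, envelope["mac"])


def verify_and_ack(key, envelope, last_seq_seen):
    """Check the MAC first, then the sequence number, then log and acknowledge.
    Returns (status, ack_or_reason, new_last_seq)."""
    body = envelope["body"].encode()
    digest = hashlib.sha256(body).hexdigest()
    if not mac_ok(key, envelope):
        AUDIT_TRAIL.append(("REJECT", "bad-mac", digest))
        return "REJECT", "bad-mac", last_seq_seen
    msg = json.loads(body)
    if msg["seq"] <= last_seq_seen:
        AUDIT_TRAIL.append(("REJECT", "replay", msg["sender"], msg["seq"]))
        return "REJECT", "replay", last_seq_seen
    AUDIT_TRAIL.append(("ACCEPT", msg["sender"], msg["seq"], digest))
    # Functional acknowledgement: signed by the receiver and bound to the
    # digest of the exact bytes accepted, so the sender can prove delivery.
    ack = sign_message(key, "receiver", msg["seq"], {"ack_of": digest})
    return "ACCEPT", ack, msg["seq"]


def demo():
    """Constructed purchase order, then a tampered copy, then a replay."""
    order = {"doc": "850", "po": "PO-1001", "amount": "1250.00"}
    env = sign_message(SHARED_KEY, "buyer", 1, order)
    status1, ack, last = verify_and_ack(SHARED_KEY, env, 0)
    tampered = dict(env)
    tampered["body"] = env["body"].replace("1250.00", "9250.00")  # MAC no longer matches
    status2, _, last = verify_and_ack(SHARED_KEY, tampered, last)
    status3, _, last = verify_and_ack(SHARED_KEY, env, last)     # seq 1 already seen
    return status1, status2, status3, ack


if __name__ == "__main__":
    print(demo())
    for entry in AUDIT_TRAIL:
        print(entry)
```

The order of checks matters: the MAC is verified before the body is parsed, so an attacker cannot drive the JSON parser or the sequence logic with unauthenticated input, and the audit trail records the digest of rejected messages without trusting any field inside them.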

Private Branch Exchange (PBX)

National Institute of Standards and Technology
Added 2002-07-26


Assessing Federal and Commercial Information Security Needs

David F. Ferraiolo, Dennis M. Gilbert, Nickilyn Lynch

In a cooperative effort with government and industry, the National Institute of Standards and Technology (NIST) conducted a study to assess the current and future information technology (IT) security needs of the commercial, civil, and military sectors. The primary objectives of the study were to:
* determine a basic set of information protection policies and control objectives that pertain to the secure processing needs of organizations within all sectors; and
* identify protection requirements and technical approaches that are used, desired, or sought so they can be considered for future federal standards and guidelines.
The findings of this study address the basic security needs of IT product users, including system developers, end users, administrators, and evaluators.  Security needs have been identified based on actual, existing, and well-understood organizational security practices.

Added 2002-07-26

Threat Assessment of Malicious Code and External Attacks

Lawrence E. Bassham, W. Timothy Polk
Added 2002-07-26

Minimum Security Requirements for Multi-User Operating Systems

U.S. Department of Commerce

The Minimum Security Requirements for Multi-User Operating Systems (MSR) document provides basic commercial computer system security requirements applicable to both government and commercial organizations.  These requirements include technical measures that can be incorporated into multi-user, remote-access, resource-sharing, and information-sharing computer systems.  The MSR document was written from the perspective of protecting the confidentiality and integrity of an organization's resources and promoting the continual availability of these resources.  The MSR presented in this document form the basis for the commercially oriented protection profiles in Volume II of the draft Federal Criteria for Information Technology Security document (known as the Federal Criteria).  The Federal Criteria is currently a draft and supersedes this document.  The MSR document has been developed by the MSR Working Group of the Federal Criteria Project under National Institute of Standards and Technology (NIST) leadership with a high level of private sector participation.  Its contents are based on the Trusted Computer System Evaluation Criteria (TCSEC) C2 criteria class, with additions from current computer industry practice and commercial security requirements specifications.

Added 2002-07-26

Technology Assessment: Methods for Measuring the Level of Computer Security

William Neugent, John Gilligan, Lance Hoffman, Zella G. Ruthberg

I

Added 2002-07-26

Keeping Your Site Comfortably Secure: An Introduction to Internet Firewalls

John P. Wack, Lisa J. Carnahan

This document provides an overview of the Internet and its security-related problems.  It then provides an overview of firewall components and the general reasoning behind firewall usage.  Several types of network access policies are described, as well as technical implementations of those policies.  Lastly, the document contains pointers and references for more detailed information.  The document is designed to assist users in understanding the nature of Internet-related security problems and what types of firewalls will solve or alleviate specific problems.  Users can then use this document to assist in purchasing or planning a firewall.

Added 2002-07-26
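The practical difference between the network access policies the abstract refers to is the default stance: whether traffic that matches no explicit rule is denied or permitted. The following is an added example, not code from the Wack and Carnahan document or from NIST: a first-match packet filter run under both stances against the same rule set and the same constructed packets. The site addresses, the host roles, and the rule set are assumptions chosen for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed site layout (assumption, not from the NIST document):
# 192.0.2.0/24 is the protected site; .10 is the mail relay, .20 the web server.
SITE = "192.0.2.0/24"
MAIL_HOST = "192.0.2.10/32"
WEB_HOST = "192.0.2.20/32"
ANY = "0.0.0.0/0"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str            # "permit" or "deny"
    src: str               # CIDR
    dst: str               # CIDR
    proto: str             # "tcp", "udp" or "any"
    dport: Optional[int]   # None matches any port


def matches(rule: Rule, pkt: Packet) -> bool:
    """True when every field of the rule covers the packet."""
    return (
        ipaddress.ip_address(pkt.src) in ipaddress.ip_network(rule.src)
        and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(rule.dst)
        and rule.proto in ("any", pkt.proto)
        and rule.dport in (None, pkt.dport)
    )


def decide(rules: List[Rule], pkt: Packet, default: str) -> str:
    """First-match packet filter; `default` is the stance applied when no rule matches."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return default


# Explicit rules shared by both stances: inbound mail and web are wanted,
# telnet is explicitly refused, nothing is said about any other service.
RULES = [
    Rule("permit", ANY, MAIL_HOST, "tcp", 25),
    Rule("permit", ANY, WEB_HOST, "tcp", 80),
    Rule("deny", ANY, SITE, "tcp", 23),
]

# Constructed inbound packets from one outside host.
SAMPLE = {
    "smtp_to_relay": Packet("198.51.100.7", "192.0.2.10", "tcp", 25),
    "telnet_to_web": Packet("198.51.100.7", "192.0.2.20", "tcp", 23),
    "nfs_to_internal": Packet("198.51.100.7", "192.0.2.45", "udp", 2049),
}


def compare_stances(rules, packets):
    """Return {name: (decision under deny-by-default, decision under permit-by-default)}."""
    return {
        name: (decide(rules, pkt, "deny"), decide(rules, pkt, "permit"))
        for name, pkt in packets.items()
    }


if __name__ == "__main__":
    for name, (strict, lax) in compare_stances(RULES, SAMPLE).items():
        print(f"{name:18s} deny-by-default={strict:6s} permit-by-default={lax}")
```

The first two packets get the same answer under either stance because a rule covers them. The third, NFS to an internal host nobody listed, is the case the policy choice decides: a deny-by-default filter blocks it without anyone having anticipated it, while a permit-by-default filter lets it through until someone writes a rule for it, which is why the stricter stance is the usual recommendation for a site firewall.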


Computer Security Training Guidelines

Mary Anne Todd, Constance Guitian
Added 2002-07-26