Framework to identify and manage risks in Web 2.0 applications
Keywords:
Web 2.0, social networking, security risks, computer risks, control framework, control objectives for information and related technology (CobiT), trust service principles and criteriaAbstract
Web 2.0 applications are continuously moving into the corporate mainstream. Each new development brings
its own threats or new ways to deliver old attacks. In order to mitigate these security risks, internal controls
should be implemented at different levels. In order to identify the risks, a proper control framework of
generally accepted control techniques and practices are needed as a benchmark. Because, implementing
these control techniques on their own is merely ad hoc, if not linked to a proper control framework or model.
The objective of this study is to develop a framework that can be used to identify the security issues an
organisation is exposed to through Web 2.0 applications, with specific focus on unauthorised access. An
extensive literature review was performed to obtain an understanding of the technologies driving Web 2.0
applications. Thereafter, the technologies were mapped against control objectives for information and
related technology (CobiT) and trust service principles and criteria and associated control objectives
relating to security risks. These objectives were used to develop a framework that can be used to identify
risks and formulate appropriate internal control measures in any organisation using Web 2.0 applications.
Every organisation, technology and application is unique and the safeguards depend on the nature of the
organisation, information at stake, degree of vulnerability and risks. A comprehensive security program
should include a multi-layer approach comprising of a control framework, combined with a control model
considering the control processes in order to identify the appropriate control techniques.