WATSON HALL
S2-2009-1.1
Watson Hall Ltd
London 020 7183 3710
Edinburgh 0131 510 2001
info@watsonhall.com
www.watsonhall.com
Retail security due diligence case study
website and web application security
Most companies have an online presence, and often this is also transactional, fulfilling some business processes. For some organisations, the website application may be the only channel through which some processes are undertaken.
To assess an investment opportunity, a due diligence review will usually be undertaken that includes information systems in its scope, and a security review will form part of this. But the unique characteristics of websites and web applications mean that specialist knowledge is required for investigation and analysis.
Background
Venture capital (VC) companies work on behalf of their own third-party investors to provide investment to enterprises that are considered too risky for the standard capital markets or bank loans. A relatively new online retail organisation was looking to fund growth into a novel product area and approached a London-based VC company for an investment as cash in exchange for shares.
The VC company specialised in this retail area and had begun a broad due diligence investigation including information systems. This had raised some issues: the website seemed to be underperforming in its online marketing through MSN, Yahoo, Google and DoubleClick. There were also concerns about compliance with the United Kingdom's Data Protection Act, the accuracy of existing website statistics, conversion ratios and customer loyalty. Since the website was such a major element in the proposed project and there seemed to be a lack of good business practice in its operation, the VC company decided to ask for specialist assistance to review the website, and in particular its security risks, in more detail.
Approach
The information received during the initial due diligence review was re-examined and a schedule of areas fo