JCIT – Judicial Standards for Website Presentation and Content

IV. Website Transaction Risk
In the course of communicating and transacting business over the Internet, citizens expect their transactions to be processed completely, accurately and in a timely manner. The courts are responsible for ensuring that risks have been considered and that appropriate controls are in place to ensure that transactions are processed completely, accurately, and in a timely manner. The courts must also ensure that users are authenticated before they are granted access to protected data and transactions.

Web-based Transactions Standards
| | Option 1 – Limited Web-based Transaction Processing | Option 2 – Advanced Web-based Transaction Processing |
|---|---|---|
| Description | Provide the same information access capabilities to all users. Do not provide a means for transaction origination or user authentication via the court Website. | Provide capabilities to authenticate users and originate transactions, including accepting payments, via the court Website. |
| Benefits | This approach achieves basic information accessibility with less cost and risk. | This approach allows the court to improve services to citizens and streamline internal processes by processing transactions, including accepting payments, via the court Website. |
| Disadvantages | This approach does not provide a means to allow for services such as electronic payment via the court Website. | In order to implement the capabilities effectively, up-front risk analysis and planning are required by the court. More expense is incurred. |
Limited Web-based Transaction Processing

For the Limited Web-based Transaction Processing Website, security is not as critical because the transaction risk is minimal. If the Website is compromised, the attackers could deface the Website but could not initiate unauthorized transactions or obtain access to protected information.

1. The court Website will provide information via static Web pages or dynamic content, but users do not have the capability to log on to the site or initiate transactions. If Web-enabled applications are provided, they only include information query and presentation capabilities. Information provided by the Website is not protected by state or federal law.
Advanced Web-based Transaction Processing

For the Advanced Web-based Transaction Processing Website, security is critical because transaction risk increases as the Website provides more transactions. If the Website is compromised, the attackers could deface the Website and/or initiate unauthorized transactions to obtain monetary gain, corrupt data, or view protected information.

1. The court will consider the risks of providing Web-based transactions in the application-planning phase. The process which the court employs to evaluate the internal control requirements for electronic transactions and information shall include the following:

(a) Examine the current business process that is being converted to employ electronic transactions, identifying the existing risks associated with fraud, error or misuse, as well as customer needs and demands.

(b) Consider what risks may arise from the use of electronic transactions or documents. This evaluation must take into account the relationships of the parties, the value of the transactions, future access requirements (e.g., audit), and the benefits that accrue from the use of electronic transactions.

(c) Consult with counsel about any specific legal implications of using electronic transactions in the particular application.

(d) Evaluate how each electronic signature alternative may minimize risk compared to the costs incurred in adopting that alternative. The term "signature" has long been understood as including "any symbol executed or adopted by a party with present intention to authenticate a writing" (Uniform Commercial Code, 1-201(39) (1970)). These flexible definitions permit the use of different electronic signature technologies, such as digital signatures, digitized signatures or biometrics. State of Texas laws are technology neutral; however, the technology for digitized signatures or biometrics is for the most part vendor specific and may not scale to meet local, state and federal application requirements. The primary focus at this time is on using digital signatures as part of a public key infrastructure (PKI) initiative.
2. If authentication is required for a Web-based transaction, at a minimum a username and password will be required, and the user login session must be encrypted using Secure Sockets Layer (SSL). Courts will use 128-bit encryption or provide a warning to the user if they elect to provide information using only 40-bit encryption. Courts must follow several privacy tenets:

(a) Electronic authentication shall only be required where needed. Many transactions do not need, and shall not require, detailed information about the individual.

(b) When electronic authentication is required for a transaction, do not collect more information from the user than is required for the application.

(c) Users will be able to decide the scope of their electronic means of authentication.
3. If the court Website requires users to enter sensitive information, then it must provide a secure environment based on the sensitivity of the information being gathered. SSL will be used to encrypt sensitive information in transit, and the database management system will be used to secure sensitive data stored in the database.
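As an added example (not part of the JCIT standard or any court's own system), the following Python handler enforces the rules in items 2 and 3 above on a login or sensitive-data submission: credentials are accepted only over an encrypted SSL/TLS session, a session negotiated below 128 bits produces the user-facing warning the standard calls for before any information is accepted, an unencrypted request is refused outright, and the username/password pair is verified against a salted PBKDF2 hash store rather than stored passwords. The `Request` structure, the `USERS` store, the `clerk01` account and every value in it are constructed for the example; `cipher_bits` stands in for the key length a real server reports for the negotiated cipher.

```python
"""Transport and credential checks for a court Website login handler.

Added example, not part of the JCIT standard.  Every structure and value
below is constructed for illustration.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass

MIN_STRONG_BITS = 128   # strength the standard expects; weaker sessions need a warning
PBKDF2_ROUNDS = 100_000


@dataclass
class Request:
    """Minimal stand-in for a framework request object (constructed)."""
    scheme: str          # "http" or "https"
    cipher_bits: int     # key bits of the negotiated cipher, 0 if none
    form: dict           # submitted form fields


def evaluate_transport(request):
    """Classify the transport a sensitive request arrived over.

    "reject": plaintext HTTP or no negotiated cipher - never accept credentials
    "warn":   encrypted but below 128 bits (e.g. a 40-bit export cipher)
    "ok":     128-bit or stronger
    """
    if request.scheme != "https" or request.cipher_bits <= 0:
        return "reject"
    if request.cipher_bits < MIN_STRONG_BITS:
        return "warn"
    return "ok"


def hash_password(password, salt=None):
    """Derive a salted PBKDF2-SHA256 digest; returns (salt, digest)."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password, salt, expected_digest):
    """Constant-time comparison of a freshly derived digest with the stored one."""
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, expected_digest)


# Constructed user store: username -> (salt, digest).  A real court system
# would keep this in the database management system named in item 3.
USERS = {"clerk01": hash_password("correct horse battery staple")}


def handle_login(request, users=USERS, acknowledged_warning=False):
    """Process a login POST under the transport and credential rules.

    Returns (status, detail) with status one of
    "rejected_transport", "warning_required", "denied", "authenticated".
    """
    transport = evaluate_transport(request)
    if transport == "reject":
        # Credentials that crossed the network unencrypted are never processed.
        return "rejected_transport", "credentials must be submitted over SSL"
    if transport == "warn" and not acknowledged_warning:
        # Item 2: warn the user before accepting data over a sub-128-bit session.
        return "warning_required", (
            f"session uses only {request.cipher_bits}-bit encryption")
    username = request.form.get("username", "")
    password = request.form.get("password", "")
    record = users.get(username)
    if record is None:
        # Derive a digest anyway so an unknown username costs the same time.
        hash_password(password, b"\x00" * 16)
        return "denied", "invalid username or password"
    salt, digest = record
    if not verify_password(password, salt, digest):
        return "denied", "invalid username or password"
    return "authenticated", username


if __name__ == "__main__":
    form = {"username": "clerk01", "password": "correct horse battery staple"}
    print(handle_login(Request("https", 256, form)))          # authenticated
    print(handle_login(Request("https", 40, form)))           # warning_required
    print(handle_login(Request("https", 40, form), acknowledged_warning=True))
    print(handle_login(Request("http", 0, form)))             # rejected_transport
```

The `acknowledged_warning` flag models the user's response to the 40-bit warning page; a framework would carry it in the session or a hidden form field. Nothing in the handler reads or writes stored passwords in clear, so the database needs to protect only salts and digests.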
4. If a court is going to implement Web-based transactions requiring Public Key Infrastructure (PKI) or payment processing, JCIT standards and the TexasOnline project (www.texasonline.com) will be considered as a means of providing the services. TexasOnline is open to both state and local government entities and provides the shared services that are key to successful deployment of e-commerce in the government arena. These shared services are available as a comprehensive package, or the ePay services can be used as a separate service to provide transaction support for Websites hosted by state and local government entities around the state. Some of the shared services provided by TexasOnline include:

(a) TexasOnline Solution Center brings e-government ideas to market in as short a timeframe as 60 days. Providing design, development, and testing teams, the Solution Center is staffed with a variety of experienced Web development resources. A technology lab provides for ongoing testing of new Web tools and methods.

(b) TexasOnline Payment Center (ePay) manages credit card and electronic check transactions through a secured, controlled gateway managed by KPMG Consulting, LLC.

(c) TexasOnline Certificate Authority Center manages the issuance and authentication of digital certificates for registered users.