BUSINESS PROPOSAL

E-COMMERCE Online Handicrafts Selling SITE

http://www.craftsrwe.com

Presented to:

Prof. Ghulam Yaseen

Presented By:

Atta ur Rasool Kamran Khalid Tuqeer Zahid Rehan Azam Umer Khan Abdul Wahab Ali

413 425 450 453 454 459

B. Com. Honors 8thSemester Section: E / Morning

Hailey College of Commerce

15

University of the Punjab

Contents
Contents..................................................................................................................... 2 Introduction:............................................................................................................... 3 Business Concept:......................................................................................................3 Website:..................................................................................................................... 3 Executive Summary:...................................................................................................4 Vision:......................................................................................................................... 4 Mission Statement:.....................................................................................................4 Core Values:............................................................................................................... 4 Business Model:..........................................................................................................5 Online Purchasing Strategy:.......................................................................................5 Digital Communication Strategy:................................................................................5 Service Strategy:........................................................................................................ 5 Business Process Strategy..........................................................................................6 Competitive Environment:..........................................................................................6 Competitive Advantage:.............................................................................................6 Management Team:....................................................................................................7 Revenue Model:..........................................................................................................8 Vertical Market:..........................................................................................................8 Horizontal Market:...................................................................................................... 8 A SYSTEMATIC APPROACH TO E-BUSINESS SECURITY..............................................10 Common Security Threats and E-Business Security Objectives..........................11

Current Processes and Tools for Implementing E-Business Security..........14 Designing a Comprehensive and Systematic Security Policy.....................15
Proposed Framework..........................................................................................16

Challenges and Opportunities.....................................................................18

15

Introduction:

Website Name: Purpose of Business:

http://www.craftsrwe.com Online selling of handicrafts and sharing relevant and up-to-date information about different topics. Earn profits by promoting the handicraft industry of Pakistan.

Type of Business: Business model:

Partially online Business. (Click and mortar) A set of planned activities to result in profits in market.

Business Concept:
We take the idea of online selling of handicrafts. Our main focus is elite as well as middle class, geographically main focus is vertical market i.e. Pakistan but beside that our focus is also horizontal to some extent in the beginning in which we intend to sale in some other countries as well. People around the world imports handicrafts from other countries at a high cost. Thats why we are offering them variety of handicrafts online, they simply visit the website, search the information according to their requirements and get the desired product easily.

Website:
As mentioned above, for any website to commit itself to business it must be able to fulfill the requirements of an effective business model. Our website Make a Wish which portrays the Pakistani handicrafts of culture will become a forefront of our heritage will also fulfilling the purpose of it business creation. For it to become this and much more there is a need for an

15

efficient and effective business model to be created and implement

Executive Summary:
The Business will be started with a initial investment of PKR 1 million, five-year bank loan of PKR 1 million to purchase equipment and inventory as part of the financing for a start-up of a partnership The business will be owned by OTRAWK Entreprise and will be located in leased space at 18 Zafar Ali road , Wazeerabad , Pakistan. We have planned that we will set up handicraft making factory in Wazeerabad City within one and a half years and will become known throughout the province in two years with the potential of multiple locations. The decent company logo, its reputation for best quality and only the most demanded and original products. The owner, OTRAWK Entreprise, has founded three successful service businesses across the country. The owners have a strong background with the handicrafts industry and know its demand across the world. Also the labor to be adapted is also very much professional and one of the best in its kind of work.

Vision:
Promoting handicraft industry and providing people with the original stuff

Mission Statement:
To be the largest and fastest growing handicrafts producer and dealer using state of the art technology and best labor at the most competitive cost by utilizing our experience for maximizing our profit for our shareholders and providing facilities to our workers.

Core Values:

15

Highest quality of Service, Professionalism, Integrity, Team Work, Innovation & Utilization of latest technology, risk mitigation, Corporate Social Responsibility.

Business Model:
A business model describes the rationale of how an organization creates, delivers, and captures value - economic, social, or other forms of value. The process of business model design is part of business strategy. Our information technology bases e-business will leverage new technologies to gain competitive advantage. We will adopt following strategies which will help us to use technology in order to provide value to our customers.

Online Purchasing Strategy:

We will allow online selling handicrafts and information relating to them on the internet and other online services. We will make our website destination site that will be designed to entice the visitors to return over and over. For that purpose we will include extras like chats, contents and new information or any other contents that the targeted audience may desire.

Digital Communication Strategy:

We will allow the delivery of digital information, products, services or payments online.

Service Strategy:
We will allow reduced costs of services will improve quality of services and increase

15

speed of services. We will enhance the service component of business by meeting customer service needs before, during and after the sale. We will provide services like articles care guide etc.

Business Process Strategy

We will automate our business processes and streamline transactions by using extranets, intranets and supply chain management

Competitive Environment:
It refers to the other companies operating in the same market place selling similar products. From our business point of view of online handicrafts selling especially in Pakistan, we have many online competitors such as abc corp., xyz enterprise---etc--, which are providing different related services and some of them are providing unrelated services. From global point of view, we will have to face a severe competition and transaction costs, shipping costs , insurance cost and specially outlets opening cost will have to be faced. But from local point of view, we can enjoy first movers advantage and government policy of less taxation charges due to encourage the growth in the technological industry. Good market share can also be captured by delighting the customers. Currently we have no direct or indirect competitors.

Competitive Advantage:
DIFFERENTIATION: . Craftsrwe.com also extended its brand print magazine, which dramatically

increased its customer base. No other businesses are providing other resource information. It will not only increase the public awareness about organization but also will in help in building good

15

market recognition or goodwill. Our competitive advantage is focused differentiation because we will be there to serving the needs of specific market or group of peoples. We will differentiate our self with reference to providing better features, actual performance, conformance to the quality expectations specified with customers, reliability In addition we will also provide better ordering, delivery and customer services. And in order to attain our goals and objectives we will use promotion to create perceived difference it the mind of customers. We will be having symmetry because we have good capital and cooperative team than any other. We can also enjoy the first mover advantage in the market by capturing customer loyalty. We can also get leverage (a company using its competitive advantages to achieve more advantage in surrounding markets) by providing health care services for workers and cutomers and updated information. It is important to note that it is not a perfect market, so good profits can be generated through efficient management. And unfair competitive advantage cannot be got because of scare competition in that market. Management Team: It includes employees of the company who are responsible for making business model work. A strong management team gives a model instant credibility to outside investors, immediate market-specific knowledge and experiencing in implementing business plans. Our management team will consist of the following members: 1 Chairman and chief executive officer 2 President and chief operating officer 3 Senior vice president and chief information officer

15

4 Senior vice president services and stores and human resources 5 Senior vice president chief marketing officer 6 Senior vice president of supply chain and merchandising

Revenue Model:
It describes how the firm will earn revenue, profit and produce a superior return on invested capital.

Our revenue model is based on web catalogue revenue model and it will contain the catalogue of different handicrafts. Along with that our revenue model consists of digital content revenue model because we will provide different articles regarding handicrafts to our customers and will charge subscription.

Vertical Market:
Talking about geographical market opportunity our main focus vertical that is Pakistan. Our main focus of providing best quality handicrafts their services and information is the rich and middle class people of Pakistan. While operating on the national basis the total number of potential competitors can be counted on the fingers of hand. However promotional expenditures can also be avoided to spend on a larger scale because it is obvious that customers with very high need are often prepared to spend hours using internet search engines.

Horizontal Market:

15

As we are living in this global environment so cant restrict our operations only to Pakistan. We will have to go globally because of different reasons like to contact with international suppliers, expansion of business, promotion of the culture of Pakistan, etc. Thats why our geographical focus are some extent to hybrid consisting of both vertical and horizontal but still with reference to customer, main target is people of Pakistan. Also as we are living in such a competitive environment that with the passage of time we will expand our market and will attain the market opportunity that will be available other than in Pakistan.

Organizational Development
Organizational structure and supportive culture is necessary for implementing the strategy with full techniques that will enable the organization to achieve fast growth. Companies that hope to grow and thrive need to have a plan for organizational development that describes that how the company will organize the work that needs to be accomplished. For our business, first of all we will hire generalists who can perform multiple tasks. As soon as the company will grow, we will hire specialists for specific assigned duties. In the initial stage, there is a need of marketing manager and a good web developer and after their good performance and increase in sales, some other experts will be hired.

Risks & Remedies

Inconsistent income (or none for months at a time):

We can face a risk of non-consistent income through our business. (Start the business on low scale as risk will be low and then expand further if it blooms) High health insurance costs: The benefits of the employees may cost much higher than the revenue generation.

15

(Acquire limited labor at first and find the best packages with insurance firms for the workers benefits) Large tax bills (if not paid quarterly)

The area in which we are running our factory may have high tax rates and the taxes on web business may also be higher than that of the income. (Conduct a feasibility study and point out the areas which are declared tax free by the Govt. of Pakistan) Fraud clients:

There may be fraud clients who may order excess amount and then rejects them on any basis intentionally. (Improve the payment n order system. In case of on delivery payment fully verify the existence of such customer by having their CNIC number) Emotional stress:

Workers and owners may run into emotional stress in case of low income business. (Create a healthy environment across the organization by providing different recreational stuff in the factory and the operating office) Fake products: Many hackers may use our name in their web sites n provide the customers wrong or fake articles which may result in bad reputation in the market. (Get trademark and patents registered. Place a warranty seal on each article produced in our factory) Apart from the above mentioned risks alongside their remedies our business can also provide us by some very satisfying rewards which are listed below: 1. 2. 3. 4. 5. 6. 7. 8. 9. Independence Excitement Creative freedom Variety High-paying accounts Flexible schedule Tax deductions Networking Personal satisfaction

A SYSTEMATIC APPROACH TO E-BUSINESS SECURITY

15

In the new economy, information is critical both as input and output. Hence information security management is of high priority. In contrast, the Internet, which is the primary medium for conducting e-business is by design an open non-secure medium. Since the original purpose of the Internet was not for commercial purposes, it is not designed to handle secure transactions. This paper first presents an outline and analysis of the security needs of online businesses. This is followed by an evaluation of the current tools and practices for ensuring e-business security. The shortcomings of the present practices are noted. A systematic approach to e-business information security is presented. The key characteristic of this approach is that it is an insurance-based risk management process that encompasses the entire information infrastructure of an organization.

Common Security Threats and E-Business Security Objectives

There is almost an uncountable number of ways that an e-business setup could be attacked by hackers, crackers and disgruntled insiders. Common threats include hacking, cracking, masquerading, eavesdropping, spoofing, sniffing, Trojan horses, viruses, bombs, wiretaps, etc. While the list of actual manifestation is long, conceptually, they break down to a few categories. These are spoofing, unauthorized disclosure, unauthorized action, and data alteration. From a business perspective Denial of Service (DoS) attacks appear to be the most serious threat. DoS attacks consist of malicious acts that prevent access to resources that would otherwise be available. Even though data may not be lost, the financial losses that could be incurred from not being able to supply a service to customers could be of much higher value. In conducting e-business, every organization ought to be able to:

positively identify or confirm the identity of the party they are dealing with on the other end of the transaction;

determine that the activities being engaged in by an individual or machine is commensurate with the level of authorization assigned to the individual or machine;

confirm the action taken by the individual or machine and be able to prove to a third party that the entity (person or machine) did in fact perform the action;

protect information from being altered either in storage or in transit;

be certain that only authorized entities have access to information;

15

ensure that every component of the e-business infrastructure is available when needed;

be capable of generating an audit trail for verification of transactions.

Effective information security policy must have the following six objectiv: confidentiality; integrity; availability; legitimate use (identification, authentication, and authorization); auditing or traceability; and non-repudiation. If these objectives could be achieved, it would alleviate most of the information security concerns. Each information security objective is discussed below with emphasis on the specific challenges it poses to Internet mediated businesses.

Confidentiality
Confidentiality involves making information accessible to only authorized parties, or restricting information access to unauthorized parties. Confidentiality concerns did not originate with the Internet. However, conducting business over the Internet has exacerbated the situation. As an example, one context in which this issue has been addressed extensively is the area of confidentiality of electronic health data. There have always been concerns about confidentiality in health care. Online intermediation has complicated the problem and heightened the misgivings that already exist. For example, recent surveys reported by the Georgetown University Institute for Health Care Research and Policy contain some rather revealing statistics about peoples concern for confidentiality: Sixty-three percent of Internet health-seekers and sixty percent of all Internet users oppose the idea of keeping medical records online, even at a secure, password-protected site, because they fear other people will see those records. An overwhelming majority of Internet users are worried about others finding out about their online activities: eighty-nine percent of Internet users are worried that Internet companies might sell or give away information and eighty-five percent fear that insurance companies might change their coverage after finding out what online information they accessed. To maintain the confidentiality of Web users information, organizations have to find ways to keep the information from unauthorized view. From an operational point of view, that means information that is stored has to be secured in a way that it can only by accessed by authorized parties. Similarly, information in transit has to be kept from the view of unauthorized parties and that it is retrieved only by a legitimate entity.

Integrity
Transmitting information over the Internet (or any other network) is similar to sending a package by mail. The package may travel across numerous trusted and untrusted networks before reaching its final destination. It is possible for the data to be intercepted and modified while in transit. This modification could be the work of a hacker, network administrator, disgruntled

15

employee, government agents or corporate business intelligence gatherer; it could also be unintentional. The need for accuracy of information in an information-driven society cannot be over stated. Typically, information is either stored at a given location or being passed from one point to another. Either way, the primary concern for information integrity is that it remain intact so that nothing is added nor taken from it that is not intended or authorized. The extreme cases of lack of information integrity are when a whole database is lost or replaced with something else. Between these extreme cases are situations where data is corrupted either minimally or significantly such that major repairs have to be done to make it useable again.

Availability
Availability means that systems, data, and other resources are usable when needed despite subsystem outages and environmental disruptions. Lack of availability is essentially loss of use. The most commonly known cause of availability problems is Denial of Service (DoS) attacks even though there are other common causes such as outages, network issues, or host problems. The goal is to ensure that system components provide continuous service by preventing failures that could result from accidents or attacks. From a security point of view, availability is enhanced through measures to prevent malicious denials of service. Closely related to availability and very important to e-businesses are reliability and responsiveness. Reliability implies that a system performs functionally as expected. Responsiveness is a measure of how quickly service could be restored after a system failure. In other words, it is a measure of system survivability. This does not necessarily mean that the failed system is revived, just that service is restored or not lost at all despite the failure. One advantage for e-businesses is that the Internet, being a distributed system, affords a greater opportunity for building redundancy into systems so as to mitigate denial of service problems. In fact, system survivability is at the heart of the design of the Internet and appropriate use of it should result in minimal availability problems. Nevertheless, there are still real threats to availability.

Legitimate use
Legitimate use has three components: identification, authentication and authorization. Identification involves a process of a user positively identifying itself (human or machine) to the host (server) that it wishes to conduct a transaction with. The most common method for establishing identity is by means of username and password. The response to identification is authentication. Without authentication, it is possible for the system to be accessed by an impersonator. Authentication needs to work both ways: for users to authenticate the server they are contacting, and for servers to identify their clients. Authentication usually requires the entity that presents its identity to confirm it either with something the client knows (e.g. password or PIN), something the client has (e.g. a smart card, identity card) or something the client is (biometrics: finger print or retinal scan). Biometric authentication has been proven to be the most precise way of authenticating a user's identity. However, biometric processes such as scanning

15

retina or matching fingerprints to one stored in a database are often considered intrusive, and there always exists some measure of fear that this information will be misused. The approach to authentication that is gaining acceptance in the e-business world is by the use of digital certificates. A digital certificate contains unique information about the user including encryption key values. These public/private encryption key pairs can be used to create hash codes and digitally sign data. The authenticity of the digital certificate is attested to by a trusted third party known as a "Certificate Authority." The entire process constitutes Public Key Infrastructure. Once an entity is certified as uniquely identified, the next step in establishing legitimate use is to ensure that the entitys activities within the system are limited to what it has the right to do. This may include access to files, manipulation of data, changing system settings, etc. A secured system will establish very well defined authorization policy together with a means of detecting unauthorized activity.

Auditing or Traceability
From an accounting perspective, auditing is the process of officially examining accounts. Similarly, in an e-business security context, auditing is the process of examining transactions. Trust is enhanced if users can be assured that transactions can be traced from origin to completion. If there is a discrepancy or dispute, it will be possible to work back through each step in the process to determine where the problem occurred and, probably, who is responsible. Order confirmation, receipts, sales slips, etc. are examples of documents that enable traceability. In a well-secured system, it should be possible to trace and recreate transactions, including every subcomponent, after they are done. An effective auditing system should be able to produce records of users, activities, applications used, system settings that have been varied, etc., together with time stamps so that complete transactions can be reconstructed.

Non-repudiation
Non-repudiation is the ability of an originator or recipient of a transaction to prove to a third party that their counterpart did in fact take the action in question. Thus the sender of a message should be able to prove to a third party that the intended recipient got the message and the recipient should be able to prove to a third party that the originator did actually send the message. This requirement proves useful to verify claims by the parties concerned and to apportion responsibility is cases of liability. Obviously, this is a crucial requirement in any business transaction when orders are placed and both buyers and sellers need to be confident that not only are they dealing with the appropriate parties but also that they have proof to support the claims of any action taken in the process. Non-repudiation protocol is also useful in forensic computing where the goal is to collect, analyze and present data to a court of law. Current Processes and Tools for Implementing E-Business Security

15

One of the problems of the current e-business security implementation is that components of ebusiness infrastructure tend to be looked at individually and separately for security purposes. The current common security policy implemented by most e-businesses runs like this: assemble a catalogue of threats and vulnerabilities and then shop for technology tools that alleviate those concerns. Security solutions are targeted at counteracting specific groups of threats and vulnerabilities. However, what is needed are comprehensive solutions that will produce peace of mind to the business and trust and confidence in customers and partners. A typical three-tier ebusiness architecture comprises the client, web and commerce servers, and database servers. A systematic implementation of e-business security must ensure that each of these components is secure. This requires security policy and implementation at three levels: network security, system level security and transaction level security. The current common e-business security practice translates into acquiring sophisticated servers, firewall software, intrusion detection systems, and obtaining digital certificates. We refer to this as the latest gizmo driven approach. While there is nothing wrong with installing these devices, the implicit false assumption is that security risk problems can be minimized by that approach. We contend that regardless of how sophisticated the software and hardware devices might be, risk cannot be fully addressed without a systematic risk assessment and risk management process.

Designing a Comprehensive and Systematic Security Policy

All security solutions need to begin with a policy. Some basic security policy questions that must be answered are:

What components are most critical but vulnerable? What information is confidential and needs to be protected? How will confidentiality be ensured? What authentication system should be used? What intrusion detection systems should be installed? Who has authority and responsibility for installing and configuring critical e-business infrastructure? What plans need to be in place to ensure continuity or minimum disruption of service?

A viable security policy should have the following characteristics:

The policy must be clear and concise The policy must have built-in incentives to motivate compliance Compliance must be verifiable and enforceable Systems must have good control for legitimate use: access, authentication, and authorization There must be regular backup of all critical data There must be a disaster recovery and business continuity plan

15

Proposed Framework
The main thesis of this paper is that e-business security can only be effective if it is regarded as part of an overall corporate information security risk management policy. For that purpose a sixstage security management strategy is proposed: Stage Develop a corporate risk consciousness and risk management 1: orientation. Stage Perform a thorough risk assessment of the whole business. Identify 2: and rank risks based on threats, vulnerabilities, cost and countermeasures. Stage Devise a systematic risk-management based e-business security 3: policy. Stage Put risk control mechanisms in place. Implement technological best 4: practices with regard to e-business infrastructure components: clients, servers, networks, systems and applications, and transport mechanism. These best-practices security measures will be validated and certified by a security certification authority. Stage Follow systematic risk assessment and risk management procedures 5: to determine the level of risk after implementing the best practices on each component. Insure residual risk of low probability but high cost events and manage the rest. Stage Monitor and audit diffusion of risk management culture,policy 6: implementation and enforcement, and revise policy and procedures as needed.

Developing corporate risk consciousness and management focus

In order for any security policy to work, there has to be a strong organizational foundation. The goal is to create a systemic organization-wide risk consciousness and responsibility. Both topdown and bottom-up strategies need to deployed so as to generate a collective sense of mission. Both management and employees must have a keen sense of how their interests and the fortune of the organization depend very strongly on their ability to safeguard their information resources.

15

Devising a systematic risk-management based e-business security policy

The focal point for any viable e-business security strategy is a sound well-articulated security policy. Documented security policy is the first tangible evidence of a credible and operational security system. Every organization that is serious about security must have a comprehensive and coherent security policy. The policy must address each system component, internal and external threats, human and machine factors, managerial and non-managerial responsibility. The security policy has to have as its foundation, the six objectives of e-business security: confidentiality; integrity; availability; legitimate use, auditing, and non-repudiation.

Implementing Best Practices in Securing E-Business Infrastructure

This aspect of security policy is where vulnerabilities are handled. Vulnerability is often the first thing to address, since that is where the organization and the system administrator tend to have the most control. This is the area of security risk management that is principally a technology issue. Each component has to be addressed with a view to implementing a complete e-business secure infrastructure. Notable elements in that strategy will include cryptography, PKI and digital signature technology. This is where the system information security officer can go over a checklist of what is necessary and what the organization has. A typical checklist will include:

physical protection for computers network systems management email control security networks security firewalls Encryption PKI incident handling

antivirus software digital certificate strong authentication access control audit and tracing software backup and disaster recovery biometric software wireless communications security

At the moment, businesses are using various (sometimes very poor) proxies for best practices as substitute for overall security strategy. There is no systematic industry standard of best practices for organizations to model their strategies. So far the closest that one comes to best practices are the practices of so-called leading organizations. These are organizations that are significantly ahead of the rest in terms of implementing robust security systems .While those practices may be exemplary, they may not necessarily earn the title of best practices when subjected to an objective rigorous analysis. The type of best practices that is advocated here is one that is not only impressive in its design and implementation or even adopted by most organizations, but one that can be analytically proven to be optimal. A best practice will be a cost-effective security policy that is commensurate with the perceived information security risk of the organization. In order to create a common set of standards (not necessarily identical implementation), we advocate the setting up and use of a Security Certification Authority that will certify that best practices procedures have been effectively deployed.

15

Challenges and Opportunities

This proposed framework for information security immediately brings into focus some challenges together with some corresponding opportunities. The main challenge is that at this present time we do not have all the building blocks in place yet for an organization that wants to implement this framework to do so. In particular, the following issues have to be dealt with:

Devising efficient and effective technology for monitoring vulnerabilities and identifying threats in a preventive proactive manner. This could be achieved by developing component-specific or threat-specific software;

Developing software for information security risk management, similar to those developed for nuclear risk management, environmental risk management, or commodity price risk management;

Identifying and implementing best practices in information security risk management identifying the processes and corresponding metrics;

Adapting traditional risk assessment and risk management strategies to e-business information security context;

Pricing the risk of e-business information security;

Instituting a new type of Security Certification Authority to certify and rank insurability based on the parameters of the pricing model above.

The present challenge is that none of these components is currently in place. In particular, there is an urgent need for further research into issues such as the optimal investment in security mitigation technology and strategies; the appropriate pricing of information security risk for the purposes of making sound insurance management decision; and how to systematically incorporate the behavioural component into a systematic risk management strategy.

15

15