ICT Governance Acquisition Requirement Principle: Toward the Selection of the Suitable Exploitation Mode of a Secure e-Business Architecture for Small and Medium Enterprises

The importance of the Governance of IT is becoming more and more important in the enterprises especially since the accounting scandals of 2002 and more currently through the ongoing market crisis. While all political leaders say that the world economy’s is at grave risk, development are done to firstly elaborate appropriate framework to enforce and guarantee the stability of the financial sector and by extension to all sectors of the industrial economy and secondly, to enhance the governance all of these public and private companies. Sarbanes-Oxley is one of these laws that aims to provide guarantees over the company’s accountability. The ISO/EIC 38500 [14] is one standard that provides a framework for effective governance of IT. This framework provides guiding six principles: Establish responsibilities, Plan to best support the organization, Acquire validly, Ensure performance when required, Ensure conformance with rules and Ensure respect for human factors. The principle “Acquire validly“ aims at ensuring that the acquisition of IT components and of the exploitation mode is realized with the assurance that it is aligned with the business strategy A lot of SME from the industrial but also from the financial sector is still unable to correctively choose the optimal compromise for exploiting their e-business solution regarding their business needs. Effectively, choosing the best way for an IT infrastructure exploitation accordingly with the security requirement is a professional activity that can’t always be appropriately conduct by a SME staff. Although a lot of criteria influence the exploitation mode to be chosen – independency regarding an IT company, cost and profitability of the solution, technology used – security remain the major influencing factor. This document has for objective to analyse the aspects of security measures related to the e-business, according to the geographical place of the e-business architecture: in the company itself, outsourced, or an intermediate place between those two. The first part of this document defines what we understand by "exploitation mode", the second analyses the security aspects related to each component of an e-business architecture according to its exploitation mode, and finally the last part makes an analysis of the security of general architecture, always according to its exploitation mode.