For Johnson & Johnson, the healthcare giant with more than 200 separate companies operating in 54 countries, one of the biggest problems encountered in e-commerce was finding a way to quickly get business partners access to the network but enforce security.

The problem vexed the Brunswick, N.J., maker of pharmaceuticals and medical equipment because e-commerce partners, once given access, sometimes introduced worms and viruses into J&J's network. In addition, the process of reviewing business requests for network access between a J&J unit and its intended partner had become burdensome, delaying e-commerce transactions.

However, IT staff at J&J said since new security procedures put in place a year ago altered the equation, it has been much faster to process network-access requests. Through the uniform monitoring and documentation processes, security has improved, with worm and virus outbreaks emanating from business partners reduced to nil.

"The documentation is still a bit cumbersome, but now it's a repeatable process," says Thomas Bunt, director of worldwide information security at J&J, about the challenge of providing network access for business partners. "We're facing an increased demand for external connections, and it wasn't easy to do this."

When a business manager at J&J wants to have counterparts in outside firms gain access to internal applications for e-commerce, the IT department is summoned to assess risk.

First, the J&J unit and the outside firm have to fill out a detailed questionnaire about the nature of the connection request, says Denise Medd, information security senior analyst. In addition, J&J expects the intended e-commerce partner to submit to a security assessment and evaluation.

This vulnerability assessment may be done by a neutral third party, but the goal is to ensure that doing business via the network connection, which is typically opened up via J&J firewall, presents no unnecessary risks. The J&J operating company, officially known as "the sponsor," is held to the same standards, Medd emphasizes.

Occasionally, a request for network access is turned down, especially if the J&J side has servers lacking proper patch-update mechanisms or other shortcomings. "There is a final review, and we will not let an insecure connection go live," Medd says.