The explosive growth of electronic commerce (e-commerce) has forced many organizations into uncharted territory. As with any expedition into the unknown, firms must take on new risks as well as cope with existing ones. These new risks include increased exposure to theft and fraud, privacy and confidentiality issues, and denial of service issues. One way to manage such risk is by adopting and enforcing information security policies that take into consideration the dynamic nature of e-commerce. Analysis of the current deployment of information security policies in e-commerce indicates that an improved framework for managing such risk is necessary. A comprehensive policy framework for managing e-commerce security risk has been developed, incorporating existing “best practices” and research as well as addressing shortcomings in current practice. Currently utilized risk assessment, policy development and enforcement methodologies will be placed within the framework, and change management issues will also be included.