7/23/2019 Information Security in Banking Sector.pdf
1/24
ENTERPRISE INFORMATION SYSTEMS SECURITY: A CASE STUDY IN THE BANKING SECTOR
SEPTEMBER 20TH, 2012, CONFENIS - GHENT, BELGIUM
Sohail Chaudhry, Peggy Chaudhry, Kevin Clark and Darryl Jones
Villanova School of Business, Villanova, PA USA
-
Agenda
Introduction
Research Approach
Conceptual Model
Phase I: Banking Sector
Results
Future Research
-
Current Events
-
Have you had any cases of insider sabotage or
IT security fraud conducted at your workplace?
Source: Cyber-Ark Snooping Survey, April 2011, p. 3.
-
Research Approach
Focus: Enterprise Information Systems Security: internal threats.
Literature Review & Development of Model.
Phase 1: Model tested via personal interviews of 4 senior information officers in a highly regulated industry: the Banking Industry.
-
Information Security Officers Interviewed
Bank A: Public, 100 years, 1.1 Bil USD in assets, 11 branches
Bank B: Private, 70 years, 20 Mil USD in assets, 2 branches
Bank C: Private, 15 years, 1.8 Bil USD in assets, 13 branches
Bank D: Private, 8 years, 550 Mil USD in assets, 10 branches
-
Federal Financial Institutions Examination Council (FFIEC)
Security Process (e.g., Governance issues)
Information Security Risk Assessment (e.g., steps in gathering information)
Information Security Strategy (e.g., architecture considerations)
Security Controls Implementation (e.g., access control)
Security Monitoring (e.g., network intrusion detection systems)
Security Process Monitoring and Updating
-
The Gramm-Leach-Bliley Act
Access controls on customer information systems
Access restrictions at physical locations containing customer information
Encryption of electronic customer information
Procedures to ensure that system modifications do not affect security
Dual control procedures, segregation of duties, and employee background checks
Monitoring systems to detect actual attacks on or intrusions into customer information systems
Response programs that specify actions to be taken when unauthorized access has occurred
Protection from physical destruction or damage to customer information
-
Conceptual Framework
Enterprise Information System Security, built on four pillars:
Security Policy
Security Awareness
Access Control
Top Level Management Support
Supporting layers: Corporate Governance, Implementation
-
Pillar 1: Security Policy
Set rules for behavior
Define consequences of violations
Procedure for dealing with breach
Authorize company to monitor and investigate
Legal and regulatory compliance
-
Excerpt from interview:
"Information Security Policy is not an option, it's demanded from the top of the house on down, it's board approved, accepted by regulators, and executed throughout the organization."
-
Pillar 2: Security Awareness
Continued education
Collective and individual activities
Formal classes, emails, discussion groups
Employee compliance
-
Excerpt from interview:
"In training, we tell employees that we are tracking them, when we are not. It's a deterrent. The fact is we have to use implied security in addition to actual security."
-
Pillar 3: Access Control
Limit information
Access linked to job function
Restrict information not relevant to position
Management of access rule changes
-
Have you ever accessed information on a system that was not relevant to your role?
              EMEA           US             C-Level
              n      %       n      %       n      %
Yes           250    44%     243    28%     21     30%
No            313    56%     616    72%     50     70%
Grand Total   563    100%    859    100%    71     100%
Source: Cyber-Ark Snooping Survey, April 2011, p. 2.
-
Do you agree that the majority of recent security attacks have involved the exploitation of privileged account access?
Source: Cyber-Ark 2012 TRUST, SECURITY & PASSWORDS SURVEY, June 2012
Pie chart: Agree 64%; the remaining slices, Disagree and Not Sure, are 12% and 24%.
-
Pillar 4: Top Level Management Support (TLMS)
Transparent support for policies and procedures
Engrain information security into company culture
Effective Communications
-
"IT governance is a mystery to key decision-makers at most companies and that only about one-third of the managers surveyed understood how IT is governed at his or her company."
Source: Weill, P., and Ross, J., "A Matrixed Approach to Designing IT Governance", Sloan Management Review, 46(2), 2005, p. 26.
-
Phase 1: The Banking Sector
-
Results
Overall, the Information Security Officers confirmed the main issues proposed in the conceptual model.
The four pillars (security policy, security awareness, access control, and TLMS) were rated as extremely important by each of the interviewees.
-
Interview Content Analysis - Agreement
-
Interview Content Analysis - Dissonance
-
Future Research
Phase II: Developing and administering a survey to a larger sample.
Seeking advice on potential sponsorship and professional affiliations that may be interested in working with us.
-
Thank You!
Dankje!
Merci!
Danke!