1. Enterprise Information Systems Security: A Case Study in the Banking Sector
SEPTEMBER 20TH, 2012
CONFENIS - GHENT, BELGIUM
Sohail Chaudhry, Peggy Chaudhry, Kevin Clark and Darryl Jones
Villanova School of Business, Villanova, PA USA
2. Agenda
Introduction
Research Approach
Conceptual Model
Phase I – Banking Sector
Results
Future Research
4. Have you had any cases of insider sabotage or IT security fraud conducted at your workplace?
Source: Cyber-Ark Snooping Survey, April 2011, p. 3.
5. Research Approach
Focus: Enterprise Information Systems Security – internal threats.
Literature review and development of a conceptual model.
Phase 1: Model tested via personal interviews of 4 senior information security officers in a highly regulated industry – the banking industry.
6. Information Security Officers Interviewed
                  Bank A         Bank B         Bank C         Bank D
Ownership         Public         Private        Private        Private
Age               100 years      70 years       15 years       8 years
Assets (USD)      1.1 billion    20 million     1.8 billion    550 million
Branches          11             2              13             10
7. Federal Financial Institutions Examination Council (FFIEC)
Security Process (e.g., governance issues)
Information Security Risk Assessment (e.g., steps in gathering information)
Information Security Strategy (e.g., architecture considerations)
Security Controls Implementation (e.g., access control)
Security Monitoring (e.g., network intrusion detection systems)
Security Process Monitoring and Updating
8. The Gramm-Leach-Bliley Act
Access controls on customer information systems
Access restrictions at physical locations containing customer information
Encryption of electronic customer information
Procedures to ensure that system modifications do not affect security
Dual control procedures, segregation of duties, and employee background checks
Monitoring systems to detect actual attacks on or intrusions into customer information systems
Response programs that specify actions to be taken when unauthorized access has occurred
Protection from physical destruction or damage to customer information
9. Conceptual Framework
[Diagram: Enterprise Information System Security Implementation rests on four pillars – Security Policy, Security Awareness, Access Control, and Top Level Management Support – which in turn rest on a foundation of Corporate Governance.]
10. Pillar 1: Security Policy
Set rules for behavior
Define consequences of violations
Procedure for dealing with a breach
Authorize the company to monitor and investigate
Legal and regulatory compliance
11. Excerpt from interview:
“Information Security Policy is not an option, it’s demanded from the top of the house on down, it’s board approved, accepted by regulators, and executed throughout the organization.”
12. Pillar 2: Security Awareness
Continued education
Collective and individual activities
Formal classes, emails, discussion groups
Employee compliance
13. Excerpt from interview:
“In training, we tell employees that we are tracking them, when we are not. It’s a deterrent. The fact is we have to use implied security in addition to actual security.”
14. Pillar 3: Access Control
Limit information
Access linked to job function
Restrict information not relevant to position
Management of access rule changes
15. Have you ever accessed information on a system that was not relevant to your role?
              EMEA             US               C-Level
Yes           250    (44%)     243    (28%)     21    (30%)
No            313    (56%)     616    (72%)     50    (70%)
Grand Total   563   (100%)     859   (100%)     71   (100%)
Source: Cyber-Ark Snooping Survey, April 2011, p. 2.
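The access-control pillar above (access linked to job function, restricting information not relevant to the position, managed access rule changes) and the snooping question it follows, shown as an added worked example that is not code from the presentation or from any of the interviewed banks: a role-to-permission map for bank staff, a role change that requires dual control and passes a segregation-of-duties check (the Gramm-Leach-Bliley items on slide 8), and a reconciliation of application access logs against the role model that flags access outside a user's job function. All role names, permissions, user names and log lines are constructed assumptions for illustration.

```python
"""Role-based access control for bank staff, with dual control on rule changes,
a segregation-of-duties check, and reconciliation of access logs against the role model.

Added example, not code from the presentation or the interviewed banks.
Role names, permissions, user names and log lines are constructed assumptions.
"""
from dataclasses import dataclass, field

# Constructed job functions and the permissions each one needs (least privilege).
ROLE_PERMISSIONS = {
    "teller": {"customer_balance:read", "transaction:create"},
    "loan_officer": {"customer_balance:read", "loan_application:read", "loan_application:create"},
    "loan_approver": {"loan_application:read", "loan_application:approve"},
    "auditor": {"audit_log:read"},
}

# Constructed segregation-of-duties rule: nobody may both create and approve a loan.
CONFLICTING_PERMISSIONS = [("loan_application:create", "loan_application:approve")]


@dataclass
class AccessControl:
    user_roles: dict                                  # user -> set of role names
    rule_changes: list = field(default_factory=list)  # audit trail of every access rule change

    def permissions(self, user):
        """Effective permissions are the union of the permissions of the user's roles."""
        perms = set()
        for role in self.user_roles.get(user, set()):
            perms |= ROLE_PERMISSIONS.get(role, set())
        return perms

    def is_allowed(self, user, permission):
        return permission in self.permissions(user)

    def assign_role(self, user, role, requested_by, approved_by):
        """Add a role under dual control: a second person must approve, the result
        must not violate segregation of duties, and the change is recorded."""
        if role not in ROLE_PERMISSIONS:
            raise ValueError(f"unknown role: {role}")
        if requested_by == approved_by:
            raise PermissionError("dual control: approver must differ from requester")
        new_perms = self.permissions(user) | ROLE_PERMISSIONS[role]
        for a, b in CONFLICTING_PERMISSIONS:
            if a in new_perms and b in new_perms:
                raise PermissionError(f"segregation of duties: {a} conflicts with {b}")
        self.user_roles.setdefault(user, set()).add(role)
        self.rule_changes.append(
            {"user": user, "role": role, "requested_by": requested_by, "approved_by": approved_by}
        )


def find_out_of_role_access(ac, log_lines):
    """Reconcile application access logs against the role model.

    Each log line is "<timestamp> <user> <permission> <ALLOWED|DENIED>" (constructed format).
    An ALLOWED entry for a permission the user's roles do not grant means the application
    enforces something other than policy (hand-granted or stale entitlement, shared
    credentials, etc.) and is returned as a finding for follow-up.
    """
    findings = []
    for line in log_lines:
        _ts, user, permission, result = line.split()
        if result == "ALLOWED" and not ac.is_allowed(user, permission):
            findings.append((user, permission))
    return findings


def build_demo():
    """Constructed sample: three staff members and a short application access log."""
    ac = AccessControl(user_roles={
        "alice": {"teller"},
        "bob": {"loan_officer"},
        "carol": {"loan_approver"},
    })
    log = [
        "2012-09-20T09:01:00 alice customer_balance:read ALLOWED",
        "2012-09-20T09:02:00 alice loan_application:approve ALLOWED",  # a teller approving a loan
        "2012-09-20T09:03:00 bob loan_application:read ALLOWED",
        "2012-09-20T09:04:00 bob audit_log:read DENIED",
    ]
    return ac, log


if __name__ == "__main__":
    ac, log = build_demo()
    print("out-of-role access:", find_out_of_role_access(ac, log))
    try:
        # bob already creates loans, so granting approval rights breaks segregation of duties
        ac.assign_role("bob", "loan_approver", requested_by="mgr1", approved_by="mgr2")
    except PermissionError as exc:
        print("rejected:", exc)
    ac.assign_role("alice", "auditor", requested_by="mgr1", approved_by="mgr2")
    print("rule changes:", ac.rule_changes)
```

The reconciliation step is the practical counterpart of the survey question: a policy that ties access to job function only holds if what the applications actually allow is periodically compared against it, and every change to the rules leaves a record of who requested it and who approved it.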
16. Do you agree that the majority of recent security attacks have involved the exploitation of privileged account access?
[Pie chart: responses Agree, Disagree and Not Sure, with segments of 64%, 24% and 12%; the extracted text does not preserve which percentage belongs to which answer.]
Source: Cyber-Ark 2012 Trust, Security & Passwords Survey, June 2012.
17. Pillar 4: Top Level Management Support (TLMS)
Transparent support for policies and procedures
Engrain information security into company culture
Effective communications
18. “IT governance is a mystery to key decision-makers at most companies and only about one-third of the managers surveyed understood how IT is governed at his or her company.”
Source: Weill, P., and Ross, J., “A Matrixed Approach to Designing IT Governance,” Sloan Management Review, 46(2), 2005, p. 26.
20. Results
Overall, the Information Security Officers confirmed the main issues proposed in the conceptual model.
The four pillars – security policy, security awareness, access control, and TLMS – were rated as extremely important by each of the interviewees.
23. Future Research
Phase II
Developing and administering a survey to a larger sample.
Seeking advice on potential sponsorship and on professional affiliations that may be interested in working with us.