Enterprise Information Systems Security: A Case Study in the Banking Sector

Peggy Chaudhry, Sohail Chaudhry, Kevin Clark, Darryl Jones, Enterprise Information Systems Security: A Case Study in the Banking Sector



  1. ENTERPRISE INFORMATION SYSTEMS SECURITY: A CASE STUDY IN THE BANKING SECTOR. September 20th, 2012, CONFENIS, Ghent, Belgium. Sohail Chaudhry, Peggy Chaudhry, Kevin Clark and Darryl Jones, Villanova School of Business, Villanova, PA USA
  2. Agenda: Introduction; Research Approach; Conceptual Model; Phase I – Banking Sector Results; Future Research
  3. Current Events
  4. Have you had any cases of insider sabotage or IT security fraud conducted at your workplace? Source: Cyber-Ark Snooping Survey, April 2011, p. 3.
  5. Research Approach. Focus: Enterprise Information Systems Security – internal threats. Literature review and development of model. Phase 1: model tested via personal interviews of 4 senior information officers in a highly regulated industry – the banking industry.
  6. Information Security Officers Interviewed (one per bank; attributes read left to right from the slide table):
     Bank A: public, 8 years, 20 Mil USD in assets, 2 branches
     Bank B: private, 100 years, 1.8 Bil USD in assets, 13 branches
     Bank C: private, 70 years, 550 Mil USD in assets, 10 branches
     Bank D: private, 15 years, 1.1 Bil USD in assets, 11 branches
  7. Federal Financial Institutions Examination Council (FFIEC): Security Process (e.g., governance issues); Information Security Risk Assessment (e.g., steps in gathering information); Information Security Strategy (e.g., architecture considerations); Security Controls Implementation (e.g., access control); Security Monitoring (e.g., network intrusion detection systems); Security Process Monitoring and Updating.
  8. The Gramm-Leach-Bliley Act: access controls on customer information systems; access restrictions at physical locations containing customer information; encryption of electronic customer information; procedures to ensure that system modifications do not affect security; dual control procedures, segregation of duties, and employee background checks; monitoring systems to detect actual attacks on or intrusions into customer information systems; response programs that specify actions to be taken when unauthorized access has occurred; protection from physical destruction or damage to customer information.
  9. Conceptual Framework (diagram): Enterprise Information System Security Implementation; four pillars: Security Policy, Security Awareness, Access Control, Top Level Management Support; Corporate Governance.
  10. Pillar 1: Security Policy. Set rules for behavior; define consequences of violations; procedure for dealing with a breach; authorize the company to monitor and investigate; legal and regulatory compliance.
  11. Excerpt from interview: “Information Security Policy is not an option, it’s demanded from the top of the house on down, it’s board approved, accepted by regulators, and executed throughout the organization.”
  12. Pillar 2: Security Awareness. Continued education; collective and individual activities; formal classes, emails, discussion groups; employee compliance.
  13. Excerpt from interview: “In training, we tell employees that we are tracking them, when we are not. It’s a deterrent. The fact is we have to use implied security in addition to actual security.”
  14. Pillar 3: Access Control. Limit information; access linked to job function; restrict information not relevant to position; management of access rule changes.
  15. Have you ever accessed information on a system that was not relevant to your role?
                     EMEA          US            C-Level
      Yes            250 (44%)     243 (28%)     21 (30%)
      No             313 (56%)     616 (72%)     50 (70%)
      Grand Total    563 (100%)    859 (100%)    71 (100%)
      Source: Cyber-Ark Snooping Survey, April 2011, p. 2.
  16. Do you agree that the majority of recent security attacks have involved the exploitation of privileged account access? (pie chart: Agree 64%; Disagree and Not Sure account for 24% and 12%). Source: Cyber-Ark 2012 TRUST, SECURITY & PASSWORDS SURVEY, June 2012
  17. Pillar 4: Top Level Management Support (TLMS). Transparent support for policies and procedures; engrain information security into company culture; effective communications.
  18. “IT governance is a mystery to key decision-makers at most companies and that only about one-third of the managers surveyed understood how IT is governed at his or her company.” Source: Weill, P., and Ross, J., “A Matrixed Approach to Designing IT Governance,” Sloan Management Review, 46(2), 2005, p. 26.
  19. Phase 1 – The Banking Sector
  20. Results. Overall, the Information Security Officers confirmed the main issues proposed in the conceptual model. The four pillars (security policy, security awareness, access control, and TLMS) were rated as extremely important by each of the interviewees.
  21. Interview Content Analysis – Agreement
  22. Interview Content Analysis – Dissonance
  23. Future Research, Phase II: developing and administering a survey to a larger sample; seeking advice on potential sponsorship and professional affiliations that may be interested in working with us.
  24. Thank You! Dankje! Merci! Danke!
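The Gramm-Leach-Bliley slide (dual control, segregation of duties) and Pillar 3 (access linked to job function, restriction of information not relevant to the position, management of access rule changes) describe controls that are easy to state but easy to get wrong in practice. The following is an added example, not code from the presentation or from any of the banks interviewed, showing one way those four controls fit together in a small deny-by-default access model: roles carry only the permissions a job function needs, a conflicting-role table blocks one person from both initiating and approving a loan, a dual-control check requires two distinct people, and every rule change (including refused ones) is written to an audit trail. All role names, permission strings and users are constructed sample data.

```python
"""Added example (not from the presentation): a minimal job-function
access model with deny-by-default checks, segregation of duties,
dual control, and an audit trail for access-rule changes.
Every role, permission and user below is constructed sample data."""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Each job function gets only the permissions it needs (constructed sample roles).
ROLE_PERMISSIONS = {
    "teller": {"account:read", "deposit:post"},
    "loan_officer": {"account:read", "loan:initiate"},
    "loan_approver": {"account:read", "loan:approve"},
    "it_admin": {"system:configure"},
}

# Role pairs that one person must never hold at the same time (segregation of duties).
CONFLICTING_ROLES = {frozenset({"loan_officer", "loan_approver"})}


@dataclass
class AccessControl:
    assignments: dict = field(default_factory=dict)  # user -> set of role names
    audit_log: list = field(default_factory=list)    # one entry per rule change attempt

    def _record(self, actor, action, detail):
        # Management of access rule changes: who changed what, and when.
        self.audit_log.append({"ts": datetime.now(timezone.utc).isoformat(),
                               "actor": actor, "action": action, "detail": detail})

    def assign_role(self, actor, user, role):
        if role not in ROLE_PERMISSIONS:
            raise ValueError(f"unknown role {role!r}")
        for existing in self.assignments.get(user, set()):
            if frozenset({existing, role}) in CONFLICTING_ROLES:
                # Refused changes are logged too; a silent refusal hides policy drift.
                self._record(actor, "assign_role_denied",
                             f"{user}: {existing} conflicts with {role}")
                raise PermissionError(f"{user} cannot hold {existing} and {role} together")
        self.assignments.setdefault(user, set()).add(role)
        self._record(actor, "assign_role", f"{user} += {role}")

    def revoke_role(self, actor, user, role):
        self.assignments.get(user, set()).discard(role)
        self._record(actor, "revoke_role", f"{user} -= {role}")

    def permissions(self, user):
        # Union of the permissions of every role the user holds; empty for unknown users.
        return set().union(*(ROLE_PERMISSIONS[r] for r in self.assignments.get(user, ())))

    def is_allowed(self, user, permission):
        # Deny by default: anything not explicitly granted through a role is refused.
        return permission in self.permissions(user)

    def dual_control(self, initiator, approver, init_perm, approve_perm):
        # Two different people, each holding the permission for their own step.
        return (initiator != approver
                and self.is_allowed(initiator, init_perm)
                and self.is_allowed(approver, approve_perm))


def demo():
    """Exercise the controls on constructed users and return the outcomes."""
    ac = AccessControl()
    ac.assign_role("security_officer", "alice", "loan_officer")
    ac.assign_role("security_officer", "bob", "loan_approver")
    ac.assign_role("security_officer", "carol", "teller")
    try:
        ac.assign_role("security_officer", "alice", "loan_approver")  # would break SoD
        sod_blocked = False
    except PermissionError:
        sod_blocked = True
    return {
        "teller_cannot_approve": not ac.is_allowed("carol", "loan:approve"),
        "sod_blocked": sod_blocked,
        "dual_control_ok": ac.dual_control("alice", "bob", "loan:initiate", "loan:approve"),
        "self_approval_rejected": not ac.dual_control("alice", "alice",
                                                      "loan:initiate", "loan:approve"),
        "unknown_user_denied": not ac.is_allowed("mallory", "account:read"),
        "audit_entries": len(ac.audit_log),  # 3 grants + 1 refused grant
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point a reviewer would look for is that the refused assignment still lands in the audit trail: the slide's "management of access rule changes" is only meaningful if attempted changes, not just successful ones, are visible to whoever reviews access.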
