Enterprise Information Systems Security: A Case Study in the Banking Sector
September 20th, 2012, CONFENIS, Ghent, Belgium
Sohail Chaudhry, Peggy Chaudhry, Kevin Clark and Darryl Jones, Villanova School of Business, Villanova, PA, USA
Agenda
Introduction
Research Approach
Conceptual Model
Phase I: Banking Sector
Results
Future Research
Have you had any cases of insider sabotage or IT security fraud conducted at your workplace?
Source: Cyber-Ark Snooping Survey, April 2011, p. 3.
Research Approach
Focus: Enterprise Information Systems Security, internal threats.
Literature review and development of the model.
Phase 1: the model was tested via personal interviews of 4 senior information officers in a highly regulated industry, the banking industry.
Information Security Officers Interviewed
Bank A: Public; 8 years; 20 Mil USD in assets; 2 branches
Bank B: Private; 100 years; 1.8 Bil USD in assets; 13 branches
Bank C: Private; 70 years; 550 Mil USD in assets; 10 branches
Bank D: Private; 15 years; 1.1 Bil USD in assets; 11 branches
Federal Financial Institutions Examination Council (FFIEC)
Security Process (e.g., governance issues)
Information Security Risk Assessment (e.g., steps in gathering information)
Information Security Strategy (e.g., architecture considerations)
Security Controls Implementation (e.g., access control)
Security Monitoring (e.g., network intrusion detection systems)
Security Process Monitoring and Updating
The Gramm-Leach-Bliley Act
Access controls on customer information systems
Access restrictions at physical locations containing customer information
Encryption of electronic customer information
Procedures to ensure that system modifications do not affect security
Dual control procedures, segregation of duties, and employee background checks
Monitoring systems to detect actual attacks on or intrusions into customer information systems
Response programs that specify actions to be taken when unauthorized access has occurred
Protection from physical destruction or damage to customer information
Conceptual Framework
Enterprise Information System Security Implementation rests on four pillars: Security Policy, Security Awareness, Access Control, and Top Level Management Support. The foundation beneath the pillars is Corporate Governance.
Pillar 1: Security Policy
Set rules for behavior
Define consequences of violations
Procedure for dealing with a breach
Authorize the company to monitor and investigate
Legal and regulatory compliance
Excerpt from interview: “Information Security Policy is not an option, it’s demanded from the top of the house on down, it’s board approved, accepted by regulators, and executed throughout the organization.”
Pillar 2: Security Awareness
Continued education
Collective and individual activities
Formal classes, emails, discussion groups
Employee compliance
Excerpt from interview: “In training, we tell employees that we are tracking them, when we are not. It’s a deterrent. The fact is we have to use implied security in addition to actual security.”
Pillar 3: Access Control
Limit information
Access linked to job function
Restrict information not relevant to the position
Management of access rule changes
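As an added example (not code from the presentation or from any of the interviewed banks), the following Python shows how the access control pillar above and the Gramm-Leach-Bliley items on dual control and segregation of duties can be expressed in code: permissions bound to job function with default deny, access rule changes that require a second approver and are written to an audit log, and a review pass over access logs that flags accesses outside a user's role, which is the behaviour the Cyber-Ark snooping question measures. Every role, user, resource and log line here is constructed for illustration.

```python
"""Role-based access control with dual-control rule changes and a log review.

Added example; not code from the presentation or the interviewed banks.
All roles, users, resources and log lines are constructed for illustration.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Permissions attach to job functions (roles), never to individuals, so that
# access follows the position rather than the person (constructed table).
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "teller": {"customer_profile:read", "transaction:post"},
    "loan_officer": {"customer_profile:read", "loan_file:read", "loan_file:write"},
    "it_admin": {"system_config:write"},
}

# Constructed user-to-role assignments.
USER_ROLES: Dict[str, str] = {
    "alice": "teller",
    "bob": "loan_officer",
    "carol": "it_admin",
    "dave": "it_admin",
}


def is_authorized(user: str, resource: str, action: str,
                  role_permissions: Dict[str, Set[str]] = ROLE_PERMISSIONS,
                  user_roles: Dict[str, str] = USER_ROLES) -> bool:
    """Default deny: a user with no role, or a role lacking the permission, gets nothing."""
    role = user_roles.get(user)
    if role is None:
        return False
    return f"{resource}:{action}" in role_permissions.get(role, set())


@dataclass
class RuleChange:
    role: str
    permission: str
    requested_by: str
    approved_by: Optional[str] = None


class AccessRuleManager:
    """Access rule changes take effect only after a second person approves them
    (dual control), and every request, rejection and approval is logged."""

    def __init__(self, role_permissions: Dict[str, Set[str]]) -> None:
        self.role_permissions = role_permissions
        self.pending: List[RuleChange] = []
        self.audit_log: List[str] = []

    def request(self, role: str, permission: str, requested_by: str) -> RuleChange:
        change = RuleChange(role, permission, requested_by)
        self.pending.append(change)
        self.audit_log.append(f"REQUEST role={role} perm={permission} by={requested_by}")
        return change

    def approve(self, change: RuleChange, approver: str) -> None:
        # Segregation of duties: the requester may not approve their own change.
        if approver == change.requested_by:
            self.audit_log.append(f"REJECT self-approval role={change.role} perm={change.permission} by={approver}")
            raise PermissionError("requester cannot approve their own access rule change")
        change.approved_by = approver
        self.pending.remove(change)
        self.role_permissions.setdefault(change.role, set()).add(change.permission)
        self.audit_log.append(f"APPROVE role={change.role} perm={change.permission} by={approver}")


# Constructed access-log lines from a system that records accesses but does not
# itself enforce roles; the review below compares them against the role table.
SAMPLE_LOG = """\
2012-09-20T09:02:11 user=alice resource=customer_profile action=read result=allowed
2012-09-20T09:05:40 user=alice resource=loan_file action=read result=allowed
2012-09-20T09:07:03 user=bob resource=loan_file action=write result=allowed
2012-09-20T09:09:55 user=carol resource=customer_profile action=read result=allowed
2012-09-20T09:12:20 user=erin resource=transaction action=post result=allowed
"""

LOG_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) resource=(?P<resource>\S+) action=(?P<action>\S+)")


def find_out_of_role_access(log_text: str,
                            role_permissions: Dict[str, Set[str]] = ROLE_PERMISSIONS,
                            user_roles: Dict[str, str] = USER_ROLES) -> List[Tuple[str, str, str, str]]:
    """Return (timestamp, user, resource, action) for every logged access that the
    user's job function does not cover. Malformed lines are skipped."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts, user, resource, action = m.group("ts", "user", "resource", "action")
        if not is_authorized(user, resource, action, role_permissions, user_roles):
            findings.append((ts, user, resource, action))
    return findings


if __name__ == "__main__":
    for ts, user, resource, action in find_out_of_role_access(SAMPLE_LOG):
        print(f"{ts} out-of-role access: {user} {action} {resource}")
```

The review function treats an unknown user the same as an out-of-role user (both fall to default deny), so a log entry for an account missing from the role table surfaces as a finding rather than being silently accepted.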
Have you ever accessed information on a system that was not relevant to your role?
EMEA: Yes 250 (44%), No 313 (56%), total 563 (100%)
US: Yes 243 (28%), No 616 (72%), total 859 (100%)
C-Level: Yes 21 (30%), No 50 (70%), total 71 (100%)
Source: Cyber-Ark Snooping Survey, April 2011, p. 2.
Do you agree that the majority of recent security attacks have involved the exploitation of privileged account access?
Agree: 64%. Disagree and Not Sure: 24% and 12%.
Source: Cyber-Ark 2012 Trust, Security & Passwords Survey, June 2012.
Pillar 4: Top Level Management Support (TLMS)
Transparent support for policies and procedures
Engrain information security into company culture
Effective communications
“IT governance is a mystery to key decision-makers at most companies and that only about one-third of the managers surveyed understood how IT is governed at his or her company.”
Source: Weill, P., and Ross, J., “A Matrixed Approach to Designing IT Governance,” Sloan Management Review, 46(2), 2005, p. 26.
Results
Overall, the Information Security Officers confirmed the main issues proposed in the conceptual model. The four pillars (security policy, security awareness, access control, and TLMS) were rated as extremely important by each of the interviewees.