![Page 1: Enterprise Information Systems Security: A Case Study in the Banking Sector](https://reader034.vdocuments.us/reader034/viewer/2022042813/548066b0b4af9f9b158b5db7/html5/thumbnails/1.jpg)
ENTERPRISE INFORMATION
SYSTEMS SECURITY: A
CASE STUDY IN THE
BANKING SECTOR
SEPTEMBER 20TH, 2012 CONFENIS - GHENT, BELGIUM
Sohail Chaudhry, Peggy Chaudhry, Kevin Clark and Darryl Jones
Villanova School of Business, Villanova, PA USA
![Page 2: Enterprise Information Systems Security: A Case Study in the Banking Sector](https://reader034.vdocuments.us/reader034/viewer/2022042813/548066b0b4af9f9b158b5db7/html5/thumbnails/2.jpg)
Agenda
Introduction
Research Approach
Conceptual Model
Phase I – Banking Sector
Results
Future Research
![Page 3: Enterprise Information Systems Security: A Case Study in the Banking Sector](https://reader034.vdocuments.us/reader034/viewer/2022042813/548066b0b4af9f9b158b5db7/html5/thumbnails/3.jpg)
Current Events
![Page 4: Enterprise Information Systems Security: A Case Study in the Banking Sector](https://reader034.vdocuments.us/reader034/viewer/2022042813/548066b0b4af9f9b158b5db7/html5/thumbnails/4.jpg)
Have you had any cases of insider sabotage or
IT security fraud conducted at your workplace?
Source: Cyber-Ark Snooping Survey, April 2011, p. 3.
![Page 5: Enterprise Information Systems Security: A Case Study in the Banking Sector](https://reader034.vdocuments.us/reader034/viewer/2022042813/548066b0b4af9f9b158b5db7/html5/thumbnails/5.jpg)
Research Approach
Focus: Enterprise Information Systems
Security – Internal threats.
Literature Review & Development of Model.
Phase 1: Model tested via personal interviews
of 4 senior information officers in a highly
regulated industry – the Banking Industry.
![Page 6: Enterprise Information Systems Security: A Case Study in the Banking Sector](https://reader034.vdocuments.us/reader034/viewer/2022042813/548066b0b4af9f9b158b5db7/html5/thumbnails/6.jpg)
Information Security Officers Interviewed
Bank A
• Public 100 Years
• 1.1 Bil USD Assets
• 11 Branches
Bank B
• Private, 70 years
• 20 Mil USD in Assets
• 2 Branches
Bank C
• Private, 15 years
• 1.8 Bil USD in assets
• 13 Branches
Bank D
• Private, 8 years
• 550 Mil USD in assets
• 10 Branches
![Page 7: Enterprise Information Systems Security: A Case Study in the Banking Sector](https://reader034.vdocuments.us/reader034/viewer/2022042813/548066b0b4af9f9b158b5db7/html5/thumbnails/7.jpg)
Federal Financial Institutions Examination Council (FFIEC)
Security Process (e.g., Governance issues)
Information Security Risk Assessment (e.g., steps in gathering information)
Information Security Strategy (e.g., architecture considerations)
Security Controls Implementation (e.g., access control)
Security Monitoring (e.g., network intrusion detection systems)
Security Process Monitoring and Updating
![Page 8: Enterprise Information Systems Security: A Case Study in the Banking Sector](https://reader034.vdocuments.us/reader034/viewer/2022042813/548066b0b4af9f9b158b5db7/html5/thumbnails/8.jpg)
The Gramm-Leach-Bliley Act
Access controls on customer information systems
Access restrictions at physical locations containing customer information
Encryption of electronic customer information
Procedures to ensure that system modifications do not affect security.
Dual control procedures, segregation of duties, and employee background checks
Monitoring Systems to detect actual attacks on or intrusions into customer information systems
Response programs that specify actions to be taken when unauthorized access has occurred.
Protection from physical destruction or damage to customer information
![Page 9: Enterprise Information Systems Security: A Case Study in the Banking Sector](https://reader034.vdocuments.us/reader034/viewer/2022042813/548066b0b4af9f9b158b5db7/html5/thumbnails/9.jpg)
Conceptual Framework
Enterprise Information System Security
Security Policy
Security Awareness
Access Control
Top Level Management
Support
Corporate Governance
Implementation
![Page 10: Enterprise Information Systems Security: A Case Study in the Banking Sector](https://reader034.vdocuments.us/reader034/viewer/2022042813/548066b0b4af9f9b158b5db7/html5/thumbnails/10.jpg)
Pillar 1: Security Policy
Set rules for behavior
Define consequences of violations
Procedure for dealing with breach
Authorize company to monitor and investigate
Legal and regulatory compliance
![Page 11: Enterprise Information Systems Security: A Case Study in the Banking Sector](https://reader034.vdocuments.us/reader034/viewer/2022042813/548066b0b4af9f9b158b5db7/html5/thumbnails/11.jpg)
“Information Security Policy is not an option, it’s demanded from the top of the house on down, it’s board approved, accepted by regulators, and executed throughout the organization. ”
Excerpt from interview:
![Page 12: Enterprise Information Systems Security: A Case Study in the Banking Sector](https://reader034.vdocuments.us/reader034/viewer/2022042813/548066b0b4af9f9b158b5db7/html5/thumbnails/12.jpg)
Pillar 2: Security Awareness
Continued education
Collective and individual activities
Formal classes, emails, discussion groups
Employee compliance
![Page 13: Enterprise Information Systems Security: A Case Study in the Banking Sector](https://reader034.vdocuments.us/reader034/viewer/2022042813/548066b0b4af9f9b158b5db7/html5/thumbnails/13.jpg)
“In training, we tell employees
that we are tracking them,
when we are not. It’s a
deterrent. The fact is we have
to use implied security in
addition to actual security. ”
Excerpt from interview:
![Page 14: Enterprise Information Systems Security: A Case Study in the Banking Sector](https://reader034.vdocuments.us/reader034/viewer/2022042813/548066b0b4af9f9b158b5db7/html5/thumbnails/14.jpg)
Pillar 3: Access Control
Limit information
Access linked to job function
Restrict information not relevant to position
Management of access rule changes
![Page 15: Enterprise Information Systems Security: A Case Study in the Banking Sector](https://reader034.vdocuments.us/reader034/viewer/2022042813/548066b0b4af9f9b158b5db7/html5/thumbnails/15.jpg)
Have you ever accessed information on a system that was not relevant to your role?
EMEA % US % C-Level %
Yes 250 44% 243 28% 21 30%
No 313 56% 616 72% 50 70%
Grand Total 563 100% 859 100% 71 100%
Source: Cyber-Ark Snooping Survey, April 2011, p. 2.
![Page 16: Enterprise Information Systems Security: A Case Study in the Banking Sector](https://reader034.vdocuments.us/reader034/viewer/2022042813/548066b0b4af9f9b158b5db7/html5/thumbnails/16.jpg)
Do you agree that majority of recent security attacks have
involved the exploitation of privileged account access?
Source: Cyber-Ark 2012 TRUST, SECURITY & PASSWORDS SURVEY, June 2012
64% 12%
24%
Agree
Disagree
Not Sure
![Page 17: Enterprise Information Systems Security: A Case Study in the Banking Sector](https://reader034.vdocuments.us/reader034/viewer/2022042813/548066b0b4af9f9b158b5db7/html5/thumbnails/17.jpg)
Pillar 4: Top Level Management Support (TLMS)
Transparent support for policies and procedures
Engrain information security into company culture
Effective Communications
![Page 18: Enterprise Information Systems Security: A Case Study in the Banking Sector](https://reader034.vdocuments.us/reader034/viewer/2022042813/548066b0b4af9f9b158b5db7/html5/thumbnails/18.jpg)
“IT governance is a mystery to key decision-makers at most companies and that only about one-third of the managers’ surveyed understood how IT is governed at his or her company.”
Source: Weill, P., and Ross, J., “A Matrixed Approach to Designing IT Governance,” Sloan Management Review, 46(2), 2005, p. 26.
![Page 19: Enterprise Information Systems Security: A Case Study in the Banking Sector](https://reader034.vdocuments.us/reader034/viewer/2022042813/548066b0b4af9f9b158b5db7/html5/thumbnails/19.jpg)
Phase 1 – The Banking Sector
![Page 20: Enterprise Information Systems Security: A Case Study in the Banking Sector](https://reader034.vdocuments.us/reader034/viewer/2022042813/548066b0b4af9f9b158b5db7/html5/thumbnails/20.jpg)
Results
Overall, the Information Security Officers
confirmed the main issues proposed in the
conceptual model.
The four pillars, security policy, security
awareness, access control, and TLMS were
rated as extremely important for each of the
interviewees.
![Page 21: Enterprise Information Systems Security: A Case Study in the Banking Sector](https://reader034.vdocuments.us/reader034/viewer/2022042813/548066b0b4af9f9b158b5db7/html5/thumbnails/21.jpg)
Interview Content Analysis – Agreement
![Page 22: Enterprise Information Systems Security: A Case Study in the Banking Sector](https://reader034.vdocuments.us/reader034/viewer/2022042813/548066b0b4af9f9b158b5db7/html5/thumbnails/22.jpg)
Interview Content Analysis - Dissonance
![Page 23: Enterprise Information Systems Security: A Case Study in the Banking Sector](https://reader034.vdocuments.us/reader034/viewer/2022042813/548066b0b4af9f9b158b5db7/html5/thumbnails/23.jpg)
Future Research
Phase II
Developing and administering a survey to a
larger sample.
Seeking advice on potential sponsorship,
professional affiliations that may be interested
in working with us.
![Page 24: Enterprise Information Systems Security: A Case Study in the Banking Sector](https://reader034.vdocuments.us/reader034/viewer/2022042813/548066b0b4af9f9b158b5db7/html5/thumbnails/24.jpg)
Thank You!
Dankje!
Merci!
Danke!