CONFENIS 2012, profile picture
Uploaded byCONFENIS 2012
PDF, PPTX5,093 views

Enterprise Information Systems Security: A Case Study in the Banking Sector

This document presents a case study on enterprise information systems security within the banking sector, highlighting internal threats and the development of a conceptual model. Key insights from interviews with information security officers emphasize the importance of security policy, awareness, access control, and top-level management support. Future research will involve broader surveys and potential collaborations.

Download as PDF, PPTX
ENTERPRISE INFORMATION SYSTEMS SECURITY: A CASE STUDY IN THE BANKING SECTOR SEPTEMBER 20TH, 2012 CONFENIS - GHENT, BELGIUM Sohail Chaudhry, Peggy Chaudhry, Kevin Clark and Darryl Jones Villanova School of Business, Villanova, PA USA
Agenda  Introduction  Research Approach  Conceptual Model  Phase I – Banking Sector  Results  Future Research
Current Events
Have you had any cases of insider sabotage or IT security fraud conducted at your workplace? Source: Cyber-Ark Snooping Survey, April 2011, p. 3.
Research Approach  Focus: Enterprise Information Systems Security – Internal threats.  Literature Review & Development of Model.  Phase 1: Model tested via personal interviews of 4 senior information officers in a highly regulated industry – the Banking Industry.
Information Security Officers Interviewed Bank A Bank B Bank C Bank D • Public • Private, • Private, • Private, 8 100 70 years 15 years years Years • 20 Mil • 1.8 Bil • 550 Mil • 1.1 Bil USD in USD in USD in USD Assets assets assets Assets •2 • 13 • 10 • 11 Branches Branches Branches Branches
Federal Financial Institutions Examination Council (FFIEC) Security Process (e.g., Governance issues) Information Security Risk Assessment (e.g., steps in gathering information) Information Security Strategy (e.g., architecture considerations) Security Controls Implementation (e.g., access control) Security Monitoring (e.g., network intrusion detection systems) Security Process Monitoring and Updating
The Gramm-Leach-Bliley Act Access controls on customer information systems Access restrictions at physical locations containing customer information Encryption of electronic customer information Procedures to ensure that system modifications do not affect security. Dual control procedures, segregation of duties, and employee background checks Monitoring Systems to detect actual attacks on or intrusions into customer information systems Response programs that specify actions to be taken when unauthorized access has occurred. Protection from physical destruction or damage to customer information
Conceptual Framework Enterprise Information System Security Implementation Security Policy Security Access Top Level Awareness Control Management Support Corporate Governance
Pillar 1: Security Policy  Set rules for behavior  Define consequences of violations  Procedure for dealing with breach  Authorize company to monitor and investigate  Legal and regulatory compliance
Excerpt from interview: “Information Security Policy is not an option, it’s demanded from the top of the house on down, it’s board approved, accepted by regulators, and executed throughout the organization. ”
Pillar 2: Security Awareness  Continued education  Collective and individual activities  Formal classes, emails, discussion groups  Employee compliance
Excerpt from interview: “In training, we tell employees that we are tracking them, when we are not. It’s a deterrent. The fact is we have to use implied security in addition to actual security. ”
Pillar 3: Access Control  Limit information  Access linked to job function  Restrict information not relevant to position  Management of access rule changes
Have you ever accessed information on a system that was not relevant to your role? EMEA % US % C-Level % Yes 250 44% 243 28% 21 30% No 313 56% 616 72% 50 70% Grand Total 563 100% 859 100% 71 100% Source: Cyber-Ark Snooping Survey, April 2011, p. 2.
Do you agree that majority of recent security attacks have involved the exploitation of privileged account access? 24% 12% Agree 64% Disagree Not Sure Source: Cyber-Ark 2012 TRUST, SECURITY & PASSWORDS SURVEY, June 2012
Pillar 4: Top Level Management Support (TLMS)  Transparent support for policies and procedures  Engrain information security into company culture  Effective Communications
 “IT governance is a mystery to key decision-makers at most companies and that only about one-third of the managers’ surveyed understood how IT is governed at his or her company.”  Source: Weill, P., and Ross, J., “A Matrixed Approach to Designing IT Governance,” Sloan Management Review, 46(2), 2005, p. 26.
Phase 1 – The Banking Sector
Results  Overall, the Information Security Officers confirmed the main issues proposed in the conceptual model.  The four pillars, security policy, security awareness, access control, and TLMS were rated as extremely important for each of the interviewees.
Interview Content Analysis – Agreement
Interview Content Analysis - Dissonance
Future Research Phase II  Developing and administering a survey to a larger sample.  Seeking advice on potential sponsorship, professional affiliations that may be interested in working with us.
Thank You! Dankje! Merci! Danke!

More Related Content

PDF
ISO 27001 2002 Update Webinar.pdf
byControlCase
 
PPTX
SOC 2 Compliance and Certification
byControlCase
 
PDF
SOC 2 Type 2 Checklist - Part 1 - V2_final.pdf
byinfosecTrain
 
PDF
Introduction: CISSP Certification
bySam Bowne
 
PDF
Insights into cyber security and risk
byEY
 
PDF
NIST Cybersecurity Framework 101
byErick Kish, U.S. Commercial Service
 
PDF
NQA ISO 27001 27017 27018 27701 Mapping
byNQA
 
PPT
Lesson 2- Information Asset Valuation
byMLG College of Learning, Inc
 
ISO 27001 2002 Update Webinar.pdf
byControlCase
 
SOC 2 Compliance and Certification
byControlCase
 
SOC 2 Type 2 Checklist - Part 1 - V2_final.pdf
byinfosecTrain
 
Introduction: CISSP Certification
bySam Bowne
 
Insights into cyber security and risk
byEY
 
NIST Cybersecurity Framework 101
byErick Kish, U.S. Commercial Service
 
NQA ISO 27001 27017 27018 27701 Mapping
byNQA
 
Lesson 2- Information Asset Valuation
byMLG College of Learning, Inc
 

What's hot

PPTX
All you wanted to know about iso 27000
byRamana K V
 
PDF
SOC 2 and You
bySchellman & Company
 
PDF
NIST cybersecurity framework
byShriya Rai
 
PPTX
CMMC Certification
byControlCase
 
PDF
Soc 2 vs iso 27001 certification withh links converted-converted
byVISTA InfoSec
 
PPTX
Soc 2 attestation or ISO 27001 certification - Which is better for organization
byVISTA InfoSec
 
DOCX
ISO 27001 Training | ISMS Awareness Training
byhimalya sharma
 
PPTX
Fraud Investigation
bySalih Islam
 
PDF
For Public_ Cybersecurity_ Frameworks, Fundamentals, and Foundations 2023.pdf
byJustinBrown267905
 
PPTX
Auditing SOX ITGC Compliance
byseanpizzy
 
PDF
Critical Security Controls v4 1 Mapped to NIST SP 800-53 Rev.4-final r6a
byJames W. De Rienzo
 
PPTX
ISO 27701
byUtkarshDhiman4
 
PDF
Risk Management Framework (RMF) STEP 4- Access Security Controls - NIST SP 80...
byJames W. De Rienzo
 
PDF
ISO 27001 Implementation_Documentation_Mandatory_List
bySriramITISConsultant
 
PDF
ISMS_of ISO 27001-2022-awareness training
byHananZayed4
 
PDF
ISO 27001 (v2013) Checklist
byIvan Piskunov
 
PDF
ISO 27701:2022 Data Privacy New Version Presentation
byyogaallworks
 
PDF
Accountability under the GDPR: What does it mean for Boards & Senior Management?
byIT Governance Ltd
 
PDF
ISO/IEC 27001:2013 An Overview
byAhmed Riad .
 
PPTX
Criminology
byShreeansh Vairagar
 
All you wanted to know about iso 27000
byRamana K V
 
SOC 2 and You
bySchellman & Company
 
NIST cybersecurity framework
byShriya Rai
 
CMMC Certification
byControlCase
 
Soc 2 vs iso 27001 certification withh links converted-converted
byVISTA InfoSec
 
Soc 2 attestation or ISO 27001 certification - Which is better for organization
byVISTA InfoSec
 
ISO 27001 Training | ISMS Awareness Training
byhimalya sharma
 
Fraud Investigation
bySalih Islam
 
For Public_ Cybersecurity_ Frameworks, Fundamentals, and Foundations 2023.pdf
byJustinBrown267905
 
Auditing SOX ITGC Compliance
byseanpizzy
 
Critical Security Controls v4 1 Mapped to NIST SP 800-53 Rev.4-final r6a
byJames W. De Rienzo
 
ISO 27701
byUtkarshDhiman4
 
Risk Management Framework (RMF) STEP 4- Access Security Controls - NIST SP 80...
byJames W. De Rienzo
 
ISO 27001 Implementation_Documentation_Mandatory_List
bySriramITISConsultant
 
ISMS_of ISO 27001-2022-awareness training
byHananZayed4
 
ISO 27001 (v2013) Checklist
byIvan Piskunov
 
ISO 27701:2022 Data Privacy New Version Presentation
byyogaallworks
 
Accountability under the GDPR: What does it mean for Boards & Senior Management?
byIT Governance Ltd
 
ISO/IEC 27001:2013 An Overview
byAhmed Riad .
 
Criminology
byShreeansh Vairagar
 

Viewers also liked

PDF
Information Security in the Banking Sector. A Case Study on UserLock
byIS Decisions
 
PPTX
InformationSecurity
bylearnt
 
PPTX
Information Security Lecture #1 ppt
byvasanthimuniasamy
 
PPTX
INFORMATION SECURITY
byAhmed Moussa
 
PDF
chapter 8- Management Information Systems Managing the Digital Firm
byMohamad Fathi
 
PPT
Auth shield information security solution provider for banking sector in india
byAuthShield Labs
 
PPT
Data Protection: We\'re In This Together
bymyeaton
 
PPT
Force.Com Business Case Building The Case For Force.Com Presentation
byAndre Thouin
 
PDF
Build A Business Case For IT Security - Dhananjay Rokde (Hotel_Digital_Securi...
byXEventsHospitality
 
PDF
Business case for Information Security program
byWilliam Godwin
 
PDF
CHED Information System Strategic Plan (ISSP)
byCharlie Calimlim
 
PPTX
Information security challenges in today’s banking environment
byEvan Francen
 
PDF
NORM for Banking Intro
byGeorge Colwell
 
PDF
Building cross platfrom solutions for enterprise - the mobileshow- may 2014
byKareem ElSayyed
 
PDF
Prozone Enterprise Content Management
byJasna Komatovic
 
PDF
Conichiwa Banking Solutions
byFrederik Metz
 
PDF
Tools used in climate risk management policies
byCCAFS | CGIAR Research Program on Climate Change, Agriculture and Food Security
 
PDF
Solix Corporate Overview
byKunal Grover
 
PPTX
Buildtrack Banking solutions
byBuildTrack - Smart Automation
 
PPTX
Mini project on core banking solutions
bykeerthiredddy
 
Information Security in the Banking Sector. A Case Study on UserLock
byIS Decisions
 
InformationSecurity
bylearnt
 
Information Security Lecture #1 ppt
byvasanthimuniasamy
 
INFORMATION SECURITY
byAhmed Moussa
 
chapter 8- Management Information Systems Managing the Digital Firm
byMohamad Fathi
 
Auth shield information security solution provider for banking sector in india
byAuthShield Labs
 
Data Protection: We\'re In This Together
bymyeaton
 
Force.Com Business Case Building The Case For Force.Com Presentation
byAndre Thouin
 
Build A Business Case For IT Security - Dhananjay Rokde (Hotel_Digital_Securi...
byXEventsHospitality
 
Business case for Information Security program
byWilliam Godwin
 
CHED Information System Strategic Plan (ISSP)
byCharlie Calimlim
 
Information security challenges in today’s banking environment
byEvan Francen
 
NORM for Banking Intro
byGeorge Colwell
 
Building cross platfrom solutions for enterprise - the mobileshow- may 2014
byKareem ElSayyed
 
Prozone Enterprise Content Management
byJasna Komatovic
 
Conichiwa Banking Solutions
byFrederik Metz
 
Tools used in climate risk management policies
byCCAFS | CGIAR Research Program on Climate Change, Agriculture and Food Security
 
Solix Corporate Overview
byKunal Grover
 
Buildtrack Banking solutions
byBuildTrack - Smart Automation
 
Mini project on core banking solutions
bykeerthiredddy
 

Similar to Enterprise Information Systems Security: A Case Study in the Banking Sector

PDF
1-Computer_Security_EENG-524_Lecture-01.pdf
byUmarr Alie Sesay
 
PDF
Microsoft Power Point Information Security And Risk Managementv2
byGraeme Payne
 
PPT
Information Technology Security Basics
byMohan Jadhav
 
PPTX
FROM STRATEGY TO ACTION - Vasil Tsvimitidze
byDataExchangeAgency
 
PDF
INFORMATION SECURITY: THREATS AND SOLUTIONS.
byNi
 
PPTX
Information Security
byAlok Katiyar
 
PDF
Unit 1&2.pdf
byNdheh
 
PPTX
Phi 235 social media security users guide presentation
byAlan Holyoke
 
PPTX
Ulf mattsson webinar jun 7 2012 slideshare version
byUlf Mattsson
 
PPT
MIS chap # 9.....
bySyed Muhammad Zeejah Hashmi
 
PPTX
People are the biggest risk
byEvan Francen
 
PDF
(eBook PDF) Effective Cybersecurity: A Guide to Using Best Practices and Stan...
byhomjpxaa9886
 
PPT
Cybercrime future perspectives
bySensePost
 
PPT
Information security
byrazendar79
 
PPTX
2013 PMA Business Security Insights
bygotopaz
 
PPTX
Management Information System Presentation
byAaDi Malik
 
PDF
CNIT 125: Ch 2. Security and Risk Management (Part 1)
bySam Bowne
 
PPTX
Security and control in mis
byGurjit
 
PPTX
crisc_wk_5.pptx
bydotco
 
PPTX
MIS: Information Security Management
byJonathan Coleman
 
1-Computer_Security_EENG-524_Lecture-01.pdf
byUmarr Alie Sesay
 
Microsoft Power Point Information Security And Risk Managementv2
byGraeme Payne
 
Information Technology Security Basics
byMohan Jadhav
 
FROM STRATEGY TO ACTION - Vasil Tsvimitidze
byDataExchangeAgency
 
INFORMATION SECURITY: THREATS AND SOLUTIONS.
byNi
 
Information Security
byAlok Katiyar
 
Unit 1&2.pdf
byNdheh
 
Phi 235 social media security users guide presentation
byAlan Holyoke
 
Ulf mattsson webinar jun 7 2012 slideshare version
byUlf Mattsson
 
MIS chap # 9.....
bySyed Muhammad Zeejah Hashmi
 
People are the biggest risk
byEvan Francen
 
(eBook PDF) Effective Cybersecurity: A Guide to Using Best Practices and Stan...
byhomjpxaa9886
 
Cybercrime future perspectives
bySensePost
 
Information security
byrazendar79
 
2013 PMA Business Security Insights
bygotopaz
 
Management Information System Presentation
byAaDi Malik
 
CNIT 125: Ch 2. Security and Risk Management (Part 1)
bySam Bowne
 
Security and control in mis
byGurjit
 
crisc_wk_5.pptx
bydotco
 
MIS: Information Security Management
byJonathan Coleman
 

More from CONFENIS 2012

PDF
Enterprise systems in healthcare: leveraging what we know from other industr...
byCONFENIS 2012
 
PDF
[Dutch] GeOS, het informatiehart van het dienstverleningscentrum Heilig Hart
byCONFENIS 2012
 
PDF
Understanding the role of knowledge management during the ERP implementation ...
byCONFENIS 2012
 
PDF
Effect of ERP implementation on the company efficiency - A Macedonian case
byCONFENIS 2012
 
PDF
User perceptions, motivations and implications on ERP usage: An Indian Higher...
byCONFENIS 2012
 
PDF
[Dutch] ICT & Ryhove: een geslaagd huwelijk?
byCONFENIS 2012
 
PDF
[Dutch] CRM en collaboration: een verstandshuwelijk of een LAT-relatie?
byCONFENIS 2012
 
PDF
[Dutch] E-commerce en ERP
byCONFENIS 2012
 
PDF
[Dutch] Sociale media en crisiscommunicatie
byCONFENIS 2012
 
PDF
[Dutch] Zelf opstellen van bedrijfsprocessen - BPM & DMS: nieuwe manier van d...
byCONFENIS 2012
 
PDF
[Dutch] ICT-INSPIRATIEDAG - CONFENIS 2012
byCONFENIS 2012
 
PDF
[Dutch] Van Enterprise Resource Planning (ERP) voor kmo’s naar Collectief Res...
byCONFENIS 2012
 
PDF
[Dutch] JIT 2.0. - een methode voor ondersteunen van proces-automatisatie en ...
byCONFENIS 2012
 
PDF
[Dutch] Software is een middel, geen doel!
byCONFENIS 2012
 
PDF
What's beyond ERP? New normal ERP? by Ludo Van den Kerckhove
byCONFENIS 2012
 
PDF
[Dutch] Wat zijn sociale mediagebruikers, melkkoeien of onbetaalde werknemers...
byCONFENIS 2012
 
PDF
Group preference aggregation based on ELECTRE methods for ERP system selection
byCONFENIS 2012
 
PDF
A Multicriteria Model for Strategic Implementation of Business Process Manage...
byCONFENIS 2012
 
PDF
Some Considerations on Contracts ERP Buyer-Seller perspective
byCONFENIS 2012
 
PDF
A Decision Support System Based on RCM Approach to Define Maintenance Strategies
byCONFENIS 2012
 
Enterprise systems in healthcare: leveraging what we know from other industr...
byCONFENIS 2012
 
[Dutch] GeOS, het informatiehart van het dienstverleningscentrum Heilig Hart
byCONFENIS 2012
 
Understanding the role of knowledge management during the ERP implementation ...
byCONFENIS 2012
 
Effect of ERP implementation on the company efficiency - A Macedonian case
byCONFENIS 2012
 
User perceptions, motivations and implications on ERP usage: An Indian Higher...
byCONFENIS 2012
 
[Dutch] ICT & Ryhove: een geslaagd huwelijk?
byCONFENIS 2012
 
[Dutch] CRM en collaboration: een verstandshuwelijk of een LAT-relatie?
byCONFENIS 2012
 
[Dutch] E-commerce en ERP
byCONFENIS 2012
 
[Dutch] Sociale media en crisiscommunicatie
byCONFENIS 2012
 
[Dutch] Zelf opstellen van bedrijfsprocessen - BPM & DMS: nieuwe manier van d...
byCONFENIS 2012
 
[Dutch] ICT-INSPIRATIEDAG - CONFENIS 2012
byCONFENIS 2012
 
[Dutch] Van Enterprise Resource Planning (ERP) voor kmo’s naar Collectief Res...
byCONFENIS 2012
 
[Dutch] JIT 2.0. - een methode voor ondersteunen van proces-automatisatie en ...
byCONFENIS 2012
 
[Dutch] Software is een middel, geen doel!
byCONFENIS 2012
 
What's beyond ERP? New normal ERP? by Ludo Van den Kerckhove
byCONFENIS 2012
 
[Dutch] Wat zijn sociale mediagebruikers, melkkoeien of onbetaalde werknemers...
byCONFENIS 2012
 
Group preference aggregation based on ELECTRE methods for ERP system selection
byCONFENIS 2012
 
A Multicriteria Model for Strategic Implementation of Business Process Manage...
byCONFENIS 2012
 
Some Considerations on Contracts ERP Buyer-Seller perspective
byCONFENIS 2012
 
A Decision Support System Based on RCM Approach to Define Maintenance Strategies
byCONFENIS 2012
 

Recently uploaded

PDF
Jurassic Perks: The Good, the Bad and the Extinct of Benefits Realisation - N...
byWellingtone
 
PDF
The Critical Role of Change Management in PMO Success - Kering | FuturePMO 2025
byWellingtone
 
PDF
Quiz_ Fastest Way to Buy Old GitHub Accounts for Development
byselida2395
 
DOCX
5 Best Platforms to Buy Verified Cash App Accounts in Bulk ....docx
byhqpnrkbepwmr
 
PDF
oral evidence.pdf from Westiminster last month
byHenry Tapper
 
PDF
Too Much, Too Little, Just Right: Finding the Governance Sweet Spot for Agile...
byWellingtone
 
PDF
_how to Buy// Onlyfans in usa all country Accounts.pdf
bygvd2437
 
PDF
Finder Guide to Buying a Hotmail Outlook Account.pdf
byBusiness Tipe
 
PPTX
Business management and practices unit 1
byVinuthPaul
 
PDF
Binance Accounts_ A Research-Based Guide to Secure and Scalable.pdf
byAllusasmmTopBinanceAccountsSale
 
PDF
YOUCHANNELL.pdf Company Online video Llc
byYouchannell
 
PDF
20251106-collective-pensions-with-investment-choice-ppi-kcl-nuffield.pdf
byHenry Tapper
 
PDF
Lesaka Anchor research report 10.29.25 "Ctrl-Alt-Delete - Round Two"
bylesakafan
 
PDF
business-leader-letter-to-the-chancellor-06-11-2025_v2.pdf
byHenry Tapper
 
DOCX
Safest Way to Buy Old Gmail Accounts This Time .docx
byNila Nicky
 
PPTX
How to Build a Water Taxi Booking App.pptx
bygoriderzusa
 
PDF
How Can I Verify the Authenticity of Cash App Account?
bybestselleryb.com
 
PDF
The Evolving PMO: A View of the FuturePMO - Wellingtone | FuturePMO 2025
byWellingtone
 
PDF
ASEAN and Thailand in a Disruptive World
byKobsak
 
DOCX
Where Can You Buy Verified eBay Account.docx
byBusiness Tipe
 
Jurassic Perks: The Good, the Bad and the Extinct of Benefits Realisation - N...
byWellingtone
 
The Critical Role of Change Management in PMO Success - Kering | FuturePMO 2025
byWellingtone
 
Quiz_ Fastest Way to Buy Old GitHub Accounts for Development
byselida2395
 
5 Best Platforms to Buy Verified Cash App Accounts in Bulk ....docx
byhqpnrkbepwmr
 
oral evidence.pdf from Westiminster last month
byHenry Tapper
 
Too Much, Too Little, Just Right: Finding the Governance Sweet Spot for Agile...
byWellingtone
 
_how to Buy// Onlyfans in usa all country Accounts.pdf
bygvd2437
 
Finder Guide to Buying a Hotmail Outlook Account.pdf
byBusiness Tipe
 
Business management and practices unit 1
byVinuthPaul
 
Binance Accounts_ A Research-Based Guide to Secure and Scalable.pdf
byAllusasmmTopBinanceAccountsSale
 
YOUCHANNELL.pdf Company Online video Llc
byYouchannell
 
20251106-collective-pensions-with-investment-choice-ppi-kcl-nuffield.pdf
byHenry Tapper
 
Lesaka Anchor research report 10.29.25 "Ctrl-Alt-Delete - Round Two"
bylesakafan
 
business-leader-letter-to-the-chancellor-06-11-2025_v2.pdf
byHenry Tapper
 
Safest Way to Buy Old Gmail Accounts This Time .docx
byNila Nicky
 
How to Build a Water Taxi Booking App.pptx
bygoriderzusa
 
How Can I Verify the Authenticity of Cash App Account?
bybestselleryb.com
 
The Evolving PMO: A View of the FuturePMO - Wellingtone | FuturePMO 2025
byWellingtone
 
ASEAN and Thailand in a Disruptive World
byKobsak
 
Where Can You Buy Verified eBay Account.docx
byBusiness Tipe
 

Enterprise Information Systems Security: A Case Study in the Banking Sector

  • 1.
    ENTERPRISE INFORMATION SYSTEMS SECURITY:A CASE STUDY IN THE BANKING SECTOR SEPTEMBER 20TH, 2012 CONFENIS - GHENT, BELGIUM Sohail Chaudhry, Peggy Chaudhry, Kevin Clark and Darryl Jones Villanova School of Business, Villanova, PA USA
  • 2.
    Agenda  Introduction  Research Approach  Conceptual Model  Phase I – Banking Sector  Results  Future Research
  • 3.
  • 4.
    Have you hadany cases of insider sabotage or IT security fraud conducted at your workplace? Source: Cyber-Ark Snooping Survey, April 2011, p. 3.
  • 5.
    Research Approach  Focus: Enterprise Information Systems Security – Internal threats.  Literature Review & Development of Model.  Phase 1: Model tested via personal interviews of 4 senior information officers in a highly regulated industry – the Banking Industry.
  • 6.
    Information Security Officers Interviewed Bank A Bank B Bank C Bank D • Public • Private, • Private, • Private, 8 100 70 years 15 years years Years • 20 Mil • 1.8 Bil • 550 Mil • 1.1 Bil USD in USD in USD in USD Assets assets assets Assets •2 • 13 • 10 • 11 Branches Branches Branches Branches
  • 7.
    Federal Financial Institutions ExaminationCouncil (FFIEC) Security Process (e.g., Governance issues) Information Security Risk Assessment (e.g., steps in gathering information) Information Security Strategy (e.g., architecture considerations) Security Controls Implementation (e.g., access control) Security Monitoring (e.g., network intrusion detection systems) Security Process Monitoring and Updating
  • 8.
    The Gramm-Leach-Bliley Act Access controls on customer information systems Access restrictions at physical locations containing customer information Encryption of electronic customer information Procedures to ensure that system modifications do not affect security. Dual control procedures, segregation of duties, and employee background checks Monitoring Systems to detect actual attacks on or intrusions into customer information systems Response programs that specify actions to be taken when unauthorized access has occurred. Protection from physical destruction or damage to customer information
  • 9.
    Conceptual Framework Enterprise Information System Security Implementation Security Policy Security Access Top Level Awareness Control Management Support Corporate Governance
  • 10.
    Pillar 1: SecurityPolicy  Set rules for behavior  Define consequences of violations  Procedure for dealing with breach  Authorize company to monitor and investigate  Legal and regulatory compliance
  • 11.
    Excerpt from interview: “InformationSecurity Policy is not an option, it’s demanded from the top of the house on down, it’s board approved, accepted by regulators, and executed throughout the organization. ”
  • 12.
    Pillar 2: SecurityAwareness  Continued education  Collective and individual activities  Formal classes, emails, discussion groups  Employee compliance
  • 13.
    Excerpt from interview: “Intraining, we tell employees that we are tracking them, when we are not. It’s a deterrent. The fact is we have to use implied security in addition to actual security. ”
  • 14.
    Pillar 3: AccessControl  Limit information  Access linked to job function  Restrict information not relevant to position  Management of access rule changes
  • 15.
    Have you everaccessed information on a system that was not relevant to your role? EMEA % US % C-Level % Yes 250 44% 243 28% 21 30% No 313 56% 616 72% 50 70% Grand Total 563 100% 859 100% 71 100% Source: Cyber-Ark Snooping Survey, April 2011, p. 2.
  • 16.
    Do you agreethat majority of recent security attacks have involved the exploitation of privileged account access? 24% 12% Agree 64% Disagree Not Sure Source: Cyber-Ark 2012 TRUST, SECURITY & PASSWORDS SURVEY, June 2012
  • 17.
    Pillar 4: TopLevel Management Support (TLMS)  Transparent support for policies and procedures  Engrain information security into company culture  Effective Communications
  • 18.
    “IT governance is a mystery to key decision-makers at most companies and that only about one-third of the managers’ surveyed understood how IT is governed at his or her company.”  Source: Weill, P., and Ross, J., “A Matrixed Approach to Designing IT Governance,” Sloan Management Review, 46(2), 2005, p. 26.
  • 19.
    Phase 1 –The Banking Sector
  • 20.
    Results  Overall, the Information Security Officers confirmed the main issues proposed in the conceptual model.  The four pillars, security policy, security awareness, access control, and TLMS were rated as extremely important for each of the interviewees.
  • 21.
  • 22.
  • 23.
    Future Research Phase II Developing and administering a survey to a larger sample.  Seeking advice on potential sponsorship, professional affiliations that may be interested in working with us.
  • 24.
    Thank You! Dankje! Merci! Danke!