ENTERPRISE INFORMATION

SYSTEMS SECURITY: A
CASE STUDY IN THE
BANKING SECTOR
SEPTEMBER 20TH, 2012
CONFENIS - GHENT, BELGIUM

Sohail Chaudhry, Peggy Chaudhry, Kevin Clark and Darryl Jones

Villanova School of Business, Villanova, PA USA

Agenda

Introduction
Research Approach
Conceptual Model
Phase I Banking Sector
Results
Future Research

Current Events

Have you had any cases of insider sabotage or

IT security fraud conducted at your workplace?

Source: Cyber-Ark Snooping Survey, April 2011, p. 3.

Research Approach

Focus: Enterprise Information Systems

Security Internal threats.
Literature Review & Development of Model.
Phase 1: Model tested via personal interviews
of 4 senior information officers in a highly
regulated industry the Banking Industry.

Information Security Officers

Interviewed
Bank A

Bank B

Bank C

Bank D

Public
100
Years
1.1 Bil
USD
Assets
11
Branches

Private,
70 years
20 Mil
USD in
Assets
2
Branches

Private,
15 years
1.8 Bil
USD in
assets
13
Branches

Private, 8
years
550 Mil
USD in
assets
10
Branches

Federal Financial Institutions

Examination Council (FFIEC)
Security Process (e.g., Governance issues)
Information Security Risk Assessment (e.g., steps in gathering
information)
Information Security Strategy (e.g., architecture considerations)

Security Controls Implementation (e.g., access control)

Security Monitoring (e.g., network intrusion detection systems)
Security Process Monitoring and Updating

The Gramm-Leach-Bliley Act

Access controls on customer information systems
Access restrictions at physical locations containing customer
information
Encryption of electronic customer information
Procedures to ensure that system modifications do not affect
security.
Dual control procedures, segregation of duties, and employee
background checks
Monitoring Systems to detect actual attacks on or intrusions
into customer information systems
Response programs that specify actions to be taken when
unauthorized access has occurred.
Protection from physical destruction or damage to customer
information

Conceptual Framework
Enterprise Information
System Security
Implementation
Security Policy

Security
Awareness

Access
Control

Corporate Governance

Top Level
Management
Support

Pillar 1: Security Policy

Set rules for behavior

Define consequences of violations
Procedure for dealing with breach
Authorize company to monitor and
investigate
Legal and regulatory compliance

Excerpt from interview:

Information Security Policy is
not an option, its demanded
from the top of the house on
down, its board approved,
accepted by regulators, and
executed throughout the
organization.

Pillar 2: Security Awareness

Continued education
Collective and individual activities
Formal classes, emails, discussion groups
Employee compliance

Excerpt from interview:

In training, we tell employees
that we are tracking them,
when we are not. Its a
deterrent. The fact is we have
to use implied security in
addition to actual security.

Pillar 3: Access Control

Limit information
Access linked to job function
Restrict information not relevant to position
Management of access rule changes

Have you ever accessed information on a

system that was not relevant to your role?

EMEA

US

C-Level

Yes

250

44%

243

28%

21

30%

No

313

56%

616

72%

50

70%

Grand Total

563

100%

859

100%

71

100%

Source: Cyber-Ark Snooping Survey, April 2011, p. 2.

Do you agree that majority of recent security attacks have

involved the exploitation of privileged account access?

24%
12%

Agree

64%

Disagree
Not Sure

Source: Cyber-Ark 2012 TRUST, SECURITY & PASSWORDS SURVEY, June 2012

Pillar 4: Top Level Management

Support (TLMS)

Transparent support for policies and

procedures
Engrain information security into company
culture
Effective Communications

IT governance is a mystery
to key decision-makers at
most companies and that
only about one-third of the
managers surveyed
understood how IT is
governed at his or her
company.
Source: Weill, P., and Ross, J., A Matrixed Approach to
Designing IT Governance, Sloan Management Review,
46(2), 2005, p. 26.

Phase 1 The Banking Sector

Results

Overall, the Information Security Officers

confirmed the main issues proposed in the
conceptual model.

The four pillars, security policy, security

awareness, access control, and TLMS were
rated as extremely important for each of the
interviewees.

Interview Content Analysis

Agreement

Interview Content Analysis Dissonance

Future Research
Phase II
Developing and administering a survey to a
larger sample.
Seeking advice on potential sponsorship,
professional affiliations that may be interested
in working with us.

Thank You!
Dankje!
Merci!
Danke!