
Ula, U., Mohamed, Z. and Ismail, Z. (2013). Information security governance framework for banking environment (043924)

Information Security Governance Framework for Banking Environment

Munirul Ula
CASE, UTM CityCampus
Jln Semarak
Kuala Lumpur 54100
munirul_ula@yahoo.com

Zailani Mohamed Sidek
CASE, UTM CityCampus
Jln Semarak
Kuala Lumpur 54100
zailani@citycampus.utm.my

Zuraini bt Ismail
College of Science and Technology
Jln Semarak
Kuala Lumpur 54100
Zurainisma@citycampus.utm.my

ABSTRACT
The field of Information Security Governance has emerged to address security issues in business practices, especially for banks and financial institutions. Because banks increasingly rely on information technology and the Internet to operate their businesses and market interactions, technology risks will potentially increase, both for the individual banks and for the financial industry at large. This paper presents progressing research work on producing an Information Security governance framework for the banking environment. Information Security governance is the preparation for, making of and implementation of IT-related decisions regarding goals, processes, people and technology on a tactical or strategic level. The paper further examines the three widely used information security governance practices, which are COBIT DS5, ITIL Security Management, and ISO 27002. The Information security governance framework will be derived by mapping and integrating the three best practices of ITIL Security Management, ISO 27002 and the COBIT DS5 control objectives. This progressing research aims to develop a specific information security governance framework to fit the banking environment.

Keywords
Information security governance, COBIT DS5, ITIL security
management, ISO 27002.

1. INTRODUCTION
Continuing developments and innovations in technology have a significant impact on the way banks interact with their customers, suppliers, and other counterparts. Technology has also changed the basic operations of the banking system. Banks face the challenge of adapting, innovating and responding to the opportunities posed by computer systems, telecommunications, networks and other technology-related solutions to drive their businesses in an increasingly competitive domestic and global market.

The Internet in particular offers major opportunities for banks to reach new markets and expand the range of products and services they provide to customers. The very accessibility and dynamism of the Internet brings both benefits and risks.

As banks increasingly rely on Information Technology and the Internet to operate their businesses and interact with the market, technology risks will potentially increase, both for individual banks and for the financial industry at large.

The most common technology risk or threat to banking and financial institutions is the phishing attack [1]. The typical phishing attack is based on social engineering, because the consumers who are the targets are manipulated. They are tricked into divulging the usernames and passwords needed to access their online banking accounts. With these credentials, the fraudster can skim funds, take over accounts, and steal the account holders' identity. The newer attack techniques are of a different kind than classic phishing and require different defenses.

The other forms of attack, like spyware, trojan horses, and keyloggers, can cause a user to unwittingly download malware, which is computer code developed with the malicious intention of collecting various user information. The stolen information can be used for identity theft, which is a much more insidious prospect than the account skimming or account takeover associated with the more common phishing attacks.

In the past several years, the rise in these new attacks has been astonishing. For example, the Brazilian authorities arrested a crime ring in November 2004 for allegedly stealing US$30 million from Internet bank accounts by sending out e-mails with Trojan horses capable of stealing users' passwords and security codes. In January 2005, police arrested a ring of 13 people for allegedly stealing $600,000. They used spoofed online advertisements and spam e-mails to install keyboard loggers on user PCs to steal user names and passwords. In February 2005, a Bank of America corporate banking customer sued the Bank after US$90,000 was allegedly stolen from his account through the use of a keyboard logger [1].

Financial institutions are clearly responsible for compromised data in their possession that results in fraud. Account holders have typically been held responsible for guarding against the theft of their banking information, as well as for any fraud perpetrated as a result of compromised credentials. While this continues to hold true in the traditional banking channels, banks have to be responsible for fraudulent activity perpetrated via the Internet channel. In the recent rise of phishing attacks, banks have reimbursed most customers for losses, even though it was the customer who compromised their account credentials.

A major difficulty experienced by banking IT departments is the process of organizing and structuring their functions and the way they interact with other units. It is argued that banks must implement a governance strategy to help senior executives manage their IT-related activities and the perceptions between IT and the rest of the organization. In doing this, the leadership must balance the needs of the business units with the way IT structures its service delivery, to ensure that the IT department is capable of delivering acceptable services to the end users. This balance is also needed to allow the organization to meet its strategic goals.

2. INFORMATION SECURITY GOVERNANCE DEFINITION
Academicians and practitioners alike lack consensus on the definition of Information Security governance. Some of the prevalent definitions of Information Security governance in the literature are as follows. According to Moulton and Coles, Information Security Governance is the establishment and maintenance of the control environment to manage the risks relating to the confidentiality, integrity and availability of information and its supporting processes and systems [2]. Shon Harris states that Information security governance is all of the tools, personnel and business processes that ensure that security is carried out to meet an organization's specific needs; it requires organizational structure, roles and responsibilities, performance measurement, defined tasks and oversight mechanisms [3]. The white paper from the IT Governance Institute defines Information security governance as the set of responsibilities and practices exercised by the board and executive management with the goal of providing strategic direction, ensuring that objectives are achieved, ascertaining that risks are managed appropriately and verifying that the enterprise's resources are used responsibly [4].

3. INFORMATION SECURITY GOVERNANCE STANDARDS
There are a number of IT governance frameworks, best practices and standards examined in this research. Most of them are complementary to each other, with strengths and weaknesses in different areas. The most well known and widely used are COBIT 4.1, ITIL, and ISO 27002 [5] [6].

3.1 COBIT 4.1 Delivery and Support 5 (DS5)
Control Objectives for Information and related Technologies (COBIT) is a set of best practices for information technology management created by the Information Systems Audit and Control Association (ISACA) and the IT Governance Institute. COBIT provides guidelines for managers, auditors, and IT users, with a set of best practices to help them manage their organization's information technology resources [7]. COBIT 4.1 provides a framework and control objectives over the information technology domains, which are planning and organizing, acquisition and implementation, delivery and support, and monitoring.

COBIT DS5 is an effective tool for managing security metrics and operations, security monitoring, user management, and user awareness [8]. Security metrics and operations are indices that are needed to support security programs. These include items such as the number of reported incidents and the number of viruses detected. Ongoing tasks, such as review of documentation, change management procedures, audit material, and response, enhance security efforts. COBIT 4.1 is strong in IT controls and IT metrics, but it does not say how the processes flow, and it is not strong in security.

3.2 ITIL Security Management
ITIL, the IT Infrastructure Library, developed in the UK by the Office of Government Commerce (OGC), is gaining traction in the global IT community as a framework for IT governance. The library currently consists of eight aspects: Software Asset Management, Service Support, Service Delivery, Security Management, Application Management, ICT Infrastructure Management, The Business Perspective, and Planning to Implement Service Management. ITIL is strong in IT processes but limited in security and system development.

3.3 ISO 27002:2005
ISO 27002 was originally ISO 17799, which in December 2000 was accepted word-for-word from the BS 7799 Security Standard published by the British Standards Institute. The ISO 27002 Code of Practice opens with an Introduction describing Information Security, why it is needed, how to assess security requirements, and how to assess risks and assign controls.

ISO 27002 refers to hundreds of best-practice information security control measures that organizations should consider in order to satisfy the stated control objectives. The standard does not mandate specific controls but leaves it to the user organizations to select and implement controls, using a risk-assessment process to identify the most appropriate controls for their specific requirements. They are also free to select controls not listed in the standard, so long as their control objectives are satisfied. ISO 27002's relatively narrow focus on security makes it unsuitable as the sole basis for an IT governance framework, but since risk management is a component of IT governance, ISO 27002 is relevant, and parts of it can be adopted in building an overall IT governance framework. ISO 27002 is strong in security controls but does not describe how the process flows.

4. FRAMEWORK FOR INFORMATION SECURITY GOVERNANCE
COBIT DS5 can be used at the highest level, providing an overall control framework based on an IT process model that should generically suit every organization [9]. Specific practices and standards such as ITIL Security Management and ISO 27002 cover discrete areas and can be mapped to the COBIT framework. TABLE 1 (see Appendix I) shows a mapping of ISO 27002 and ITIL Security Management to the COBIT DS5 control objectives. This mapping was done by reviewing and categorizing the areas of discussion of the three standards. The mapping can be used to produce a combined Information security governance framework for the banking environment. At this stage of our progressing research, however, the complete framework is still being refined.

CONCLUSION
In today's technological and social environment, security is a very important part of a banking and financial institution's systems. Customers are very concerned about privacy and the rise of identity theft. Business partners, suppliers, and vendors are requiring it from one another, particularly when providing mutual network and information access. Espionage through the use of networks to gain competitive intelligence and to extort organizations is becoming more prevalent.

A bank's ability to take advantage of new opportunities often depends on its ability to provide open, accessible, available, and secure network connectivity and services. Having a reputation for safeguarding information and the environment within which it resides enhances an organization's ability to preserve and increase market share.

A comprehensive information security governance framework is highly needed in this growing market. Some general standards and best practices have been developed, such as COBIT, ITIL and ISO 27002, but none of them can fulfil the specific and unique needs of an organization. This progressing research aims to develop a specific information security governance framework to fit the banking environment and its information systems.

REFERENCES
[1] Tubin, G. 2005. The Sky IS Falling: The Need for Stronger Consumer Online Banking Authentication. TowerGroup, USA.
[2] Moulton, R. and Coles, R. S. 2003. Applying Information Security Governance. Elsevier, Volume 22, Issue 7, pp. 580-584.
[3] Harris, S. 2006. Information Security Governance Guide. www.SearchSecurity.com (date accessed 03-04-2008).
[4] IT Governance Institute 2006. Information Security Governance: Guidance for Boards of Directors and Executive Management, 2nd Edition. Available online at www.itgi.org
[5] Hoekstra, A. and Conradie, N. 2002. CobiT, ITIL and ISO17799: How to use them in conjunction. PricewaterhouseCoopers, www.pwcgobal.com
[6] Sambamurthy, V. and Zmud, R. W. 2000. Research commentary: The organizing logic for an enterprise's IT activities in the digital era - a prognosis of practice and a call for research. Information Systems Research, 11(2), 105-114.
[7] Spafford, G. 2003. The benefits of standard IT governance frameworks. Datamation. Retrieved November 13, 2005, from http://itmanagement.earthweb.com/netsys/article.php/2195051
[8] COBIT, 2007. COBIT 4.1 Executive Summary. Rolling Meadows, IL: IT Governance Institute.
[9] Gaw, L. 2003. Designing the security program for your organization: A top down approach (White Paper). Bethesda, MD: SANS Institute.
[10] Ridley, G., Young, J. and Carroll, P. 2004. COBIT and its utilization: A framework from the literature. 37th Hawaii International Conference on System Sciences (pp. 80233-80241). Big Island, HI: IEEE.

APPENDIX I
TABLE 1. Mapping of ITIL and ISO 27002 to COBIT DS5
Columns: COBIT 4.1 (DS5) | ITIL (Security Management) | ISO 27002:2005

DS5.1 Management of IT Security
  ITIL: Fundamental Information Security, 2.3.1.2 Plan
  ISO 27002: 4.1 Information security infrastructure; 5. Information classification; 9.1 Business requirement for access control; 10.1 Security requirement of system; 12.1 Compliance with legal requirement; 12.2 Reviews of security policy and technical compliance

DS5.2 IT Security Plan
  ITIL: Security Management Measures, 4.1 Control; 4.3 Audit and evaluate; 4.4 Maintain
  ISO 27002: 4.1 Information security infrastructure; 4.2 Security of third-party access; 6.1 Security in job definition and resourcing; 7.1 Secure areas; 8.1 Operational procedures and responsibilities; 8.6 Media handling and security; 9.1 Business requirement for access control; 9.2 User access management; 9.3 User responsibilities; 9.5 Operating system access control; 9.6 Application access control; 10.4 Security of system files

DS5.3 Identity Management
  ITIL: Fundamental Information Security, 2.3.1.2 Plan; Resources restricted to authorized personnel

DS5.4 User Account Management
  ITIL: Security Management Measures; 4.2.2 Access control; 4.2.4 Access control
  ISO 27002: 4.2 Security of third-party access; 9.2 User access management; 9.4 Network access control; 9.5 Operating system access control; 9.6 Application access control

DS5.5 Security Testing, Surveillance and Monitoring
  ITIL: Security Management Measures; 4.2 Implementation; 4.3 Audit and evaluate; security reviews of IT systems
  ISO 27002: 9.5 Operating system access control; 9.7 Monitoring system access and use; 10.4 Security of system files; 12.1 Compliance with legal requirements; 12.2 Reviews of security policy and technical compliance

DS5.6 Security Incident Definition
  ITIL: Security Management Measures; 4.2 Implement; 4.5 Report; ITIL and security management; 3.3.2 Incident control help desk
  ISO 27002: 3.1 Information security policy; 4.1 Information security infrastructure; 6.3 Responding to security incidents and malfunctions; 9.1 Business requirement for access control; 9.3 User responsibilities

DS5.7 Protection of Security Technology
  ITIL: Security Management Measures; 4.2 Implementation
  ISO 27002: 3.1 Information security policy; 4.1 Information security infrastructure; 6.3 Responding to security incidents and malfunctions; 7.1 Secure areas; 8.1 Operational procedures and responsibilities; 8.6 Media handling and security; 9.5 Operating system access control; 10.3 Cryptographic controls

DS5.8 Cryptographic Key Management
  ITIL: Security Management Measures, 4.2 Implementation
  ISO 27002: 10.3 Cryptographic controls

DS5.9 Malicious Software Prevention, Detection and Correction
  ITIL: Security Management Measures, 4.2 Implementation
  ISO 27002: 6.3 Responding to security incidents and malfunctions; 8.3 Protection against malicious software

DS5.10 Network Security
  ITIL: Security Management Measures, 4.2 Implementation
  ISO 27002: 8.5 Network management; 9.4 Network access control

DS5.11 Exchange of Sensitive Data
  ITIL: Security Management Measures, 4.2 Implementation
  ISO 27002: 8.5 Network management; 9.4 Network access control; 10.2 Security in application systems; 10.3 Cryptographic controls
