Information security governance framework for banking environment (043924)
Zuraini bt Ismail
munirul_ula@yahoo.com
zailani@citycampus.utm.my
Zurainisma@citycampus.utm.my
ABSTRACT
The field of information security governance has emerged to address
security issues in business practice, especially for banks and financial
institutions. Because banks increasingly rely on information technology
and the Internet to operate their businesses and interact with the market,
technology risk potentially increases, both for individual banks and for
the financial industry at large. This paper presents work in progress on
producing an information security governance framework for the banking
environment. Information security governance is the preparation for,
making of and implementation of IT-related decisions regarding goals,
processes, people and technology at a tactical or strategic level. The
paper further examines three widely used information security governance
practices: COBIT DS5, ITIL Security Management and ISO 27002. The
framework will be derived by mapping and integrating these three best
practices, using the ITIL security management process, the ISO 27002
controls and the COBIT DS5 control objectives. The aim of this ongoing
research is to develop a specific information security governance
framework that fits the banking environment.
Keywords
Information security governance, COBIT DS5, ITIL security
management, ISO 27002.
1. INTRODUCTION
Continuing developments and innovations in technology have a significant
impact on the way banks interact with their customers, suppliers and
other counterparties. Technology has also changed the basic operations of
the banking system. Banks face the challenge of adapting, innovating and
responding to the opportunities presented by computer systems,
telecommunications, networks and other technology-related solutions to
drive their businesses in an increasingly competitive domestic and global
market.
The Internet in particular offers major opportunities for banks to reach
new markets and expand the range of products and services they provide to
customers. The very accessibility and dynamism of the Internet bring both
benefits and risks.
As banks increasingly rely on information technology and the Internet to
operate their businesses and interact with the market,
2. INFORMATION SECURITY GOVERNANCE DEFINITION
3. INFORMATION SECURITY GOVERNANCE STANDARDS
A number of IT governance frameworks, best practices and standards are
examined in this research. Most of them complement each other, with
strengths and weaknesses in different areas. The best known and most
widely used are COBIT 4.1, ITIL and ISO 27002 [5] [6].
CONCLUSION
In today's technological and social environment, security is a very
important part of a banking and financial institution's systems.
Customers are increasingly concerned about privacy and the rise of
identity theft. Business partners, suppliers and vendors require security
from one another, particularly when providing mutual network and
information access. Espionage that uses networks to gain competitive
intelligence and to extort organizations is becoming more prevalent.
A bank's ability to take advantage of new opportunities often depends on
its ability to provide open, accessible, available and secure network
connectivity and services. A reputation for safeguarding information, and
the environment in which it resides, enhances an organization's ability
to preserve and increase market share.
A comprehensive information security governance framework is badly
needed in this growing market. General standards and best practices such
as COBIT, ITIL and ISO 27002 have been developed, but none of them alone
fulfils the specific and unique needs of an organization. This ongoing
research aims to develop a specific information security governance
framework that fits the banking environment and its information systems.
REFERENCES
[1] Tubin, G. 2005. The Sky IS Falling: The Need for Stronger Consumer
Online Banking Authentication. TowerGroup, USA.
APPENDIX I
TABLE 1. Mapping of ITIL and ISO 27002 to COBIT DS5

COBIT 4.1 (DS5) control objective: ITIL (Security Management) reference
DS5.1 Management of IT Security: Fundamental Information Security, 2.3.1.2 Plan; Security Management Measures, 4.1 Control, 4.3 Audit and evaluate, 4.4 Maintain
DS5.2 IT Security Plan: (see the unassigned ITIL entries below)
DS5.3 Identity Management: Fundamental Information Security, 2.3.1.2 Plan; resources restricted to authorized personnel
DS5.4 User Account Management: (see the unassigned ITIL entries below)
DS5.5 Security Testing, Surveillance and Monitoring: Security Management Measures, 4.2 Implementation, 4.3 Audit and evaluate (security reviews of IT systems)
DS5.6 Security Incident Definition: (see the unassigned ITIL entries below)
DS5.7 Protection of Security Technology: Security Management Measures, 4.2 Implementation
DS5.8 Cryptographic Key Management: Security Management Measures, 4.2 Implementation
DS5.9 Malicious Software Prevention, Detection and Correction: Security Management Measures, 4.2 Implementation
DS5.10 Network Security: Security Management Measures, 4.2 Implementation
DS5.11 Exchange of Sensitive Data: (see the unassigned ITIL entries below)

ITIL column entries in the table that are not shown against a single DS5 row above: Security Management Measures, 4.2 Implement, 4.5 Report; Security Management Measures, 4.2 Implementation (two entries); Security Management Measures, 4.2.2 Access control, 4.2.4 Access control.

ISO 27002 column entries in the table: 3.1 Information security policy; 4.1 Information security infrastructure; 6.3 Responding to security incidents and malfunctions; 7.1 Secure areas; 8.1 Operational procedures and responsibilities; 8.6 Media handling and security; 9.5 Operating system access control; 10.3 Cryptographic controls.

Note that these clause numbers follow ISO/IEC 17799:2000; ISO/IEC 27002:2005 renumbered the same controls (for example, information security policy became 5.1 and cryptographic controls became 12.3), so the mapping should be checked against the edition actually in use.