Information Security Governance Framework


Information Security Governance Framework for Banking Environment

Munirul Ula
CASE, UTM City Campus
Jln Semarak
Kuala Lumpur 54100
[email protected]

Zailani Mohamed Sidek
CASE, UTM City Campus
Jln Semarak
Kuala Lumpur 54100
[email protected]

Zuraini bt Ismail
College of Science and Technology
Jln Semarak
Kuala Lumpur 54100
[email protected]

ABSTRACT

The field of Information Security Governance has emerged to address security issues in business practices, especially for banks and financial institutions. Because banks increasingly rely on information technology and the Internet to operate their businesses and interact with the market, technology risks will potentially increase, both for individual banks and for the financial industry at large. This paper presents ongoing research work on producing an Information Security Governance framework for the banking environment. Information Security Governance is the preparation for, making of and implementation of IT-related decisions regarding goals, processes, people and technology on a tactical or strategic level. The paper further examines the three widely used information security governance practices, which are COBIT DS5, ITIL Security Management, and ISO 27002. The Information Security Governance framework will be derived by mapping and integrating the three best practices of ITIL Security Management, ISO 27002 and COBIT DS5 control objectives. The goal of this ongoing research is to develop an information security governance framework specific to the banking environment.

Keywords: Information security governance, COBIT DS5, ITIL security management, ISO 27002.

1. INTRODUCTION

Continuing developments and innovations in technology have a significant impact on the way banks interact with their customers, suppliers, and other counterparts. Technology has also changed the basic operations of the banking system. Banks face the challenge of adapting, innovating and responding to the opportunities posed by computer systems, telecommunications, networks and other technology-related solutions to drive their businesses in an increasingly competitive domestic and global market.

The Internet in particular offers major opportunities for banks to reach new markets and expand the range of products and services they provide to customers. The very accessibility and dynamism of the Internet brings both benefits and risks.

As banks increasingly rely on information technology and the Internet to operate their businesses and interact with the market, technology risks will potentially increase, both for individual banks and for the financial industry at large.

The most common technology risk or threat to banking and financial institutions is the phishing attack [1]. The typical phishing attack is based on social engineering, because the consumers who are the targets are manipulated. They are tricked into divulging the usernames and passwords needed to access their online banking accounts. With these credentials, the fraudster can skim funds, take over accounts, and steal the account holders' identity. The newer attack techniques are of a different kind than classic phishing and require different defenses.

Other forms of attack, like spyware, Trojan horses, and keyloggers, can cause a user to unwittingly download malware, which is computer code developed with the malicious intention of collecting various user information. The stolen information can be used for identity theft, which is a much more insidious prospect than the account skimming or account takeover associated with the more common phishing attacks.

In the past several years, the rise in these new attacks has been astonishing. For example, the Brazilian authorities arrested a crime ring in November 2004 for allegedly stealing US$30 million from Internet bank accounts by sending out e-mails with Trojan horses capable of stealing users' passwords and security codes. In January 2005, police arrested a ring of 13 people for allegedly stealing $600,000. They used spoofed online advertisements and spam e-mails to install keyboard loggers on user PCs to steal user names and passwords. In February 2005, a Bank of America corporate banking customer sued the bank after US$90,000 was allegedly stolen from his account through the use of a keyboard logger [1].

Financial institutions are clearly responsible for compromised data in their possession that results in fraud. Account holders have typically been held responsible for guarding against the theft of their banking information as well as any fraud perpetrated as a result of compromised credentials. While this continues to hold true in the traditional banking channels, banks have to be responsible for fraudulent activity perpetrated via the Internet channel. In the recent rise of phishing attacks, banks have reimbursed most customers for losses, although the customers clearly compromised their own account credentials.

A major difficulty experienced by banking IT departments is the process of organizing and structuring their functions and the way they interact with other units. It has been argued that banks must implement a governance strategy to help senior executives manage their IT-related activities and the perceptions between IT and the rest of the organization. In doing this, the leadership must balance the needs of the business units with the way IT structures its service delivery, to ensure that the IT department is capable of delivering acceptable services to the end users. This balance is also needed to allow the organization to meet its strategic goals.

Ula, U., Mohamed, Z. and Ismail, Z. (2013). Information security governance framework for banking environment (043924)

2. INFORMATION SECURITY GOVERNANCE DEFINITION

Academicians and practitioners both lack consensus on the definition of Information Security Governance. Some of the prevalent definitions of Information Security Governance in the literature are as follows. According to Moulton and Cole, Information Security Governance is the establishment and maintenance of the control environment to manage the risks relating to the confidentiality, integrity and availability of information and its supporting processes and systems [2].

Shon Harris said that Information Security Governance is all of the tools, personnel and business processes that ensure that security is carried out to meet an organization's specific needs. It requires organizational structure, roles and responsibilities, performance measurement, defined tasks and oversight mechanisms [3].

The white paper from the IT Governance Institute defines Information Security Governance as the set of responsibilities and practices exercised by the board and executive management with the goal of providing strategic direction, ensuring that objectives are achieved, ascertaining that risks are managed appropriately and verifying that the enterprise's resources are used responsibly [4].

3. INFORMATION SECURITY GOVERNANCE STANDARDS

There are a number of IT governance frameworks, best practices and standards examined in this research. Most of them are complementary to each other, with strengths and weaknesses in different areas. The most well known and widely used are COBIT 4.1, ITIL, and ISO 27002 [5] [6].

3.1 COBIT 4.1 Delivery and Support 5 (DS5)

Control Objectives for Information and related Technologies (COBIT) is a set of best practices for information technology management created by the Information Systems Audit and Control Association (ISACA) and the IT Governance Institute. COBIT provides guidelines for managers, auditors, and IT users, with a set of best practices to help them manage their organization's information technology resources [7]. COBIT 4.1 provides a framework and control objectives over the information technology domains, which are planning and organizing, acquisition and implementation, delivery and support, and monitoring.

COBIT DS5 is an effective tool for managing security metrics and operations, security monitoring, user management, and user awareness [8]. Security metrics and operations are indices that are needed to support security programs. These include items such as the number of reported incidents and the number of viruses detected. Ongoing tasks, such as review of documentation, change management procedures, audit material, and response, enhance security efforts. COBIT 4.1 is strong in IT controls and IT metrics, but it does not say how the processes flow, and it is not strong in security.

3.2 ITIL Security Management

ITIL, the IT Infrastructure Library, developed in the UK by the Office of Government Commerce (OGC), is gaining traction in the global IT community as a framework for IT governance. The library currently consists of eight aspects, including: Software Asset Management, Service Support, Service Delivery, Security Management, Application Management, ICT Infrastructure Management, The Business Perspective, and Planning to Implement Service Management. ITIL is strong in IT processes but limited in security and system development.

3.3 ISO 27002:2005

ISO 27002 was originally ISO 17799, which in December 2000 was accepted word-for-word from the BS 7799 Security Standard published by the British Standards Institute. The ISO 27002 Code of Practice opens with an Introduction describing information security, why it is needed, how to assess security requirements, and how to assess risks and assign controls.

ISO 27002 refers to hundreds of best-practice information security control measures that organizations should consider in order to satisfy the stated control objectives. The standard does not mandate specific controls but leaves it to the user organizations to select and implement controls, using a risk-assessment process to identify the most appropriate controls for their specific requirements. They are also free to select controls not listed in the standard, as long as their control objectives are satisfied.

ISO 27002's relatively narrow focus on security makes it unsuitable as the sole basis for an IT governance framework, but since risk management is a component of IT governance, ISO 27002 is relevant, and parts of it can be adopted in building an overall IT governance framework. ISO 27002 is strong in security controls but does not describe how the process flows.

4. FRAMEWORK FOR INFORMATION SECURITY GOVERNANCE

COBIT DS5 can be used at the highest level, providing an overall control framework based on an IT process model that should generically suit every organization [9]. Specific practices and standards such as ITIL Security Management and ISO 27002 cover discrete areas and can be mapped to the COBIT framework. TABLE 1 (see Appendix 1) shows a mapping of ISO 27002 and ITIL Security Management to the COBIT DS5 control objectives. This mapping process is done by reviewing and categorizing the areas of discussion of the three standards. This mapping can be used to produce a combined Information Security Governance framework for the banking environment. But at this stage of our


APPENDIX I

TABLE 1. Mapping of ITIL and ISO 27002 to COBIT DS5

Columns: COBIT 4.1 (DS5) control objective; ITIL (Security Management); ISO 27002:2005

DS5.1 Management of IT Security
    ITIL: Fundamentals of Information Security, 2.3.1.2 Plan; Security Management Measures, 4.1 Control, 4.3 Audit and evaluate, 4.4 Maintain
    ISO 27002: 4.1 Information security infrastructure; 5. Information classification; 9.1 Business requirement for access control; 10.1 Security requirement of system; 12.1 Compliance with legal requirement; 12.2 Reviews of security policy and technical compliance

DS5.2 IT Security Plan
    ITIL: Fundamentals of Information Security, 2.3.1.2 Plan

DS5.3 Identity Management
    ITIL: Resources restricted to authorized personnel; Security Management Measures, 4.2.2 Access control, 4.2.4 Access control
    ISO 27002: 4.2 Security of third-party access; 9.2 User access management; 9.4 Network access control; 9.5 Operating system access control; 9.6 Application access control

DS5.4 User Account Management
    ITIL: Security Management Measures, 4.2 Implementation, 4.3 Audit and evaluate (security reviews of IT systems)
    ISO 27002: 4.1 Information security infrastructure; 4.2 Security of third-party access; 6.1 Security in job definition and resourcing; 7.1 Secure areas; 8.1 Operational procedures and responsibilities; 8.6 Media handling and security; 9.1 Business requirement for access control; 9.2 User access management; 9.3 User responsibilities; 9.5 Operating system access control; 9.6 Application access control; 10.4 Security of system files

DS5.5 Security Testing, Surveillance and Monitoring
    ITIL: Security Management Measures, 4.2 Implement, 4.5 Report
    ISO 27002: 3.1 Information security policy; 4.1 Information security infrastructure; 6.3 Responding to security incidents and malfunctions; 9.3 User responsibilities; 9.1 Business requirement for access control; 9.5 Operating system access control; 9.7 Monitoring system access and use; 10.4 Security of system files; 12.1 Compliance with legal requirements; 12.2 Reviews of security policy and technical compliance

DS5.6 Security Incident Definition
    ITIL: ITIL and security management, 3.3.2 Incident control / help desk
    ISO 27002: 3.1 Information security policy; 4.1 Information security infrastructure; 6.3 Responding to security incidents and malfunctions; 8.1 Operational procedures and responsibilities; 9.5 Operating system access control

DS5.7 Protection of Security Technology
    ITIL: Security Management Measures, 4.2 Implementation
    ISO 27002: 7.1 Secure areas; 8.6 Media handling and security; 10.3 Cryptographic controls

DS5.8 Cryptographic Key Management
    ITIL: Security Management Measures, 4.2 Implementation
    ISO 27002: 10.3 Cryptographic controls

DS5.9 Malicious Software Prevention, Detection and Correction
    ITIL: Security Management Measures, 4.2 Implementation
    ISO 27002: 6.3 Responding to security incidents and malfunctions; 8.3 Protection against malicious software

DS5.10 Network Security
    ITIL: Security Management Measures, 4.2 Implementation
    ISO 27002: 8.5 Network management; 9.4 Network access control

DS5.11 Exchange of Sensitive Data
    ITIL: Security Management Measures, 4.2 Implementation
    ISO 27002: 8.5 Network management; 9.4 Network access control; 10.2 Security in application systems; 10.3 Cryptographic controls