Information Security Governance Framework
8/18/2019 Information Security Governance Framework
Information Security Governance Framework for Banking Environment

Munirul Ula, CASE, UTM City Campus, Jln Semarak, Kuala Lumpur 54100
Zailani Mohamed Sidek, CASE, UTM City Campus, Jln Semarak, Kuala Lumpur 54100
Zuraini bt Ismail, College of Science and Technology, Jln Semarak, Kuala Lumpur 54100
ABSTRACT

The field of Information Security Governance has emerged to address security issues in business practices, especially for banks and financial institutions. Because banks increasingly rely on information technology and the Internet to operate their businesses and interact with the market, technology risks will potentially increase, both for individual banks and for the financial industry at large. This paper presents the ongoing research work on producing an Information Security governance framework for the banking environment. Information Security governance is the preparation for, making of and implementation of IT-related decisions regarding goals, processes, people and technology on a tactical or strategic level. The paper further examines the three widely used information security governance practices, which are COBIT DS5, ITIL Security Management and ISO 27002. The information security governance framework will be derived by mapping and integrating the three best practices of ITIL Security Management, ISO 27002 and COBIT DS5 control objectives. This ongoing research aims to develop a specific information security governance framework that fits the banking environment.

Keywords: Information security governance, COBIT DS5, ITIL security management, ISO 27002.
1. INTRODUCTION

Continuing developments and innovations in technology have a significant impact on the way banks interact with their customers, suppliers and other counterparts. Technology has also changed the basic operations in the banking system. Banks face the challenge of adapting, innovating and responding to the opportunities posed by computer systems, telecommunications, networks and other technology-related solutions to drive their businesses in an increasingly competitive domestic and global market.

The Internet in particular offers major opportunities for banks to reach new markets and expand the range of products and services they provide to customers. The very accessibility and dynamism of the Internet brings both benefits and risks.

As banks increasingly rely on Information Technology and the Internet to operate their businesses and interact with the market, technology risks will potentially increase, both for individual banks and for the financial industry at large.
The most common technology risk or threat to banking and financial institutions is the phishing attack [1]. The typical phishing attack is based on social engineering, because the consumers who are the targets are manipulated. They are tricked into divulging the usernames and passwords needed to access their online banking accounts. With these credentials, the fraudster can skim funds, take over accounts and steal the account holders' identity. The newer attack techniques are of a different kind than classic phishing and require different defenses.

Other forms of attack, like spyware, trojan horses and keyloggers, can cause a user to unwittingly download malware, which is computer code developed with the malicious intention of collecting various user information. The stolen information can be used for identity theft, which is a much more insidious prospect than the account skimming or account takeover associated with the more common phishing attacks.

In the past several years, the rise in these new attacks has been astonishing. For example, the Brazilian authorities arrested a crime ring in November 2004 for allegedly stealing US$30 million from Internet bank accounts by sending out e-mails with Trojan horses capable of stealing users' passwords and security codes. In January 2005, police arrested a ring of 13 people for allegedly stealing $600,000. They used spoofed online advertisements and spam e-mails to install keyboard loggers on user PCs to steal user names and passwords. In February 2005, a Bank of America corporate banking customer sued the Bank after US$90,000 was allegedly stolen from his account through the use of a keyboard logger [1].

Financial institutions are clearly responsible for compromised data in their possession that results in fraud. Account holders have typically been held responsible for guarding against the theft of their banking information as well as any fraud perpetrated as a result of compromised credentials. While this continues to hold true in the traditional banking channels, banks have to be responsible for fraudulent activity perpetrated via the Internet channel. In the recent rise of phishing attacks, banks have reimbursed most customers for losses, although the customers clearly compromised their own account credentials.
A major difficulty experienced by banking IT departments is the process of organizing and structuring their functions and the way they interact with other units. They argued that banks must implement a governance strategy to help senior executives manage their IT-related activities and the perceptions between IT and the rest of the organization. In doing this, the leadership must balance the needs of the business units with the way IT structures its service delivery to ensure that the IT department is capable of delivering acceptable services to the end users. This balance is also needed to allow the organizations to meet their strategic goals.

Ula, U., Mohamed, Z. and Ismail, Z. (2013). Information security governance framework for banking environment (043924)
2. INFORMATION SECURITY GOVERNANCE DEFINITION

Academicians and practitioners alike lack consensus on the definition of Information Security governance. Some of the prevalent definitions of Information Security governance in the literature are as follows. According to Moulton and Cole, Information Security Governance is the establishment and maintenance of the control environment to manage the risks relating to the confidentiality, integrity and availability of information and its supporting processes and systems [2].

Shon Harris said Information security governance is all of the tools, personnel and business processes that ensure that security is carried out to meet an organization's specific needs. It requires organizational structure, roles and responsibilities, performance measurement, defined tasks and oversight mechanisms [3].

The white paper from the IT Governance Institute defines Information security governance as the set of responsibilities and practices exercised by the board and executive management with the goal of providing strategic direction, ensuring that objectives are achieved, ascertaining that risks are managed appropriately and verifying that the enterprise's resources are used responsibly [4].
3. INFORMATION SECURITY GOVERNANCE STANDARDS

There are a number of IT governance frameworks, best practices and standards examined in this research. Most of them are complementary to each other, with strengths and weaknesses in different areas. The most well known and widely used are COBIT 4.1, ITIL and ISO 27002 [5] [6].

3.1 COBIT 4.1 Delivery and Support 5 (DS5)

Control Objectives for Information and related Technologies (COBIT) is a set of best practices for information technology management created by the Information Systems Audit and Control Association (ISACA) and the IT Governance Institute. COBIT provides guidelines for managers, auditors and IT users with a set of best practices to help them manage their organization's information technology resources [7]. COBIT 4.1 provides a framework and control objectives over the information technology domains, which are planning and organizing, acquisition and implementation, delivery and support, and monitoring.

COBIT DS5 is an effective tool for managing security metrics and operations, security monitoring, user management and user awareness [8]. Security metrics and operations are indices that are needed to support security programs. These include items such as the number of reported incidents and the number of viruses detected. Ongoing tasks, such as review of documentation, change management procedures, audit material and response, enhance security efforts. COBIT 4.1 is strong in IT controls and IT metrics, but it does not say how the processes flow, and it is not strong in security.
3.2 ITIL Security Management

ITIL is the IT Infrastructure Library, developed in the UK by the Office of Government Commerce (OGC), and is gaining traction in the global IT community as a framework for IT governance. The library currently consists of eight aspects, including: Software Asset Management, Service Support, Service Delivery, Security Management, Application Management, ICT Infrastructure Management, The Business Perspective, and Planning to Implement Service Management. ITIL is strong in IT processes but limited in security and system development.
3.3 ISO 27002:2005

ISO 27002 was originally ISO 17799, which in December 2000 was accepted word-for-word from the BS 7799 security standard published by the British Standards Institute. The ISO 27002 Code of Practice opens with an Introduction describing Information Security, why it is needed, how to assess security requirements, and how to assess risks and assign controls.

ISO 27002 refers to hundreds of best-practice information security control measures that organizations should consider to satisfy the stated control objectives. The standard does not mandate specific controls but leaves it to the user organizations to select and implement controls, using a risk-assessment process to identify the most appropriate controls for their specific requirements. They are also free to select controls not listed in the standard, just so long as their control objectives are satisfied.

ISO 27002's relatively narrow focus on security makes it unsuitable as the sole basis for an IT governance framework, but since risk management is a component of IT governance, ISO 27002 is relevant, and parts of it can be adopted in building an overall IT governance framework. ISO 27002 is strong in security controls but does not describe how the process flows.
4. FRAMEWORK FOR INFORMATION SECURITY GOVERNANCE

COBIT DS5 can be used at the highest level, providing an overall control framework based on an IT process model that should generically suit every organization [9]. Specific practices and standards such as ITIL Security Management and ISO 27002 cover discrete areas and can be mapped to the COBIT framework. TABLE 1 (see Appendix 1) shows a mapping of ISO 27002 and ITIL Security Management to the COBIT DS5 control objectives. This mapping process is done by reviewing and categorizing the areas of discussion of the three standards. This mapping can be used to produce a combined Information security governance framework for the banking environment. But at this stage of our
APPENDIX I

TABLE 1. Mapping of ITIL and ISO 27002 to COBIT DS5

| COBIT 4.1 (DS5) | ITIL (Security Management) | ISO 27002:2005 |
| --- | --- | --- |
| DS5.1 Management of IT Security | Fundamental of Information Security, 2.3.1.2 Plan; Security Management Measures, 4.1 Control, 4.3 Audit and evaluate, 4.4 Maintain | 4.1 Information security infrastructure; 5. Information classification; 9.1 Business requirement for access control; 10.1 Security requirement of system; 12.1 Compliance with legal requirement; 12.2 Reviews of security policy and technical compliance |
| DS5.2 IT Security Plan | Fundamental of Information Security, 2.3.1.2 Plan | |
| DS5.3 Identity Management | Resources restricted to authorized personnel; Security Management Measures, 4.2.2 Access control, 4.2.4 Access control | 4.2 Security of third-party access; 9.2 User access management; 9.4 Network access control; 9.5 Operating system access control; 9.6 Application access control |
| DS5.4 User Account Management | Security Management Measures, 4.2 Implementation, 4.3 Audit and evaluate security reviews of IT systems | 4.1 Information security infrastructure; 4.2 Security of third-party access; 6.1 Security in job definition and resourcing; 7.1 Secure areas; 8.1 Operational procedures and responsibilities; 8.6 Media handling and security; 9.1 Business requirement for access control; 9.2 User access management; 9.3 User responsibilities; 9.5 Operating system access control; 9.6 Application access control; 10.4 Security of system files |
| DS5.5 Security Testing, Surveillance and Monitoring | Security Management Measures, 4.2 Implement, 4.5 Report | 3.1 Information security policy; 4.1 Information security infrastructure; 6.3 Responding to security incidents and malfunctions; 9.1 Business requirement for access control; 9.3 User responsibilities; 9.5 Operating system access control; 9.7 Monitoring system access and use; 10.4 Security of system files; 12.1 Compliance with legal requirements; 12.2 Reviews of security policy and technical compliance |
| DS5.6 Security Incident Definition | ITIL and security management, 3.3.2 Incident control help desk | 3.1 Information security policy; 4.1 Information security infrastructure; 6.3 Responding to security incidents and malfunctions; 8.1 Operational procedures and responsibilities; 9.5 Operating system access control |
| DS5.7 Protection of Security Technology | Security Management Measures, 4.2 Implementation | 7.1 Secure areas; 8.6 Media handling and security; 10.3 Cryptographic controls |
| DS5.8 Cryptographic Key Management | Security Management Measures, 4.2 Implementation | 10.3 Cryptographic controls |
| DS5.9 Malicious Software Prevention, Detection and Correction | Security Management Measures, 4.2 Implementation | 6.3 Responding to security incidents and malfunctions; 8.3 Protection against malicious software |
| DS5.10 Network Security | Security Management Measures, 4.2 Implementation | 8.5 Network management; 9.4 Network access control |
| DS5.11 Exchange of Sensitive Data | Security Management Measures, 4.2 Implementation | 8.5 Network management; 9.4 Network access control; 10.2 Security in application systems; 10.3 Cryptographic controls |