IT Security Governance Innovations - Advances in Information Security, Privacy, and Ethics
Published by IGI Global. ISBN 9781466620834, 9781466620841.
Total documents: 11 (five years: 0). H-index: 2 (five years: 0).

Author(s): Theodosios Tsiakis, Theodoros Kargidis, Aristeidis Chatzipoulidis

Most industries have been influenced in different ways by e-commerce, and the banking industry is no exception. In particular, banks are embracing electronic banking (e-banking) as a service to reach a wider market, increase customer satisfaction and lower operational costs. This increased supply of and demand for e-banking services has created not only opportunities but also risks. The need to manage and regulate those risks calls for a sound Information Technology Security Governance (ITSG) program as a means to deliver business value and mitigate Information Technology (IT) risks. In this regard, the chapter’s objectives are to explore, evaluate, and compare the current status and characteristics of Information Security Governance (ISG) approaches for e-banking. The authors therefore analyse reputable standards, governance guidelines, risk management methods, and internal controls currently used for e-banking in order to determine which best satisfies ISG objectives. The results show that banks should not restrict themselves to the ISG approaches currently used for e-banking but should also consider the benefits and shortcomings of other approaches. In this regard, the authors propose an ITSG framework for e-banking as a continuous process for assuring ISG objectives. They also highlight the importance of consistently measuring ITSG performance metrics with the aid of the Security Content Automation Protocol (SCAP).


Author(s): Partha Saha, Ambuj Mahanti

IT security governance bridges the gap between corporate governance and information security, where information security is defined as the protection of information and other valuable assets in the organization from a wide range of threats in order to maximize return on investment (ROI) and minimize risk. These risks emanate from multiple sources, such as espionage, sabotage, malicious code, computer hacking, sophisticated denial-of-service attacks, vandalism, fire, flood, and other natural or man-made calamities. Information security in an organization is achieved by implementing suitable sets of safeguards or controls, including policies, processes, and procedures. These controls need to be established, monitored, and suitably implemented across the organization to ensure the smooth functioning of the business. Internationally recognized standards such as COBIT, ISO 17799, and others exist, some of which are country- or industry-specific. These standards include sets of specific controls. Organizations operating in a particular country should comply with the applicable standards, which are often legal obligations. Stakeholders and auditors are concerned with discrepancies that arise while these standards are being implemented in an organization. Compliance Auditing (CA) is the process that identifies and analyses any misalignment between the organization’s rules and policies and the government regulations or industry best practices it is supposed to implement. A distinct challenge in compliance auditing is measuring the discrepancies between company policies, controls, and industry standards on the one hand and actual organizational practices on the other.


Author(s):  
Gemma María Minero Alejandre

The protection by intellectual property rights of the investment and creativity involved in producing computer programs and databases is still not harmonised internationally. Since IT is used not only to produce these goods but also to infringe the intellectual property rights in them, national laws nowadays also protect so-called technological protection measures, such as passwords, encryption or copy-protection software, created to protect those rights. In addition, IT must comply with the privacy protection regulations currently in force, and the companies using it must meet international auditing standards. Intellectual property rights cannot, however, protect simple data and information; what is protected, through the sui generis right over databases (the database right), is the substantial investment made in obtaining, verifying or presenting the data. This chapter examines and compares the current legislation of developed countries in order to identify the characteristics, and the criticisms, they have in common.


Author(s):  
Matthew Nicho

The purpose of this paper is to propose an IS security governance model that enhances the security of information systems in an organisation by viewing security from a holistic perspective encompassing information security, information assurance, audit, governance, and compliance. This is achieved through the strategic integration of appropriate frameworks, models, and concepts from information governance, IS service management, and information security. It involves analysing the relevant frameworks, models, and concepts used in these domains, extracting best practices for implementing them from the literature, and mapping these into an integrated standard. The frameworks identified are Control Objectives for Information and related Technology (COBIT), the Information Technology Infrastructure Library (ITIL), ISO 27002, Risk IT, and the Payment Card Industry Data Security Standard (PCI DSS). While each of these five frameworks serves a different purpose (information auditing and governance, delivery of high-quality IT services, a model for managing an Information Security Management System, a risk focus, and protection of cardholder data, respectively), all of them share the common objective of securing the IS assets of an organisation. Hence, extracting the best practices from each framework can provide effective, rather than merely adequate, security of organisational IS assets.


Author(s):  
Oscar Rebollo

Security awareness has spread through many organizations, leading them to tackle information security not just as a technical matter but from a corporate point of view. Information Security Governance (ISG) provides enterprises with the means to deal with the security of their information assets in a comprehensive manner, involving every stakeholder throughout the governance and management processes. The boards of public and private entities cannot remain unaware of this development and should make efforts to include ISG in their business processes. Recognizing this relevant role, the scientific literature contains a variety of proposals that define different frameworks to foster ISG within a corporation. In order to facilitate their adoption by the public sector, this chapter compiles the existing approaches, highlighting the main contributions and characteristics of each. Senior executives and security managers may need support in deciding whether to adopt one of these frameworks, so a comparative analysis is performed. The chapter provides an overview of the state of the art of the most relevant current security governance frameworks by comparing them against a set of criteria defined and applied to every proposal, so that the strengths and weaknesses of each can be pointed out. These criteria have been selected from an in-depth analysis of existing ISG papers, covering both governance and management aspects.


Author(s): Ioanna Dionysiou, Angelika Kokkinaki, Skevi Magirou, Theodosios Iacovou

This chapter presents the findings of an investigation of current security practices in Cypriot organizations, including enterprises and public sector divisions. To gain knowledge of the security technologies deployed by organizations, a survey was conducted and concluded in late 2010. The survey primarily examined the compliance of enterprises’ current security policies and procedures with the ISO 27001 security guidelines. The analysis identified a number of aspects in which security mechanisms and the management of information technology (IT) resources could be improved. Based on the research findings, an assessment of the viability of ISO 27001 in Cyprus is given, as well as recommendations on the further deployment of ISO 27001.


Author(s): Shrikant Tiwari, Sanjay Kumar Singh

Establishing the identity of an individual has become critical as technology advances in a networked society. Thus, there is a need for reliable user authentication techniques to meet the growing demand for a high level of Information Security Governance (ISG), depending on the requirement. Biometrics can be explained as the method of recognizing an individual based on physical (face, fingerprint, ear, iris, etc.) or behavioral (voice, signature, gait, etc.) features. Nowadays, biometric systems are used for information security in commercial, defense, government, and forensic applications as a means of establishing identity and mitigating risk, which is one of the important objectives of Information Security Governance. In this chapter, an attempt is made to explain the use and proper selection of biometric traits to support Information Security Governance.


Author(s): Magdalena Arcilla, Jose A. Calvo-Manzano, Mercedes de la Cámara, Javier Sáenz, Luis Sánchez

Nowadays, there is an increasing dependence on information and on the systems that provide it. For many organizations, information and the technology that supports it represent the company’s most valuable assets. Research on Information Technology (IT) management practices in many organizations around the world has revealed that most of them are not optimizing their investment in IT. The differentiating factor between those who succeed and those who fail is the participation of management in key IT decisions, which must be aligned with the strategic and operational business plans, and a proper corporate governance of IT. Corporate governance evaluates and directs the use of IT to support the organization, monitors its use to achieve plans, provides guidance by advising, informing or assisting directors, and assures compliance with laws and regulations. Several frameworks and models have been developed for the governance and service management of IT. ITIL® (Information Technology Infrastructure Library) is the most widely used and extended model for IT service management. The purpose of this chapter is to describe briefly the main phases and processes of the ITIL® service lifecycle, to give detailed information on the information security management process, and to present the qualification scheme for IT Service Management with ITIL®.


Author(s): Olav Skjelkvåle Ligaarden, Atle Refsdal, Ketil Stølen

Systems of systems are collections of systems interconnected through the exchange of services. Their often complex service dependencies and highly dynamic nature make them hard to analyze and predict with respect to quality in general, and security in particular. In this chapter, the authors put forward a method for capturing and monitoring the impact of service dependencies on the security of the services provided. The method is divided into four main steps: documenting the system of systems and its IT service dependencies, establishing the impact of service dependencies on the risk to the security of the provided services, identifying measurable indicators for dynamic monitoring, and specifying the design and deployment of those indicators. The authors illustrate the method in an example-driven fashion based on a case from the power supply sector.


Author(s): Mamoun Alazab, Sitalakshmi Venkatraman, Paul Watters, Moutaz Alazab

Detecting malicious software, or malware, is one of the major concerns in information security governance, as malware authors pose a major challenge to digital forensics by using a variety of highly sophisticated stealth techniques to hide malicious code in computing systems, including smartphones. Current detection techniques are inadequate, as forensic analysis of infected devices is unable to identify all of the hidden malware, leaving systems exposed to zero-day attacks. This chapter takes a key step towards addressing this issue and lays the foundation for deeper investigations in digital forensics. The goal of the chapter is, firstly, to unearth the recent obfuscation strategies employed to hide malware. Secondly, the chapter proposes innovative techniques, implemented as a fully automated tool and experimentally tested, to exhaustively detect hidden malware that leverages system vulnerabilities. Based on these investigations, the chapter also arrives at an information security governance plan that would aid in addressing current and future cybercrime.
