ITSG APPROACHES FOR E-BANKING
We expand important studies (Da Veiga and Eloff, 2007; Rao et al., 2007; Holmquist, 2008) to present the reader with the most commonly used ISG frameworks. The first eight in the row, along with CobiT and ISO 27002, have documented evidence of being direct fits in an e-banking environment (Kondabagil, 2007); however, we also expand into other well-known approaches so as to evaluate (Table 2) which one satisfies ISG objectives more holistically.
We consider for comparison not only common ISG objectives/criteria, such as strategic alignment and value delivery, but also related IS criteria, such as IS awareness programs and compliance, as means to enhance the applicability of an approach to the specific needs of e-banking.
Basel Committee on Banking Supervision
The Basel Committee objective is to formulate broad supervisory standards and guidelines for the banking industry in the areas of system supervision and regulation. The Committee does not possess any formal supranational supervisory authority and does not enforce any kind of compliance; however, it offers comprehensive coverage of Risk Management and ISG issues relating to e-banking such as operational Risk Management, outsourcing, business continuity management, anti-money laundering, privacy of customer information and audit procedures. Specifically, in a 2003 report (Basel Committee, 2003), the Committee describes Risk Management challenges, requirements and principles in the area of e-banking. Risk Management principles for e-banking include
Table 2. ITSG approach/method comparison (scale: yes / partial / no; table body not reproduced)
1. Board and Management oversight,
2. Identification and evaluation of security controls, and
3. Legal and reputational Risk Management principles.
Among the challenges the Committee identifies for e-banking activities are the complex characteristics of the Internet delivery channel, the speed of change driven by customer innovation, and e-banking trends such as outsourcing, all of which alter how these principles apply. Moreover, the Committee, in a series of documents, expects that such principles must be tailored to fit the exact needs of a bank.
The Joint Forum
The Joint Forum is an advisory group formed under the guidance of the Bank for International Settlements, Basel, Switzerland, and consists of three members, namely the Basel Committee on Banking Supervision, the International Organization of Securities Commissions (IOSCO) and the International Association of Insurance Supervisors (IAIS). The Joint Forum mainly provides recommendations for the insurance, securities, and banking industries worldwide, setting high-level principles including Risk Assessment guidelines. Relevant principles about e-banking also refer to the outsourcing of e-banking activities and to the importance of Business Continuity Planning (BCP).
Operationally Critical Threat, Asset, and Vulnerability Assessment (OCTAVE)
OCTAVE stands for the “Operationally Critical Threat, Asset and Vulnerability Assessment,” a risk-based strategic assessment and planning technique for IS developed by the Software Engineering Institute of the Carnegie Mellon University Computer Emergency Response Team. This framework is team-driven, with business departments and IT cooperating to address the security needs of an organization. OCTAVE is also an asset-driven method and visually represents the range of threats identified during the evaluation as tree structures. Currently, there exist three variations of the OCTAVE method, namely the original OCTAVE method as a comprehensive suite of tools, OCTAVE-S for smaller organizations and OCTAVE-Allegro as a streamlined approach for IS and assurance. OCTAVE is based on interactive workshops that accumulate the different knowledge perspectives of the employees, the Board and Executives and other stakeholders, for the purpose of measuring current organizational security practices and developing security improvement strategies and risk mitigation planning (OCTAVE, 2003).
The OCTAVE approach is driven by two aspects: operational risk and security practices. Technology is examined only in relation to security practices. OCTAVE also characterizes certain criteria as a set of principles, attributes, and outputs. Important principles, among others, are the fundamental concepts driving the nature of the evaluation, for example, self-direction, integrated management and open communication. OCTAVE also consists of three phases, namely
Phase 1: Build Asset-Based Threat Profiles (organizational evaluation),
Phase 2: Identify Infrastructure Vulnerabilities (information infrastructure evaluation), and
Phase 3: Develop Security Strategy and Plan (evaluation of mitigation plans).
The OCTAVE methods offer certain benefits: they are self-directed, since the method is guided by stakeholders; flexible, since they can be tailored to suit a unique risk environment; and evolving, since they move the operational risk-based view of security into a business context supporting the organization’s mission and priorities.
Committee of Sponsoring Organizations of the Treadway Commission (COSO)
COSO stands for the “Committee of Sponsoring Organizations of the Treadway Commission,” formed in 1985 to sponsor the National Commission on Fraudulent Financial Reporting (the Treadway Commission), which in 1992 issued the Internal Control - Integrated Framework to help businesses assess and improve their security posture via internal control systems. COSO emphasizes the concept of Enterprise Risk Management (ERM) as a “process effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives” (Committee of Sponsoring Organizations of the Treadway Commission, 2004). In this regard, COSO is an enterprise Risk Management framework with four distinct categories, namely
1. Strategic (high-level business goals aligned with its mission),
2. Operations (effective use of resources),
3. Reporting (in support of documentation) and
4. Compliance (with applicable laws and regulations).
In addition, the ERM framework is built on eight interrelated components namely
1. Internal environment,
2. Objective setting,
3. Event identification,
4. Risk assessment,
5. Risk response,
6. Control activities,
7. Information and communication and
8. Monitoring.
COSO and similar compliant frameworks (such as CobiT) are generally accepted as internal control frameworks for enterprises; CobiT is more widely accepted as an internal control framework for IT specifically. One concern about COSO is its overwhelming scope, which for some organizations or systems, such as e-banking, can appear as a heavy task, especially if they lack a Risk Management culture (Kondabagil, 2007).
Payment Card Industry Data Security Standard (PCI DSS)
PCI DSS is an acronym for the “Payment Card Industry Data Security Standard,” released in 2004 as a joint effort between all major credit card associations to enhance payment account data security by driving education and awareness about cardholder data security. It includes guidelines for user authentication, firewalls, encryption, antivirus measures, policy issues and others (Koons and Minoli, 2010). In other words, PCI DSS is a widely accepted set of policies and procedures intended to optimize the security of credit card holders. The latest version of the standard is PCI DSS 2.0, and institutions compliant with this standard demonstrate to customers that the sensitive credit card information being processed is protected against fraud or financial terrorism. The standard contains twelve major requirements supported by 175 sub-requirements that apply to system components, which are defined as “any element attached to cardholder data environment” (PCI, 2010). The new version supports a prolonged lifecycle of three years (compared to two years in the previous versions) to ensure multiple opportunities for stakeholder input and feedback in order to remain ahead of the threat landscape.
Financial Action Task Force (FATF)
FATF is an acronym for the “Financial Action Task Force,” based in Paris, an inter-governmental body with the purpose of developing and promoting policies to combat money laundering and terrorist financing. The Forty Recommendations were developed in 1996 by FATF as a policy document issued to provide a set of security controls against money laundering, covering areas from criminal justice to law enforcement (FATF, 1996). In 2001, the FATF expanded its mandate to deal with the financing of terrorism by creating the Eight Special Recommendations on Terrorist Financing. These recommendations are a supportive set of countermeasures complementing the Forty Recommendations. The security objective of FATF is to set standards against “dirty” money from corruption, terrorism or tax evasion (Task Force on Financial Integrity and Economic Development, 2011). The purpose is to expand and strengthen a bank’s ability to handle money from high-level political officials, prevent the creation of anonymous companies that cannot be traced to a real person, and stop tax evasion as a trigger crime for money laundering.
Corporate Governance Codes (CGC)
CGC is an acronym for “Corporate Governance Codes,” issued by the European Corporate Governance Institute. Among the most important governance codes is the “Dey Report,” developed in 1994, which recommended 14 best practice guidelines for financial institutions. The guidelines provide directions for the Board of Directors about stewardship, strategic planning, Risk Management and internal audits. Another well-recognized CGC was the Sarbanes-Oxley Act of 2002 in the United States, a legal framework for CG and internal controls. Other CGCs and principles about CG are available as full texts from the website of the European Corporate Governance Institute (www.ecgi.org).
Federal Financial Institutions Examination Council (FFIEC)
FFIEC is an acronym for the “Federal Financial Institutions Examination Council,” an authority established in 1979 with the purpose of setting principles, standards, and report forms for the federal examination of financial institutions. FFIEC guidelines have replaced the previously issued Banking Circulars BC-177 and BC-226 (Brotby, 2009).
The FFIEC publication “Authentication in an Internet Banking Environment” is used by federal financial institutions for compliance with their obligations regarding e-banking systems operability (FFIEC, 2005). The objectives of the publication are to ensure proper identification and assessment of the risks associated with Internet-based services, as well as risk mitigation actions to strengthen authentication controls for e-banking systems. This publication is consistent with the FFIEC “Information Technology Examination Handbook,” which presents generic guidance for assessing information technology (IT) risks including corporate governance, internal audit controls and others.
A Platform for Risk Analysis of Security Critical Systems (CORAS)
CORAS is an acronym for “A Platform for Risk Analysis of Security Critical Systems” and is a model-driven risk analysis method developed by the European Union (EU) for the purpose of improving security during the systems design process (Lund et al., 2010). CORAS uses the Unified Modeling Language (UML) to model the target and to report and document the analysis results. CORAS provides a standard for the safety requirements of high-security information systems, such as e-banking, supporting the Risk Assessment process. The CORAS framework is based on the Australian/New Zealand Standard for Risk Management AS/NZS 4360:2004 and is inspired by the asset-driven strategy of CRAMM. CORAS has eight steps in the risk analysis, namely
1. Preparation for the analysis,
2. Customer presentation of the target,
3. Refining the target description using asset diagrams,
4. Approval of the target description,
5. Risk identification using threat diagrams,
6. Risk estimation using threat diagrams,
7. Risk evaluation using risk diagrams and
8. Risk treatment using treatment diagrams.
CORAS covers an extensive range of security objectives, from business context goals to IS compliance and legal requirements. The main concern about CORAS and other Risk Assessment methods, such as OCTAVE and CRAMM, is that the focus is not on trade-offs and calculated risks, meaning that there has been no prior activity on determining what risks are acceptable based on budget, time and resource constraints (Houmba et al., 2010).
Organization for Economic Co-operation and Development (OECD)
OECD is an acronym for “Organization for Economic Co-operation and Development,” established in 1947; its publication “OECD Principles of Corporate Governance” recommends policies and actions against financial terrorism, tax evasion, money laundering and other actions that can harm the well-being of society. The principles are a living instrument offering non-binding standards and best practices towards the implementation of good CG. Examples of such principles are
1. Ensuring the basis for an effective corporate governance framework,
2. The rights of shareholders and key ownership functions,
3. The equitable treatment of stakeholders,
4. The role of stakeholders,
5. Disclosure and transparency, and
6. The responsibilities of the board.
The OECD also provides a forum in which government policy makers, investors, corporations and other stakeholders worldwide can work together to share experiences and seek solutions to common problems (OECD, 2004).
Information Systems Security Association (ISSA)
ISSA is an acronym for the “Information Systems Security Association,” a not-for-profit international organization of IS professionals and practitioners. The primary goal of the ISSA is to promote management practices that will ensure the confidentiality, integrity and availability of information resources. In 2003 ISSA published GAISP V3.0, the Generally Accepted Information Security Principles project, in an attempt to address the challenges that IS faces in the light of new changes in regulatory compliance and upcoming risks. Among the benefits and goals of the GAISP are
1. comprehensive guidance on good CG practice throughout industry, commerce, and government globally;
2. increasing the effectiveness and efficiency of business, promoting trade and commerce, and improving productivity through good IS practice;
3. enabling certification and self-policing of practitioners against a Common Body of Knowledge (CBK);
4. helping preserve public trust in the ability to leverage modern information technology while avoiding unintended consequences;
5. ensuring global harmonization of culturally diverse IS principles to minimize artificial barriers to the free flow of information that can result from conflicting standards and controls; and
6. promoting increased customer confidence, trust, and acceptance of vendor products conforming to GAISP (GAISP, 2003).
Corporate Information Security Working Group (CISWG)
CISWG is an acronym for the “Corporate Information Security Working Group,” established by Adam H. Putnam in 2003 as an actionable program for the development of information security and compliance metrics to monitor whether or not information security is being effectively managed (CISWG, 2004). The responsibility resides with the Board of Directors/Trustees in its role of adhering to a governance framework. Organizations following the CISWG guidelines should conduct a Risk Assessment with emphasis placed on key corporate assets and functions. While total risk elimination is impossible, risk mitigation strategies should communicate the amount of residual risk, relative to the level of risk tolerance, to executive management in a meaningful way.
ISO/IEC 27005:2008
ISO 27005 is a key IS Risk Management standard that supports the concepts specified in ISO 27001 and is designed to assist the implementation of IS based on a Risk Management approach. ISO 27005 offers general advice for IS Risk Management in an organization, supporting the requirements of an ISMS in conjunction with ISO 27001 and ISO 27002. ISO 27005 is applicable to all types of organizations and systems that intend to manage IT risks that could compromise the organization’s information security. ISO 27005 indicates how a Risk Assessment should be conducted without, however, prescribing a specific method (ISO/IEC 27005:2008).
ISO/IEC 38500:2008
ISO 38500 is a “Corporate Governance of Information Technology” standard with the objective of providing a framework comprising definitions, principles and a model for the Board of Directors to use when evaluating, directing and monitoring the use of IT in their organizations. ISO 38500 is a high-level advisory standard applicable to the governance of management processes (and decisions) relating to the information and communication services used. The purpose of this standard is a) to assure stakeholders of a sound CG program when the standard’s framework is attained, b) to guide directors in governing the use of IT and c) to provide a basis for objective evaluation of the CG of IT. The principles supported by this standard include the responsibility of stakeholders, a Risk Management strategy for the CG of IT and guidelines on human behavior (ISO/IEC 38500:2008).
AS ISO 15489:2002
ISO 15489 is a standard designed to meet records management requirements in businesses and governments. The standard is an Australian codification of the International Standard on Records Management and consists of two parts, namely part 1, which describes the standard itself in general terms, and part 2, which describes guidelines for the implementation of the standard. Specifically, part 1 describes a framework for records management with legal and audit considerations (ISO 15489-1:2001). Part 2 is a technical report that supports part 1 by providing additional guidance on records management policies and on the responsibilities to be defined and assigned to stakeholders (ISO 15489-2:2001). Additionally, the alignment of ISO 27001 to ISO 15489 strengthens the delivery of existing records management systems and their drivers. This is critical for building strong information governance projects, which enable risks to be assessed in an ever-changing information management world (Lomas, 2010).
NIST SP 800-39
NIST Special Publication 800-39 is a standard that describes a Risk Management Framework (RMF) as a structured process for managing risks related to the operation and use of information systems. NIST 800-39 takes a similar approach to ISO/IEC 27001:2005 in Risk Management, with a focus on selecting and documenting security controls for information systems. Additionally, the RMF process describes risk-based protection strategies that support the overall goals and objectives of organizations, can be tightly coupled to enterprise architectures, and can operate effectively within system development life cycles. The RMF is based on a combination of other NIST Special Publications (e.g. NIST SP 800-53, NIST SP 800-70 and NIST SP 800-37) to support the assessment, authorization and monitoring of information systems (NIST SP 800-39, 2011).
In Table 2 we compare each approach against a number of ISG objectives on a three-level scale of fulfillment: “yes,” “partial” and “no.” For example, the Basel Committee on Banking Supervision provides guidelines for monitoring and reporting in e-banking; however, it does not provide performance measurement in the sense of exact metrics. Most of the aforementioned frameworks, standards and Risk Management methods suggest security policies, procedures, and guidelines as key components in order to provide management, support compliance and direct employees as to what behavior is expected. Every single approach has its own strengths and weaknesses, but none covers all ITSG components. Thereby, according to the literature (Rao et al., 2007; Brotby, 2009), customization seems to be a solution when we deal with complex IT environments such as the e-banking environment. This table is intended to outline not only the baseline ISG objectives (namely the first six in the row) but also other objectives related to the concept of ITSG, in order to enforce the applicability of a method in the e-banking domain. Thereby, the ISG objectives and requirements depicted in this table define the internal configuration and management issues for each approach, to a level that is granular enough to be implemented.