Research proposal

TOPIC: INFORMATION SECURITY IN BANKING SECTOR

Submitted to Lovely Professional University in partial fulfillment of the requirements for the award of the degree of MASTER OF BUSINESS ADMINISTRATION

Submitted by:
Group No. Q-58
Gaurav Bhalla (Roll No. A01)
Nitin Sindhwani (Roll No. A02)
Rajnish Thakur (Roll No. A03)
Tarlok Singh (Roll No. A04)

Supervisor:
Miss Japneet Kaur, Lecturer, Lovely Professional University

DEPARTMENT OF MANAGEMENT
LOVELY PROFESSIONAL UNIVERSITY
PHAGWARA

2012

CONTENTS

1. Introduction
2. Literature Review
3. Need, Objectives and Scope
4. Research Methodology
5. References

CHAPTER 1
Introduction

Information as an asset
Information is an asset that, like other important business assets, is essential to an organization's business and therefore needs to be updated regularly and suitably protected. Since most businesses in the present and recent past have been electronically connected in networks, information security (IS) and its management play a major role. As a result of this existing and ever-increasing interconnectivity, information is now exposed to a growing number and a wide variety of threats and vulnerabilities.

Businesses are vulnerable to various kinds of information risks, inflicting varied damage and resulting in significant losses. This damage can range from errors harming database integrity to fires destroying entire computer centers or facilities. To control IS risks, management needs to anticipate and be aware of the potential threats, risks and resultant loss, and accordingly deploy the necessary controls across the environment. IS is the protection of information from a wide range of threats in order to ensure business continuity, minimize business risk, and maximize the return on investment (ROI), and thereby extend the business opportunities.

Definition: The protection of information and information systems against unauthorized access or modification of information, whether in storage, processing, or transit, and against denial of service to authorized users. Information security includes those measures necessary to detect, document, and counter such threats. Information security is composed of computer security and communications security. Also called INFOSEC.

"Security is like oxygen; when you have it, you take it for granted. But when you don't, getting it becomes the immediate and pressing priority." - Joseph Nye, Harvard University. An IS risk can be defined as any activity or event which threatens the achievement of identified business objectives by compromising

Importance of the Study
All organizations today face a certain level of security risk. It is important to recognise that all organizations accept some level of risk. In fact, the deployment of technologies such as Intrusion Detection and Monitoring acknowledges that a certain level of suspicious or malicious activity is likely to get through. It also acknowledges that there are internal threats (maybe from disgruntled employees, or simply human error) which have to be countered with skill and imagination. Risk is, after all, a tradeoff between the amount of money you wish to spend on counter-measures to protect the estimated value of your assets, as against the perceived level of threat and vulnerability. Security risk is also heavily influenced by time. For example, if a new virus is released for which no patch is available, then the rate of infection is critical. All organizations are subject to security threats. The important thing is that risk is identified, and either a) mitigated, b) transferred, c) insured, or d) clearly documented as a risk acceptance.

This risk increases significantly with factors such as the need to do business over the Internet (which exposes their vulnerabilities), the profile of the organization, and the value of their assets. High profile corporations are under constant threat because of the possible infamy associated with security breaches. Some of the key threats to organizations include:
• Virus, Trojans and Worms
• Phishing
• Pharming
• Email SPAM
• Web Site Defacements
• Denial of Service Attacks (DoS)
• Spoofing
• Identity theft
• War walking, War driving, etc. (Wireless Network Threats)
• Theft of information (e.g. credit card details, source code, biotechnology secrets, etc.)
Hence, this study may prove important and extremely significant as it would provide better insights with regard to updating security personnel. This would definitely enable them to handle any kind of security issue at any given point of time.

THREE PILLARS OF INFORMATION SECURITY
Confidentiality
Integrity
Availability

IMPORTANCE OF INFORMATION SECURITY IN BANKING SECTOR
Information is at the heart of today's business, and the all-pervasive impact of Information Technology in harnessing, collating and processing huge volumes of information is definitive. This is particularly valid for the banking sector, where day-to-day operations are centered on information and information processing, which in turn is highly dependent on technology. Banking as a business involves the management of risks based on a repository of trust extended by the customers. If this objective has to be accomplished, it becomes imperative for all security concerns, especially customer sensitive data, to be addressed in an effective way so as to ensure that the trust levels are well preserved and information assets perform the role that they are supposed to. Security in banks thus assumes significant proportions, comprising physical security in addition to the factors relating to security of Information and Information Systems. While every banker understands the implications of financial risks, the risks arising out of the large scale implementation of technology and IT are not so well defined. In this scenario, the need for ensuring that information is kept confidential, adhering to accepted norms of privacy, and making it available to authorized users at the appropriate time assumes great significance.

Technology implementation has benefited the banks also due to the facilitation of the Reserve Bank, both from the operational and legal perspectives. Keeping pace with time and marshalling international practices, the Reserve Bank had provided the broad framework for many innovative technology based systems. The guidelines on Internet Banking, and the Guidelines for Information Systems Security Audit in 2001, were early initiatives aimed at ensuring safe and secure technology based operations by banks, along with the setting up of systemically important payment and settlement systems such as the Real Time Gross Settlement System (RTGS) and other retail payment systems like the Electronic Clearing Systems (Credit and Debit Clearing), the National Electronic Funds Transfer (NEFT) System, National Electronic Clearing System (NECS), Regional Electronic Clearing System (RECS), etc. In addition, RBI has issued broad guidelines on mobile banking and prepaid (stored) value cards. These have transformed the way of banking, and today's customers have a wide array of options to choose from. All these have safety and security at the heart of the respective systems, all of which have an impact on the reputational risk faced by banks. This conference on "Security Framework in Indian Banks", jointly organized by the Indian Banks' Association and the Data Security Council of India in collaboration with the Institute for Development and Research in Banking Technology as the Knowledge partner, is thus not only appropriate but also of topical relevance to banks.

A major area where IT security assumes significance pertains to the transmission of information using IT as a channel for communication. Traditionally, paper based systems have been subject to certain controls to ensure that the basic requirements pertaining to genuineness, authenticity, etc. are met with. These included verification of signatures, ensuring that there are no corrections, or if there are corrections, that these are authenticated properly, and so on. In the IT-based scenario, these aspects gain greater importance not only because of the speed with which IT based electronic information flows but also on account of the potential havoc that could arise on account of incorrect instructions.

History of information security
• IS Management - A Concept
IS Management is the process used to identify and understand risks to the Confidentiality, Integrity, and Availability of Information and Information Systems.
• Phase Shift of IS
The role of IS has changed during the past few years. The traditional definition of protecting networks and the datacenters has undergone a shift in focus, resulting in the enablement of the businesses with security solutions actually moving the business forward or even to the next step. Hence, it has become obvious that wherever the information goes, security follows; no longer can IS be an afterthought. An increased need for efficiency and productivity, reaching multiple markets and faster time-to-market are a few business benefits which are driving organizations to make IS a part of the organizational DNA. Security is now a way of life and a must-do for businesses in order to survive.

CHAPTER 2
Literature Review

REVIEW OF LITERATURE
The chapter provides further insights regarding the traditional definition of IS and Risk Management along with its historical background. The chapter also defines the scope of Information Systems and IS. This also puts light on the makeover or the phase shift which has occurred in the field of IT. The literature review shows how IS and Risk Management are applicable to banks. The focus area for all organizations, including banks, is the IT spending pattern. The literature review also attempts to focus on the computer frauds that have occurred and their repercussions. The types of computer crimes, their impacts or effects and the victims are explained in the review. It also points out the reason why computer crimes are difficult to prove in a court of law. The review also focuses on drawing the reader's attention towards the understanding of IS at length. Why is it essential to take the responsibility and subdue the threats causing financial losses to the business sector as well as to the national and world economies? In order to achieve this feat it becomes even more important to understand what kinds of attacks are possible and the manner in which they should be dealt with. Due to the scope and limited constraints, this academic research is unable to throw light on all the threats or mention the remedies for them; even so, a wide range of threats have been mentioned below with some actual facts.

Ganesan and Vivekanandan (2009) described a secured hybrid architecture model for internet banking using the Hyperelliptic curve cryptosystem and MD5. Information about financial institutions, their customers, and their transactions is, by necessity, extremely sensitive. Given the open nature of the Internet, doing business via a public network introduces new challenges for security and trustworthiness. Account hijacking and online fraud are growing rapidly. The negative publicity damages consumer trust in the online service. Thus, transaction security is likely to emerge as the biggest concern among the e-bank's account holders.

Sayar and Wolfe (2006): The banking sector was reluctant to use e-commerce applications as they felt that transactions conducted electronically were open to hackers and viruses. As well as being convinced that online services are a mixture of customer insecurities, technology investment costs and a lack of market readiness have all conspired to make e-banking unattractive.

White and Nteli (2004): Study of online banking. Potential customers ranked Internet security and customers' privacy as the most important future challenges that banks are facing. Security has always been an issue, but its scope has changed from mere doubts about the privacy of personal information to worries of financial loss; the selection of an internet banking service provider is affected by security, reliability and privacy.

Friedman et al. (2002): The principal characteristics that inhibit online banking adoption are security and privacy. An interview held on web security showed four screen shots of a browser connecting to a website and asked participants to state if the connection was secure or not secure and to affirm the motivating factor for their appraisal. It was discovered that about 72 participants could not tell if a connection was secure.

Abdulwahed and Yaqoub (2007): Security and privacy, too, has been another important issue in safe use of the internet when conducting financial transactions in Saudi Arabia. A majority of studies highlight the fact that security is the biggest single concern for customers when faced with the decision to use internet banking. Influenced by the imagination-capturing stories of hackers, customers may fear that an unauthorized party will gain access to their online account and serious financial implications will follow. A high level of perceived risk is considered to be a barrier to propagation of new innovations (Ostlund, 1974). Perceived usefulness and perceived Web security have a strong and direct effect on acceptance of internet banking. Security involves protecting users from the risk of fraud and financial loss, which are beyond their control.

Pavlou (2001): Security perceptions are defined as the subjective probability with which consumers believe that their private information will not be viewed, stored and manipulated during transit and storage by inappropriate parties, in a manner consistent with their confident expectations. Security and privacy are among the most challenging problems faced by customers who wish to trade in the e-commerce world. Nowadays, uptake of EC applications in the banking industry is very slow only because security and data confidentiality issues have been a major barrier. Security, in the form of keeping customers safe from an invasion of their privacy, affects trust and satisfaction. Since security is closely related to trust, violations of security norms may backfire in terms of losing customers and negative word of mouth. If companies wish to maintain customer trust, they need to keep their promises regarding security and privacy.

Scope of IS
IS Management defines the controls we must implement to ensure we sensibly manage computer related risk. In other words, the objective and focus of IS Management is to protect and manage the information assets. A basic IS model should encompass Confidentiality, Integrity and Availability; however, there are also additions such as Accountability and Auditability.

Security Management process
IS is the protection of information from a wide range of threats in order to ensure business continuity, minimize business risk, and maximize return on investments and business opportunities.

HOW IS INFORMATION SECURITY APPLICABLE TO BANKS?
"IS is definitely a journey, not a destination--there are always new challenges to meet." -- Chief IS officer at a major financial services corporation

Banking institutions have become 'critical centers of gravity'. A collapse in a banking institution can lead to collapse in the banking sector and cause a huge setback to the economy of the nation, which would also concern the world at large. This makes them more attractive targets for potential adversaries. Potential adversaries could be either malicious or non-malicious. Among them, malicious adversaries would be hackers (including phreakers, crackers, trashers and pirates), insiders, other criminal elements, organized crime, terrorists/cyber terrorists, competitors and disgruntled employees. On the other hand, careless or poorly trained employees would be non-malicious adversaries who, either through lack of training, lack of concern, or lack of attentiveness, pose a threat to the Information Systems. Adversaries would employ attack techniques that could be classified as passive, active, close-in or distribution attacks. Some of them are explained below. Passive attacks involve passive monitoring of communications sent over public media and include monitoring plaintext, decrypting weakly encrypted traffic, and password sniffing and traffic analysis.

Active attacks would include attempts to:
• Circumvent or break security features
• Introduce malicious code (such as computer viruses, Trojans or worms)
• Subvert data or system integrity
• Modify data in transit
• Replay (insertion of data)
• Hijack sessions
• Masquerade as an authorized user
• Exploit vulnerabilities in software that runs with system privileges
• Exploit network trust
• Set in denial of service

CHAPTER 3
Need & Scope

NEED & SCOPE
Need of information security in banking sector: For prevention and protection against these biggest issues in the banking sector:
• Cyber Attacks
• Data Loss Prevention
• Identity and Access Management

Banks have always been and are one of the most important targets for hackers, crackers and cyber criminals. The actual losses on account of IS issues are difficult to estimate. However, 639 companies that responded to the 2005 CSI/FBI Computer Crime and Security Survey reported total losses of $130 million, with viruses, unauthorized access and theft of proprietary information accounting for 80% of it. These losses may lead to the downfall of the banking industry and thus have their impact on the economy. Given the risks, IS should be a top priority of any organization and not just of its IT department.

SCOPE of the Study
IS is a continual imperative for banks, as vulnerabilities in IS and information availability are continuously being exploited in new ways. Security of new technology channels, e.g. e-commerce, online banking and debit cards, needs to be focused on, as an IS breach may lead to potential losses. This becomes even more essential in the light of the increase in fraud related losses in these areas, along with the existing technology and manual transaction processing risks.

CHAPTER 4
Research Objectives

RESEARCH OBJECTIVES
1. To determine the factors which play an important role in information security.
2. To check the effectiveness of information security used in the banking sector.

CHAPTER 5
Research Methodology

RESEARCH METHODOLOGY
• Type of study: The study will be exploratory in nature. The study will give a tentative idea about the situation. The study will be conducted to understand the basic information security risks and their controlling measures in the banking sector.
• Data Collection Procedures:
  • Primary data: A questionnaire is used to collect primary data from respondents. The questionnaire is of the structured type and contains questions relating to the need for and security of information in the banking field.
  • Secondary data: Articles from journals and magazines published from time to time, and through the internet.
• Tools: Questionnaire, Public Interaction

CUSTOMER ANALYSIS PART

Q1. In which bank do you have an account?
[Chart: Bank preference by customer - Public: 35, Private: 15]
INTERPRETATION: The above chart shows that out of 50, 15 people have opened their account in a private bank and 35 people in a public bank.

Q2. Are you satisfied with the security policy of your bank?
[Chart: Satisfaction - Yes: 30, No: 20]
INTERPRETATION: The above chart depicts that out of 50, 30 customers have said that they are satisfied with the security policy of their bank, and 20 customers have said that they are not satisfied with the security policy of their bank.

Q3. Data security in your bank is well managed by proper use of the login facility.
[Chart: Strongly Agree: 10, Agree: 20, Neutral: 5, Disagree: 12, Strongly Disagree: 3]
INTERPRETATION: The above chart depicts that out of 50, 10 customers strongly agree, 20 customers agree, 5 customers are neutral, 12 customers disagree, and 3 customers strongly disagree that the login facility is properly secured.

Q4. Does the bank provide proper security to the database against viruses?
[Chart: Yes: 45, No: 5]
INTERPRETATION: The above chart shows that out of 50, 45 customers have said that their banks provide proper security to the database against viruses, and the remaining 5 have said that their banks do not.

Q5. Your bank keeps a proper mechanism to manage back-dated entries or transactions.
[Chart: Yes: 48, No: 2]
INTERPRETATION: The above chart shows that out of 50, 48 customers have said that their banks keep a proper mechanism to manage back-dated entries or transactions, and only 2 customers have said no.

Q6. Your bank's entries in Information Security are all as per banking standards.
[Chart: Yes: 32, No: 18]
INTERPRETATION: The above chart shows that out of 50, 32 customers have said that yes, all their entries in Information Security are as per banking standards, and 18 customers have said no.

QUESTIONS FROM THE EMPLOYEES

Q1: The bank's security roles and responsibilities are defined according to the bank's information security policy.
[Chart: Yes: 45, No: 5]
INTERPRETATION: According to our research only 5 percent of banks' employees say that roles and responsibilities are not defined, and all the rest agree with the statement. Hence it shows that the implementation of policy regarding information security is mostly perfect, and banks are more conscious and alert for security purposes.

Q2: The bank's security policy makes it clear that all assets must be protected from unauthorized access.
[Chart: Yes / No]
INTERPRETATION: According to our research all banks' employees agreed and accepted that their assets are well protected from unauthorized access; hence it shows how confidentiality, integrity and availability are maintained.

SBI: The Bank takes reasonable care to ensure the security of and prevent unauthorized access to the Internet Banking Services using technology reasonably available to the Bank. The USER would be allotted a User-id and a password (to be used at the time of login) by the BANK in the first instance. The USER will be required to mandatorily change the User-Id and password assigned by the BANK on accessing Internet Banking Services for the first time. As a safety measure the USER shall change the password as frequently as possible, at least once in 90 days. In addition to User-id and Password the BANK may, at its discretion, advise the USER to adopt any other means of authentication including but not limited to smart cards, One Time SMS Password and/or Digital certification issued by Bank, licensed or approved Certifying Authorities or vendors. The USER shall not attempt or permit others to attempt accessing the account information stored in the computers and computer networks of the BANK through any means other than the Internet Banking Services. The User shall not use or permit to use Internet Banking Service or any related service for any illegal or improper purposes.


Q3: Does the bank verify the applicant's curriculum vitae (resume) while recruiting staff?
[Chart: Yes: 30, No: 20]
INTERPRETATION: According to our research 60% of banks duly verify their employees' CVs. The remaining 40% (mostly private organizations) sometimes do not verify them; they simply check certificates and ID proof but do not verify whether these are authentic or duplicate. This is a major cause of loss of information security.

Q5: What database technologies does the Bank use?
[Chart: Oracle: 15, Microsoft SQL: 12, Finacle: 11, Other: 12]
INTERPRETATION: According to our research, Finacle is mostly being used nowadays in most banks, but banks have a mixture: they have more than just checking accounts; there are all kinds of loans, leases, investments, etc., so they have multiple systems. We have Windows, Solaris, Red Hat, some mainframe stuff, even some old AIX, lots of EMC, VMware, Oracle, etc.

RECOMMENDATIONS
• Secure attendance of outsiders with relevant expertise.
• Ratifying that the business strategy is indeed aligned with IT strategy.
• Security measures against Malware:
  • At host level
  • At network level
  • At user level
• E-banking systems should be designed and installed to capture and maintain forensic evidence in a manner that maintains control over the evidence and prevents tampering and the collection of false evidence.
• Failure of critical systems, or interruption of vital business processes, could prevent timely recovery of operations.
• Use Intrusion Detection and Prevention Systems (IDS and IPS). IDS and IPS products are often the primary source of information leading to the identification of an attack. Once an incident has been identified through the use of these tools, it is important to capture that information for the purposes of supporting further mitigation activities, including operational workflow to ensure that the information from these tools is routed to the appropriate response team. IPS products that have detection capabilities should be fully used during an incident to limit any further impact on the organization. Once the attack has been identified, it is essential to enable the appropriate IPS rule sets to block further incident propagation and to support containment and eradication.
• Network Behaviour Analysis (NBA). Network wide anomaly-detection tools will provide data on traffic patterns that are indicative of an incident.

LIMITATIONS
• An expert could be an IS Auditor from an external auditing firm, a management consultant, an IT domain expert, or an expert in the area of audit, who has been appointed by management or by the IS Audit Team.
• A bank should take appropriate measures to identify and authenticate users or IT assets. The required strength of authentication needs to be commensurate with risk. Common techniques for increasing the strength of identification and authentication include the use of strong password techniques (i.e. increased length, complexity, re-use limitations and frequency of change) and increasing the number and/or type of authentication factors used. The period for which authentication is valid would need to be commensurate with the risk.
• The examples where increased authentication strength may be required, given the risks involved, include: administration or other privileged access to sensitive or critical IT assets, remote access through public networks to sensitive assets, and activities carrying higher risk like third-party fund transfers, etc.
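The password controls listed above (increased length, complexity, re-use limitations, frequency of change) and the forced change of a bank-assigned initial password from the SBI terms quoted earlier, as an added worked example in Python; this is not code from the proposal or from any bank, and every policy value except the 90-day change period is an assumption.

```python
"""Password policy checks of the kind the text recommends: increased
length, complexity, re-use limitations and frequency of change, plus the
mandatory change of the bank-assigned initial password.

Added example, not from the proposal or any bank. The policy values are
assumptions except MAX_AGE_DAYS, which follows the quoted SBI terms
("at least once in 90 days"). Only salted PBKDF2 hashes of previous
passwords are kept for the re-use check, never the passwords themselves.
"""
import hashlib
import hmac
import os
import string
from datetime import date

MIN_LENGTH = 12       # assumed policy value
MIN_CLASSES = 3       # assumed: at least 3 of lower, upper, digit, symbol
HISTORY_SIZE = 5      # assumed: the last 5 passwords may not be reused
MAX_AGE_DAYS = 90     # from the SBI terms: change at least once in 90 days
PBKDF2_ROUNDS = 100_000
SALT_LEN = 16


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; returns salt + digest as one byte string."""
    salt = os.urandom(SALT_LEN) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt + digest


def matches(password, stored):
    """Constant-time comparison of a candidate against a stored hash."""
    salt, digest = stored[:SALT_LEN], stored[SALT_LEN:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


def character_classes(password):
    """Number of distinct character classes present (0 to 4)."""
    checks = (
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    )
    return sum(checks)


def check_new_password(candidate, user_id, history):
    """Return the list of policy violations; an empty list means acceptable."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if character_classes(candidate) < MIN_CLASSES:
        problems.append(f"fewer than {MIN_CLASSES} character classes")
    if user_id.lower() in candidate.lower():
        problems.append("contains the user-id")
    if any(matches(candidate, old) for old in history[-HISTORY_SIZE:]):
        problems.append(f"reuses one of the last {HISTORY_SIZE} passwords")
    return problems


def change_required(account, today):
    """True while the bank-assigned initial password is in use, or once the
    current password has reached the permitted change period."""
    if account["initial"]:
        return True
    return (today - account["last_changed"]).days >= MAX_AGE_DAYS


def set_password(account, user_id, new_password, today):
    """Apply a password change if it passes policy; returns the violations."""
    problems = check_new_password(new_password, user_id, account["history"])
    if problems:
        return problems
    history = account["history"] + [hash_password(new_password)]
    account["history"] = history[-HISTORY_SIZE:]   # keep only the re-use window
    account["last_changed"] = today
    account["initial"] = False
    return []


def new_account(bank_assigned_password, issued_on):
    """Account state as issued by the bank: the initial password must be changed."""
    return {
        "history": [hash_password(bank_assigned_password)],
        "last_changed": issued_on,
        "initial": True,
    }


if __name__ == "__main__":
    acct = new_account("Temp-Pass-2012!", date(2012, 1, 2))   # constructed sample
    print("change required at first login:", change_required(acct, date(2012, 1, 2)))
    print("reuse attempt:", set_password(acct, "user01", "Temp-Pass-2012!", date(2012, 1, 2)))
    print("new password:", set_password(acct, "user01", "Strong-Pass-2012!x", date(2012, 1, 2)))
    print("change required after 90 days:", change_required(acct, date(2012, 4, 1)))
```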

SUGGESTIONS
• Automated vulnerability scanning tools need to be used against all systems on their networks on a periodic basis, say monthly or weekly or more frequently.
• Banks should ensure that vulnerability scanning is performed in an authenticated mode (i.e. configuring the scanner with administrator credentials) at least quarterly, either with agents running locally on each end system to analyze the security configuration or with remote scanners that are given administrative rights on the system being tested, to overcome the limitations of unauthenticated vulnerability scanning.
• Banks should compare the results from back-to-back vulnerability scans to verify that vulnerabilities were addressed either by patching, implementing a compensating control, or by documenting and accepting a reasonable business risk.
• Vulnerability scanning tools should be tuned to compare services that are listening on each machine against a list of authorized services. The tools should be further tuned to identify changes over time on systems for both authorized and unauthorized services.
• The security function should have updated status regarding numbers of unmitigated, critical vulnerabilities for each department/division, plan for mitigation, and should share vulnerability reports indicating critical issues with senior management to provide effective incentives for mitigation.
• Each dimension of the IT security risk management framework can be measured by at least one metric to enable the monitoring of progress towards set targets and the identification of trends. The use of metrics needs to be targeted towards the areas of greatest criticality. Generally, it is suggested that effective metrics need to follow the SMART acronym, i.e. specific, measurable, attainable, repeatable and time-dependent.
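The back-to-back scan comparison, the authorized-service check and the per-department count of unmitigated critical findings from the suggestions above, as an added worked example in Python; it is not code from the proposal or from any scanner product, and the hosts, finding ids, ports, departments and the record layout (host, department, finding id, severity) are constructed for this example.

```python
"""Compare two consecutive vulnerability scans, check listening services
against an authorized list, and summarise unmitigated critical findings.

Added example, not part of the proposal. All hosts, finding ids, ports and
departments are constructed sample data; the record layout
(host, department, finding id, severity) is an assumption for this
example, not any scanner's export format.
"""
from collections import Counter

# Constructed: findings from two consecutive scans of the same hosts.
PREVIOUS_SCAN = [
    ("core-db-01", "Core Banking", "FINDING-A", "critical"),
    ("core-db-01", "Core Banking", "FINDING-B", "high"),
    ("web-ib-01", "Internet Banking", "FINDING-C", "critical"),
    ("web-ib-01", "Internet Banking", "FINDING-D", "medium"),
]
CURRENT_SCAN = [
    ("core-db-01", "Core Banking", "FINDING-B", "high"),         # still open
    ("web-ib-01", "Internet Banking", "FINDING-C", "critical"),  # still open
    ("web-ib-01", "Internet Banking", "FINDING-E", "critical"),  # newly found
]

# Constructed: findings closed without a patch, by a compensating control
# or a documented risk acceptance recorded by the security function.
ACCEPTED = {
    ("core-db-01", "FINDING-B"): "compensating control: host firewall rule",
}

# Constructed: TCP ports seen listening in two consecutive service scans,
# and the services authorized for each host.
PREVIOUS_LISTENING = {"core-db-01": {22, 1521, 3389}, "web-ib-01": {22, 443}}
CURRENT_LISTENING = {"core-db-01": {22, 1521}, "web-ib-01": {22, 443, 8080}}
AUTHORIZED = {"core-db-01": {22, 1521}, "web-ib-01": {22, 443}}


def diff_scans(previous, current):
    """Classify each (host, finding) pair as fixed, new or persisting."""
    prev = {(host, fid) for host, _, fid, _ in previous}
    curr = {(host, fid) for host, _, fid, _ in current}
    return {
        "fixed": sorted(prev - curr),
        "new": sorted(curr - prev),
        "persisting": sorted(prev & curr),
    }


def unmitigated(current, accepted):
    """Open findings with neither a patch nor a documented acceptance."""
    return [f for f in current if (f[0], f[2]) not in accepted]


def critical_by_department(findings):
    """Per-department count of unmitigated critical findings for reporting."""
    return Counter(dept for _, dept, _, sev in findings if sev == "critical")


def unauthorized_services(listening, authorized):
    """Listening ports on each host that are not on its authorized list."""
    result = {}
    for host, ports in listening.items():
        extra = ports - authorized.get(host, set())
        if extra:
            result[host] = sorted(extra)
    return result


def service_changes(before, after):
    """Ports opened or closed on each host between two service scans."""
    changes = {}
    for host in sorted(set(before) | set(after)):
        opened = after.get(host, set()) - before.get(host, set())
        closed = before.get(host, set()) - after.get(host, set())
        if opened or closed:
            changes[host] = {"opened": sorted(opened), "closed": sorted(closed)}
    return changes


def report(previous, current, accepted, before, after, authorized):
    """Build the status the security function would share with management."""
    open_findings = unmitigated(current, accepted)
    return {
        "scan_diff": diff_scans(previous, current),
        "unmitigated": open_findings,
        "critical_by_department": dict(critical_by_department(open_findings)),
        "unauthorized_services": unauthorized_services(after, authorized),
        "service_changes": service_changes(before, after),
    }


if __name__ == "__main__":
    summary = report(PREVIOUS_SCAN, CURRENT_SCAN, ACCEPTED,
                     PREVIOUS_LISTENING, CURRENT_LISTENING, AUTHORIZED)
    for key, value in summary.items():
        print(f"{key}: {value}")
```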

CONCLUSION
In our research project we found that all banks use security tools to prevent data from unauthorized access. After doing the research we find that all banks provide proper security to the database against viruses, and all banks' employees agree and accept that their assets are well protected from unauthorized access. But due to loss of data, we suggest that banks take appropriate measures to identify and authenticate users or IT assets. Common techniques for increasing the strength of identification and authentication include the use of strong password techniques (i.e. increased length, complexity, re-use limitations and frequency of change) and increasing the number and/or type of authentication factors used. Scanning tools need to be used against all systems on their networks on a periodic basis, say monthly or weekly or more frequently. All employee data and CVs should be verified in a very effective way, because they are also a reason for loss of information.


QUESTIONNAIRE

Questions for bank's customers
Name: ………………… Bank Name: ………… Age: ………………… Location: …………….

Q1. In which bank do you have an account?
A. Public Bank  B. Private Bank
Q2. Are you satisfied with the security policy of your bank?
A. Yes  B. No
Q3. Data security in your bank is well managed by proper use of the login facility.
A. Strongly Agree  B. Agree  C. Neutral  D. Disagree  E. Strongly Disagree
Q4. Does the bank provide proper security to the database against viruses?
A. Yes  B. No
Q5. Your bank keeps a proper mechanism to manage back-dated entries or transactions.
A. Yes  B. No

Q6. Your bank's entries in Information Security are all as per banking standards.
A. Yes  B. No
Q7. Information Security increases the level of customer satisfaction, hence the increase in the satisfied customer base.
A. No increase in satisfied customer base  B. Less than 10% every year  C. 10% to 20% every year  D. More than 20% every year

Questions for bank employees
Name: ………………… Bank Name: …………………. Location: …………………….

Q1: The bank's security roles and responsibilities are defined according to the bank's information security policy.
A. Yes  B. No
Q2: The bank's security policy makes it clear that all assets must be protected from unauthorized access.
A. Yes  B. No
Q3: Does the bank verify the applicant's curriculum vitae (resume) while recruiting staff?
A. Yes  B. No
Q4: The bank uses firewalls and other security tools for security purposes.
A. Yes  B. No
Q5: What database technologies does the Bank use?
A. Finacle (IBM)  B. Oracle  C. Microsoft SQL  D. Other
