INFORMATION SECURITY IN BANKING SECTOR Capstone-Project PDF
of
Gaurav Bhalla
Roll No A01 Lecturer, Lovely Professional University
DEPARTMENT OF MANAGEMENT
2012
TO WHOMSOEVER IT MAY CONCERN
This is to certify that the Synopsis titled "Information Security in Banking Sector" carried out
by Mr. Gaurav Bhalla, S/o Dr. Vijay Bhalla, has been accomplished under my guidance and
supervision as a duly registered MBA student of the Lovely Professional University, Phagwara.
His Synopsis represents his original work and is worthy of consideration for the
research project.
___________________________________
I, GAURAV BHALLA, hereby declare that the work presented herein is genuine work done
originally by me and has not been published or submitted elsewhere for the requirement of a
degree program. Any literature, data or works done by others and cited within this synopsis have
been given due acknowledgement and listed in the reference section.
GAURAV BHALLA
The above saying highlights the importance of practical knowledge. Practical training is an
important part of theoretical studies and is of immense importance in the field of
management. It offers the student the chance to explore the valuable treasure of experience and
gain exposure to the real work culture followed by industry, thereby helping students to
bridge the gap between the theories explained in books and their practical implementation.
A research project plays an important role in the future building of an individual, so that he or she
can better understand the real world in which he or she has to work in future. The theory greatly
enhances our knowledge and provides opportunities to blend theoretical with practical knowledge.
GAURAV BHALLA
ACKNOWLEDGEMENT
I take this opportunity to express my deepest gratitude to my manager and project guide Mr.
Sahil Rampal (Asst. Professor, Department of Management, LPU) for his able guidance and
support in this phase of transition to this academic life. His support and valuable inputs helped me
immensely in completing this project. I am also grateful to Ms. Japneet Kaur Dhillon (Lecturer,
Department of Management, LPU) for guiding me through the research portion of the project
and for making me understand the concepts of research work and the technicalities of the tests being
applied. I extend my heartiest thanks to Mr. Suresh Kashyap (HOD, Lovely School of
Management, LPU) for giving me the opportunity to undergo this Research Project. I shall be
failing in my duty if I don't express my heartiest thanks to my respected parents for providing
me every kind of support during the completion of this Project. Last but not the least, I would be
honoured to thank all my sincere friends and the people at Lovely Professional University
for being so cordial and cooperative throughout the period of this research, and at last how can I
forget GOD the Almighty, who is helping everybody at every step.
GAURAV BHALLA
TABLE OF CONTENTS
1. Acknowledgement
Declaration
Preface
Executive Summary
Introduction
Information security
Definition
5.1 Conclusion
5.2 Limitations
5.3 Recommendations
6 CHAPTER: References
7 CHAPTER: Appendix
7.1 Questionnaire
7.2 Glossary
CHAPTER I
Information - As an asset
Information is an asset that, like other important business assets, is essential to an organization's
business and therefore needs to be updated regularly and suitably protected. Since most
businesses in the present and recent past have been electronically connected in networks, IS
and its management play a major role. As a result of this existing and ever-increasing
interconnectivity, information is now exposed to a growing number and a wide variety of threats
and vulnerabilities.
Businesses are vulnerable to various kinds of information risks inflicting varied damage and
resulting in significant losses. This damage can range from errors harming database integrity to
fires destroying entire computer centres or facilities. To control IS risks, the management needs to
anticipate and be aware of the potential threats, risks and resultant loss and accordingly deploy the
necessary controls across the environment.
IS is the protection of information from a wide range of threats in order to ensure business
continuity, minimize business risk, and maximize the return on investment (ROI) and thereby
extend the business opportunities.
Definition: The protection of information and information systems against unauthorized access
to or modification of information, whether in storage, processing, or transit, and against denial
of service to authorized users. Information security includes those measures necessary to
detect, document, and counter such threats. Information security, also called INFOSEC, is
composed of computer security and communications security.
"Security is like oxygen; when you have it, you take it for granted,
but when you don't, getting it becomes the immediate and pressing priority."
- Joseph Nye, Harvard University.
An IS Risk can be defined as any activity or event which threatens the achievement of identified
business objectives by compromising
Importance of the Study
All organizations today face a certain level of security risk. In fact, the deployment of technologies
such as Intrusion Detection and Monitoring acknowledges that a certain level of suspicious or
malicious activity is likely to get through. It also acknowledges that there are internal threats
(maybe from disgruntled employees, or simply human error) which have to be countered with skill
and imagination.
It is important to recognize that all organizations accept some level of risk. Risk is, after all, a
trade-off between the amount of money you wish to spend on counter-measures and the perceived
level of threat and vulnerability, to protect the estimated value of your assets. The important thing
is that risk is identified, and either a) mitigated, b) transferred, c) insured, or d) clearly documented
as a risk acceptance.
Security risk is also heavily influenced by time. For example, if a new virus is released for which no
patch is available, then the rate of infection is critical. All organizations are subject to security threats,
as these expose their vulnerabilities. This exposure increases significantly with factors such as the need
to do business over the Internet, the profile of the organization, and the value of its assets. High-profile
corporations are under constant threat because of the possible infamy associated with security breaches.
Hence, this study may prove important and extremely significant, as it would provide better insights
into keeping security personnel up to date. This would enable them to handle any kind of
security issue at any given point of time.
Confidentiality
Integrity
Availability
IMPORTANCE OF INFORMATION SECURITY IN BANKING SECTOR
Information is at the heart of today's business, and the all-pervasive impact of Information Technology
in harnessing, collating and processing huge volumes of information is definitive. In this scenario, the
need to ensure that information is kept confidential, adhering to accepted norms of privacy, and
made available to authorized users at the appropriate time assumes great significance. This is
particularly valid for the banking sector, where day-to-day operations are centred on
information and information processing, which in turn is highly dependent on technology. This
conference on Security Framework in Indian Banks, jointly organized by the Indian Banks'
Association and the Data Security Council of India in collaboration with the Institute for
Development and Research in Banking Technology as the knowledge partner, is thus not only
appropriate but also of topical relevance to banks.
Banking as a business involves the management of risks based on a repository of trust extended by the
customers. If this objective is to be accomplished, it becomes imperative for all security
concerns, especially those involving customer-sensitive data, to be addressed effectively, so as to ensure
that trust levels are well preserved and information assets perform the role they are supposed to. While
every banker understands the implications of financial risks, the risks arising out of the large-scale
implementation of technology and IT are not so well defined. Security in banks thus assumes
significant proportions, comprising physical security in addition to the factors relating to the security of
information and information systems, all of which have an impact on the reputational risk faced by
banks.
Technology implementation has also benefited the banks due to the facilitation of the Reserve Bank,
both from the operational and legal perspectives. In addition, the Reserve Bank had provided the broad
framework for many innovative technology-based systems. The guidelines on Internet Banking, and the
Guidelines for Information Systems Security Audit in 2001, were early initiatives aimed at ensuring safe
and secure technology-based operations by banks. Keeping pace with time and marshalling
international practices, RBI has issued broad guidelines on mobile banking and prepaid (stored) value
cards. These, along with the setting up of systemically important payment and settlement systems such
as the Real Time Gross Settlement System (RTGS) and other retail payment systems like the Electronic
Clearing Systems (Credit and Debit Clearing), the National Electronic Funds Transfer (NEFT) System,
the National Electronic Clearing System (NECS) and the Regional Electronic Clearing System (RECS), have
transformed the way of banking, and today's customers have a wide array of options to choose from.
All of these have safety and security at the heart of the respective systems.
A major area where IT security assumes significance pertains to the transmission of information using
IT as a channel for communication. Traditionally, paper-based systems have been subject to certain
controls to ensure that the basic requirements pertaining to genuineness, authenticity, etc. are met.
These included verification of signatures and ensuring that there are no corrections, or, if there are
corrections, that these are properly authenticated, and so on. In the IT-based scenario, these aspects gain
greater importance, not only because of the speed with which IT-based electronic information flows,
but also on account of the potential havoc that could arise from incorrect instructions.
Phase Shift of IS
The role of IS has changed during the past few years. The traditional definition of protecting networks
and data centres has undergone a shift in focus, resulting in the enablement of businesses, with
security solutions actually moving the business forward or even to the next step. Security is now a way
of life and a must-do for businesses in order to survive. Hence, it has become obvious that,
wherever the information goes, security follows; no longer can IS be an afterthought. An increased
need for efficiency and productivity, reducing costs, reaching multiple markets and faster time-
to-market are a few of the business benefits driving organizations to make IS a part of the
organizational DNA.
Scope of IS
IS Management defines the controls we must implement to ensure we sensibly manage computer-related
risk.
"IS is definitely a journey, not a destination--there are always new challenges to meet."
Banking institutions have become critical centres of gravity. A collapse in a banking
institution can lead to a collapse in the banking sector and cause a huge setback to the economy of the
nation, which would also concern the world at large. This makes them more attractive targets for
potential adversaries. Potential adversaries could be either malicious or non-malicious. Among
them, malicious adversaries would be hackers (including phreakers, crackers, and pirates),
terrorists/cyber terrorists, organized crime, other criminal elements, competitors and disgruntled
employees. On the other hand, careless or poorly trained employees would be non-malicious
adversaries who, through lack of training, lack of concern, or lack of attentiveness, pose
a threat to the information systems. Adversaries would employ attack techniques that could be
classified as passive or active, insider, close-in or distribution attacks. Some of these are explained
below. Passive attacks involve passive monitoring of communications sent over public media and
include monitoring plaintext, decrypting weakly encrypted traffic, password sniffing and
traffic analysis.
TYPES OF ATTACKS
Circumvent or break security features
Introduce malicious code (such as computer viruses, Trojan or worms)
Subvert data or system integrity
Modify data in transit
Replay (insertion of data)
Hijack sessions
Masquerade as authorized user
Exploit vulnerabilities in software that runs with system privileges
Exploit network trust
Cause denial of service
CHAPTER II
REVIEW OF LITERATURE
The chapter provides further insights regarding the traditional definition of IS and Risk
Management, along with its historical background. It also throws light on the makeover, or
phase shift, which has occurred in the field of IT. The chapter also defines the scope of
Information Systems and IS. The literature review shows how IS and Risk Management are
applicable to banks. Why is it essential to take responsibility and subdue the threats
causing financial losses to the business sector as well as to the national and world economies?
In order to achieve this, it becomes even more important to understand what kinds of attacks
are possible and the manner in which they should be dealt with. Due to its limited scope,
this academic research is unable to throw light on all the threats or mention the
remedies for them. Even so, a wide range of threats are mentioned below with
some actual facts. The literature review also attempts to focus on the computer frauds that have
occurred and their repercussions. It also points out why computer crimes are difficult
to prove in a court of law. The types of computer crimes, their impacts or effects and the victims
are explained in the review. The review also focuses on drawing the reader's attention towards
the understanding of IS at length. The focus area for all organizations, including banks, is the
IT spending pattern.
-Cyber Attacks
The actual losses on account of IS issues are difficult to estimate. However, the 639 companies that
responded to the 2005 CSI/FBI Computer Crime and Security Survey reported total losses of
$130 million, with viruses, unauthorized access and theft of proprietary information accounting
for 80% of it. Given the risks, IS should be a top priority of any organization, and not just of
its IT department.
RESEARCH OBJECTIVES
1. To determine the factors which play an important role in information security.
3. To know how the information security policies of a bank impact customer perception.
RESEARCH METHODOLOGY
Type of study:
The study will be exploratory in nature and will give a tentative idea about the situation. It will
be conducted to understand the basic information security risks and their controlling measures in
the banking sector.
Primary data:
A questionnaire is used to collect primary data from respondents. The questionnaire is of a structured
type and contains questions relating to the need for, and security of, information in the banking field.
Secondary data:
Through internet.
Tools
Questionnaire
Public Interaction
CHAPTER IV
[Chart: type of bank in which respondents hold their account. Private bank 30%, public bank 70%.]
INTERPRETATION
The above chart shows that, out of 50 respondents, 15 have opened their account in a private bank
and 35 in a public bank.
[Chart: satisfaction with the bank's security policy. Yes 60%, No 40%.]
INTERPRETATION
The above chart depicts that, out of 50 respondents, 30 customers said that they are satisfied with the
security policy of their bank and 20 said that they are not satisfied with it.
Q.No-3 Data security in your bank is well managed by proper use of login facility.
[Chart: distribution of responses; the chart's own labels are not recoverable, the counts are given below.]
INTERPRETATION
The above chart depicts that, out of 50 respondents, 10 customers strongly agree, 20 agree, 5 are
neutral, 12 disagree and 3 strongly disagree that the login facility is properly secured.
Q.No-4 Does the bank provide proper security to the database against viruses?
[Chart: Yes 90%, No 10%.]
INTERPRETATION
The above chart shows that, out of 50 respondents, 45 customers said that their bank provides proper
security to the database against viruses and the remaining 5 said that it does not.
Q.No-5 Your bank keeps a proper mechanism to manage back-dated entries or transactions.
[Chart: Yes 96%, No 4%.]
INTERPRETATION
The above chart shows that, out of 50 respondents, 48 customers said that their bank keeps a proper
mechanism to manage back-dated entries or transactions and only 2 said that it does not.
Q.No-6 All entries in your bank's Information Security are as per banking standards.
[Chart: Yes 64%, No 36%.]
INTERPRETATION
The above chart shows that, out of 50 respondents, 32 customers said that all entries in their bank's
Information Security are as per banking standards and 18 said that they are not.
QUESTIONS FROM THE EMPLOYEES
Q1: The bank's security roles and responsibilities are defined according to the bank's
information security policy.
[Chart: Yes 45, No 5.]
INTERPRETATION:
According to our research, only 5 percent of bank employees say that roles and responsibilities are
not defined, and all the rest agree that they are. This shows that implementation of the information
security policy is mostly in place and that banks are conscious of and alert to security.
Q2: The bank's security policy makes it clear that all assets must be protected from
unauthorized access.
[Chart: Yes 100%, No 0%.]
INTERPRETATION:
According to our research, all bank employees agree and accept that their assets are well
protected from unauthorized access; this shows how confidentiality, integrity and availability
are maintained.
Q3: Does the bank verify the applicant's curriculum vitae (resume) while recruiting staff?
[Chart: Yes 30, No 20.]
INTERPRETATION
According to our research, 60% of banks duly verify their employees' CVs. The remaining 40% (mostly
private organizations) sometimes do not verify them: they simply check certificates and ID proof
without verifying whether these are authentic or duplicate. This is a major cause of loss of
information security.
[Chart: bar chart with values 15, 12, 11 and 12; the category labels are not recoverable.]
INTERPRETATION:
According to our research, Finacle is now used in most banks, but banks have a mixture of systems:
they have more than just checking accounts, with all kinds of loans, leases, investments, etc., so
they run multiple systems. These include Windows, Solaris, Red Hat, some mainframe systems and
even some old AIX, along with a lot of EMC, Oracle, VMware, etc.
CHAPTER V
LIMITATION, CONCLUSION
AND RECOMMENDATION
LIMITATIONS
A bank should take appropriate measures to identify and authenticate users or IT assets. The
required strength of authentication needs to be commensurate with risk. Common techniques for
increasing the strength of identification and authentication include the use of strong password
techniques (i.e. increased length, complexity, re-use limitations and frequency of change) and
increasing the number and/or type of authentication factors used.
Examples where increased authentication strength may be required, given the risks involved,
include: administration or other privileged access to sensitive or critical IT assets, remote access
through public networks to sensitive assets, and activities carrying higher risk such as third-party fund
transfers. The period for which authentication is valid would also need to be commensurate with
the risk.
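The two ideas above, authentication strength commensurate with risk and strong-password techniques (length, complexity, re-use limits, change frequency), can be expressed as a small policy check. The Python below is an added example written for this page; it is not code from the project or from any bank's system. The risk indicators, the factor counts, the session periods and the password thresholds are illustrative assumptions.

```python
"""Added example (not from the project): risk-commensurate authentication
requirements and a strong-password policy check. All thresholds are assumptions."""
from dataclasses import dataclass
from datetime import date
import hashlib
import re


@dataclass
class AccessContext:
    """Risk indicators named in the text; each defaults to the low-risk case."""
    privileged: bool = False             # administration / privileged access to critical IT assets
    remote_public_network: bool = False  # remote access through a public network
    third_party_transfer: bool = False   # higher-risk activity such as a third-party fund transfer


def authentication_requirements(ctx: AccessContext) -> tuple:
    """Return (number_of_factors, session_validity_minutes) commensurate with risk.
    Assumed policy: one factor and an 8-hour session for ordinary internal access,
    a second factor for any risk indicator, and a short session when several apply."""
    indicators = sum([ctx.privileged, ctx.remote_public_network, ctx.third_party_transfer])
    if indicators == 0:
        return 1, 480
    if indicators == 1:
        return 2, 60
    return 2, 15


@dataclass
class PasswordPolicy:
    """Illustrative strong-password parameters: length, complexity, re-use, change frequency."""
    min_length: int = 12
    min_classes: int = 3      # of lower-case, upper-case, digit, symbol
    history_depth: int = 5    # the last N passwords may not be re-used
    max_age_days: int = 90


def digest(password: str) -> str:
    """Digest used only to compare against the password history in this example.
    A real password store must use a slow, salted hash (e.g. bcrypt or Argon2);
    SHA-256 is used here only to keep the example dependency-free."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def character_classes(password: str) -> int:
    """Count how many of the four character classes the password contains."""
    patterns = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
    return sum(1 for p in patterns if re.search(p, password))


def check_password(new_password: str, history: list,
                   policy: PasswordPolicy = PasswordPolicy()) -> list:
    """Return the list of policy violations for a proposed password (empty = compliant).
    `history` is a list of digests of earlier passwords, oldest first."""
    problems = []
    if len(new_password) < policy.min_length:
        problems.append("too short")
    if character_classes(new_password) < policy.min_classes:
        problems.append("insufficient complexity")
    if digest(new_password) in history[-policy.history_depth:]:
        problems.append("reused")
    return problems


def password_expired(last_changed_iso: str, today_iso: str,
                     policy: PasswordPolicy = PasswordPolicy()) -> bool:
    """True when the password (dates as ISO strings) is older than the maximum age."""
    age = date.fromisoformat(today_iso) - date.fromisoformat(last_changed_iso)
    return age.days > policy.max_age_days


if __name__ == "__main__":
    # Constructed sample: a third-party transfer initiated over a public network.
    print(authentication_requirements(AccessContext(remote_public_network=True,
                                                    third_party_transfer=True)))
    history = [digest("Old-Passw0rd!1"), digest("Old-Passw0rd!2")]  # constructed history
    print(check_password("Old-Passw0rd!2", history))
    print(check_password("Correct-Horse-7", history))
    print(password_expired("2012-01-01", "2012-04-15"))
```

The decision function keeps the number of factors and the session length together because the text treats them as two faces of the same risk judgement; in a real deployment the thresholds would come from the bank's policy rather than the constants assumed here.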
CONCLUSION
In this research project we found that all banks use security tools to prevent unauthorized access to
data. After doing the research we find that all banks provide proper security to the database against
viruses, and all bank employees agree and accept that their assets are well protected from unauthorized
access. But because data is still lost, we suggest that banks take appropriate measures to identify and
authenticate users or IT assets. Common techniques for increasing the strength of identification and
authentication include the use of strong password techniques (i.e. increased length, complexity,
re-use limitations and frequency of change) and increasing the number and/or type of
authentication factors used. Scanning tools need to be used against all systems on their networks
on a periodic basis, say monthly or weekly or more frequently. All employee data and CVs should be
verified in a very effective way, because they are also a cause of loss of information.
SUGGESTIONS
Automated vulnerability scanning tools need to be used against all systems on their networks on a
periodic basis, say monthly or weekly or more frequently.
Banks should ensure that vulnerability scanning is performed in an authenticated mode (i.e.,
configuring the scanner with administrator credentials) at least quarterly, either with agents
running locally on each end system to analyze the security configuration or with remote scanners
that are given administrative rights on the system being tested, to overcome limitations of
unauthenticated vulnerability scanning.
Banks should compare the results from back-to-back vulnerability scans to verify that
vulnerabilities were addressed either by patching, by implementing a compensating control, or by
documenting and accepting a reasonable business risk.
Vulnerability scanning tools should be tuned to compare services that are listening on each
machine against a list of authorized services. The tools should be further tuned to identify changes
over time on systems for both authorized and unauthorized services.
The security function should have updated status regarding numbers of unmitigated, critical
vulnerabilities, for each department/division, plan for mitigation and should share vulnerability
reports indicating critical issues with senior management to provide effective incentives for
mitigation.
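The three suggestions above (comparing back-to-back scans against the three allowed dispositions, checking listening services against an authorized list and tracking their changes over time, and reporting unmitigated critical findings per department) can be implemented over scanner output. The Python below is an added example written for this page, not code from the project or from any scanning product. The scan records, host names, port lists, department names and field names are constructed samples in a hypothetical simplified format; the finding identifiers are placeholders.

```python
"""Added example (not from the project): comparing back-to-back vulnerability scans,
checking listening services against an authorized list, tracking service changes over
time, and counting unmitigated critical findings per department. The scan records,
host names and field names are constructed samples, not a real scanner's format."""
from collections import Counter

# Constructed sample findings from two consecutive scans. Each record names the host,
# the department that owns it, a finding id (placeholder) and a severity.
PREVIOUS_SCAN = [
    {"host": "core-db-01", "dept": "Core Banking", "id": "VULN-0001", "severity": "critical"},
    {"host": "core-db-01", "dept": "Core Banking", "id": "VULN-0002", "severity": "medium"},
    {"host": "web-01", "dept": "Internet Banking", "id": "VULN-0003", "severity": "critical"},
]
CURRENT_SCAN = [
    {"host": "core-db-01", "dept": "Core Banking", "id": "VULN-0001", "severity": "critical"},
    {"host": "web-01", "dept": "Internet Banking", "id": "VULN-0004", "severity": "critical"},
]
# Findings for which a compensating control or a documented risk acceptance is on file.
ACCEPTED = {("core-db-01", "VULN-0001")}


def compare_scans(previous, current, accepted):
    """Classify findings across two scans: resolved (no longer reported), new, persisting
    with a documented acceptance, and persisting with no recorded disposition at all."""
    prev = {(f["host"], f["id"]) for f in previous}
    curr = {(f["host"], f["id"]) for f in current}
    persisting = prev & curr
    return {
        "resolved": sorted(prev - curr),
        "new": sorted(curr - prev),
        "persisting_accepted": sorted(persisting & accepted),
        "persisting_unaddressed": sorted(persisting - accepted),
    }


def unmitigated_critical_by_department(current, accepted):
    """Count critical findings per department that have neither been fixed nor accepted,
    the figure the security function would report to senior management."""
    counts = Counter()
    for f in current:
        if f["severity"] == "critical" and (f["host"], f["id"]) not in accepted:
            counts[f["dept"]] += 1
    return dict(counts)


# Constructed listening-port inventories (host -> set of TCP ports) as a scanner would
# record them, and the authorized-service list they are compared against.
AUTHORIZED = {"core-db-01": {22, 1521}, "web-01": {22, 443}}
PREVIOUS_LISTENING = {"core-db-01": {22, 1521}, "web-01": {22, 80, 443}}
CURRENT_LISTENING = {"core-db-01": {22, 1521, 8080}, "web-01": {22, 443}}


def unauthorized_services(listening, authorized):
    """Ports listening on each host that are not on that host's authorized list."""
    result = {}
    for host, ports in listening.items():
        extra = ports - authorized.get(host, set())
        if extra:
            result[host] = sorted(extra)
    return result


def service_changes(previous, current):
    """Services that started or stopped listening between two scans, authorized or not."""
    changes = {}
    for host in sorted(set(previous) | set(current)):
        before = previous.get(host, set())
        after = current.get(host, set())
        if before != after:
            changes[host] = {"started": sorted(after - before),
                             "stopped": sorted(before - after)}
    return changes


if __name__ == "__main__":
    print(compare_scans(PREVIOUS_SCAN, CURRENT_SCAN, ACCEPTED))
    print(unmitigated_critical_by_department(CURRENT_SCAN, ACCEPTED))
    print(unauthorized_services(CURRENT_LISTENING, AUTHORIZED))
    print(service_changes(PREVIOUS_LISTENING, CURRENT_LISTENING))
```

A finding that disappears between scans is only "resolved" from the scanner's point of view; the `persisting_unaddressed` bucket is the one that needs a decision, since it is neither fixed nor covered by a documented acceptance. Service changes are reported for authorized services too, so that an expected service silently stopping is noticed as well as an unexpected one starting.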
Each dimension of the IT security risk management framework can be measured by at least one
metric to enable the monitoring of progress towards set targets and the identification of trends.
The use of metrics needs to be targeted towards the areas of greatest criticality. Generally, it is
suggested that effective metrics need to follow the SMART acronym i.e. specific, measurable,
attainable, repeatable and time-dependent.
RECOMMENDATIONS
REFERENCES
Sayar and Wolfe (2007), "Studies highlight the fact that security is the biggest single concern for
customers", Journal of Service Marketing, vol. 12, no. 5, pp. 334-347. Available at URL:
http://www.informationsecutrty.com/Insight/ViewContentServlet?contentType=Article&Filename=Published/EmeraldFullTextArticle/Articles/0750120501.html
White and Nteli (2004), Journal of Study of Online Banking, vol. 40, iss. 1/2, pp. 29-34 (6 pp.).
Friedman et al. (2002), "Web users' online banking adoption: security and privacy toward
online advertising", International Journal of Internet Marketing and Advertising, vol. 4,
no. 4, pp. 281-301. Available at URL:
http://indersonlinebanking.com/app/home/contribution.asp?referrer=parent&backto=issue,1,5;journal,2,15;linkingpublicationresults,1:110872,1
Electronic books:
Information security awareness initiatives: Current practice and the measurement of
success, 2007, available at url
http://www.enisa.europa.eu/doc/pdf/deliverables/enisa_measuring_awareness.pdf
Raising Awareness in Information Security - Insight and Guidance for Member States,
2005,available at url
http://www.enisa.europa.eu/doc/pdf/deliverables/enisa_cd_awareness_raising.pdf
Heiser, Jay, Understanding data leakage, Gartner, 21 August 2007.
BankInfoSecurity.com, 8 September, 2008
Article:
BERR,2008 Information Security Breaches Survey,2008, available at url
http://www.security-survey.gov.uk (last visited on 22 July 2008).
http://www.infoworld.com/article/08/03/06/10NF-data-loss-prevention-problem_1.html (last visited on 2 June 2008).
http://www.bankinfosecurity.com/articles.php?art_id=960andrf=090908eb
Glossary:
IS- Information security
CHAPTER VII
APPENDIX
Name Age
A. Yes B. No
Q.3- Data security in your bank is well managed by proper use of login facility.
A. Strongly Agree
B. Agree
C. Neutral
D. Disagree
E. Strongly Disagree
Q.4- Does the bank provide proper security to the database against viruses?
A. Yes B. No
Q.5- Your bank keeps a proper mechanism to manage back-dated entries or transactions.
A. Yes B. No
Q.6- All entries in your bank's Information Security are as per banking standards.
A. Yes B. No
Q.7 Information Security increases the level of customer satisfaction, hence an increase in the
satisfied customer base.
Location.
Q1: The banks security roles and responsibilities are defined according to banks information
security policy.
A. Yes B. No
Q2: The banks security policy makes it clear that all assets must be protected from unauthorized
access
A. Yes B. No
Q3: Does the bank verify the applicants curriculum vitae (resume) while recruiting staff?
A. Yes B. No
Q4: The bank uses Firewalls and other security tools for the security purposes
A. Yes B. No
Q5: What database technologies does the Bank use?
A. Oracle B. Microsoft SQL
A. Yes B. NO