Вы находитесь на странице: 1из 41

Research Project

TOPIC: INFORMATION SECURITY IN BANKING SECTOR

Project TOPIC: INFORMATION SECURITY IN BANKING SECTOR Submitted to Lovely Professional University In partial

Submitted to Lovely Professional University

In partial fulfilment of the requirements for the award of degree

of

MASTER OF BUSINESS ADMINISTRATION

Submitted by:

Group No Q-58

Gaurav Bhalla Roll No A01

Supervisor:

Miss Japneet kaur

Lecturer, Lovely Professional University

DEPARTMENT OF MANAGEMENT

LOVELY PROFESSIONAL UNIVERSITY

2012

TO WHOMSOEVER IT MAY CONCERN

This is to certify that the Synopsis titled “information security in banking sector” carried out by Mr. Gaurav bhalla S/o Dr. Vijay bhalla has been accomplished under my guidance & supervisions a duly registered MBA student of the Lovely Professional University, Phagwara. His Synopsis represents his original work and is worthy of consideration for making for research project

(Name & Signature of the Faculty Advisor)

Date: 27 April 2012

DECLARATION

I GAURAV BHALLA, hereby declare that the work presented herein is genuine work done originally by me and has not been published or submitted elsewhere for the requirement of a degree program. Any literature, data or works done by others and cited within this synopsis has been given due acknowledgement and listed in the reference section.

GAURAV BHALLA

(Student’s name & Signature)

Date: 27 APRIL 2012

PREFACE

“Give a man a fish, he will eat it.

Train a man to fish, he will feed his family.”

The above saying highlights the importance of Practical knowledge. Practical training is an important part of the theoretical studies. It is of an immense importance in the field of management. It offers the student to explore the valuable treasure of experience and an exposure to real work culture followed by the industries and thereby helping the students to bridge gap between the theories explained in the books and their practical implementations.

Research Project plays an important role in future building of an individual so that he/she can better understand the real world in which he has to work in future. The theory greatly enhances our knowledge and provides opportunities to blend theoretical with the practical knowledge.

We have completed the Research Project on Information security in banking sector”. We have tried to cover each and every aspect related to the topic with best of my capability.

We hope research would help many people in the future.

GAURAV BHALLA

ACKNOWLEDGEMENT

I take this opportunity to express my deepest gratitude to my manager and project guide Mr. Sahil Rampal (Asst. Professor, Department of Management, LPU) for his able guidance and support in this phase of transition to this academic life. His support and valuable inputs helped me immensely in completing this project. I am also grateful to Ms. Japneet kaur dhillon (lecturer , Department of Management, LPU) for guiding me through the research portion of the project and for making me understand the concepts of Research work and the technicalities of tests being applied. I extend my heartiest thanks to Mr. Suresh Kashyap (HOD, Lovely School of Management, LPU) for giving me the opportunity to undergo this Research Project. I shall be failing in my duty if I don‟t express my heartiest thanks to my respected parents for providing me every kind of support during the completion of this Project. Last but not the least, I would be honourable to thank all my sincere friends and the people at Lovely Professional University for being so cordial and cooperative throughout the period of this research and at last how can I forget GOD the almighty who is helping everybody at every step.

GAURAV BHALLA

1. Acknowledgement

Declaration

Preface

Executive Summary

1 CHAPTER: Introduction to the Topic

Introduction

Information security

Definition

2. CHAPTER: Review of Literature

TABLE OF CONTENTS

3 . CHAPTER: Need, Objectives, Scope and Methodology

3.1 Need of the Study

3.2 Scope of the Research

3.3 Research Objectives

3.4 Research Methodologies

4. CHAPTER: Objectives Analysis and Findings

5. CHAPTER: Limitations, Conclusion and Recommendations

5.1 Conclusion

5.2 Limitations

5.3 Recommendations

6

CHAPTER: References

7

CHAPTER: Appendix

7.1

Questionnaire

7.2

Glossary

CHAPTER – I INTRODUCTION OF THE TOPIC
CHAPTER – I
INTRODUCTION OF THE TOPIC

Information - As an asset

INTRODUCTION

Information is an asset that, like other important business assets, is essential to a organization„s business and therefore needs to be updated regularly and suitably protected. Since most of the businesses in the present and recent past have been electronically connected in networks, the IS and its management plays a major role. As a result of this existing and ever-increasing interconnectivity, information is now exposed to a growing number and a wide variety of threats and vulnerabilities.

Businesses are vulnerable to various kinds of information risks inflicting varied damage and resulting in significant losses. This damage can range from errors harming database integrity to fires destroying entire computer centres or facilities. To control IS risks, the management needs to anticipate and be aware of the potential threats, risks and resultant loss and accordingly deploy the necessary controls across the environment.

IS is the protection of information from a wide range of threats in order to ensure business continuity, minimize business risk, and maximize the return on investment (ROI) and thereby extend the business opportunities.

Definition- The protection of information and information systems against unauthorized access

or modification of information, whether in storage, processing, or transit, and against denial of service to authorized users. Information security includes those measures necessary to

detect, document, and counter such threats. Information security is composed of computer security and communications security also called INFOSEC.

“Security is like oxygen; when you have it, you take it for granted,

But when you don‟t, getting it becomes the immediate and pressing priority”

- Joseph Nye, Harvard University.

An IS Risk can be defined as any activity or event which threatens the achievement of identified business objectives by compromising

Importance of the Study

All organizations today face a certain level of security risk. In fact, the deployment of technologies such as Intrusion Detection and Monitoring acknowledges that a certain level of suspicious or malicious activity is likely to get through. It also acknowledges that there are internal threats (maybe from disgruntled employees, or simply human error) which have to be countered with skill and imagination.

It is important to recognize that all organizations accept some level of risk. Risk is, after all, a trade off between the amount of money you wish to spend on counter-measures, against the perceived level of threat and vulnerability, to protect the estimated value of your assets. The important thing is that

risk

identified, and either a) mitigated, b) transferred, c) insured, or d) clearly documented as a risk

acceptance.

is

Security risk is also heavily influenced by time. For example, if a new virus is released, for which no patch is available, then the rate of infection is critical. All organizations are subject to security threats, as these expose their

Vulnerabilities. For this increases significantly with factors, such as their need to do business over the Internet, the profile of the organization, and the value of their assets. High profile

Corporations are under constant threat because of the possible infamy associated with security breaches .

Some of the key threats to organizations include:

Virus, Trojans and Worms

Phishing

Email SPAM

Web Site Defacements

Denial of Service Attacks (DoS)

Spoofing

Identity theft

War walking, War driving, etc., (Wireless Network Threats)

Theft of information (e.g. credit card details, source code, biotechnology

Secrets), etc.

Hence, this study may prove important and extremely significant as it would provide better insights

with regards to updating security personnel. This would definitely enable them to handle any kind of

security issues at any given point of time.

THREE PILLAR OF INFORMATION SECURITY

 Confidentiality

 Integrity

 Availability

IMPORTANCE OF INFORMATION SECURITY IN BANKING SECTOR

Information is at the heart of today„s business, and the all-pervasive impact of Information Technology

in harnessing, collating and processing huge volumes of information is definitive. In this scenario, the

need for ensuring that information is kept confidential adhering to accepted norms of privacy and making it available to authorized users at the appropriate time assumes great significance. This is particularly valid for the banking sector where day-to-day operations are cantered on information and information processing, which in turn is highly dependent on Technology. This conference on Security Framework in Indian Banks‖ jointly organized by the Indian Banks„ Association, the Data Security Council of India in collaboration with the Institute for Development and Research in Banking Technology as the Knowledge partner is thus not only appropriate but also of topical relevance to banks.

Banking as a business involves the management of risks based on a repository of trust extended by the customers. If this objective has to be accomplished, it becomes imperative for all security concerns especially customer sensitive data to be addressed in an effective way so as to ensure that the trust levels are well preserved and information assets perform the role that they are supposed to. While every banker understands the implications of financial risks, the risks arising out of the large scale implementation of technology and IT is not so well defined. Security in banks thus assumes significant proportions, comprising physical security in addition to the factors relating to security of Information and Information Systems, all of which have an impact on the reputational risk faced by banks.

Technology implementation has benefited the banks also due to the facilitation of the Reserve Bank -

both from the operational and legal perspectives. In addition, the Reserve Bank had provided the broad

framework for many innovative technology based systems. The guidelines on Internet Banking, and the

Guidelines for Information Systems Security Audit in 2001 were early initiatives aimed at ensuring safe

and secure technology based operations by banks. Keeping pace with time and marshalling

international practices, RBI has issued broad guidelines on mobile banking and prepaid (stored) value

cards. These, along with the setting up of systemically important payment and settlement systems such

as Real Time Gross Settlement System (RTGS) and other retail payment systems like the Electronic

Clearing Systems (Credit and Debit Clearing), the National Electronic Funds Transfer (NEFT) System,

National Electronic Clearing System (NECS), Regional Electronic Clearing System (RECS), have

transformed the way of banking and today„s customers have a wide array of options to choose from.

All these have safety and security at the heart of the respective systems

A major area where IT security assumes significance pertains to the transmission of information using

IT as a channel for communication. Traditionally, paper based systems have been subject to certain

controls

to ensure that the basic requirements pertaining to genuineness, authenticity, etc. are met with. These included verification of signatures, ensuring that there are no corrections, or if there are corrections, these are authenticated properly and so on. In the IT-based scenario, these aspects gain greater importance not only because of the speed with which IT based electronic information flows but also on account of the potential havoc that could arise on account of incorrect instructions.

History of information security

• IS Management - A Concept IS Management is the process used to identify and understand risks to the Confidentiality,

Integrity, and Availability of Information and Information Systems.

• Phase Shift of IS The role of IS has changed during the past few years. The Traditional definition of protecting networks

and the data centres has undergone a shift in focus resulting in the enablement of the businesses with

security solutions actually moving the business forward or even to the next step. Security is now a way

of life and a must-do for businesses in order to survive. Hence, it has become obvious that,

wherever the information goes, security follows no longer can IS be an afterthought. An increased

need for efficiency and productivity, reducing costs, reaching multiple markets and faster time-

to- market are few business benefits which are driving organizations to make IS a part of the

organizational DNA.

Scope of IS

IS Management defines the controls we must implement to ensure we sensibly manage computer related

risk.

Security Management process IS is the protection of information from a wide range of threats in order to ensure business

continuity, minimize business risk, and maximize return on investments and business

opportunities. A basic IS model should encompass Confidentiality, Integrity and Availability;

however there are also additions such as Accountability and Audit ability. In other words the objective

and focus of the IS Management is to protect and manage the Information assets.

HOW IS INFORMATION SECURITY APPLICABLE TO BANKS?

"IS is definitely a journey, not a destination--there are always new challenges to meet."

-- Chief IS officer at a major financial services corporation

Banking Institutions have become critical centres of gravity„. A collapse in the banking

Institution can lead to collapse in the banking sector and cause a huge setback to economy of the

nation, which would also concern world at large. This makes them more attractive targets for

potential adversaries. Potential adversaries could be either malicious or non-malicious. Among

them alicious adversaries would be hackers (including phreakers, crackers, and pirates),

terrorists/ cyber terrorists, organized crime, other criminal elements, competitors and disgruntled

employees. On the other hand, careless or poorly trained employees would be non-malicious

adversaries who either through lack of training, lack of concern, or lack of attentiveness, poses

a threat to the Information Systems. Adversaries would employ attack techniques that could be

classified as passive or active, insider, close-in or distribution attacks. Some of them explained

below. Passive attacks involve passive monitoring of communications sent over public media and

include monitoring plaintext, decrypting weakly encrypted traffic, and password sniffing and

traffic analysis.

TYPES OF ATTACKS

Circumvent or break security features

Introduce malicious code (such as computer viruses, Trojan or worms)

Subvert data or system integrity

Modify data in transit

Replay (insertion of data)

Hijack sessions

Masquerade as authorized user

Exploit vulnerabilities in software that runs with system privileges

Exploit network trust

Set in denial of service

CHAPTER – II REVIEW OF LITERATURE
CHAPTER – II
REVIEW OF LITERATURE

REVIEW OF LITERATURE

The chapter provides further insights regarding the traditional definition of ISand Risk Management alongwith its historical background. This also puts light on the makeover or the phase shift which has occurred in the field of IT. Thechapter also defines the scope of Information Systems and IS. The literature review shows how the IS and Risk Management is applicable to the banks. Why is it essential to take the responsibility and subdue the threats causing the financial losses to the business sector as well as to the national and world economies? In order to achieve this feat it becomes even more important to understand what kinds of attacks are possible and the manner in which they should be dealt with? Due to the scope and limited constraint, this academic research is unable to throw light on a ll the threats or mention the remedies for them. But, even so, a wide range of threats have been mentioned below with some actual facts. The literature review also attempts to focus on the computer frauds that have occurred and their repercussions. It also points out the reason why computer crimes are difficult to prove in a court of law. The types of computer crimes, their impacts or effects and the victims are explained in the review. The review also focuses on drawing the reader‟s attention towards the understanding of IS at length. The focus area for all the organizations, including banks, is the IT spending pattern.

Ganesan and Vivekananda (2009) Described a secured hybrid architecture model for the internet banking using Hyper elliptic curve cryptosystem and MD5 is described. Information about financial institutions, their customers, and their transactions are, by necessity, extremely sensitive; thus, doing business via a public network introduces new challenges for security and trustworthiness. Given the open nature of the Internet, transaction security is likely to emerge as the biggest concern among the e-bank„s account holders. The rapid growth in account hijacking and online fraud are on the rise. The negative publicity damages consumer trust in the online service.

Sayar and Wolfe, (2007). A majority of studies highlight the fact that security is the biggest single concern for customers when

faced with the decision to use internet banking. Security has always been an issue, but its scope has

changed from mere doubts about the privacy of personal information to worries of financial loss the

selection of an internet banking service provider is effected by security, reliability and privacy.

Security, which involves protecting users from the risk of fraud and financial loss, has been

another important issue in safe use of the internet when conducting financial transactions in Saudi

Arabia.

Abdulwahed and Yaqoub,( 2006) The banking sector was reluctant to use e-commerce applications as they felt that transactions

conducted electronically were open to hackers and viruses, which are beyond their control. As

well as convinced that online services are a mixture of customer insecurities, technology

investment costs and a lack of market readiness have all conspired to make e-banking

unattractive

White and Nteli (2004) Study of online banking, potential customer‟s ranked Internet security and customer‟s privacy as

the most important future challenges that banks are facing. Perceived usefulness, perceived Web

security has a strong and direct effect on acceptance of internet banking, too. A high level of

perceived risk is considered to be a barrier to propagation of new innovations (Ostlund, 1974).

Influenced by the imagination-capturing stories of hackers, customers may fear that an

unauthorized party will gain access to their online account and serious financial implications will

follow.

Friedman et. al (2002)

The principal characteristics that inhibit online banking adoption are security and privacy. An

interview held on web security and showed four screen shots of a browser connecting to a website

and asked participants to state if the connection was secure or not secure and to affirm the motivating

factor for their appraisal. It was discovered that about 72 participants cannot tell if a connection is secure

Security and Privacy.

Pavlou (2001). Now day„s uptake of EC applications in the banking industry is very slow only because of security and data confidentiality issues have been a major barrier. Security and privacy are one of the most challenging problems faced by customers who wish to trade in the e-commerce world. Security in the form of keeping customer safe from an invasion of their privacy, affects trust and satisfaction. If company wish to maintain customer trust, they need to keep their promises regarding security and privacy. Since security is closely related to trust, violations of security norms may backfire in terms of losing customers and negative word of mouth. Security perceptions are defined as the subjective probability with which consumers believe that their private information will not be viewed, store and manipulated during transit and storage by inappropriate parties in a manner consistent with their confident expectations.

CHAPTER – III NEED, OBJECTIVE, SCOPE AND METHODOLOGY
CHAPTER – III
NEED, OBJECTIVE, SCOPE AND
METHODOLOGY

NEED & SCOPE

Need of information security in banking sector:

For prevention and protection of these biggest issues in banking sector,

-Cyber Attacks

-Data Loss Prevention

-Identity and Access Management

SCOPE of the Study

IS is a continual imperative for banks as vulnerabilities in IS Information Availability are continuously being exploited in new ways. Security of new technologies channels need to be focused, for e.g.-commerce, online banking and debit cards. This becomes even more essential in the light of increase in fraud related losses in these areas along with the existing technologies and manual transaction processing risks. Banks have always been and are one of the most important targets for hackers, crackers and cyber criminals, as IS breach may lead to potential losses. These losses may lead to downfall of the banking industry and thus have its impact on the economy.

The actual losses on account of ISissues are difficult to estimate. However, 639 companies that responded to the 2005 CSI/FBI Computer Crime and Security Survey reported total losses of $130 million with viruses, unauthorized access and theft of proprietary information accounting for 80% of it. Given the risks, IS should be a top priority of any organization and not just for its IT department.

RESEARCH OBJECTIVES

1. To determine the factors which play the important role in information security

2. To Check the effectiveness of information security used in Banking Sector.

3. To know about how information security policies of bank impacts to the customer perception.

RESEARCH METHODOLOGY

Type of study:

The study will be exploratory in nature. The study will give a tentative idea about the situation. The study will be conducted to understand the basic information security risk and their controlling measures in banking sectors.

Data Collection Procedures:

Primary data:

Questionnaire is used to collect primary data from respondents. The questionnaire is structured type and contained questions relating to need and security of information in banking field.

Secondary data:

Articles from journals, magazines published from time to time.

Through internet.

Tools

 Questionnaire

 PublicInteraction

CHAPTER – IV DISCUSSION ON OBJECTIVES AND FINDINGS
CHAPTER – IV
DISCUSSION ON OBJECTIVES AND
FINDINGS

CUSTOMER ANALYSIS PART

Q.No-1 In which bank you have an account.

Banks Preference by customer

Public Private 30% 70%
Public
Private
30%
70%

INTERPRETATION

Above chart shows that out of 50, 15 people have opened their account in private bank and 35 people in public bank.

Q.No-2 Are you satisfied with security policy of your bank.

satisfaction

Yes No 40% 60%
Yes
No
40%
60%

INTERPRETATION

Above chart depicts that out of 50, 30 customer has said that they satisfied with the security policy of bank, 20 customer has said that they do not satisfied with the security policy of bank.

Q.No-3 Data security in your bank is well managed by proper use of login facility.

1st Qtr Sales 2nd Qtr 3rd Qtr 0% 9% 10% 23% 58% 4th Qtr

1st Qtr

Sales

2nd Qtr 3rd Qtr 0% 9% 10% 23% 58%
2nd Qtr
3rd Qtr
0%
9%
10%
23%
58%
1st Qtr Sales 2nd Qtr 3rd Qtr 0% 9% 10% 23% 58% 4th Qtr

4th Qtr

INTERPRETATION

Above chart depicts that out of 50, 10 customer are strongly Agree,20 customer are agree,5 customer are Neutral,12 customer are Disagree, and 3 customer are strongly disagree with the proper security of login facility.

Q.No-4 Does the bank provided Proper security to the database against viruses

Column3

Yes No 10% 90%
Yes
No
10%
90%

INTERPRETATION

Above chart shows that out of 50,45 customer has said that banks provided proper security to database against viruses and rest of 5 has said that banks are not provided proper security to database against viruses.

Q.No-5 Your bank keeps proper mechanism to manage back date entries or transactions.

Sales Yes No
Sales
Yes
No

4%

96%
96%

INTERPRETATION

Above chart shows that out of 50,48 customer has said that their banks keep proper mechanism to manage back date entries or transactions and only 2 customer has said that no.

Q.No-6 Your bank’s all entries in Information Security are as per banking standards

Column1

Yes NO 36% 64%
Yes
NO
36%
64%

INTERPRETATION

Above chart shows that out of 50,32 customer has said that yes their all entries in Information Security are as per banking standards and 18 customer has said that no.

QUESTIONS FROM THE EMPLOYEES

Q1:The bank’s security roles and responsibilities are defined according to bank’s information security policy.

Series 1 Series 1
Series 1
Series 1
45 5
45
5

YES

NO

INTERPRETATION:

According to our research only 5 percent bank‟s employee says that roles and responsibilities are not defined and rest of all is agreeing with the same, it will shows that mostly implementation of policy are perfect regarding information security and bank are more conscious and alert for the security purpose.

Q2: The bank’s security policy makes it clear that all assets must be protected from unauthorized access.

Sales

YES NO 0% 100%
YES
NO
0%
100%

INTERPRETATION:

According to our research all banks‟ employee are agreed and accepted that their assets are well are protected from unauthorized access , hence it will shows that how maintain confidentiality , integrity and availability

Q3: Does the bank verify the applicant’s curriculum vitae (resume) while recruiting staff?

NO

YES

Series 1 Series 1
Series 1
Series 1
20 30
20
30

INTERPRETATION

According to our research 60% bank duly verify their employee‟ cv Rest 40% (mostly private organization) sometime not verify they simply checks certificates and id proof but not verify that it is authentic or not or duplicate, this is the major cause of loosing of information security.

Q4: What database technologies does the Bank use?

Series 1 Series 1
Series 1
Series 1

15

12 12 11 ORACLE MICROSOFT SQL FINACLE OTHER
12
12
11
ORACLE
MICROSOFT SQL
FINACLE
OTHER

INTERPRETATION:

According to our research mostly finacle are using now a days in mostly banks but Banks have a mixture, they have more than just checking accounts, there are all kinds of loans, leases, investments, etc so they have multiple systems. We have Windows, solaris, redhat, some mainframe stuff even some old AIX, etc. ,Lot of EMC, Oracle, Vmware, etc.

CHAPTER – V LIMITATION, CONCLUSION AND RECOMMENDATION
CHAPTER – V
LIMITATION, CONCLUSION
AND RECOMMENDATION

LIMITATIONS

A bank should take appropriate measures to identify and authenticate users or IT assets. The required strength of authentication needs to be commensurate with risk. Common techniques for increasing the strength of identification and authentication include the use of strong password techniques (i.e. increased length, complexity, re-use limitations and frequency of change) and increasing the number and or type of authentication factors used.

The examples where increased authentication strength may be required, given the risks involved include : administration or other privileged access to sensitive or critical IT assets, remote access through public networks to sensitive assets and activities carrying higher risk like third-party fund transfers, etc. The period for which authentication is valid would need to be commensurate with the risk.

CONCLUSION

In my all research project we all are found that all bank‟s use security tools to prevent the data from

the unauthorized access. After doing the research we find that all banks provided proper security to

database against viruses all banks employee are agreed and accepted that their assets are well are

protected from unauthorized access. But due to lose of data we suggest to bank take appropriate

measures to identify and authenticate users or IT assets. Use Common techniques for increasing the

strength of identification and authentication include the use of strong password techniques (i.e.

increased length, complexity, re-use limitations and frequency of change) and increasing the

number and/or type of authentication factors used.Scanning tools need to be used against all

systems on their networks on a periodic basis, say monthly or weekly or more frequently. All

employee data or cv verify very effective way because they also a reason to lose of information.

SUGGESTIONS

Automated vulnerability scanning tools need to be used against all systems on their networks on a periodic basis, say monthly or weekly or more frequently.

Banks should ensure that vulnerability scanning is performed in an authenticated mode (i.e., configuring the scanner with administrator credentials) at least quarterly, either with agents running locally on each end system to analyze the security configuration or with remote scanners that are given administrative rights on the system being tested, to overcome limitations of unauthenticated vulnerability scanning.

Banks should compare the results from back-to-back vulnerability scans to verify that vulnerabilities were addressed either by patching, implementing a compensating control, or by documenting and accepting a reasonable business risk

Vulnerability scanning tools should be tuned to compare services that are listening on each machine against a list of authorized services. The tools should be further tuned to identify changes over time on systems for both authorized and unauthorized services.

The security function should have updated status regarding numbers of unmitigated, critical vulnerabilities, for each department/division, plan for mitigation and should share vulnerability reports indicating critical issues with senior management to provide effective incentives for mitigation.

Each dimension of the IT security risk management framework can be measured by at least one metric to enable the monitoring of progress towards set targets and the identification of trends. The use of metrics needs to be targeted towards the areas of greatest criticality. Generally, it is suggested that effective metrics need to follow the SMART acronym i.e. specific, measurable, attainable, repeatable and time-dependent.

RECOMMENDATIONS

Secure attendance of outsiders with relevant expertise.

Ratifying that the business strategy is indeed aligned with IT strategy

Use Intrusion Detection and Prevention System (IDS and IPS) - IPS products that have detection capabilities should be fully used during an incident to limit any further impact on the organization. IDS and IPS products are often the primary source of information leading to the identification of an attack. Once the attack has been identified, it is essential to enable the appropriate IPS rule sets to block further incident propagation and to support containment and eradication.

Failure of critical systems, or interruption of vital business processes, could prevent timely recovery of operations.

Security measures against Malware

At host level

At network level

At user level

E-banking systems should be designed and installed to capture and maintain forensic evidence in a manner that maintains control over the evidence, and prevents tampering and the collection of false evidence.

Network Behaviour Analysis (NBA) - Network wide anomaly-detection tools will provide data on traffic patterns that are indicative of an incident. Once an incident has been identified through the use of these tools, it is important to capture that information for the purposes of supporting further mitigation activities, including operational workflow to ensure that the information from these tools is routed to the appropriate response team.

CHAPTER – VI References
CHAPTER – VI
References

REFERENCES

Sayar and Wolfe, (2007), studies highlight the fact that ―security‖ is the biggest single concern

forcustomers”,journalofservicemarketing,vol.12,no.5,pp.334-347availableaturl:http://www.inf

ormationsecutrty.com/Insight/ViewContentServlet?contentType=Article&Filename=Publishe

d/EmeraldFullTextArticle/Articles/0750120501.html

Abdulwahed and Yaqoub,( 2006), “a Survey of Internet users'use e-commerce applications”, journal of interactive marketing, vol. 13, no. 3, pp. 34-54, Series No 54. Available at url:

http://www3.ecommerce.com/journal/70002580

White and Nteli (2004),. Journal ofStudy of online banking,, Vol. 40, Iss. 1/2, p. 29-34 (6 pp.)

International

Journal

of

Internet

Marketing

and

Advertising,

vol.4,

no.4,Pp.281-301.

 

Available

at

url:http://indersonlinebanking.com/app/home/contribution.asp?referrer=parent&backto=issue,1,5;

journal,2,15;linkingpublicationresults,1:110872,1

Pavlou (2001).Web advertising uptake of EC applications in the banking industry”, Journal of

Consumer Marketing, vol.

http://www.ecapplicationt.com/Insight/ViewContentServlet?contentType=Article&Filename=Pub

lished/EmeraldFullTextArticle/Articles/0770180204.html

18,

no.

2,

pp.

134-152.availableat

url:

Electronic books:

 Information security awareness initiatives: Current practice and the measurement of

success, 2007, available at url

http://www.enisa.europa.eu/doc/pdf/deliverables/enisa_measuring_awareness.pdf

 Raising Awareness in Information Security - Insight and Guidance for Member States,

2005,available at url

 Heiser, Jay, Understanding data leakage, Gartner, 21 August 2007.

 BankInfoSecurity.com, 8 September, 2008

Websites:

Article:

 BERR,2008

Information

Security

Breaches

Survey,2008,

available

at url

http://www.security-survey.gov.uk (last visited on 22 July 2008).

 Data-leak security proves to be too hard to use„, Infoworld.com, available at

problem_1.html (last visited on 2 June 2008).

Glossary:

IS- Information security

CHAPTER – VII APPENDIX
CHAPTER – VII
APPENDIX

APPENDIX

QUESTIONS FOR BANK’S CUSTOMER

Name…………………

Bank Name…………

Q1- In which bank you have an account?

A. Public Bank

Q1- In which bank you have an account? A. Public Bank B. Private Bank Age…………………

B. Private Bank

Age…………………

Location…………….

Bank Age………………… Location……………. Q2-Are you satisfied with security policy of your bank? A.

Q2-Are you satisfied with security policy of your bank?

A. Yes

you satisfied with security policy of your bank? A. Yes B. No Q.3- Data security in

B. No

satisfied with security policy of your bank? A. Yes B. No Q.3- Data security in your

Q.3- Data security in your bank is well managed by proper use of login facility.

A - Strongly Agree

B Agree

C Neutral

D Disagree

E - Strongly Disagree

Q.4- Does the bank provided Proper security to the database against viruses.

A. YesB. No

Proper security to the database against viruses. A. YesB. No Q.5- Your bank keep proper mechanism
Proper security to the database against viruses. A. YesB. No Q.5- Your bank keep proper mechanism

Q.5- Your bank keep proper mechanism to manage back date entries or transactions.

A. YesB. No

against viruses. A. YesB. No Q.5- Your bank keep proper mechanism to manage back date entries
against viruses. A. YesB. No Q.5- Your bank keep proper mechanism to manage back date entries
Q.6- Your bank‟s all entries in Information Security are as per banking standards. A. YesB.
Q.6- Your bank‟s all entries in Information Security are as per banking standards.
A. YesB. No
Q.7
Information
Security
increases
the
level
of
customer
satisfaction
hence
increase
in
satisfied customerbase.
A - More than 20% every year.
B - 10% to 20% every year.
C - Less than 10% every year.
D - No Increase in Satisfied Customer base.

QUESTIONS FOR BANK

Emp.Name…………………

Location…………………….

Bank Name………………….

Q1: The bank‟s security roles and responsibilities are defined according to bank‟s information security policy.

A. Yes

Q2: The bank‟s security policy makes it clear that all assets must be protected from unauthorized access

that all assets must be protected from unauthorized access B. No A. Yes B. No Q3:

B. No

all assets must be protected from unauthorized access B. No A. Yes B. No Q3: Does

A. Yes

must be protected from unauthorized access B. No A. Yes B. No Q3: Does the bank

B. No

be protected from unauthorized access B. No A. Yes B. No Q3: Does the bank verify

Q3: Does the bank verify the applicant‟s curriculum vitae (resume) while recruiting staff?

A. Yes

Q4: The bank uses Firewalls and other security tools for the security purposes

Firewalls and other security tools for the security purposes B. No A. Yes Q5: What database

B. No

and other security tools for the security purposes B. No A. Yes Q5: What database technologies

A. Yes

Q5: What database technologies does the Bank use?

No A. Yes Q5: What database technologies does the Bank use? B. No A. oracle B.

B. No

A. oracle

database technologies does the Bank use? B. No A. oracle B. Microsoft SQL C. Finacle (IBM)

B. Microsoft SQL

C. Finacle (IBM)

Bank use? B. No A. oracle B. Microsoft SQL C. Finacle (IBM) D. Other Q6: Your

D. Other

B. No A. oracle B. Microsoft SQL C. Finacle (IBM) D. Other Q6: Your bank provides
B. No A. oracle B. Microsoft SQL C. Finacle (IBM) D. Other Q6: Your bank provides
B. No A. oracle B. Microsoft SQL C. Finacle (IBM) D. Other Q6: Your bank provides

Q6: Your bank provides security against loop false?

A. Yes

No A. oracle B. Microsoft SQL C. Finacle (IBM) D. Other Q6: Your bank provides security

B. NO

No A. oracle B. Microsoft SQL C. Finacle (IBM) D. Other Q6: Your bank provides security