Enterprise Information Systems Security: A Case Study in the Banking Sector

  • Peggy E. Chaudhry
  • Sohail S. Chaudhry
  • Kevin D. Clark
  • Darryl S. Jones
Part of the Lecture Notes in Business Information Processing book series (LNBIP, volume 139)

Abstract

One important module of an Enterprise Information System (EIS) is the development and implementation of the security component of the EIS. Furthermore, this EIS Security structure needs to be monitored through the corporate governance of the firm. Based on a literature review and our previous work, we identified four key pillars of a model for EIS Security. These pillars are Security Policy (e.g., set rules for employee behavior), Security Awareness (e.g., continued education of employees), Access Control (e.g., access linked to employee job function), and Top Level Management Support (e.g., engrain information security into the company’s culture). We explore the relevance of this model using a case study approach by way of interviewing top-level information systems managers in the banking sector. We validate the model using key informant in-depth interviews and qualitative research methods.

Keywords

Enterprise information systems security; conceptual model; banking sector; case study

Copyright information

© IFIP International Federation for Information Processing 2013

Authors and Affiliations

  • Peggy E. Chaudhry (1)
  • Sohail S. Chaudhry (1)
  • Kevin D. Clark (1)
  • Darryl S. Jones (2)
  1. Department of Management and Operations/International Business, Villanova School of Business, Villanova University, Villanova, USA
  2. MBA Program, Villanova School of Business, Villanova University, Villanova, USA