A Study of Risk Assessment of Information Assets in Banking Industry — A Case of the Taiwan's Bank
Patrick S. CHEN, Shu-Chiung LIN, S. H. LI and Perry SHI
Department of Information Management, Tatung University, No.40, Sec. 3, Chungshan North Road, Taipei, 104, Taiwan

ABSTRACT

Computer security hacking is rampant, and there are calls for proper configuration of firewalls as a protective means. However, the protection of information assets has to take two factors into account: time and cost. In other words, when it comes to risk assessment, overall protection that does not discriminate between the different security levels of information assets is not only cost-ineffective but also impossible in practice. Only by dividing information assets into different security levels and deciding which security measure fits each security need can we have a rational risk assessment of information assets. The banking industry is apparently no exception to this line of thinking.

Nevertheless, most research reports on the risk assessment of information assets in the banking industry are rarely made public, as a result of the security policies of the financial sector. This paper selects one of Taiwan's major banks as a starting point and seeks to evaluate the effectiveness of its security measures by dividing its information assets into different security levels. Methodologically, the paper adopts the Delphi method; the questionnaires are designed on the basis of the information security management guidelines of BS 7799-1:2000, BS 7799-2:2002 and ISO/IEC TR 13335. The paper chooses 99 information assets that are subject to security concern as targets for risk assessment, and has 7 experts in information security and computer auditing answer the questionnaires with respect to the value of the assets, possible threats, vulnerability and degree of risk. Risks are presented as low, medium and high level, ranging over 9 degrees on the risk scale. The paper reports that one item reaches medium-level risk while the others stay in the low-level area, and it also suggests that enhancing security measures for all assets may end up with a risk degree greater than or equal to 2. A limitation of the research is mentioned in the conclusion, but with the belief that the results of the paper can be of value to academics and security practitioners.

Keywords: Information Assets, Information Security, Risk Assessment, Delphi Method

1. INTRODUCTION

With the rapid development of information technology, all procedures are processed by computers, but information security causes endless trouble. Recently, countless fraud groups have speculated on customers' data because of its significant added value [3]. This puts customers in great danger and causes both the customers and the corresponding banks spectacular losses when customers' data are stolen by fraud groups. An overall observation of the causes that damage and endanger customers' data shows that careless protection and control of customers' data by the organization's systems is the main reason that attracts crimes by interior users or outsiders. Furthermore, e-commerce crimes are heading in the direction of profit-making behaviour [2], and this movement has caused panic and turbulence. Under such revolutionary information technology, enhancing the protection and control of information assets is becoming more and more important and challenging for the banking industry; hence the classification of information assets and risk assessment are the most urgent issues for the security of customers' data. The research first refers to the operational outlines in the handbook of information security management, BS 7799-1 of 2000 [9], the rules for information security management systems, BS 7799-2 of 2002 [10], and the guidelines for the management of IT security, ISO/IEC TR 13335 [19], to formally define "information assets", on which no consistent definition has been reached in academia. This is followed by advised improvements to the information assets with a high level of risk, in order to avoid similar e-commerce crimes and hacking problems happening in the banking industry. To distinguish the results presented by this research, all banks with over $300 billion are the target objects, and the Delphi method is then used to collect and analyse the relevant data. The contributions of the research can be summarized in the following two parts:

1. To discriminate the classes and categories of the information assets of the target banks and then obtain the details of their risk level.
2. To provide advised improvements for the information assets with a high level of risk, based on the evaluation results.

2. BACKGROUND KNOWLEDGE AND LITERATURE REVIEW

The background of the information system of the target banks

The information environment of the major banking industry is divided into two parts, the onstage and the backstage. The onstage consists of PCs with open systems; its main core operation is bookkeeping, stored on a large-scale main server, while the periphery of the onstage processes the non-bookkeeping systems on mid-range/small servers that share the workload with the host server. The backstage is primarily the enclosed large-scale main server on a LAN. It would certainly not be easy for hackers to invade the large-scale main engine from the Internet and obtain massive information assets. Therefore, for all banks with this kind of information environment, interior controls become the main work of the banking industry.

The current situation of the research and the classification of the information assets

The banking industry is one of the most important service industries in the world, and its information assets by rights should draw more attention from the banking industry. However, bank financial materials and information are matters of privacy and secrecy. At present there exists no research specifically aimed at the classification and risk assessment of information property for the banking industry, in domestic or foreign countries. Other research related to information property mainly stresses the following three aspects:

1. The importance of risk analysis to enterprises: Budgen [11] stressed that the risk analysis technique is the guarantee of smooth, excellent engineering; Groom [3] discussed that continual improvement in the protection of information assets is necessary for the security of information technology systems.
2. The development of risk assessment models: Hoqqanvik et al. [18] analysed the ideas of risk held by experts and students to obtain a conceptual model of risk; Wang [1] developed a two-phase method to build up a risk assessment model for critical information assets; Chiu [8] constructed a risk assessment and verification system for information security to simulate the expected loss when the system is under real attack.
3. Risk analysis of information assets in different industries: Hsao [7] suggested that military units holding confidential secrets should enhance the rules restricting the usage of notebooks and flash drives; Chang [4] concluded the alternatives for managing the classification of information assets; Harris [11] proposed pre-service management for telecom enterprises to transform information assets into a competitive core; Zheng [5] built a five-step model to evaluate risk and summarized helpful messages for the management of information security.

With respect to the above statements, discussion of the security issues of information assets has become prevalent. Also, the banking industry relies heavily on information systems, which highlights the importance of classifying information assets. BS 7799, the rules for information security management systems, has been adopted as a security standard by the International Organization for Standardization (ISO). The research hereby adopts the definition from BS 7799-1 to classify assets into four items: information assets, software assets, entity assets and service assets.

The risk management of information assets

The National Institute of Standards and Technology (NIST) [29] constituted a three-step procedure in its Risk Management Guide for Information Technology Systems. The steps that manage the risk of information assets are detailed as follows:

Risk Assessment: Risk is an event combining the possibility and the impact of its happening, and also a specific threat to a possible vulnerability. The main components of risk in information security are asset, vulnerability, threat, likelihood/probability and impact/consequence. NIST states 9 steps, as follows: system characterization, threat identification, vulnerability identification, control analysis, likelihood determination, impact analysis, risk determination, control recommendation and results documentation.

Risk Mitigation: Risk mitigation is the systematic way to reduce the negative impact of risk on the organization.

... company. The research therefore combined two of the methods together to systematically assess the information assets of the banking
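As an added example that is not part of the paper, the scoring and expert-aggregation described above: assets are valued 0..4, threat and vulnerability are rated low/medium/high, an ISO/IEC TR 13335-3 style additive matrix yields the 9-degree (0..8) risk scale, and seven experts' questionnaire answers are combined Delphi-style by median with a spread check for consensus. The additive matrix, the low/medium/high cut-offs and the sample answers are assumptions; the paper's exact scoring rules are not given in this section.

```python
from statistics import median

# Added example, not the paper's code. One information asset is scored on the
# 9-degree scale (0..8) with an ISO/IEC TR 13335-3 style additive matrix
# (asset value 0..4 + threat index + vulnerability index), and several experts'
# answers are combined Delphi-style (median plus a spread check for consensus).
# The additive matrix, the band cut-offs and the sample answers are assumptions
# constructed for illustration.

LEVEL_INDEX = {"low": 0, "medium": 1, "high": 2}

def risk_degree(asset_value, threat, vulnerability):
    """Asset value 0..4 plus threat and vulnerability indices (0..2 each) -> 0..8."""
    if not 0 <= asset_value <= 4:
        raise ValueError("asset value must be in 0..4")
    return asset_value + LEVEL_INDEX[threat] + LEVEL_INDEX[vulnerability]

def risk_level(degree):
    """Map a 0..8 degree to a low/medium/high band (assumed cut-offs)."""
    if degree <= 2:
        return "low"
    return "medium" if degree <= 5 else "high"

def delphi_consensus(ratings, max_spread=2):
    """Median of the experts' ratings, and whether they agree closely enough
    (max-min spread within max_spread) to stop iterating Delphi rounds."""
    spread = max(ratings) - min(ratings)
    return median(ratings), spread <= max_spread

def assess_asset(answers):
    """answers: one (asset_value, threat, vulnerability) tuple per expert.
    Each dimension is aggregated separately, then fed through the matrix."""
    value, v_ok = delphi_consensus([a[0] for a in answers])
    threat, t_ok = delphi_consensus([LEVEL_INDEX[a[1]] for a in answers])
    vuln, u_ok = delphi_consensus([LEVEL_INDEX[a[2]] for a in answers])
    degree = int(round(value)) + int(round(threat)) + int(round(vuln))
    return {"degree": degree, "level": risk_level(degree),
            "consensus": v_ok and t_ok and u_ok}

# Constructed answers from 7 hypothetical experts for two hypothetical assets.
SAMPLE_ANSWERS = {
    "core bookkeeping host": [(4, "medium", "low"), (4, "medium", "low"),
                              (3, "medium", "low"), (4, "medium", "low"),
                              (4, "medium", "medium"), (3, "high", "medium"),
                              (4, "high", "medium")],
    "public product brochure": [(1, "low", "low"), (0, "low", "low"),
                                (1, "low", "low"), (1, "low", "low"),
                                (0, "low", "low"), (1, "low", "low"),
                                (1, "medium", "low")],
}

if __name__ == "__main__":
    for name, answers in SAMPLE_ANSWERS.items():
        print(name, assess_asset(answers))
```

A dimension whose spread exceeds the limit would, in a real Delphi study, be returned to the experts for another round with the group median shown.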