With the regulations changing rapidly across the globe the financial sector has undergone massive changes in terms of People, Process and Technology to secure their operations and retain the customer base. Security management has today turned out to be of primary considerations by financial institutions and risk management controls are now being aligned with proper organizational strategies and policies to ensure higher levels of security controls.

The security issue is as important for banks secure their information for banks, because they are the main money suppliers in the economy. The country’s economic strength and security is based on the well formed banking system. So, providing the coherent information security policy is very important.

State economic security is a complex and multifactorial system which presents a material basis for the formation of other components of national security. The economic security assurance is one of the primary problems of the state, as the emergence of the numerous socio-economic problems in the country, as a rule, is conditioned by state's failure to take preventive measures or not implementing them in time. Hence, the state must provide such a level of security which will guarantee internal and external stability, necessary for normal economic functioning, active participation of country in the international division of labor and competitiveness, at the same time it will provide a ground to ensure a sufficient level of security. Generally the economic security of the state acts as a system whose main functions are divided into five groups: protective, regulatory, warning, innovative and social [1].

What is the security in general; and what kind of dangers can threaten the banks security?

Banks are obviously a high-profile target. The data they gather about their customers – both individuals and businesses – is extremely valuable to hackers looking to carry out an easy phishing attack, for example. Because their data is so valuable, they have to be aware of the risks and ready to protect it.

In general, security is “the quality or state of being secure _ to be free from danger.” In other words, protection against adversaries _ from those who would do harm, intentionally or otherwise _ is the objective. National security, for example, is a multilayered system that protects the sovereignty of a state, its assets, its resources, and its people. Achieving the appropriate level of security for an organization also requires a multifaceted system. A successful organization should have the following multiple layers of security in place to protect its operations:

Physical security, to protect physical items, objects, or areas from unauthorized access and misuse;

Personnel security, to protect the individual or group of individuals who are authorized to access the organization and its operations;

Operations security, to protect the details of a particular operation or series of activities;

Communication security, to protect communications media, technology, and content;

Network security, to protect networking components, connections, and contents;

Information security, to protect the confidentiality, integrity and availability of information assets, in storage, processing, or transmission. It is achieved via the application of policy, education, training and awareness, and technology.

Each organization must prioritize the threats it faces, based on the particular security situation in which it operates, its organizational strategy regarding risk, and the exposure levels at which its assets operate.

Organizations often purchase or lease the intellectual property of other organizations, and must abide by the purchase or licensing agreement for its fair and responsible use. The most common IP breach is the unlawful use or duplication of software-based intellectual property, more commonly known as software piracy. This could be the reason for appearing backdoors in the bank's computer system. That will make banks vulnerable to hackers. This of course will leave banks and its clients in loss.

Most piracy software is referred to as malicious code or malicious software, or sometimes malware. These software components or programs are designed to damage, destroy, or deny service to the target systems. Some of the more common instances of malicious code are viruses and worms, Trojan horses, logic bombs, and back doors.

One of the most common methods of virus transmission is via e-mail attachment files. Most banks block the e-mail attachments of certain types and also filter all e-mail for known viruses. In earlier times, viruses were slow-moving creatures that transferred viral payloads through the cumbersome movement of diskettes from system to system. Now, computers are networked, and e-mail programs prove to be fertile ground for computer viruses unless suitable controls are in place. The current software marketplace has several established vendors, such as Symantec Norton Anti-Virus, and McAfee VirusScan, that provide applications to assist in the control of computer viruses.

To protect banks information security it`s important to identify its information assets. After identified the organization’s information assets and the threats and vulnerabilities, it can be evaluated the relative risk for each of the vulnerabilities. This process is called risk assessment. Risk assessment assigns a risk rating or score to each information asset. While this number does not mean anything in absolute terms, it is useful in gauging the relative risk to each vulnerable information asset and facilitates the development of comparative ratings later in the risk control process.

Likelihood is the probability that a specific vulnerability will be the object of a successful attack. In risk assessment, you assign a numeric value to likelihood. Whenever possible, use external references for likelihood values that have been reviewed and adjusted for your specific circumstances. Many asset/vulnerability combinations have sources for likelihood, for example: The likelihood of a fire has been estimated actuarially for each type of structure. The likelihood that, any given e-mail contains a virus or worm has been researched. The number of network attacks can be forecast based on how many assigned network addresses the organization has.

For each threat and its associated vulnerabilities that have residual risk, you must create a preliminary list of potential controls. Residual risk is the risk to the information asset that remains even after the application of controls. As we know controls, safeguards, and countermeasures are terms for security mechanisms, policies, and procedures. These mechanisms, policies, and procedures counter attacks, reduce risk, resolve vulnerabilities, and otherwise improve the general state of security within an organization.

There are three general categories of controls: policies, programs, and technologies. Policies are documents that specify an organization’s approach to security. There are four types of security policies: general security policies, program security policies, issue-specific policies, and systems-specific policies. The general security policy is an executive-level document that outlines the organization’s approach and attitude toward information security and relates the strategic value of information security within the organization. This document, typically created by the CIO in conjunction with the CEO and CISO, sets the tone for all subsequent security activities. The program security policy is a planning document that outlines the process of implementing security in the organization. This policy is the blueprint for the analysis, design, and implementation of security. Issue-specific policies address the specific implementations or applications of which users should be aware. These policies are typically developed to provide detailed instructions and restrictions associated with security issues. Examples include policies for Internet use, e-mail, and access to the building. Finally, systems-specific policies address the particular use of certain systems. This could include firewall configuration policies, systems access policies, and other technical configuration areas. Programs are activities performed within the organization to improve security. These include security education, training, and awareness programs. Chapter 5 covers all of these policies in detail.

Security technologies are the technical implementations of the policies defined by the organization.  One particular approach to control is fundamental to the processes of information security. Access control is often considered a simple function of the information system that uses it. In fact the principles of access control apply to physical control and other kinds of systems unrelated to IT.

By the end of the risk assessment process, you probably have in hand long lists of information assets with data about each of them. The goal so far has been to identify the information assets that have specific vulnerabilities and list them, ranked according to those most needing protection. In preparing this list, you collected and preserved a wealth of factual information about the assets, the threats they face, and the vulnerabilities they expose. You should also have collected some information about the controls that are already in place.

The best way to avoid the Information leakage from the banks is choosing the correct defense strategy.  Before deciding on the strategy (defend, transfer, mitigate, accept, or terminate) for a specific vulnerability, the organization must explore all the economic and noneconomic consequences of the vulnerability facing the information asset. This is an attempt to answer the question, “What are the actual and perceived advantages of implementing a control as opposed to the actual and perceived disadvantages of implementing the control?” Risk control involves selecting one of the five risk control strategies for each vulnerability. The flowchart in Figure 2 shows the process of deciding how to proceed with one of the five strategies. As shown in the diagram, after the information system is designed, question is arising whether the protected system has vulnerabilities that can be exploited. If the answer is yes and a viable threat exists, it`s possible to begin examining what the attacker would gain from a successful attack. To determine if the risk is acceptable or not, you estimate the expected loss the organization will incur if the risk is exploited.

So, defense information security and correctly determine the possible risks, which threaten banks requires a lot of hard work and responsibility because that is what determines the quality of our customers' confidence in the bank. Financial strength of banks depending on information security is a determining factor of economic security, which finally determines the economic security of country. 

References:

[1] Tatul Melsik Mkrtchyan, State Economic Security System and Its Components, 4th Int'l Conference on Research in Humanities, Sociology & Corporate Social Responsibility (RHSCSR’15) Sept. 25-26, 2015 Penang (Malaysia).