Enterprise security architecture framework (ESAF) for banking industry / Mahathelge Nicholas Ruwan Dias
Main Author: Mahathelge Nicholas, Ruwan Dias
Format: Thesis (PhD thesis, University of Malaya)
Published: 2017
Subjects: HG Finance; QA75 Electronic computers. Computer science
Online Access: http://studentsrepo.um.edu.my/8266/1/All.pdf ; http://studentsrepo.um.edu.my/8266/6/mahathelge.pdf ; http://studentsrepo.um.edu.my/8266/
Record id: my.um.stud.8266 (eprints record, last updated 2020-05-17)
Citation: Mahathelge Nicholas, Ruwan Dias (2017) Enterprise security architecture framework (ESAF) for banking industry / Mahathelge Nicholas Ruwan Dias. PhD thesis, University of Malaya.
Date: 2017-11
Status: Non peer reviewed; full text available as PDF (http://studentsrepo.um.edu.my/8266/1/All.pdf, http://studentsrepo.um.edu.my/8266/6/mahathelge.pdf)
Institution: Universiti Malaya, UM Library, Institutional Repository (Malaysia, Asia)
Content source: UM Student Repository, http://studentsrepo.um.edu.my/
Description:
Enterprise Security Architecture (ESA) is the practice of translating business security vision and strategy into effective enterprise change by creating, communicating and improving the key security requirements, principles and models that describe the enterprise's future security state and enable its evolution. In addition, ESA must ensure confidentiality, integrity, and availability throughout the enterprise and be aligned with the corporate business objectives. ESA plays a pivotal role in the enterprise today, especially in complex business scenarios and mission-critical applications such as banks and financial institutions, where multiple business lines and operations must be managed and integrated. Currently, practitioners in banks and financial institutions have to use several enterprise architecture (EA) frameworks such as TOGAF and Zachman to model and meet their security requirements. Nonetheless, these frameworks are insufficient to fully cover the security attributes and practices needed by the institutions. This research aims at bridging the gaps between existing EA frameworks and the security requirements of banks and financial institutions. Problems related to security in the banking industry were identified through several brainstorming sessions with stakeholders, followed by a study of related work in previous literature, interviews with industry experts, and a review of relevant case studies to articulate the problem statement, research objectives, and research scope. A systematic literature review (SLR) was conducted that retrieved 729 research papers published between 1993 and 2015 from 7 databases, of which 88 primary studies were selected for further analysis. From these studies, 37 security practices and 17 enterprise security attributes were identified. A detailed comparison of the practices and attributes with 33 enterprise architecture frameworks (EAF), 10 security architecture frameworks, and 12 banking frameworks was conducted. The comparison found that, on average, the existing frameworks cover less than 40% of the enterprise security practices. A questionnaire survey was carried out with several departmental heads to validate and prioritize the security requirements before a holistic Enterprise Security Architecture Framework (ESAF) for banking software development was designed. The framework is designed based on the Sherwood Applied Business Security Architecture (SABSA), Control Objectives for Information and related Technology (COBIT) and the National Institute of Standards and Technology (NIST). The proposed ESAF defines six key layers: ESA fundamentals, ESA requirements, enterprise security core, enterprise security assets, security integration and security governance. The 28 selected security practices in the proposed ESAF are then aligned with the 15 selected security attributes to ensure the ESAF covers the full spectrum of security practices and attributes. To evaluate the comprehensiveness, effectiveness and ease of use of the proposed ESAF in a banking environment, extensive interviews were performed with 23 industry experts, who also assessed the ESAF against selected scenarios. The evaluation concluded that the proposed ESAF is comprehensive, effective and easy to use.