Enterprise security architecture framework (ESAF) for banking industry / Mahathelge Nicholas Ruwan Dias

Mahathelge Nicholas, Ruwan Dias (2017) Enterprise security architecture framework (ESAF) for banking industry / Mahathelge Nicholas Ruwan Dias. PhD thesis, University of Malaya.

PDF (The Candidate's Agreement): restricted to repository staff only.
PDF (Thesis (Ph.D.)): restricted to registered users only until 29 November 2019.

Abstract

Enterprise Security Architecture (ESA) is the practice of translating business security vision and strategy into effective enterprise change by creating, communicating and improving the key security requirements, principles and models that describe the enterprise's future security state and enable its evolution. In addition, ESA must ensure confidentiality, integrity and availability throughout the enterprise and be aligned with the corporate business objectives. ESA plays a pivotal role in the enterprise today, especially in complex business scenarios and mission-critical applications such as banks and financial institutions, where multiple business lines and operations have to be managed and integrated. Currently, practitioners in banks and financial institutions have to use several enterprise architecture (EA) frameworks, such as TOGAF and Zachman, to model and meet their security requirements. Nonetheless, these frameworks are insufficient to fully cover the security attributes and practices needed by such institutions. This research aims at bridging the gaps between existing EA frameworks and the security requirements of banks and financial institutions. Problems related to security in the banking industry were identified through several brainstorming sessions with stakeholders. This was followed by a study of related work in the literature, interviews with industry experts, and a study of relevant case studies to articulate the problem statement, research objectives and research scope. A systematic literature review (SLR) was conducted that retrieved 729 research papers published between 1993 and 2015 from 7 databases, of which 88 primary studies were selected for further analysis. From these studies, 37 security practices and 17 enterprise security attributes were identified.

A detailed comparison of these practices and attributes against 33 enterprise architecture frameworks (EAF), 10 security architecture frameworks and 12 banking frameworks was conducted. The comparison found that, on average, the existing frameworks cover less than 40% of the enterprise security practices. A questionnaire survey was carried out with several departmental heads to validate and prioritise the security requirements before a holistic Enterprise Security Architecture Framework (ESAF) for banking software development was designed. The framework is based on the Sherwood Applied Business Security Architecture (SABSA), Control Objectives for Information and related Technology (COBIT) and National Institute of Standards and Technology (NIST) guidance. The proposed ESAF defines six key layers: ESA fundamentals, ESA requirements, enterprise security core, enterprise security assets, security integration and security governance. The 28 selected security practices in the proposed ESAF are then aligned with the 15 selected security attributes to ensure that the ESAF covers the full spectrum of security practices and attributes. To evaluate the comprehensiveness, effectiveness and ease of use of the proposed ESAF in a banking environment, extensive interviews were conducted with 23 industry experts. The experts also assessed the ESAF against selected scenarios. The results of the evaluation concluded that the proposed ESAF is comprehensive, effective and easy to use.

Item Type: Thesis (PhD)
Additional Information: Thesis (PhD) – Faculty of Computer Science & Information Technology, University of Malaya, 2017.
Uncontrolled Keywords: Enterprise Security Architecture (ESA); Banking industry; Business security; Financial institutions
Subjects: H Social Sciences > HG Finance; Q Science > QA Mathematics > QA75 Electronic computers. Computer science
Divisions: Faculty of Computer Science & Information Technology
Depositing User: Mr Mohd Safri Tahir
Date Deposited: 20 Jan 2018 10:09
Last Modified: 20 Jan 2018 10:09
URI: http://studentsrepo.um.edu.my/id/eprint/8266
