Banking and Finance Sector-Specific Plan - U.S. Department of ...
mon set of guidelines that would be applicable to most situations. The ability to establish such a document could be easily adapted to other industries.

N The financial sector is an especially good area for a test because of the large volume of transactions and their susceptibility to fraud. For example, use of a steganographic technique within the data transfer to identify a user will enhance identity management, benefiting all industries in the short term.

O Where security vulnerabilities present challenges, the only option so far available to the financial sector is to discontinue service. Research into the motivation for targeting certain financial services and institutions may enable the financial sector and other industries to develop methods for devaluing services.

P Simulation is key to predicting the impact of vulnerabilities and protective measures. Financial service simulation is relatively easy to accomplish because physical resources generally are not required, yet research into business process simulation may benefit all industries.

Q There is currently a distinct inability to justify spending additional money on information security, owing to the lack of data on the impact of threats that exploited vulnerabilities which could have been avoided. There is therefore no standardized return on investment calculation. Such research could benefit all industries that employ information security tools and techniques.
4.5 Understanding and Avoiding the Insider Threat
B, D, M Prevention and protection of assets from trusted insiders need to capitalize on automatic mechanisms that enforce dual controls, separation of duties, role-based permissions, and configuration controls that can detect, alert, and respond to attempts to install rogue software in production systems.

I Financial institutions have numerous case studies and scenarios in which motivation combined with opportunity results in fraud. Research in human and social issues should be targeted at reducing the motivation quotient of the fraud equation.

I Financial institutions provide corrupt insiders with financial motivation. Research into methods of devaluing assets upon detection of insider manipulation may serve to reduce this threat.

G Automated mechanisms to detect potentially malicious activity or escalation of privileges are required for all computing resources, including end-user PCs and laptops attached to corporate networks.
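The controls named above (dual control, separation of duties, role-based permissions, configuration controls that alert on rogue software, and detection of privilege escalation) can be enforced by code rather than by procedure. The following Python is an added example written for this page; it is not code from the plan or from any financial institution. The roles, users, approval threshold, package names and digests are all constructed for illustration.

```python
"""Added example: automatic enforcement of dual control, separation of duties,
role-based permissions, a configuration baseline and a role-drift check.
Every role, user, threshold and package below is constructed, not from the plan."""
import hashlib
from dataclasses import dataclass, field

# Hypothetical role-to-permission map (constructed for this example).
ROLE_PERMISSIONS = {
    "teller": {"initiate_transfer"},
    "supervisor": {"approve_transfer"},
    "sysadmin": {"install_software"},
}

# Transfers at or above this amount need two independent approvers (dual control).
DUAL_CONTROL_THRESHOLD = 10_000


class PolicyViolation(Exception):
    """Raised when an action would breach role, separation-of-duties or dual-control rules."""


@dataclass
class Transfer:
    transfer_id: str
    amount: int
    initiated_by: str
    approvals: list = field(default_factory=list)

    @property
    def required_approvals(self) -> int:
        return 2 if self.amount >= DUAL_CONTROL_THRESHOLD else 1

    @property
    def released(self) -> bool:
        return len(self.approvals) >= self.required_approvals


def permitted(user_roles: dict, user: str, permission: str) -> bool:
    """Role-based check: a user holds a permission only through an assigned role."""
    return any(permission in ROLE_PERMISSIONS.get(role, set())
               for role in user_roles.get(user, ()))


def initiate_transfer(user_roles: dict, user: str, transfer_id: str, amount: int) -> Transfer:
    if not permitted(user_roles, user, "initiate_transfer"):
        raise PolicyViolation(f"{user} may not initiate transfers")
    return Transfer(transfer_id, amount, initiated_by=user)


def approve_transfer(user_roles: dict, transfer: Transfer, approver: str) -> Transfer:
    """Enforce role, separation of duties (initiator != approver) and dual control."""
    if not permitted(user_roles, approver, "approve_transfer"):
        raise PolicyViolation(f"{approver} may not approve transfers")
    if approver == transfer.initiated_by:
        raise PolicyViolation("separation of duties: initiator cannot approve own transfer")
    if approver in transfer.approvals:
        raise PolicyViolation("dual control: the same approver cannot count twice")
    transfer.approvals.append(approver)
    return transfer


def digest(content: bytes) -> str:
    """SHA-256 of a package's contents, used as its baseline fingerprint."""
    return hashlib.sha256(content).hexdigest()


def detect_rogue_software(baseline: dict, installed: dict) -> list:
    """Configuration control: alert on packages absent from, or differing from, the baseline."""
    alerts = []
    for name, fingerprint in sorted(installed.items()):
        expected = baseline.get(name)
        if expected is None:
            alerts.append(f"ALERT unapproved package present: {name}")
        elif expected != fingerprint:
            alerts.append(f"ALERT package differs from approved build: {name}")
    return alerts


def detect_privilege_escalation(approved_roles: dict, current_roles: dict) -> list:
    """Alert when a user currently holds a role outside the approved assignment."""
    alerts = []
    for user, roles in sorted(current_roles.items()):
        extra = set(roles) - set(approved_roles.get(user, ()))
        if extra:
            alerts.append(f"ALERT {user} holds unapproved role(s): {', '.join(sorted(extra))}")
    return alerts


if __name__ == "__main__":
    users = {"alice": {"teller"}, "bob": {"supervisor"}, "carol": {"supervisor"}}
    t = initiate_transfer(users, "alice", "T-1", 25_000)
    approve_transfer(users, t, "bob")
    print("released after one approval:", t.released)   # dual control holds it back
    approve_transfer(users, t, "carol")
    print("released after two approvals:", t.released)
    baseline = {"ledger-svc": digest(b"ledger build 1"), "tls-lib": digest(b"tls build 3")}
    installed = {"ledger-svc": digest(b"ledger build 1"),
                 "tls-lib": digest(b"tls build 3 modified"),
                 "unlisted-agent": digest(b"unknown binary")}
    for line in detect_rogue_software(baseline, installed):
        print(line)
```

Run stand-alone, the transfer above the threshold stays unreleased after the first approval, the initiator is refused as an approver of their own transfer, and the baseline comparison reports both the package that is not on the approved list and the approved package whose contents changed. In a real deployment the role map and baseline would be loaded from a signed, change-controlled source rather than hard-coded.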
4.6 Financial Information Tracing and Policy Enforcement
B Financial information policy enforcement would benefit from advances in prevention systems with respect to real-time information sharing on known fraud issues in order to block transactions.

E Financial information policy enforcement would benefit from research into decision support with respect to terrorist economic activity.

G Financial information tracing would benefit from research into emerging threats to an individual's financial status and from vulnerability analysis aids.

H As infrastructure architectures become more advanced, a constant focus on policy enforcement will be required to identify the infrastructure component upon which a given compute operation depends. A focus on rigorous and concrete regulatory logging requirements will provide detailed requirements for those research activities.

I Human and social issues are key to policy enforcement and focus on accountability; the level of traceability requested to establish it with respect to financial transactions will serve to establish criteria for success in influencing behavior.