
Toward Unified Information Security Governance in Banking: Integrating Policy Evaluation and Cyber Risk Management for Online Services

Abstract:
Banking institutions face dynamic information security (IS) challenges, requiring a balance between stringent confidentiality and privacy mandates and the operational demands of digital banking. Recent research has contributed significantly to this domain through three key strands: (i) the development and validation of an ISO/NIST-aligned framework for assessing confidentiality and privacy in bank security policies, (ii) a systematic review of IS policy risks, benefits, and emerging trends across U.S. and global banking sectors, and (iii) the proposal of an integrated cyber-risk management framework tailored for online banking environments [1-3]. Building on these foundations, this paper introduces a unified approach that bridges policy evaluation with technical risk assessment and treatment [4, 5]. The proposed model integrates multiple layers: policy conformance checks against ISO 27001 and NIST SP 800-series standards, threat modeling using STRIDE and TVRA methodologies, vulnerability classification aligned with OWASP and CWE taxonomies, and iterative risk scoring and treatment cycles. This holistic design addresses the persistent gap between “written policy” and operational security controls in digital channels. Empirical findings—such as variability in confidentiality and privacy readiness among banking institutions and the influence of regulatory and cultural factors on compliance—inform the model’s architecture and adoption strategies [6]. Implementation guidance includes structured steps, governance checkpoints, and measurement artifacts such as maturity indices and control coverage maps. These tools enable banks to progress from policy alignment toward demonstrable control effectiveness and, ultimately, from static compliance to continuous assurance. By linking governance frameworks with technical safeguards, this approach enhances resilience against evolving cyber threats while ensuring regulatory conformity and customer trust.
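The abstract names three measurement artifacts without showing how they fit together: a STRIDE-classified threat register with risk scores, an iterative treatment cycle, and the maturity index and control coverage map that report on it. The following Python module is an added illustration written for this page, not the authors' model or tooling. It assumes a simple scoring scheme (likelihood × impact on 1..5 scales, each implemented control removing an assumed fraction of likelihood), a constructed sample register for an online-banking login flow, and control labels styled after NIST SP 800-53 family identifiers purely as placeholders; the selection rule in the treatment cycle (implement the untreated control with the largest total risk reduction until every residual score is at or below a threshold) is likewise an assumption, chosen to make the loop deterministic.

```python
"""Risk scoring, treatment cycle, maturity index and coverage map over a
STRIDE-classified threat register. Illustrative example: constructed sample
data, an assumed multiplicative likelihood-reduction model, and placeholder
control identifiers (not the paper's own framework)."""
from dataclasses import dataclass, replace

STRIDE = {"Spoofing", "Tampering", "Repudiation", "Information disclosure",
          "Denial of service", "Elevation of privilege"}


@dataclass(frozen=True)
class Control:
    id: str              # placeholder label styled after NIST SP 800-53 ids
    domain: str          # control domain used by the coverage map
    implemented: bool
    effectiveness: float  # assumed fraction of likelihood removed when implemented


@dataclass(frozen=True)
class Threat:
    id: str
    category: str              # one of STRIDE
    likelihood: int            # 1..5
    impact: int                # 1..5
    controls: tuple[str, ...]  # ids of controls that mitigate this threat

    def __post_init__(self):
        if self.category not in STRIDE:
            raise ValueError(f"{self.id}: unknown STRIDE category {self.category!r}")
        if not (1 <= self.likelihood <= 5 and 1 <= self.impact <= 5):
            raise ValueError(f"{self.id}: likelihood and impact must be in 1..5")


def residual_risk(threat, controls):
    """Likelihood x impact, with each implemented control scaling likelihood down."""
    likelihood = float(threat.likelihood)
    for cid in threat.controls:
        ctl = controls[cid]
        if ctl.implemented:
            likelihood *= 1.0 - ctl.effectiveness
    return round(likelihood * threat.impact, 2)


def risk_register(threats, controls):
    return {t.id: residual_risk(t, controls) for t in threats}


def coverage_map(controls):
    """Per-domain share of controls that are actually implemented."""
    by_domain = {}
    for ctl in controls.values():
        total, done = by_domain.get(ctl.domain, (0, 0))
        by_domain[ctl.domain] = (total + 1, done + int(ctl.implemented))
    return {d: round(done / total, 2) for d, (total, done) in by_domain.items()}


def maturity_index(controls):
    """Simple maturity indicator: fraction of referenced controls implemented."""
    return round(sum(c.implemented for c in controls.values()) / len(controls), 2)


def treatment_cycle(threats, controls, threshold, max_rounds=10):
    """Greedy treatment loop: each round implements the untreated control that
    lowers total residual risk most, until no score exceeds the threshold.
    Returns the ordered plan and the treated control set; inputs are not mutated."""
    controls = dict(controls)
    plan = []
    for _ in range(max_rounds):
        register = risk_register(threats, controls)
        if max(register.values()) <= threshold:
            break
        best, best_gain = None, 0.0
        for cid, ctl in controls.items():
            if ctl.implemented:
                continue
            trial = {**controls, cid: replace(ctl, implemented=True)}
            gain = sum(register.values()) - sum(risk_register(threats, trial).values())
            if gain > best_gain:
                best, best_gain = cid, gain
        if best is None:
            break  # nothing left to implement; remaining risk must be accepted or escalated
        controls[best] = replace(controls[best], implemented=True)
        plan.append(best)
    return plan, controls


# Constructed sample register for an online-banking login flow (not real data).
SAMPLE_CONTROLS = {
    "IA-2": Control("IA-2", "Identification & authentication", False, 0.7),  # MFA
    "SC-8": Control("SC-8", "Transmission protection", True, 0.8),            # TLS
    "AU-2": Control("AU-2", "Logging", False, 0.5),                           # audit trail
    "AC-2": Control("AC-2", "Access control", True, 0.6),                     # account reviews
}
SAMPLE_THREATS = (
    Threat("T1", "Spoofing", 5, 4, ("IA-2",)),                 # stolen-password login
    Threat("T2", "Information disclosure", 3, 5, ("SC-8",)),   # session data in transit
    Threat("T3", "Repudiation", 4, 3, ("AU-2",)),              # disputed transaction, no trail
    Threat("T4", "Elevation of privilege", 2, 5, ("AC-2", "IA-2")),  # dormant admin account
)

if __name__ == "__main__":
    print("before:", risk_register(SAMPLE_THREATS, SAMPLE_CONTROLS),
          coverage_map(SAMPLE_CONTROLS), maturity_index(SAMPLE_CONTROLS))
    plan, treated = treatment_cycle(SAMPLE_THREATS, SAMPLE_CONTROLS, threshold=8)
    print("plan:", plan)
    print("after:", risk_register(SAMPLE_THREATS, treated), maturity_index(treated))
```

On the constructed sample the first round selects the multi-factor control because it lowers two threats at once, and the second round adds logging to bring the repudiation score under the threshold; the coverage map shows which domains remain at zero before treatment, which is the kind of "written policy versus operational control" gap the abstract refers to.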