A study on the information technology security review process in finance

Abstract

It is better to adapt IT security review in all the system development. However, it is almost impossible to do this because of the cost problem. In this paper, we sorted the system by its character such as the data and investment size. This sorting can be used as a standard for adapting IT security review. Though it is necessary to review the security functions and requirement from the analysis · design level, this process is ignored in most of the system development. In the important system, this security review has been compulsory in Korean finance. Especially Financial supervisory service in Korea announced that all of financial companies have to review the IT security task whenever they do the IT system development on the base of compliance named 'Electronic finance supervisory rule'. Is it necessary to adapt the strong review process in every IT system? In this paper, we show this standard. For this, we sorted the IT system in 4 models and made the review process. This standard can play a role in deciding whether the very system development should get the strong security review or not. This trial is expected to help other financial companies make decisions whether the process of IT security review should be strong or not. This can save the cost by adapting the strong security review only in the important system development. © 2015 Copyright held by the owner/author(s). Publication rights licensed to ACM.