
SOLUTION TO ENHANCE SHINHANBANK’S INFORMATION SYSTEM SECURITY


MASTER OF BUSINESS ADMINISTRATION
INFORMATION TECHNOLOGY FOR MANAGERS ASSIGNMENT
TOPIC:

SOLUTION TO ENHANCE
SHINHANBANK’S INFORMATION SYSTEM SECURITY



INSTRUCTOR:

Dr. HUY NGUYEN

GROUP MEMBERS: LE HUY HIEU
VO THI KIM HOANG
CLASS:

MBAOUM 0516 – K21C

HCMC – JUNE 2017


ACKNOWLEDGEMENTS

We would like to express our sincere gratitude to Dr. HUY NGUYEN, who instructed us, gave us a chance and inspired us to do this project.
We would also like to express our thanks to Shinhanbank Vietnam for helpful information and knowledge.
With kindest regards,



CONTENT TABLE
OBJECTIVES
I. DESCRIPTION OF THE ORGANISATION
   Introduction about Shinhanbank
   Shinhanbank's information system
II. GENERAL LITERATURE REVIEW ON INFORMATION SYSTEM SECURITY
   The concept of information system
   The concept of information security
   Overview of information security in Shinhanbank
   Purpose of information security
III. DESCRIPTION OF SOME IT SECURITY ATTACKS
   Description
   Impact
   Reason
IV. SOLUTION TO ENHANCE SHINHANBANK'S INFORMATION SYSTEM SECURITY
   Training
   Enhancing awareness of banker and customer
   3S Programme - Shinhan Security Solution
CONCLUSION
REFERENCES


OBJECTIVES

The world has changed over the last few years, especially within banking. Its processes, from retail transactions to market operations, have been transformed by technology and continue to evolve. Today's organisations increasingly rely on third-party systems in order to provide many of their digital services. This opportunity has not escaped the attention of criminals, hackers and even nation states.

This is problematic for banking. Traditional approaches to risk management focused on a single malicious agent or single points of attack. Enhancing the security of the information technology system is therefore very important and essential.

Based on the knowledge gained at university and during our working time at Shinhanbank Vietnam, this is a small piece of research into this problem. We hope it will give us an overview of the information technology system security of banking.



I. DESCRIPTION OF THE ORGANISATION

Introduction about Shinhanbank
Shinhan Bank is a bank headquartered in Seoul, South Korea. Historically it was the first bank in Korea, established under the name Hanseong Bank in 1897. The bank was re-established in 1982. It is part of the Shinhan Financial Group, along with Jeju Bank. Chohung Bank merged with Shinhan Bank on April 1, 2006. Shinhanbank is a member of Shinhan Group, the first civilian-controlled financial holding company in Korea. It has over 22,000 employees. Now it is a leading bank in South Korea and operates globally.

Image: Headquarter of Shinhanbank in Seoul, South Korea
In Vietnam, Shinhan Bank's history can be traced back to 1993, when Shinhan Bank first opened a representative office in Ho Chi Minh City and became one of the pioneers promoting formal diplomatic relations between Vietnam and Korea.
SHINHAN BANK VIETNAM is headquartered at Empress Tower (138 - 142 Hai Ba Trung, Da Kao Ward, District 1, Ho Chi Minh City). During the past 20 years of sustained endeavour in Vietnam, SHINHAN BANK VIETNAM has always been trusted and chosen by Vietnamese and foreigners, domestic enterprises and foreign investors, including the Korean community in Vietnam. Up to now, Shinhan Bank Vietnam has 18 branches and transaction offices in Ho Chi Minh City, Ha Noi, Binh Duong, Dong Nai, Thai Nguyen, Vinh Phuc, Hai Phong and Bac Ninh. In the near future, Shinhan Bank Vietnam will continue expanding its branch network to many provinces and cities in Vietnam and constantly enhance service quality to best serve its customers.
Business Principles:

Core Value:

Vision:

Mission:



Shinhanbank's Information System
Internet Banking and Mobile Banking are online banking services allowing customers to perform banking transactions anywhere, anytime via their computer or mobile device with an internet connection. Customers can make inquiries and transact quickly and effectively.
Call centre: offers the following services and support to customers: account information inquiry, card deactivation/lost card report, credit card inquiry and PIN change, registration of a received card and branch information inquiry.
Online smart savings service and secured loan: supports automatic customer money transfer to a Term Deposit account via Internet Banking or Mobile Banking, and customers can use their Time Deposit at Shinhan Bank as collateral to receive financial support immediately via Internet Banking/Mobile Banking.
Bill payment service and Top-up service: free sign-up for the Bill Payment service is the easiest way to pay bills (electricity, telephone, cable, ADSL, air tickets, water), and the Top-up service allows customers to directly top up their mobile phone account or buy code cards of some telecom companies and other suppliers; the amount that the customer requests to top up or to buy a code card is debited from their bank account.
Card services: ATM, Debit card, Visa card for personal and corporate customers.



II. GENERAL LITERATURE REVIEW ON INFORMATION SYSTEM SECURITY
The concept of information system

According to Efraim Turban, Linda Volonino (2011), an information system (IS) collects, processes, stores, analyses and distributes information for a specific purpose or objective. The basic functions of an IS are input, processing, output and feedback. The collection of computing systems used by an organization is termed information technology. IT refers to the technological side of an information system and is used interchangeably with information system.
An IS uses computer technology and networks to perform some or all of its tasks. It can be as small as a smartphone with a software app that can snag tags to load a website. It may include several thousand computers of various types, scanners, printers and other devices connected to databases via wired and wireless telecommunication networks.
The concept of information security
According to Efraim Turban, Linda Volonino (2011), information security is about risk to data, information systems and networks. Security incidents create business and legal risks, such as when operations are disrupted or privacy laws are violated. IT risk management includes securing corporate systems while ensuring their availability; planning for disaster recovery and business continuity; complying with government regulations and licence agreements; maintaining internal controls; and protecting the organization against an increasing array of threats such as viruses, worms, spyware and other forms of malware. Managers have a fiduciary responsibility to protect the confidential data of the people and partners that they collect, store and share.
Overview of Information Security in Shinhanbank

An administrative/technical method, or an action exercising such a method, in order to protect information from being damaged, manipulated or leaked during collecting, processing, storing, searching and transferring information.
Business controls, risk management and security governance: policies and objectives designed to enable a business to drive its business objectives into IT security processes through an integrated, umbrella IT security management system.
Security management, monitoring and auditing: enabling proactive sensing of and response to vulnerabilities and threat events, forensic analysis of security breaches that do occur, and auditing for regulatory compliance and other business purposes.
A series of actions to securely protect/manage information assets (all kinds of tangible/intangible assets, including information, IT devices and facilities of an organization, that deserve protection) such as the network, systems (server, PC, etc.), H/W and S/W, DB, communication and facilities against any internal or external threats.

Information flow: most employees inquire CIF (customer information file) data and use it on their PC or other peripherals in various ways. Most operational information, including "Confidential" information, is stored on individual PCs. As outsourcing activities increase in consulting/development, the need for cooperation with external companies and for sharing internal and external information via a file server is growing.

Purpose of Information Security
What is the goal of Security?
- To create the most secure system?
- To implement the safest IT environment?
What do we need to protect?
- IT system?
- PC?
- Business operation?


III. DESCRIPTION OF SOME IT SECURITY ATTACKS

The first case
On 20 March 2013, Shinhanbank suffered from frozen computer terminals in a suspected act of cyberwarfare. ATMs and mobile payments were also affected. The South Korean communications watchdog raised its alert level on cyber-attacks to three on a scale of five. North Korea has been blamed for similar attacks in 2009 and 2011 and was suspected of launching this attack as well. South Korean officials linked the incident to a Chinese IP address, which increased suspicion of North Korea, as intelligence experts believe that North Korea routinely uses Chinese computer addresses to hide its cyber-attacks.

Image: ATM system did not operate
Malware related to the attack is called "DarkSeoul" in the computer world and was first identified in 2012. The Financial Services Commission of South Korea said that Shinhan Bank reported that its Internet banking servers had been temporarily blocked, and that Jeju Bank (100% owned by Shinhanbank) reported that operations at some of its branches had been paralysed after computers were infected with viruses and their files erased.
Hackers temporarily shut down computer networks at banks in the biggest cyber attack on the nation in two years, prompting a probe into possible links with North Korea. The government set up a cyber crisis group to investigate whether North Korea was responsible. Computer shutdowns hit companies including Shinhan Bank, Nonghyup Bank, Munhwa Broadcasting Corp., YTN and Korea Broadcasting System. Cyber attacks are much easier weapons for North Korea, as they cost far less than missiles or nuclear tests but can send more people into a real panic. Furthermore, they can be launched at any time without worrying about international sanctions.

Disruption to networks at Shinhan Bank and Cheju Bank began around 2.20 pm. Malware code was distributed through the targeted organizations' servers, destroying their computers' ability to boot. This was the biggest and most serious cyber attack in two years; there had not been simultaneous attacks on more than one target since 2011.

All transactions at Shinhan Bank stalled at 2 pm in the afternoon. Transactions through Internet and mobile banking were partly affected. Operations at the bank were back to normal later in the afternoon. South Korea blamed North Korea for an attack on about 40 websites in 2011. The South also blamed the North for an attack on some banks a month later that kept almost 20 million clients from using automated teller machines and online banking services.


Image: The computers were frozen during the attacks

The second case
In August 2016, some emails with malicious code were sent to officers' email accounts at Shinhanbank Vietnam. The information technology department of the head office reminded officers not to open those emails, but some staff did not take note and opened them. The hackers used email attachments to attack the bank's internal network, and some computers were infected with malware. The IT department shut down the banking software for 15 minutes to resolve it. Fortunately, transaction hours of Shinhanbank Vietnam start at 8.30 am, so this did not affect customer transactions, but the ATM system also did not operate for 15 minutes.
The third case

In January 2017, a customer of Shinhanbank Vietnam, Bien Hoa Branch, reported to the bank that 5 million VND had suddenly disappeared from his account, although he had not made any transactions. When bankers checked the statement, they saw a money transfer made via internet banking, but this customer insisted that he had never made that transaction. He said that the bank had given him a security card with numbers for making internet banking transactions; he used his iPhone to take a photograph of the security card and then destroyed the card. An internet banking transfer requires the username, the password and the security numbers on the card. He often lent his iPhone to others. The bank cancelled the old security card and supplied him with a new one.

Image: Security card of Shinhanbank
Impact

An attack on the information technology system of a bank greatly affects the operation of that bank and loses customers' trust, because a bank is an organization trading a special good: MONEY. The reputation and image of a bank are very important, and they are impacted by public communication and social networks.

The attacks on Shinhanbank made staff computers shut down. ATM, mobile banking and internet banking were affected. All systems were paralysed, although only for several hours. This affected the transactions of customers and partners. The bank will lose some customers to other banks.
Shinhanbank is a global bank. In the 2013 attack, South Korean stocks tumbled, with the Kospi Index losing 1%, compared with a 0.1% drop in the MSCI Asia Pacific Excluding Japan Index. The won slid 0.5% to 1,116.30 per dollar in Seoul, according to data compiled by Bloomberg. The yield on South Korea's 2.75% bonds due December 2015 rose one basis point to 2.60%, according to prices from Korea Exchange Inc.
Reason
Information security management is crucial and vital in banking operations. In the attacks on Shinhanbank, malware and malicious code were frequently used by hackers to attack the computer and software systems of the bank. The central processing system of the bank could not react in time when attacked. Additionally, frequent upgrades of the core banking system are also a chance for hackers to seize on. They paralyse the banking system so that it cannot operate for a short time. Lack of awareness or care among some staff is one of the main reasons hackers can take advantage of the banking information technology system. Attackers usually send emails with attachments containing malicious code, or send links and ask staff/customers to submit information. The skill level of staff remains limited; therefore, they cannot adapt to or follow modern technology.

Customers do not have enough knowledge and skills to protect their information, so they often easily give away the basic information that would prevent risks. Hackers and criminals are very sophisticated in attacking the internet banking system or manipulating customers' transactions. Customers have to be cautious to protect themselves.
IV. SOLUTION TO ENHANCE SHINHANBANK'S INFORMATION SYSTEM SECURITY
Training
Training is one of the essential and important solutions for protecting information technology system security. The bank's officers always have to learn by heart about keeping the information of the bank and customers secret. It must not be disclosed.
Processing and removing all information in documents or files related to customers follows a closed cycle. Information/documents printed from the banking information system are not allowed to leave the bank.
The bank should promulgate moral standards and behavioural rules for staff to comply with. If there are any violations related to information technology system security, suitable disciplinary measures are needed.
If any incident happens, staff should contact the IT department to solve it. Specialists will then prevent information leaks to protect the banking system.
Enhancing Awareness of Banker and Customer
The human element plays an important role in the establishment and development of any organization. A bank that wants to protect its information technology system needs to focus on its staff. Investing in infrastructure, upgrading the banking information system and applying technological advances are the general tendency of banks today. However, they are only tools for human beings to use. So, to implement an effective security programme, "there must be a balance between human factors, policies, process and technology in the management of security in order to minimize the risks that arise in the business environment the most effective way".

For officers of Shinhanbank, we should frequently remind them and send messages so that they see the importance of information technology security. The bank always has preventive measures such as messages or notes on the computer screensaver. Protecting the information security system is the responsibility of everyone, from staff to the Information Technology Department. The following basic mistakes should be noted so that everyone can protect themselves.
For users
To open an email without checking its authenticity, such as the sender information
To fail to install security patches for Windows and Office
To download and use games or screensavers from untrustworthy sites
To fail to make backups and test what has been backed up
To regard information security as a duty of the IT department only
To process sensitive matters using a shared PC

For Senior Management
To blindly trust a security solution
To assign a less-trained person to a security position and not provide the necessary education
To fail to recognize how information security and business are co-related
To take technical measures and open a network without considering management and operational factors
To fail to understand the value of information assets
Repeated issues caused by short-term, temporary, patch-up solutions
Delay in response



For IT Department
To connect online without strengthening security
To connect a test machine with an easy-to-guess ID and password online
To delay a patch update even when a security weakness is found
To access a system or network using an unencrypted protocol like Telnet
In spite of regular backups, never conducting a recovery test on the backup
To turn on unnecessary services
To roughly set up rules for the firewall
Lack of providing security-related training/education

For customers, the bank should have detailed instructions for them to master so that they protect themselves when making transactions. Customers must always keep their banking information secret. When they have a problem due to not knowing something clearly, or find any suspected transactions, they have to contact the call centre or the nearest branch for support. This will help them to prevent risk and loss.
3S Programme - Shinhan Security Solution
Data protection and disclosure control: policy-based processes and capabilities within the computing infrastructure to control who can access particular data and for what reason.
Secure transactions: leveraging the identity infrastructure and access control policies to achieve an appropriate level of confidentiality, integrity and authenticity for every level of transaction, from interdepartmental connections to exchanges with institutions outside the enterprise.
Secure systems and networks: enterprise IT systems and networks with the embedded security capabilities required for an end-to-end solution.

With solutions ranging from assessments and design to implementation and management services, and the ability to deliver industry-specific security solutions such as identity management, data integrity, threat management and security governance, the programme has the skills and expertise to assist enterprises making the shift from traditional security to security on demand. Services include analysis to pinpoint the greatest risks of business damage; planning to focus on the logical next steps for people, process and technology that can have the greatest benefit; implementing integrated, closed-loop solutions to close gaps; managed services options; and auditing and continual improvement. These services seek both to protect business value from threats and to enhance flexibility to take advantage of business opportunities.

Setting up security-enabled software offers a strong security management portfolio that can be used to provide proactive, integrated security management in the business, including security event management, security policy and compliance management, identity management and remediation. Solutions that help the bank: integrate data and content, optimize collaboration and human interaction, develop software and systems, and manage and integrate transactions.
Setting up security-rich hardware includes an array of security capabilities that can be used to: facilitate identity authentication, including single sign-on; maximize data security, both in storage and in transit; enforce and refine security policy; and identify and dynamically recover from intrusion and data corruption.
Document security programme
This is optimal for securing a company's digital information. It provides an integrated security schema, as it secures the entire life cycle of the electronic document, from generation to transmission and disposal, based on strong encryption and controlled access.
Document Security Users (authorized users) are contractors of third-party entities that are intended to use or interact with the information being shared. However, these users are not employees of the organization and do not have the Document Security solution installed on their computers.
Decryption/Encryption of files

Decryption changes an encrypted document into a regular document. This allows the document to be opened by a third party (customer, other company, etc.). Encrypted files can be opened only on PCs within the bank. Simply opening a regular document does not trigger encryption, but saving after editing will trigger encryption. Encrypted documents can be opened on PCs within the bank but cannot be opened by a third party, and therefore document decryption is required for external file transmission.
Terminal Administrator
Assigned to each department; takes overall responsibility and authority for terminal operation and management within the assigned department.
Conducts the necessary tasks to fix defects, transfer devices and manage other devices.
Verifies the access rights of a user trying to access the information processing system, and makes the user set up/use a login password and change the password every three months.
End user
Assigns a password and runs a screensaver to keep persons other than himself from running the terminal.
Executes operations in accordance with these procedures.
Uses the terminal as instructed and immediately reports any operational issue to the terminal administrator.
Restriction on using software and hardware
A head of each department must ensure that no illegal or unlicensed software is used.
A head of each department must ensure that no unauthorized hardware is used.
Terminal Protection
A head of each department should assign an end user to each terminal and have them use a password and screensaver to block any access from other than the assigned person.
A password must be longer than 8 characters, containing numbers, alphabetic characters and special characters, and it must be updated at least every three months.
In principle, every terminal is prohibited from accessing any wireless device.

An operation-specific terminal is designated. It cannot be used for other than its specified purposes, nor be imported or exported. Also, mobile computing devices such as laptops cannot be used.
You must not share your terminal with others nor save any important information on your terminal.
Every terminal must be protected with security features such as logging for control of major operational activities and blocking of wireless communication.
On a terminal, a user cannot access an additional storage device like USB.
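The terminal password rules stated above, as an added checker (example code written for this page, not Shinhanbank's own tooling): it reports every rule a password breaks and whether the password is overdue for rotation. It assumes "every three months" means 90 days and that any non-alphanumeric character counts as a special character; the sample passwords are constructed.

```python
"""Checker for the terminal password policy described in the assignment:
   - longer than 8 characters
   - contains a number, an alphabetic character and a special character
   - changed at least every three months (assumed here to be 90 days)
This is an added example, not the bank's own code."""
from dataclasses import dataclass
from datetime import date
from typing import List

MIN_LENGTH_EXCLUSIVE = 8   # the policy says "longer than 8", so 9+ characters
MAX_AGE_DAYS = 90          # assumption: "three months" mapped to 90 days


@dataclass
class PolicyResult:
    ok: bool
    violations: List[str]


def check_complexity(password: str) -> List[str]:
    """Return the complexity rules the password violates (empty list = compliant).
    The password itself is never echoed back, so this output is safe to log."""
    violations = []
    if len(password) <= MIN_LENGTH_EXCLUSIVE:
        violations.append("too short: must be longer than 8 characters")
    if not any(c.isdigit() for c in password):
        violations.append("missing number")
    if not any(c.isalpha() for c in password):
        violations.append("missing alphabetic character")
    # assumption: anything that is not a letter or digit is a special character
    if not any(not c.isalnum() for c in password):
        violations.append("missing special character")
    return violations


def check_age(last_changed: date, today: date) -> List[str]:
    """Return a violation if the password is older than the rotation limit."""
    age_days = (today - last_changed).days
    if age_days > MAX_AGE_DAYS:
        return [f"password is {age_days} days old; "
                f"must be changed at least every {MAX_AGE_DAYS} days"]
    return []


def evaluate(password: str, last_changed: date, today: date) -> PolicyResult:
    """Combine complexity and rotation checks into one policy verdict."""
    violations = check_complexity(password) + check_age(last_changed, today)
    return PolicyResult(ok=not violations, violations=violations)


if __name__ == "__main__":
    # Constructed sample: one compliant and one non-compliant password.
    samples = [
        ("Shinhan!2017", date(2017, 6, 1)),   # compliant, changed 29 days ago
        ("password", date(2017, 1, 1)),       # short, no digit/special, 180 days old
    ]
    for pw, changed in samples:
        result = evaluate(pw, changed, date(2017, 6, 30))
        # Only the verdict is printed; the password value is never written out.
        print("compliant" if result.ok else "violations: " + "; ".join(result.violations))
```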
Device Return or Collection
When returning a device, delete all information on the device after storing it separately, and then return it.
A terminal administrator makes sure that all data is unrecoverable when collecting a device.
Unmanned Device Protection
Install and regularly update vaccine (anti-virus) software on unmanned devices. However, this may not apply to any unmanned device on which the Windows OS is not installed.
Implement access control on an unmanned device that allows only necessary communications.
In principle, transfer of major data from an unmanned device is encrypted.
Use of software
An end user must not install or distribute unauthorized software for personal use (e.g. game hacking tools, remote access control).
An end user must not illegally replicate or install unlicensed software.

An end user must not acquire internal/external user information or unauthorized/unapproved information by way of hacking or scanning.
An end user must not delete or change the security program installed on a terminal for the purpose of circumventing it.
Use of storage devices
In principle, you are not allowed to use external storage devices such as USB or CD-RW. However, when an external device is required for business purposes, you can use it after getting approval from your department head.
An IT security administrator can exceptionally approve the use of external storage in the following case: continuous long-term usage is required and approval from a department head is not possible.

CONCLUSION
In short, the scope of today's security challenges and opportunities continues to grow. To implement a security solution that can contribute to the success of banking, finding solutions that protect your mission-critical systems is very important. Hardware, software and services that address your immediate security needs are essential.
Information system security plays an important role in any organization. It is vital to the banking system. Through this assignment, we hope to have given an overview of the banking system, especially Shinhanbank, and suitable solutions to maintain and protect the banking system so that it operates safely and effectively. We hope that the bank will update, upgrade and apply new technology and deploy banking modernization.
