IT Security Management Implementation Model in Iranian Bank Industry

Document Type: Research Paper


1 Ph.D. Candidate in IT, Allameh Tabataba'i University, Tehran, Iran

2 Associate Prof. in Industrial Management, Allameh Tabataba'i University, Tehran, Iran

3 Prof. in Industrial Management, Allameh Tabataba'i University, Tehran, Iran


Because of the complexity of the Iranian banking sector and the differences between Iranian banks and those of developed countries, the appropriate actions to implement effective information technology security management have not been taken. The aim of this study was to build a powerful model by selecting the appropriate security controls to protect a bank's information assets. In this model, the principles set forth in the ISO 27001 standard were first extracted; then, through further study of international best practices on the subject published from 2008 to 2016, using a qualitative descriptive method, points relevant to information security management in the banking industry were added to them. By studying how Iranian banks deal with an IT security management system, and with the help of action research tools, the provisions that prevent the actual implementation of this standard were removed. Finally, a conceptual model with operating instructions was proposed that takes account of all the principles of the information security management standard and focuses on the characteristics of Iranian banking institutions.

