Bank of Moscow Implements an Information Security Violation Risk Management System

Informzaschita has completed a project to create an Information Security Violation Risk Management System (ISVRMS) for the Bank of Moscow. By using this system, the Bank will detect information security violation risks at different levels (by departments, bank products and automated systems), determine measures to minimize the risks and assess the efficiency of such measures.

The ISVRMS was designed on the basis of the Bank of Russia’s information security standard for organizations of the banking system of the Russian Federation. The risk assessment procedures and methods defined by the regulator were adapted to meet the urgent needs of the Bank of Moscow and supplemented with best practices published by ISO and ISACA.

Informzaschita’s experts collected the necessary information on the Bank’s information infrastructure, as well as on any information security incidents over the past five years. Vulnerability scanning made it possible to check all of the key components of the infrastructure. Over 100 branches of the Bank, 50 business-critical information systems and 1,000 types of file resources and paper-based media were examined.

Processing a data set of this size manually would have taken more than eighteen months. For this reason, Informzaschita’s experts developed a pilot model of an automated solution to analyze and structure the data within a short period of time. The pilot model was handed over to the Bank for further updating on a regular basis.

Lev Fisenko, Director of Informzaschita’s Financial Organizations Department, reports: “As a result of this work, seven information systems with the maximum risk levels were revealed. Some risks underwent value appraisal. The Bank obtained information on the dependence of its branches on information resources, the importance of its systems and the security tools in use. The Information Security Violation Risk Management System improved the security of the Bank’s information assets and optimized expenses on the development of the entire information security system.”

Vasily Okulessky, Head of the Bank of Moscow’s Information Security Department, comments on the project results: “The Bank of Moscow achieved substantial results enabling us to put into practice the risk-oriented approach to information security issues. The fact that the Bank of Moscow is now fully compliant with the requirements of the Bank of Russia’s information security standard (concerning information security violation risks) is one of the key indices confirming the quality of the work performed. The Bank of Moscow now has the highest 5th compliance level based on group indices such as M12, M13 and M14.”