17.02.2014

Development of the Information Security Risk Management System for the Bank of Moscow

Project completion date:

August 2013

The Customer:

The Bank of Moscow is one of the largest universal banks of Russia (one of the Top 5 banks) rendering a diversified range of financial services both to corporate clients and to private customers.

The VTB Group is the key shareholder of the Bank (95.53%). The Bank’s development strategy stipulates that the Bank of Moscow is to develop as an independent universal commercial bank within the VTB Group.

Today the Bank of Moscow provides services to over 100,000 corporate clients and over 9 million private customers. Major industrial enterprises as well as small and medium business entities belong to the Bank’s corporate clients.

Business needs:

The practice shows that information security management is not one of the key business activities for a large-scale bank with a great number of information assets. However, it is of high priority because it ensures such activities. Information security risk management is a fundamental process in information security management. In addition to improving the overall bank security level, the information security risk management system (ISRMS) also makes it possible to take strategic decisions on the development of an information security system.

The Bank of Moscow considered the implementation of the ISRMS as a solution to enable the Bank to solve three strategic problems at once. First, to reduce the current level of information security risks for the Bank. Second, to comply with the regulation authorities’ requirements concerning risk management. Finally, the ISRMS would optimize the Bank’s expenses related to the development of the information security assurance system.

To determine and assess information security risks, the Bank’s experts need to explore over 3,500 information assets. If performed in a manual mode, this would take over 18 months. Therefore, the Bank needed to implement an efficient automated tool to solve this problem.

Objective:

Experts from Informzaschita were to solve eight problems jointly with the Bank’s information security management experts to achieve success as a part of the project:

  • Development of regulatory documents for the ISRMS
  • Development of a prototype of the ISRMS automation tool
  • Inventory taking of the Bank’s information assets and description of the facilities of the information infrastructure
  • Identification of high-level and detailed information security threats
  • Analysis of the current security measures and vulnerabilities, and assessment of the probability of attacks and severity of their consequences
  • High-level and detailed assessment of information security risks
  • Development of a plan for handling intolerable information security risks
  • Training the Bank’s staff on methods for working with the ISRMS

 Solution:

The STO BR IBBS security standard adopted by the Bank of Moscow laid the basis for the ISRMS design. Approaches recommended by the Bank of Russia were selected as risk assessment procedures and methods. They were adapted to meet the Bank’s urgent needs and were supplemented with the best practices provided by ISO and ISACA.

Experts from Informzaschita collected all necessary information about the Bank’s information infrastructure and incidents related to information security for the past five years. Scanning for vulnerabilities made it possible to verify all key components of the infrastructure. Over 100 Bank departments, 50 business-critical information systems and 600 file resources with critical information were examined.

Informzaschita developed an automated solution for analyzing and structuring the resulting data.

Result:

As a result of the works, seven information systems with the highest risk level were identified. Value appraisal was applied to all revealed risks. The Bank received information on the dependence of its departments on information resources as well as criticality of its systems and security measures in use.

Today the ISRMS implemented in the Bank of Moscow identifies information security risks from different points of view (by departments, bank products and automated systems), defines measures to reduce such risks and evaluates the efficiency of planned measures.

In view of the unique nature of such developments, the Bank was provided with all source codes for the ISRMS prototype for its further development on a consistent basis.

The fact that the Bank of Moscow currently complies with all of the requirements set out in the Bank of Russia’s industry standard in the field of information security (concerning information security risk management) is one of the key results of the project. According to an independent audit opinion, the Bank received the highest (5th) level of compliance with group indices such as М12, М13 and М14.

Testimonial

“Based on the results of our joint efforts, the Bank of Moscow achieved visible results to put into practice a risk-oriented approach to information security issues”, commented Vasiliy Okulessky, the head of the Bank of Moscow Information Security Division.