Project

ITglobal.com carried out a penetration test for Maysky bank

Customers: May Bank

Financial services, investments and audit

Product: External IT and security audit projects (including PCI DSS and ISMS (SUIB))

Project date: 2020/01 - 2020/06

2020: Assessment of compliance with Provision 382-P and a penetration test

On July 3, 2020, ITglobal.com announced that it had carried out an assessment of compliance with Provision 382-P and a penetration test for Maysky bank (for external platforms). The bank demonstrated compliance with the requirements of the Provision, and the results were sent to the regulator. Based on the results of the pentest, the auditors made detailed recommendations for eliminating the vulnerabilities that were found.

Like any financial institution that carries out transfers, Maysky bank is obliged to undergo a conformity assessment against Provision No. 382-P every two years, fill in report form 0403202 and send it to the Bank of Russia. The assessment must be performed by a third-party auditing company that holds an FSTEC license for the technical protection of confidential information.

Project Tasks:

  • 382-P. Previously the client had carried out only a self-assessment of compliance with the Provision of the Central Bank of the Russian Federation. To carry out an external assessment, Maysky bank was looking for an auditing company. One more condition: the work had to be completed in a short time.
  • Pentest. Together with the 382-P conformity assessment, the client decided to check the level of external security of its information systems. For this purpose the bank additionally needed to organize penetration testing (pentest): a simulation of hacker attacks to detect vulnerabilities in the infrastructure.

Information security specialists from ITGLOBAL.COM carried out the conformity assessment against Provision No. 382-P within the stipulated time frame. Based on the results, the auditors helped the client prepare the report in the Bank of Russia's form, which was sent to the regulator. During the assessment the bank showed a reasonably good level of compliance with Provision No. 382-P.

The external penetration test detected some vulnerabilities of high and medium criticality. The client received recommendations for eliminating them. As of July 2020, the majority of the vulnerabilities have already been eliminated.

"We managed to prepare for the arrival of the ITGLOBAL.COM auditor. Nevertheless, a number of noncritical 382-P discrepancies were revealed; they mostly concerned documentation and the configuration of individual information systems. The pentest was also very useful: we eliminated some of the detected vulnerabilities at once, and others are in progress. The auditors understand not only the settings of information security tools but also the non-obvious capabilities of operating systems. Their recommendations helped us strengthen our perimeter defense,"

noted Rustam Nagatsuyev, head of the information security department of Maysky bank.