Project

Development of an end-to-end system of information security support for Smartbank

Customers: Smartbank

Moscow; Financial services, investments and audit

Product: Projects of external audit of IT and security (incl. PCI DSS and SUIB)

Project date: 2013/01 - 2013/04

Smartbank provides a range of banking services and transactions that require information security (IS) measures for the IT systems involved, at a level that meets the existing legislation of the Russian Federation and the requirements of the Bank of Russia. The bank's operational processing must comply with the federal laws on personal data (No. 152-FZ) and on the national payment system (No. 161-FZ), and the entire IT infrastructure must comply with the Bank of Russia standard BR IBBS, "Information Security Support of the Organizations of a Banking System of the Russian Federation".

AST was selected through a competitive tender as the contractor for the project to develop an end-to-end information security system for the bank and bring it into compliance with regulatory requirements. AST offered the best terms of project implementation and fully met the qualification requirements.

The project objective covered the full range of issues in protecting the data held and processed by the bank's information systems, including the following tasks:

  • Determining the current state of cybersecurity and protection measures at the start of the project.
  • Identifying the most effective measures to provide the necessary level of security for the information system and its compliance with the requirements of federal legislation.
  • Engineering design of an end-to-end personal data protection system.
  • Providing a conclusion on the results of the compliance check against the requirements of 152-FZ.
  • Development of regulatory and administrative documentation in compliance with the requirements of 152-FZ and 161-FZ.

The project work covered the bank's entire IT complex, including the main banking information system and its connected subsystems, the server park, the network infrastructure, and all workstations. Work was performed at all offices of the financial institution, including the now-closed office in Ufa. The term of implementation was 7 months.

The following work was carried out within the project:

  • Preliminary survey and collection of initial data about the customer's information system.
  • Documentary analysis of the security of the external and internal perimeter of the local computer network (LCN), and development of recommendations for improving the security of the network infrastructure.
  • Initial assessment of how well the current level of information security of the bank's information systems conforms to the requirements of industry standards and federal legislation.
  • Analysis of the organizational and administrative documentation governing the cybersecurity regime, and development of recommendations for its improvement.
  • Development of a threat model that takes the industry threat model into account. Analysis of the security risks connected with the realization of those threats against resources of the Bank's information system, using the RS BR IBBS 2.2 2009 methodology.
  • Development of recommendations for improving the effectiveness of the Bank's cybersecurity management system and of the processes and procedures that support it.
  • Development of the technical design for a Personal Data Protection System (SZPDN).
  • Development of regulatory and administrative documentation according to the requirements of 152-FZ and 161-FZ.
  • Implementation of protection tools and cybersecurity procedures.

Sergienko Inna, Head of complex information security support of AST Ltd: "In the course of the project we needed to draw on the combined expertise of several technology and industry divisions of our company. Smartbank does not have a very large physical structure, but it provides developed financial services, which are supported by a whole pool of IT solutions and information systems. This entire pool required inspection and bringing its level of information security into strict compliance with the requirements of the regulator and the legislation of Russia. We carried out very laborious work, as a result of which we fully succeeded in solving the tasks that were set for us".