NPF Safmar, with the help of Technoserv, brought its cybersecurity processes into line with the new requirements of the Bank of Russia
Customers: NPF Safmar
Contractors: Technoserv
Product: IT outsourcing projects
Project date: 2020/04 - 2020/07
2020: Project to assess the fund's information security systems and bring them into compliance with the Central Bank's provision
On August 25, 2020, Technoserv and NPF Safmar (part of the Safmar industrial and financial group) completed a project to assess the fund's information security systems and bring them into compliance with Bank of Russia Provision No. 684-P.
Bank of Russia Provision No. 684-P of April 17, 2019 is the key document regulating data protection in the financial sector. In addition to general requirements for an information security system, the document specifies the need to check that system periodically with the involvement of third parties. Following a tender, Technoserv was selected as the contractor for this project.
An audit of the fund's IT infrastructure and business processes was the first stage of the joint work. More than 15 information systems were analyzed, and a number of interviews with the fund's business divisions were held to determine the scope of the assessment. At the next stage, the company assessed whether the technical and organizational information protection measures taken at the fund comply with the requirements of 684-P and GOST R 57580.1-2017. Final conformity assessments were then obtained in three areas of data protection: "technology measures", "security of the software" and "security of information infrastructure".
Based on the work carried out, detailed recommendations for raising the level of information security were prepared, the fund's relevant policies and regulations were updated, organizational and administrative documentation on data protection was developed, and the necessary supplementary procedures that guarantee the security of financial information systems were described.
"The requirements for information security systems of non-credit financial institutions have become more complicated, their volume has increased, and there is still little implementation practice. Some of the organizational and technical protection measures, and about 400 of them are set out in GOST R 57580.1-2017, are not easy to implement in practice, since the features of the existing IT solutions and of the organizational and staffing structure have to be considered. Specialists of Technoserv and NPF Safmar jointly worked through the key issues and proposed different options and methods of implementation that do not contradict the set requirements," said Denis Shmyrev, director of the information security competence center at Technoserv.
For example, implementing the requirement to organize accounting of the machine-readable media built into PCs and server hardware was very labor-intensive. However, an optimal solution was found: GOST R 57580.1-2017 allows a financial institution to decide to implement an organizational measure by applying a technical measure, so it was proposed to use the existing IT infrastructure management tools to carry out the measure. This will make it possible to meet the requirement while giving the fund the chance to optimize its accounting costs.
"The multi-layer data protection system described in Provision 684-P and GOST R 57580.1-2017 should be checked and improved constantly. We did a considerable volume of work and completed the first stage of the project to bring the information security systems into compliance with the requirements of the regulator's new provisions. The fund is ready for daily implementation of the relevant information protection measures," noted Alexey Shobolov, head of the Information Security Center of NPF Safmar.