Rosbank, together with Jet Infosystems, introduced a sGRC system based on the RSA Archer platform

2021: Automate vulnerability management in sGRC

Rosbank, together with Jet Infosystems, has completed the automation of the vulnerability management process in sGRC. As part of the development of sGRC, Rosbank also implemented several integrations with scanning systems for vulnerabilities of infrastructure, code and libraries, even containers. This was reported on April 30, 2021 by Jet Infosystems.

The implementation of the GRC-class sGRC platform (Governance, Risk and Compliance) was envisaged by the strategy for the development of information security of Rosbank, within the framework of which a process model was created, and a sGRC solution based on RSA Archer was chosen as a tool for building, automation and measuring efficiency.

The ambitious goals of strategic information security at Rosbank can be realized thanks to the integration of systems and the reengineering of processes using sGRC. Such a multi-module platform will consolidate information from various IB processes in a single interface, thereby ensuring their visualization and transparency in order to quickly obtain information about the current state of information security. As of April 2021, thanks to sGRC, the IB risk register was formed, which serves as the basis for a risk-oriented approach to information security management in the bank. In addition, relationships between processes and automatic reporting in various areas of the IB have already been built, for example, the management of vulnerabilities and incidents of the IB, "said Mikhail Ivanov, director of the information security department of Rosbank.

The development of the sGRC is implemented by an agile team of the same name Archer. The team was expanded by additional analysts and developers from the Jet Infosystems.

The Agile Kanban format was not chosen according to the fashion trend, it was necessary to change fragile processes iteratively, first introducing a little changes and then delivering each process, each additional functionality in the system. As everywhere, at the start there was no detailed picture of the target process, and we could not afford to wait a long time for the waterfall project, while maintaining significant IB risks for the bank. Over time, we became really fast, result-oriented and flexible - developing and expanding. At the stage of the "throw march," it was necessary to quickly attract additional specialized experts, in which we were helped by partners, "said Alexander Kondratenko, Product Owner, head of risk management and development of Rosbank's information security processes.

Working in sprints, different team members simultaneously:

• analyzed current processes, describing them - business analysis;
• analyzed how they can be implemented in the system - system analysis;
• created minimum operating functional units in the system - development;
• tested in a separate environment in a bank, gave feedback on improvement and refinement;
• migrated to the production environment sGRC with a description of the new functionality and Demo for users.

{{quote 'To implement the planned changes and due to the format of the work, we needed a flexible system, a kind of designer that allows us to quickly make changes. The sGRC Archer system is best suited for our tasks. It allows you to work in the Agile format and independently make changes, automate all new and new bank processes, integrate data sources using the API, build dashboards, track KPI and KRI, build work in the system, perform a refusal to work by e-mail, saving the most important thing that each person has is time. As of April 2021, the following processes were implemented: exception management, asset management, IB risk management and incident management, "added Alexander Kondratenko. }}

With the help of the solution, we were also able to reduce the number of routine operations of Rosbank's first line SOC. Previously, when receiving reports of IB incidents, bank specialists had to manually fill out incident cards in the application processing system used. Now this activity is automated, and the time released by specialists can be directed to more priority tasks, "said Anna Bogdanova, head of the directions of the SOUNDand sGRC of the Information Security Center of the Jet Infosystems company.

The RSA Archer platform is used at Rosbank as a single tool for interaction on most IB issues. Every day, with its help, about 50 users from the information security side make various decisions, and in total about 700 bank employees are involved in the automated IB processes. The future plans of the credit institution are to increase the number of IB processes covered by the platform and scale it to adjacent IT and business processes.