Leta assessed the compliance of IAC-Bank's IT infrastructure with cybersecurity standards
Customer: IAC-Bank (financial services, investments and audit)
Contractor: Leta (IT company)
Product: external IT and security audit projects (including PCI DSS and SUIB (ISMS))
Project date: 2011/03
Leta, a provider of standardized IT services, has announced the completion at the commercial bank IAC-Bank of a project to comprehensively assess the compliance of the security of the bank's information infrastructure and its processing center with the key cybersecurity standards: the Russian standard STO BR IBBS-1.0, the international Payment Card Industry Data Security Standard (PCI DSS), and the regulatory framework for personal data protection.
The work at IAC-Bank was based on the comprehensive approach to information security for financial and credit institutions implemented in Leta's dedicated service "All cybersecurity standards. Banks". Leta emphasizes that the original methodology developed by its specialists enables the bank to meet all requirements of STO BR IBBS-1.0, including its provisions on personal data protection. In addition, since the bank processes payment cards, the methodology also covers the requirements of PCI DSS.
The project followed the standard scheme and consisted of three stages. The first was devoted to surveying the information systems. The scope of the project covered the bank's employees, its technical and information systems, the processing of payment cardholder data and personal data performed in them, and the supporting information security measures. The methodology used for the project work is based on the long-term experience of Leta's experts and meets the relevant requirements of the standards as well as domestic regulatory documents on data protection.
Overall, a broad range of work was performed within the project at IAC-Bank: analysis of the bank's infrastructure and of its organizational and administrative documentation on cybersecurity and adjacent areas, and a survey of the business processes in which payment card data and personal data are processed, with recommendations for correcting them. Leta's specialists also prepared the required reports on personal data security, assessed compliance with the standard using the STO BR IBBS methodology, and prepared recommendations for bringing the customer's information system into compliance with it.
In addition, a compliance assessment of the information infrastructure against PCI DSS was carried out in accordance with the PCI DSS Security Audit Procedures, and a Report on Compliance, an Action Plan, and an expert opinion with recommendations for bringing the infrastructure into compliance with PCI DSS were prepared.
At the next stage the collected information was analyzed and the reporting documentation was developed. To assess the bank's compliance with STO BR IBBS-1.0-2010 and PCI DSS v1.2.1, and to establish how personal data (PDN) is processed both with and without automation tools, Leta's experts studied the documents used in the bank's operations and held a series of interviews with staff of the divisions involved in processing personal data and payment cardholder data, as well as the divisions responsible for maintaining the IT infrastructure and ensuring information and general security.
To eliminate the identified shortcomings, at the final stage of the project Leta's specialists, drawing on the assessments obtained, developed a set of documents containing conclusions on the degree of compliance of the information systems of the commercial bank IAC-Bank with the above standards, together with specific recommendations for bringing the cybersecurity system into compliance with STO BR IBBS-1.0-2010, PCI DSS v1.2.1, and the regulatory framework for personal data (PDN) protection. Notably, these recommendations covered both the bank's main information systems and the information infrastructure of the processing center.
Going forward, IAC-Bank intends to continue, based on Leta's proposals, the work of bringing its information systems into compliance with the above information security standards and to implement the necessary technical and organizational measures.
"This project is extremely important for our bank. Exact knowledge of the full set of changes that need to be made in the system to guarantee compliance with the requirements of all fundamental cybersecurity standards is the foundation without which starting specific projects would be extremely risky," said Sergey Solomonov, head of the automation department of IAC-Bank. "Considering the special complexity of this task, we selected Leta as the contractor."