Intelligent Security Group automated the assessment of compliance with IS regulators' requirements at Sber
Customers: Sberbank, Moscow; Financial Services, Investments and Auditing
Contractors: Intelligent Security Group (Security Vision brand)
Product: Security Vision Security Governance, Risk Management and Compliance (Security Vision SGRC and auto-SGRC)
Based on: Security Vision, a specialized platform for automating information security processes
Project date: 2019/06 - 2021/01
2021: Automating cybersecurity compliance assessment
On February 15, 2021, Intelligent Security Group announced that it had automated the processes for assessing compliance with cybersecurity standards and regulators in Sberbank using the Security Vision Security Governance, Risk Management and Compliance (Security Vision SGRC) system.
Security Vision SGRC, implemented according to Sberbank's terms of reference, gives the cyber compliance department tools to see online the current status of compliance with every required cybersecurity standard, how the standards relate to each other, and the most up-to-date information on the procedures that must be carried out to satisfy each requirement.
Department employees can now assess compliance automatically by means of:
- analysis of internal regulatory documents of the bank;
- recording of results of internal and external audits;
- execution of regular organizational and technical measures;
- automatic conformity assessment through integration with related systems.
In addition, Security Vision SGRC stores the results of past audits, tracks the execution status of related tasks assigned to adjacent departments, and its report and dashboard designer visualizes the current compliance status, drawing on any available data with fine-grained control over what is presented.
"Security Vision SGRC is a useful product primarily because as a result of its implementation, thousands of requirements of international standards and regulatory documents begin to work smoothly and for the benefit of the Customer. By automating routine compliance operations, the Customer can carry out strategic planning and identify development vectors, set trends and best practices. Moreover, the presence of auto-SGRC technology will ensure automatic and constant compliance with the requirements of international standards and regulatory documents," said Ruslan Rakhmetov, General Director of Intelligent Security Group.
"As a result of the implementation of Security Vision SGRC, we have an effective tool for monitoring and implementing compliance with the requirements of standards and regulators. At any point in time, department staff now have full knowledge of what standards need to be met, what the current status of compliance is, what the comments are, who is responsible for addressing them, when the last inspection was carried out, and when an activity is planned. The work of the department's employees was optimized: the total number of controlled requirements was reduced by 30% by identifying requirements duplicated in different standards. The next step will be the replication of Security Vision SGRC to other cybersecurity standards," said Olga Maklashina, executive director, head of the cyber compliance department of Sberbank.
"Regulatory requirements are often the engine of information security development. In the case of the first bank of the country, the scale of compliance work is enormous and is only realized with the help of the most effective IT products, which certainly include systems on the Security Vision platform created by Intelligent Security Group of Companies, a resident of Skolkovo. A separate advantage of the design approach implemented in the platform, I consider, is that it provides the solution with competitive advantages and great potential when scaling and expanding the application area. And the possibility of using mathematical models and machine learning in Security Vision products allows the Customer to be sure that these IT products will be not only effective, but also fully adapted to its business processes," said Mikhail Stewgin, head of Information Security, Information Technology Cluster, Skolkovo Foundation.
2019-2020: Building an integrated information security management system
The information security system of Sberbank PJSC is continuously developed and improved on the basis of international and national information security standards as well as global best practice. Another step in this direction was the construction at the Bank of an integrated automated information security management system (SUIB), which allows management decisions to be made quickly on the basis of objective data consolidated from many systems.
During the project, Security Vision implemented three modules on the Security Vision SGRC platform: Critical Information Infrastructure (CII), Compliance Control, and Data Governance. Each module delivered the following:
Critical Information Infrastructure (CII):
- Inventory of CII objects;
- Categorization process with automatic calculation of parameters and category;
- Threat modeling procedure and audits of compliance with FSTEC orders (including creation and tracking of tasks to remediate non-conformities);
- Visualization of all of the above processes;
- Automatic generation of report forms as required by FSTEC orders;
- Manager and expert workstations.
Compliance Management:
- Assessment procedures for PCI DSS and ISO 27001, including creation and tracking of tasks to remediate non-conformities;
- Automated assessment of a subset of requirements through integration with related systems;
- Visualization of the above processes.
Information Asset Management:
- Inventory of the Bank's business processes and the personal data they process;
- Audit of the Bank's business processes for compliance with personal data processing requirements and GDPR (including creation and tracking of tasks to remediate non-conformities);
- Threat modeling process;
- Visualization of the above processes.