Customers: VTB 24 Moscow; Financial services, investments and audit
Contractors: DeviceLock (before Smart Line)
Product: DeviceLock Endpoint DLP Suite
Project date: 2013/08 - 2013/10
On October 28, 2013, the DeviceLock company announced that VTB 24 bank had acquired its solution of the same name (DeviceLock) to minimize information leaks and prevent the introduction of destructive programs.
Project Progress
The Bank applies an approach that minimizes the risks associated with information security violations at all stages of an information system's lifecycle and at all levels of information exchange.
"Ports and external input-output devices are one of the main sources of the threats of information leakage and the introduction of destructive programs in any information system. To minimize these threats, it is necessary to use a tool for managing and controlling the use of ports and input-output devices. Before DeviceLock was implemented, controlling unauthorized use of ports and input-output devices required considerable effort and was insufficiently effective," said Dmitry Shponko, head of the data protection department of UIB DB of VTB 24 Bank. "At the time the Bank acquired the DeviceLock system, there were no alternative solutions with similar functionality on the Russian market. During its operation in the Bank, the system has proved to be a functional and reliable solution for centralized management of access to, and control of the use of, external devices."
Assessing and monitoring the state of information security and the security of the Bank's information systems is an integral part of the general process of controlling the operation of the Bank's information system. When evaluating the state of information security, the Bank is guided by the national standards of the Russian Federation, the standards of the Bank of Russia, international information security standards, and the information security requirements and recommendations of federal bodies such as the FSB of the Russian Federation and FSTEC.
Every year, as part of the Bank's general audit, external auditing companies are engaged to audit and assess the state of information security.
To keep the state of information security in the Bank at the required level, a comprehensive approach is applied that minimizes the risks associated with information security violations at all stages of an information system's lifecycle and at all levels of information exchange.
"We use risk-focused and process-focused approaches to the operation and improvement of the system of information security support in the Bank. Ports and external input-output devices are one of the main sources of the threats of information leakage and the introduction of destructive programs in any information system. To minimize these threats, it is necessary to use a tool for managing and controlling the use of ports and input-output devices. Before DeviceLock was implemented, unauthorized use of ports and input-output devices was blocked either by physically disabling particular interfaces or by blocking them at the BIOS level. With the growth of the computer fleet and its geographic dispersion, and with the emergence of peripheral devices (printers, scanners, webcams and others) that have a USB interface, managing the connection and disconnection of devices by such methods became impracticable. Accordingly, the relevance of the threats connected with information leakage grew, and the question of the need to introduce a system of centralized management, monitoring and control of external devices into the Bank's information system became acute," says Andrey Gennadyevich Dolgovykh, the assistant head of the data protection department of the Management of cybersecurity of DB of VTB 24 Bank (public joint stock company).
When the Bank was choosing a solution for managing and controlling the use of ports and input-output devices, there was effectively no alternative to the DeviceLock system on the Russian market. Operating experience with DeviceLock in the Bank showed that the product is rather functional and reliable. With the implementation of DeviceLock, enforcement of the Bank's information security policy regarding the management of ports and input-output devices was significantly optimized, and a number of internal regulatory documents for this process were developed.