OREANDA-NEWS. Informzashchita has completed a project to create an information risk management system (SURIB) for the Bank of Moscow. With the system, the Bank can identify information security risks by various categories (by department, by banking product and by automated system), determine risk reduction steps and evaluate their effectiveness.

The SURIB system is based on the Bank of Russia security standard STO BR IBBS. The risk evaluation procedures and methods defined by the regulator were adapted to the Bank of Moscow's current needs and supplemented with best practices offered by ISO and ISACA.

Informzashchita professionals collected all the required data on the bank's information infrastructure and on information security incidents for the last five years. Vulnerability scanning was used to check all the key infrastructure components. The research covered over 100 divisions of the Bank, 50 information systems crucial to the business and 1000 types of file resources and paper documents.

Manual processing of such a large volume of data would have taken more than 1.5 years. Informzashchita professionals therefore developed a prototype of an automated solution that helped to analyse and structure the data within a short period of time. The prototype script was handed over in full to the Bank for further development on a system basis.

"The work resulted in identifying seven information systems with a maximal risk factor", said Lev Fisenko, Informzashchita financial institutions department director. "Some risks were attributed a cost evaluation. The Bank received data on the divisions' dependence on information resources, on the systems' importance and on protection means. The implemented information security risk management system enhanced the level of the Bank's information assets protection and will now ensure an optimization of costs for the whole information security system development".

"The Bank of Moscow obtained visible results allowing it to put into practice a risk-oriented approach to information protection issues", commented Vasily Okulessky, the Bank of Moscow information security division head. "One of the key indicators of the project quality is the fact that at present the Bank of Moscow fully complies with the Bank of Russia standard requirements applied to information security (in respect of information security risk management); the Bank was attributed the highest - 5th - level of compliance with group indicators М12, М13, М14".