Ensuring banking system information security
Information security of the banking system is a structural factor in the stability of the country's economy.
A threat model for the stability of the banking sector shows that external risks are treated as more significant than insider risks.
The principal risks in a bank's risk management system are:
- leakage of protected information: banking, commercial and official secrets and clients' personal data;
- failure or destruction of the information system, with loss of data;
- use of incomplete or distorted information when making key decisions;
- unauthorized debiting of funds from customer accounts.
The realization of any of these risks can have serious reputational and financial consequences for a credit institution. This must be taken into account when designing the information network architecture, whose distinctive features are:
- processing of large volumes of information related to clients' business and financial transactions;
- execution of transactions in various payment systems, both in batches (funds sent in several tranches, or "flights", per day) and in real time;
- a branched, complex system connected to a network of ATMs and online terminals, whose traffic must be protected from interception.
The goal of attackers, both external and internal, is to gain access to information that gives them control over other people's assets.
From this threat model, the requirements for banking information security follow:
- adequacy: responses proportionate to the internal and external threats;
- an integrated approach covering every element of the banking system, from the fast payment service to the daily backup of databases;
- high performance: the system must process huge volumes of data promptly without placing excessive load on the infrastructure;
- reliability and fault tolerance, with the ability to recover from failures in the shortest possible time;
- a broad set of monitoring tools able to identify every type of vulnerability in the bank's information security system.
Specific information security solutions, software and hardware are governed by Bank of Russia standards, which are mandatory. The general principles are set out in the Security Concept of a Commercial Bank, approved by the Council of the Association of Russian Banks (ARB; earlier AROS). The association's main task is to lobby for the interests of Russian credit institutions and to facilitate the adoption of the necessary bills and other regulatory decisions.
IS system organization principles
In a commercial bank, building an information security system starts with adopting a strategy that sets the key parameters of the solutions to be implemented.
The system is built on the following principles:
- the security of system nodes and information resources must be ensured at every stage of the data life cycle, under any external or internal circumstances;
- information is ranked by importance, confidentiality and whether it falls into a category protected under state requirements;
- a mechanism must exist for monitoring and promptly responding to every deviation from normal system operation: external connections, code substitution and the activity of malicious programs;
- every implemented solution must comply with the requirements of the law.
The core of a bank's information system is the ABS, the automated banking system that processes financial transactions and generates financial statements. Under Bank of Russia rules, reporting is submitted to the regulator not only quarterly but also daily, and all information about transactions on the accounts of clients and of the credit institution itself ends up in the ABS. Among the main ABS developers in Russia are Diasoft and R-Style. Banks used to develop their own ABS, but after the personal data protection law came into force this option disappeared: ABS suppliers must now hold FSTEC and FSB licenses for developing security software, which banks cannot obtain, since a bank's own license is exclusive and covers only financial markets.
ABS protection is in any case implemented according to the protection classes defined for systems that process personal data, but additional measures are needed to prevent leaks not only of personal data but also of financial information. The required degree of protection depends on the type of module: functional modules (for example, deposit or credit operation management) process primary information and interact with external communication channels, while supporting modules (accounting or analytical) operate on the internal network and need no external connections.
Functional modules are divided into groups:
- Front-Office. This level holds the workstations that support the bank's operational activity: processing payment orders, deposit operations and securities purchases. Employees interact directly with clients; information is collected here and passed to other offices for processing;
- Back-Office. Here, reports are compiled from the information received and forwarded to the Central Bank of the Russian Federation;
- Head-Office. The modules that provide analytics and data mining are concentrated here.
All subsystems operate in separate environments, segregated from one another by firewalls. In addition, the following must be applied:
- anti-virus protection;
- intrusion detection tools;
- cryptographic information protection facilities (CIPF);
- trusted boot facilities.
The choice of solutions depends on how much computing power the module has to spare for security measures.
Evaluation of information security efficiency
Ensuring information security of the banking system is not a static state but a set of processes, and the quality of their implementation should be measured continuously to assess their effectiveness. There are thousands of metrics that could be used to evaluate a process, and choosing among them can be a tricky decision.
An important criterion when choosing a metric is whether it can demonstrate the quality of a solution to specialists at different levels, from the chairman of the credit institution's board to an invited auditor.
Among the parameters evaluated:
- the cost of building the information security system per employee or per square meter of bank or branch floor area;
- the time for an information security incident to pass from the first SOC support line to the second;
- the time to recover the system after a failure;
- losses from ineffective account management;
- the decline in customer loyalty caused by poorly built information security processes.
The goals of developing and implementing a metrics system are manifold:
- reducing the number of ineffective or improperly built processes;
- monitoring the performance of current business processes;
- analysis of the direction of development of IS concepts;
- checking for compliance with the requirements of the regulator;
- preparation of management reports with an analysis of investments made in information infrastructure.
Metrics are divided into groups:
- incident management, where the target dynamics show a decrease in the number of incidents;
- asset management, where the metric should show a reduction in the number of network nodes without an official owner;
- the effectiveness of information security tools;
- vulnerability management, where the target dynamics show a reduction in vulnerabilities;
- risk management.
Introducing metrics means not only applying them but also revising them, so that indicators that are no longer relevant are retired.
Bank of Russia policy
Information security in the banking sector is regulated by the Bank of Russia, and the degree of regulation increases every year. Previously, credit organizations could keep silent about information security incidents; now they are obliged to report them to FinCERT within three hours of occurrence. Data on the current state of the information system is exchanged with the regulator's subdivision online, from a dedicated workstation.
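As an added worked example (written for this page; it is not the article's code, nor any bank's or the regulator's tooling), the script below computes several of the metrics listed in the previous section over constructed sample data: incidents per reporting period with the "decreasing" target-dynamics check, the median time for an incident to pass from SOC line 1 to line 2, network nodes without an official owner, the open-vulnerability trend, and, for the three-hour FinCERT deadline described above, which incidents were reported late or not at all. The record fields, the reporting periods, the sample incidents and assets, and the choice to treat the SOC line 1 registration time as the moment of occurrence are all assumptions of the example.

```python
# Added example for this page, not code from the article or from any bank or
# regulator. It computes a few of the metrics the text lists and checks the
# three-hour FinCERT reporting deadline, all over constructed sample data.
# Field names, periods and sample values are assumptions made for the example.
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median
from typing import Dict, List, Optional, Tuple

REPORT_DEADLINE = timedelta(hours=3)  # FinCERT reporting deadline stated on the page


@dataclass
class Incident:
    ident: str
    period: str                    # reporting period, e.g. "2019Q4"
    detected: datetime             # registered by SOC line 1; taken as time of occurrence
    escalated: Optional[datetime]  # handed to SOC line 2, None if closed on line 1
    reported: Optional[datetime]   # sent to FinCERT, None if not (yet) reported


def _dt(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d %H:%M")


# Constructed sample incidents (not real events).
INCIDENTS: List[Incident] = [
    Incident("INC-01", "2019Q3", _dt("2019-07-01 10:00"), _dt("2019-07-01 13:00"), _dt("2019-07-01 12:30")),
    Incident("INC-02", "2019Q3", _dt("2019-08-15 10:00"), _dt("2019-08-15 11:00"), _dt("2019-08-15 14:00")),  # reported after 4 h
    Incident("INC-03", "2019Q3", _dt("2019-09-02 10:00"), _dt("2019-09-02 10:20"), _dt("2019-09-02 11:00")),
    Incident("INC-04", "2019Q3", _dt("2019-09-10 09:00"), None, None),                                          # closed on line 1, never reported
    Incident("INC-05", "2019Q4", _dt("2019-10-20 10:00"), _dt("2019-10-20 12:00"), _dt("2019-10-20 12:59")),
    Incident("INC-06", "2019Q4", _dt("2019-11-05 08:00"), _dt("2019-11-05 08:45"), _dt("2019-11-05 09:30")),
    Incident("INC-07", "2019Q4", _dt("2019-12-01 10:00"), None, _dt("2019-12-01 10:40")),
    Incident("INC-08", "2020Q1", _dt("2020-01-06 09:00"), _dt("2020-01-06 09:30"), _dt("2020-01-06 10:00")),
    Incident("INC-09", "2020Q1", _dt("2020-01-14 14:00"), _dt("2020-01-14 15:10"), None),                       # never reported
    Incident("INC-10", "2020Q1", _dt("2020-02-03 11:00"), None, _dt("2020-02-03 12:00")),
]

# Constructed asset inventory: (hostname, owner). Empty or None owner means nobody is accountable.
ASSETS: List[Tuple[str, Optional[str]]] = [
    ("atm-gw-01", "payments-ops"),
    ("abs-db-01", "core-banking"),
    ("legacy-rep-07", None),
    ("test-vm-12", ""),
    ("front-ws-101", "branch-ops"),
]

# Constructed count of open vulnerabilities at the end of each period.
OPEN_VULNS: Dict[str, int] = {"2019Q3": 41, "2019Q4": 37, "2020Q1": 44}


def incidents_per_period(incidents: List[Incident]) -> Dict[str, int]:
    """Incident count per reporting period, keys in chronological order."""
    counts: Dict[str, int] = {}
    for inc in incidents:
        counts[inc.period] = counts.get(inc.period, 0) + 1
    return dict(sorted(counts.items()))


def median_escalation_minutes(incidents: List[Incident]) -> Optional[float]:
    """Median time from SOC line 1 registration to line 2 hand-over (escalated incidents only)."""
    minutes = [(i.escalated - i.detected).total_seconds() / 60
               for i in incidents if i.escalated is not None]
    return median(minutes) if minutes else None


def ownerless_nodes(assets: List[Tuple[str, Optional[str]]]) -> List[str]:
    """Network nodes with no official owner; the target dynamics are a falling count."""
    return [host for host, owner in assets if not owner]


def late_or_unreported(incidents: List[Incident]) -> List[str]:
    """Incidents not reported to FinCERT within REPORT_DEADLINE, or never reported."""
    return [i.ident for i in incidents
            if i.reported is None or i.reported - i.detected > REPORT_DEADLINE]


def trend_meets_target(series: Dict[str, int], decrease: bool = True) -> bool:
    """True if the series moves in the target direction overall and never regresses between periods."""
    values = [series[k] for k in sorted(series)]
    if len(values) < 2:
        return False
    steps = list(zip(values, values[1:]))
    if decrease:
        return all(b <= a for a, b in steps) and values[-1] < values[0]
    return all(b >= a for a, b in steps) and values[-1] > values[0]


def metric_report() -> Dict[str, object]:
    """One report combining the metric groups from the text."""
    per_period = incidents_per_period(INCIDENTS)
    return {
        "incidents_per_period": per_period,
        "incident_trend_ok": trend_meets_target(per_period),
        "median_escalation_minutes": median_escalation_minutes(INCIDENTS),
        "ownerless_nodes": ownerless_nodes(ASSETS),
        "late_or_unreported": late_or_unreported(INCIDENTS),
        "vuln_trend_ok": trend_meets_target(OPEN_VULNS),
    }


if __name__ == "__main__":
    for name, value in metric_report().items():
        print(f"{name}: {value}")
```

Running the script prints the report. A practitioner would replace the constructed lists with exports from the ticketing system, the asset inventory and the vulnerability scanner. Note that an incident with no report time is flagged together with the late ones: silence is exactly the case the reporting obligation exists to remove, and a metric that only measured the latency of reports actually sent would hide it.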
The main standards adopted to ensure information security of the banking system regulate:
- work with biometric personal data. Creating the conditions for storing it and preventing leaks are becoming the main tasks in banking information security. The area is governed by the Methodological Recommendations approved by the Bank of Russia in April 2019, which cover banking security in general and the mechanism for transferring data to the Unified System of Interdepartmental Electronic Interaction (SMEV) using cryptographic protection means. Leaked biometric data would let attackers use these identifiers to gain unauthorized, unimpeded access to banking services and customer assets; unlike a password, a compromised biometric identifier cannot be replaced;
- the general principles of information protection in the banking sector, set out in GOST R 57580.2, approved by Rosstandart in 2018;
- information security incident management, governed by a Bank of Russia standard also approved in 2018. It draws attention to the need to inform the regulator about every identified incident; in turn, the CBR is ready to notify banks about similar situations that have occurred with other participants in the system;
- information security audit and the methodology for assessing the quality of information process management.
Forums and conferences, where participants voice the current problems of the field and share experience, are another important aspect of maintaining information security in finance. The annual forum "Information Security of the Financial Sector" brings together representatives of the regulator, credit institutions and domestic and foreign suppliers of IT solutions. Topics include the development of cooperation in information security, fintech security, the cyber resilience of financial organizations, and new legislative initiatives in information security put forward by the Bank of Russia and by credit institutions themselves.
The regulator's main document defining the norms in force in banking information security is the standard STO BR IBBS-1.0, "Ensuring Information Security of Organizations of the Banking System of the Russian Federation. General Provisions". The Bank of Russia, which recommends that credit institutions fulfill its requirements scrupulously, declared that the goals of adopting the document were:
- increasing public and business confidence in the country's banking system;
- increasing the stability of the functioning of credit institutions of the banking system of the Russian Federation and the system as a whole;
- achieving the adequacy of measures to protect against real threats to information security;
- prevention and (or) reduction of damage from information security incidents.
The Bank has provided for phased implementation of measures aimed at eliminating the risk of unauthorized transfers of funds. The Central Bank of the Russian Federation will begin fining for non-compliance only from the summer of 2020; within a year and a half, every aspect of information security in a commercial bank must meet the GOST requirements.
Information security risk when outsourcing services
A separate standard regulating information security in the banking sector sets the criteria for information security when IT services are outsourced. It was introduced in 2018 by order No. 568. Credit organizations, often distrusting the competence of their own IT service, assign the building of information security processes to contracted specialists. The expected benefits of outsourcing are:
- improving the efficiency of business processes;
- savings and more rational allocation of resources;
- increasing the transparency and investment attractiveness of the bank's business when placing shares and bonds on the securities markets;
- reducing dependence on resource constraints.
But bringing in external specialists often increases the risk of information leaks, both of client data and of details of how data security is organized in the credit institution. This risk is multifaceted and consists of several factors:
- increased dependence of the bank's operation on the activity of an external service provider, which is critical when managing online payment systems;
- failures of infrastructure facilities that are under the service provider's control;
- incorrect assessment of the quality of the outsourcing organization's work;
- inaccuracies in the service contract that restrict the bank's activity with respect to information security requirements.
Taken together, these problems create critical threats:
- unauthorized access of external users to information arrays;
- access of third parties to the financial resources of the bank and clients;
- loss of control over business processes;
- non-compliance with the requirements of the law and the regulator.
The Central Bank of the Russian Federation warns banks that the realization of these threats can lead to information security incidents resulting in the loss of significant sums. At the same time, the service provider may be unable to compensate the loss in full: it may be as large as the balance on the bank's correspondent account with the Central Bank, which is comparable to the size of its authorized capital.
To mitigate the risk, the Central Bank establishes mandatory requirements for outsourcing arrangements:
- adopt an internal regulatory document, an Outsourcing Policy, that defines the restrictions on the service provider's work;
- carry out outsourcing according to an approved program that provides for external and internal control;
- ensure that all outsourcing activity complies with the regulatory requirements of the Central Bank of Russia;
- ensure that the service provider holds all the necessary licenses;
- stipulate in the contract with the provider liability for every type of risk named in the Standard;
- control every action involving cross-border transfer of information;
- treat every outsourced function as part of the bank's own activity, controlled by its internal control services.
If these conditions are met, the risk of loss of information and assets is reduced, the stability of the banking system of the Russian Federation and the confidence of citizens in it increase.
Role of FinCERT
FinCERT, a unit responsible for monitoring and preventing critical information security incidents and staffed by information security specialists, plays a special role in the structure of the Bank of Russia.
This division of the regulator has developed and approved the basic principles for ensuring the information security of the banking system for 2019-2020:
- improving legal regulation of the system and clarifying existing normative acts;
- ensuring the information security and cybersecurity of banks' information infrastructure;
- ensuring the information security and cybersecurity of software used to protect information assets and clients' personal data;
- compliance with information security rules in the development and implementation of data processing technologies;
- improving the quality of financial technologies;
- increasing public confidence in the financial system as a whole;
- using the opportunities offered by the international community.
Over the three years of the division's work in these areas, the level of risk and the number of cybersecurity incidents have decreased. The regulator and the banking community are pursuing structured, purposeful security in the banking system, which helps guarantee the stability of the economy as a whole.