
Case Studies

Examples of successful implementations of InfoWatch solutions

InfoWatch has already carried out a number of projects to enable top Russian companies to meet the requirements of several laws and industry regulations, including the Basel II agreement, the information security standard of the Central Bank of the Russian Federation, and the American SOX law. InfoWatch Implementation Department specialists have valuable experience helping some of the largest and most complex corporations in Russia to implement rigorous standards to comply with these regulations. Additionally, many government departments and agencies—such as the Ministry of Finance, the Ministry of Economic Development, the Customs Service, and others—are currently using the IWES solution.

Industry: Banking industry

Customer: “Vneshtorgbank”

Situation: Design an efficient system to manage operational risks in accordance with the requirements of the Basel II agreement (the method of calculating AMA) and create an efficient information security system within the framework of the standard of the Bank of Russia.

Solution: The IWES solution enabled Vneshtorgbank to meet the basic requirements of the Basel II agreement (§§660, 664, 666, 732 and 734) and implement an operational risk management system to use with the calculation methods of AMA. The resulting information security system met all the requirements of the standard of the Bank of Russia. By doing this we achieved all the goals set for the project.

Solution Advantages: The customer suggested its own management strategy to manage normative risks that reflect its day-to-day business objectives and plans for the future, as well as a unified universal platform to meet the standard requirements of the Central Bank of the Russian Federation in information security, the requirements of the Basel II agreement and the American SOX law. As a result of this effort, the customer saved money as it no longer needed to increase capital to manage operational risks, and it significantly improved its market profile.

Industry: Banking industry

Customer: “SDM-Bank”

Situation: SDM-Bank needed an operational risks management system to meet the Basel II requirements for the advanced risk calculation technique (AMA). They also needed to build a manageable information security system in accordance with the standard of the Bank of Russia.

Solution: We designed an operational risks management system based on the IWES comprehensive solution according to the Basel II requirements for the AMA calculation technique (§§664, 666). In addition to this, the customer minimized reputation risks (§§732 and 734) using IWES. And the designed and implemented information security system met all requirements of the standard of the Bank of Russia.

Solution Advantages: Aside from the immediate project objectives, the customer created its own normative risk management strategy and received a unified universal platform. This enabled the bank to automatically meet the standard requirements of the Bank of Russia for information security, the Basel II agreement and the American SOX law. As a result of this effort, the customer saved money because it no longer needed to increase capital to manage operational risks. It also significantly improved its market profile.

Industry: Telecommunications

Customer: “VympelKom”

Situation: VympelKom needed an internal control system that would be compatible with the base principles of the British Code (Turnbull Guide) and the American SOX law (paragraph 404).

Solution: The implementation of the IWES comprehensive solution made it possible to meet the requirements of the Turnbull Guide. This included implementing an efficient means of internal control that would be subject to external and internal audit, creating a comprehensive risk management system, and fully addressing normative and operational risks. By doing this we achieved all goals set for the project.

Solution Advantages: The customer suggested its own management strategy to manage operational and normative risks that reflected its day-to-day business objectives and plans for the future. Likewise, it created from scratch a unified universal platform, allowing them to meet the requirements of the Turnbull Guide, and to save money on compliance with any other international, foreign, or Russian rules and regulations.

Industry: Power Production

Customer: “UK HydroOGK”

Situation: UK HydroOGK required an efficient internal control system to comply with the provisions of the British Code (Turnbull Guide) and the American SOX law (paragraph 404).

Solution: The implementation of the IWES comprehensive solution made it possible to realize the required internal control mechanisms. It also provided for automation and access to internal and external auditing of information processes, and provided the management with the ability to guarantee a high level of efficiency while carrying out internal corporate control. By doing this we achieved all the goals set for this project.

Solution Advantages: The customer was given a comprehensive normative risks management system meeting its specific business objectives. In addition to the compatibility with the British Code, the unified universal platform made it possible for the customer to meet the requirements of the ISO 17799 standard and build an efficient information security management system complying with the fourth development level of the COBIT standard.



«InfoWatch is not the best or the worst solution. InfoWatch is what really works!»

Vasily Andreevich Okulessky, Chairman of the Information Security Department for the “Bank of Moscow”


The Bank of Moscow is a major Russian bank providing a diversified range of financial services to companies and individuals. In the course of its operations, the Bank of Moscow has in its possession significant information assets, the majority of which are confidential.

Additionally, the operations of the Bank of Moscow, just as any other financial institution, are governed by various Russian and Western regulations and standards, for example, the standard for information security of the Bank of Russia, the Basel II agreement, the Code of Corporate Conduct of the Federal Service of Financial Markets, and others.

Before implementing the InfoWatch Traffic Monitor comprehensive solution, the Bank of Moscow had already successfully deployed and operated an external threats security system. However, the bank did not yet have proper protection against internal threats.

In order to provide information security at the Bank of Moscow, the Information Security Department had to solve several specific issues. Among them were the following important issues:
  1. Control over outgoing e-mails to prevent eventual leaks of restricted information.
  2. Limited control over incoming e-mails including spam filtering.
  3. Archiving of e-mails including various restricted messages automatically generated by technical services.
  4. Shadow copying, in full or in part, of documents—or portions thereof—while making copies to portable media or external devices connected via computer ports (such as USB, COM, IrDA, and others). They also needed the ability to take the appropriate response to this type of copying and perform content analysis.
  5. Online content analysis of Web traffic.

Vasily Andreevich Okulessky, Chairman of the Information Security Department of the “Bank of Moscow”: “With large amounts of information that we have at our bank, we cannot solve the above-mentioned objectives by manual checks done at the Information Security Department, these objectives require automation and they have to be executed in one interface operated by information security officer.”

In 2008 components of InfoWatch Traffic Monitor were installed at servers and workstations at the Bank of Moscow. InfoWatch Implementation Department specialists in conjunction with the Company LETA-IT, a system integrator, helped deploy the system and provided consultations to information security department staff members.

“We tried a number of solutions and found out that each solution has advantages and disadvantages, but, in terms of functionality, they basically do the same job. However, we have to note that many solutions use ideas developed by InfoWatch quite a while ago. By cut and try method our bank found the solutions that make us feel comfortable; these solutions are good for us as they work for us. These solutions are the ones developed by InfoWatch”, said Vasily Andreevich Okulessky.

VTB (Vneshtorgbank) [Foreign Trade Bank] is the country's largest commercial bank in terms of its volume of authorized capital, valued at 52.1 billion rubles. The Government of the Russian Federation is the primary shareholder of the bank, owning 99.9%. According to figures in published reports, as of June 1, 2006, the Open JSC VTB had 118 billion rubles of its own funds, and it owned 752 billion rubles in stock. The Bank enjoys the highest rating among Russian banks from international rating agencies, such as Moody’s Investors Service, Standard & Poor’s, and Fitch. Russian ratings agencies traditionally place VTB in the highest reliability category.

Within the context of its development concept as a federal networked bank, VTB offers its clients services through its extensive branch networking, including more than 200 client service offices. The bank is represented by twelve branch offices, daughter and associated banks abroad.

Prior to installation

One of the reasons for VTB's success in its commercial activities is that VTB utilizes the latest achievements in high technology everywhere the bank operates. A computer organization network encompasses more than ten thousand jobs distributed throughout its service area, and all of the key business processes are integrated into the IT system. However, information technologies carry their inherent, and well known, share of risks, related both to the malevolent outside environment (viruses, spam, hacker attacks), as well as to threats from the inside, such as professional espionage, competitor intelligence, and other premeditated and careless actions by employees of the organization. Moreover, while Vneshtorgbank has been utilizing an entire arsenal of means to protect itself from external attacks against its IT infrastructure, the problems involving internal security defense have required immediate attention.

«Particular to work within the VTB network is that it involves the circulation of large quantities of data that represent commercial and bank secrets. Without necessary protection for this type of information offering quality services to clients is unthinkable, and the reputation of the organization is under a constant threat. It is namely for this reason, that it is a priority of the bank's information system development to install a reliable defense for confidential information,» reports Oleg Smoly, Chief Specialist of Security Assurance Management at the Open JSC «Vneshtorgbank».

Since VTB offers services to physical entities, it also has at its disposal a bank of personal data on regular citizens. A breach of this information could deal a heavy blow to the company's reputation, lead to a client base reduction, and could undermine the trust of investors and partners. Moreover, already by then, the State Duma was discussing a bill «On Personal Data» (by the time of project installation, the bill had already become Federal Law). Hence a breach of citizens' private information could, in the foreseeable future, lead to a sequence of court cases and significant legal costs.

By adopting a solution to install a system of defense against internal threats, open JSC VTB specialists based their thinking on Bank of Russia IT security standards, as well as on provisions of the Basel II Accord, in terms of its plan to minimize operational risks. Each of these regulations requires an organization to get insiders under control and prevent a leak of classified information. First of all, Bank specialists turned their attention to e-mail resources, as this is the most vulnerable communication channel of all in terms of data leakages and abuse on the part of employees. As a result, the Open JSC VTB was faced with the following tasks:

- get the channel of electronic mail under control, in order to prevent a leak of confidential and personal data;
- ensure archiving of all e-mail traffic to complete a subsequent retrospective analysis, for example, when investigating incidents;
- satisfy the IT requirements of the Bank of Russia standards in terms of archiving electronic mail and protecting against insiders;
- minimize the portion of the operational risk from a breach of classified information, and thereby address the requirements of the Basel II Accord.

Moreover, the customer posited the following purely technical requirements for the installation solution:

  1. The product shall be sufficiently productive and failure-free, so as to process an average of 10 GB of e-mail traffic per 24-hour period, and to guarantee that the maximum delay time of one message does not exceed 1 second.
  2. The confidential information filter should be able to process not just standard file formats, as stipulated by the developer, but should also be able to process internal customer formats.
  3. The solution shall be sufficiently well programmed that it can filter additional data types and formats.

All of these requirements were formulated at the pre-project stage, after which the customer held open bidding, having published its technical and business requirements.

Choosing the solution

Open JSC VTB experts conducted a deep comparative analysis of the monitoring and electronic mail archiving products that are available on the Russian market. They paid particular attention to how they fulfilled such requirements as the capability of building upon a product for an eventual comprehensive solution in order to cover all vulnerable communication channels in the organization (Internet, printers, work stations, etc.). Moreover, open JSC VTB specialists wanted to obtain a programmed solution that would make it possible to add new functionality to support additional file and data formats. To meet these goals, the Bank representatives tested out the operational characteristics of the solutions in a specially designed network test segment. Based on the results of this testing, the leadership of the open JSC VTB decided upon the following two products:

- InfoWatch Mail Monitor — a software product designed to prevent leaks of confidential information via the corporate e-mail system. It scans e-mail traffic (the text of e-mails and attached files) in real time and blocks the transmission of correspondence that contains or could contain confidential data.
- InfoWatch Storage — a software product designed to archive electronic correspondence under the framework of the corporate e-mail system with the capability of conducting further analysis. The real time module compiles copies of electronic letters, places them into storage and makes it possible to conduct an analytic selection from it to investigate cases of data information leakages.

The capability of being able to expand the selection of products to include a comprehensive solution, such as InfoWatch Enterprise Solution to cover additional communication channels, was awarded the highest of praise by the customer. Moreover, open JSC VTB specialists separately noted the high productivity levels of traffic monitors and electronic mail storage. In its operational mode, the InfoWatch Storage system, working off only one dedicated server, is capable of processing 50 thousand letters, or 10 GB of traffic daily, and of supporting real correspondence archiving over a period of no fewer than three years. Moreover, the module completely satisfies the requirements for guaranteed maximum delay time per one message. Finally, InfoWatch technical specialists enabled its filter to support a specific internal file format for the open JSC VTB, as well as offer the capability of adding to the content base filtration new confidential data in that format. Hence, InfoWatch products were completely able to handle the organization's intense flow of information.

The following were also among the other arguments in favor of choosing the InfoWatch company solutions:

- a wide spectrum of accompanying and consulting services: not only a "turn-key" installation solution, but also full-fledged integration of the system to protect against insiders with the existing complex IT security system within the company;
- its expertise in implementing projects of this scale in extremely large commercial and government organizations;
- the capability of modernizing and updating a comprehensive solution as per the needs of the customer;
- the innovative nature of the supplier company: InfoWatch architects and designers are always on the leading edge of the IT market. They are constantly perfecting mechanisms to protect against leakages and insiders, and they update their products and introduce elements of innovation into the customer's IT infrastructure. In so doing, all new versions of InfoWatch products are available to its customers at no cost as part of its technical support.

By having analyzed the advantages of InfoWatch company solutions, open JSC «Vneshtorgbank» specialists chose to remain with this particular supplier. Thus, the leader of the Russian financial sector affirmed the superlative characteristics of InfoWatch products.

After installation

Over the course of three months, the project to install InfoWatch Mail Monitor and InfoWatch Storage was completed in accordance with a step-by-step plan, set up jointly by both the customer specialists and the supplier. A cluster consisting of two nodes was created within the information infrastructure, upon which the InfoWatch Mail Monitor modules were installed under the management of Red Hat Linux. Every day this cluster filters the e-mail traffic of more than 5 thousand users at the open JSC VTB's central office. This cluster ensures a balance between load capacity and durability against breakdowns. The maximum delay time of one e-mail message is guaranteed not to exceed one second. The centralized InfoWatch Storage archive has been placed outside the cluster and is located on a separate server. As a result, the customer obtained an effective and productive system of e-mail channel protection against insiders and leakages. All project goals have been achieved.

Customer experts highly praised the InfoWatch Storage functionality and load stability. This module makes it possible not only to archive corporate correspondence, but also has powerful capabilities for subsequent retrospective analysis. As a result, the leader of the Russian financial sector had at its disposal an instrument to conduct effective investigations of internal IT security incidents, as well as one that offers many business objectives. Moreover, the InfoWatch Storage module met with outstanding success in handling the intense e-mail flow of the open JSC «Vneshtorgbank», achieving on average 10 GB per 24-hour period.

Final analyses

Once InfoWatch Mail Monitor and InfoWatch Storage were installed, the customer acquired an effective and manageable system of e-mail channel protection against insiders and leakages. By using InfoWatch company products, the customer was able to achieve partial compatibility of its IT infrastructure with the Federal Law "On Personal Data," the Central Bank IT Standards, the Basel II Accord and the requirements under section 404 of the American SOX Act.

We should note that, as a result of installing InfoWatch company products, the customer not only resolved the issue of internal threats, but also saved significant amounts of money on implementing its regulatory strategy. The bank was able to fulfill a portion of requirements of three regulatory acts all in one fell swoop, with the assistance of one single IT security solution. In so doing, open JSC «Vneshtorgbank» acquired the capability of adding the installed product to the comprehensive InfoWatch Enterprise Solution. These promising events make it possible to create a maximally effective system of protection against leakages and insiders, as well as ensure compliance with the requirements of all listed regulatory acts in the sphere of internal threats.

«We remain satisfied with the installation. Now, whenever necessary, our bank can sufficiently swiftly add installed products to the InfoWatch Enterprise Solution and thereby create a full-fledged system of protection against leaks and insiders. In the process, we have already become convinced that InfoWatch products are highly productive and maximally breakdown-free. In addition, InfoWatch technical specialists have enabled support through its filter of our internal file formats, which has made it possible to quite successfully incorporate the new solution into our IT infrastructure. Quickly and without losing transparency,» — was the conclusion drawn by Oleg Smoly, Chief Specialist of Security Assurance Management at the Open JSC «Vneshtorgbank».

Hence, the leader of the Russian financial market can work effectively with personal client data and with corporate confidential information, without fearing that this information will be «leaked» via electronic mail.



«GidroOGK» protects itself against leakages

In terms of its installed capacity, the open JSC «GidroOGK» is one of the largest hydropower generation companies in the world. At the completion stage of its formation, the company will have under its wings about 50 Hydroelectric Power Plants with a total installed capacity of 23.3 GW. Hence, it is difficult to overestimate the significance of this company's business for Russia's economy.

Meanwhile, from the standpoint of technology and the heterogeneous nature of its work, this is one of the most complex information systems around. The open JSC «GidroOGK» IT infrastructure encompasses the central office local area network (about 800 work stations and 45 servers), and distributed networks including about 50 hydroelectric plants (about 200 work stations and 7 servers). In other words, the computer network of this federal power generating company amounts to about 10.5 thousand work stations and 350 servers.

In addition, while the work stations and file servers operate under Microsoft Windows, the e-mail servers use both Microsoft Exchange, and Linux Sendmail. Hence, the IT infrastructure of the open JSC «GidroOGK» is, to an extremely great extent, both far flung and heterogeneous.

Today, information systems play a critically important role in the company's activities. Confidentiality and integrity of classified data, accessibility to IT resources, and the ability to operate business processes without interruption are all factors upon which the business success of this energy giant relies.

Prior to installation

The development of the energy resources market, coupled with the constant growth of the open JSC «GidroOGK», has pushed IT security to the forefront. Prior to installing the comprehensive InfoWatch Enterprise Solution, the company already had in place a system for protecting against external threats. However, the problem of insiders and leakages remained a puzzle. Meanwhile, the qualities of the internal environment of the organization bore witness to the fact that it was critically vulnerable to internal attacks. More than 10 thousand computerized work stations, hundreds of servers and various communication channels were all resources placed at the disposal of insiders, and which, at any point in time, could be used to steal confidential information. Hence, the open JSC «GidroOGK» held a tender to design and install systems of protection against insiders and leakages that was expected to meet the following requirements:

- the information security [IS] system being created shall effectively protect against internal threats (leaks, distortions, destruction of confidential information, and violation of the uninterrupted flow of business processes by insiders) and shall incorporate mechanisms of internal control in accordance with the requirements in section 404 of the SOX Act;
- the solution being installed to protect against internal threats shall be comprehensive in nature and shall cover all paths through which confidential information can flow out of the organization (electronic mail and Internet, printers and removable storage devices at work stations, wireless networks and mobile devices);
- the internal IS system shall be as transparent as absolutely possible, in other words, it shall not complicate access to information or slow down the customer's business processes in those cases, in which insider actions match the security policy;
- the solution to protection against insiders and leakages shall be completely controllable and shall be capable of being integrated into the corporate IS system;
- the corporate IS management process shall comply with European standard ISO 17799.

«The power industry is something very serious. The lights should not go out, therefore it is extremely important to have a completely controllable and effective IT security system that will protect against both external and internal threats, as well as comply with international standards (ISO 17799) and legislative acts (SOX). One of the most complex requirements which we have identified for our system to protect against leaks and insiders is that it be comprehensive. It is obvious that in order to ensure effective protection against internal threats, it is necessary to shut down all possible channels against leaks, and get under control all sites at which classified information is processed. In the meanwhile, at the stage at which we determined our objectives, we were not even sure whether or not sufficiently effective and comprehensive solutions even existed on the market. However, as it turned out later, such solutions were already represented on the Russian market», — commented Garàld Bandurin, IT Technologies Director for Open JSC «GidroOGK».

System selection

Over the course of several months, specialists from the open JSC «GidroOGK» thoroughly studied and analyzed the market for systems protecting against insiders and leakages. Experts reviewed not only the technical function capabilities of the products and the degree of their maturity for use in a company of this magnitude, such as the open JSC «GidroOGK», but they also reviewed the range of accompanying services being offered by various suppliers. After a detailed analysis of the various options the choice was made in favor of a comprehensive solution, namely InfoWatch Enterprise Solution, supplied by the Russian company InfoWatch.

The solution selected addresses the entire spectrum of internal threats (leaks, distortions, destruction, sabotage, and the like) and it covers all of the channels of communication that are used in the company. The following were the most germane arguments in favor of choosing the InfoWatch Enterprise Solution:

- InfoWatch specializes specifically in protecting against leakages and insiders, and it has experience in implementing projects in very large corporations and government agencies;
- the InfoWatch Enterprise Solution is the only one on the Russian market that offers a sufficient degree of complexity: it covers electronic mail and Internet channels, all possible work station ports (USB, COM, LPT, FireWire, IrDA, Bluetooth, etc.), and it protects against leakages through printers and the like;
- moreover, as part of a comprehensive solution the InfoWatch Storage module includes a component that compiles and archives absolutely all of the corporate correspondence and all network traffic. An outstanding feature of this product is also its capability to conduct powerful retrospective analysis. This module is integrated into the system of protection against leakages and has no other analogous competitors.

InfoWatch Enterprise Solution components work at a sufficiently high rate of productivity, which makes it possible to effectively control gigantic volumes of traffic within the customer's IT infrastructure. Solution modules are stable under high loads and make it possible to verify traffic in real time and block leaks, as well as store correspondence and web data in a centralized archive.

In addition to active functionality, the product has extensive passive capabilities as well: absolutely all operations performed by employees with confidential information are written up in a protocol and are stored in an event journal, and then in a data base. In this way, it is possible to conduct a detailed retrospective analysis of the actions completed.

The distribution of roles used in the InfoWatch solution makes it possible to avoid the problem of the super-user and ensures «control over the controller». Thus, the human factor problem is minimized, as are ill intended actions by insiders who have an elevated sense of power.

The comprehensive solution offered by InfoWatch Enterprise Solution is completely centralized and controllable. Authorized individuals can program various solution components from a single console, and this significantly reduces administrative solution costs.

InfoWatch company supplies a wide range of accompanying and consulting services both in the realm of ensuring compliance with regulatory acts, and in the area of building an effective system of protection against insiders and leakages. InfoWatch experts install "turn-key" solutions and provide the customer with expansive technical support in the way of a personal manager.

Having summed up all these factors, the leadership of the open JSC «GidroOGK» figured that there are no analogous options on the Russian market to the comprehensive InfoWatch Enterprise Solution, and that InfoWatch Enterprise Solution fully satisfies expected requirements. Hence, the decision to go with this supplier was unequivocal.

Pre-project

InfoWatch company was faced with the task of designing and installing an information security system for open JSC «GidroOGK», a huge, widely geographically dispersed company with a large set of varying information systems, including manufacturing.

At the time work began, the customer's IS management processes were at the infant stages of the maturity model in terms of compliance with the COBIT maturity model standard. In other words, the company had already documented evidence indicating that the organization was conscious of the fact that it was having IS security problems. However, the management processes being used were not standardized and they were applied episodically and not systematically. There was no common management approach to information security.

By conducting a detailed analysis of the IS in the open JSC «GidroOGK», InfoWatch specialists drew up a schedule for carrying out work to meet the requirements and desires of the customer, as listed in Table 30.1.

Table 30.1. InfoWatch company work plan to create in open JSC «GidroOGK» systems of confidential information protection against leakages and insiders.

| Step No. | Description of step | Execution time frame |
|---|---|---|
| 1 | IT audit of customer system out of compliance with IT security management standard ISO 17799 conducted. As a result of the audit, InfoWatch experts get a general picture of the state of IT systems, the degree of their impact on the organization's business processes, the state of IT-security management processes. | 1.5 - 2 months |
| 2 | Develop general principles and approaches to securing IT-security and memorialize it in a special document called "IT-Security Policy". The Policy created should take into consideration the specifics of the customer and the results of the audit. The life cycle of the Policy should include mechanisms for making decisions and constant realization of the provisions in the documents. Moreover, the Policy should pertain to all subdivisions of the customer without exception. | 3-4 months |
| 3 | Design a Protection Plan, a document necessary for actualizing the IT-Security Policy. The protections in the Plan go step-by-step, adhering to the "top-down" principle, and benchmarks should be defined to integrate the Policy into the customer's management and business processes. By adhering to the Protection Plan and in close cooperation with the customer's corresponding services, develop documents such as the Regulations on Confidential Information, the Policy on Reacting to IT-Security Incidents, a Policy on Working with Mobile Computers, and more than 10 other documents. | 4-5 months |
| 4 | Where necessary, acquire several new software products that meet industry requirements for the customer and which are necessary for installation | 4-5 months |

As a result of implementing the work plan, it was determined that a system protecting against internal threats should be built, along with an IT-security management system that satisfies the requirements of regulatory acts.

Post installation

The project started in 2005 and was completed in 2006. All of the goals of the project were met. Harold Bandurin, IT Technologies Director for Open JSC «GidroOGK», comments on the achieved results as follows:

«We highly value the quality and precision of the work completed by InfoWatch company. All of the work was done as planned, and the system of protection from insiders and leakages that ensued satisfied all of the requirements laid out».

The IS management system that was built (Figure 30.1) was evaluated as a «level-four maturity model» (in accordance with COBIT maturity model standards). In other words, the customer is ensured monitoring and evaluation of compliance in organizational processes; when low efficacy is identified in IS management processes, they are optimized; management processes are continuously improved; and IS management automation tools are used.

The system of protection against insiders and leakages that was built fully takes into consideration the specifics of open JSC «GidroOGK» operations. Actual operation of various components of the InfoWatch Enterprise Solution within the customer's IT infrastructure, while still at the installation stage, has made it possible to identify a whole host of illegal insider activities in violation of the IT-Security Policy. All of these operations were blocked in real time and were immediately reported to the IT security officer. Although it was determined that none of the identified and blocked insider actions were committed with evil intent, but were due to carelessness, the result could have been just as deplorable. Hence, by using InfoWatch's comprehensive solution, we have been able to minimize the most dangerous risk, namely the violation of confidential information.

Conclusions

As per the results of the project, the open JSC «GidroOGK» leadership made the decision to collaborate strategically with InfoWatch company.

«Overall, we are interested in the further development of our own IT security system. Moreover, it is very important to our company to constantly augment the efficacy of the system of protection against internal threats. Despite the fact that all the goals of the project were achieved, we still made a decision to establish strategic partnership relations with InfoWatch. This will enable us to order modifications of individual solution components and additional modules as per our specific requirements. We will also be able to conduct effective investigations of internal IT security incidents», — stated Harold Bandurin, IT Technologies Director for open JSC «GidroOGK».

Thus, one of the largest hydropower generating companies in the world has already built an effective, reliable and completely controllable IT security system. Unlike many similar projects, the installed solution is not only in compliance with ISO 17799, section 404 of the SOX Act, and the system requirements «of a level-four maturity model» of the COBIT maturity model standard. It also addresses one of the most dangerous groups of risks in IT security: confidential information leakages, financial reporting distortions, sabotage and other insider threats.





Yuriy Lysenko:

I know many banks where information security earns a direct profit

Yuriy Lysenko, Head of Information Security at "RosEuroBank", answers questions for "CNews Analytics".

CNews: In your opinion, how much of the bank business is dependent on IT and information security systems?

Yuriy Lysenko: Any bank, even a small one, is highly dependent on information systems and technologies used in its daily operations. In the first place IT has an impact on the whole process of maintaining business, on the speed of rendering services by a bank to its customers. According to RBC experts, our bank's call-center has entered the top five Russian banks! This suggests that our call center not only has competent personnel, but also a well developed technological base. It helps us to quickly find all the information a client requires. Without using IT technologies it would be impossible to achieve such a result!

In addition, according to the study "Customer Experience Index - 2008: Who is the leader in the retail banking business in Russia?" conducted by the audit company "PricewaterhouseCoopers" and the marketing company Senteo, «RosEuroBank» has entered the Top 20 most customer-oriented banks in Russia. Naturally, we would not get such flattering reviews on our service from our customers without well developed IT technologies.

With regard to informational security systems, these should be present at every bank. And their main intended purpose should be to manage the risks of information losses and thus to reduce the likelihood of temporary downtimes associated with equipment malfunctions as a result of incidents in the IS field. Well then, of course informational security products are needed to protect the confidential data of our customers from leaks and to keep it safe from the bank's sometimes unfair competitors. They also protect the bank's secrets and personal data of the banking staff.

CNews: In your opinion do financial regulators exaggerate the role and importance of IS?

Yuriy Lysenko: In my opinion, it is not only unexaggerated, but I can even say it is underestimated - because banks hold the most massive amounts of confidential information, leakage of which threatens serious consequences for the bank itself, and for its clients.

This is not just about the need to protect the personal data of customers, but also information constituting bank privacy (payments, posting, the movement of funds on an account). Accordingly, such an incident would lead to a loss of a bank's reputation, the outflow of clients and financial losses for the bank.

CNews: Can we say that a bank IS is more an expense item rather than something bringing in profits?

Yuriy Lysenko: It is different for each bank. I know many banks where information security earns a direct profit, but this is due to the fact that some aspects of working with clients are assigned to the IS department. For example, there is the generation of keys for the clients of the "Client-Bank" system. This is a paid service; it is necessary to pay money for it. Accordingly, when an information security service does this operation, it makes a direct profit. In other cases, it is usually considered to be part of the expenses. But this is only partially true.

In fact, expenses for IS lead to lower risks of confidential information losses and financial risks, and consequently it reduces the bank's losses related to possible incidents in IS field.

CNews: What are the most pressing problems which security services have to deal with in financial institutions?

Yuriy Lysenko: The most pressing problem is the protection of confidential customer data. This is the softest spot of banks, which can result in the greatest financial losses.

The second problem is the maintenance of efficiency of technical systems of the bank, so that the entire IT infrastructure works smoothly and does not hinder its business processes.

CNews: Do you feel it is justified to establish a system of mandatory disclosure of information leakages in Russia?

Yuriy Lysenko: In Russian conditions I consider that starting such a practice is somewhat premature, judging by the maturity level of Russian business. To date, the development process of business has not yet reached a stage where the mandatory disclosure of information leaks could bring a benefit both to companies and their customers.

Rather it would be better for Russia to follow the example of the West - the practice of notifying customers about any discovered leakages of their confidential information. The customer has the right to know that his confidential information can be at risk, and it needs to be protected.

And in fact informing customers about the incident does not necessarily threaten the image of the bank, even to the contrary, the fact of notification, if done the right way, may be a demonstration of a client-oriented direction of a bank. And also it can indicate that a bank has made every effort to protect the compromised information. The customer will come to understand that people are thinking about him and taking care of him!

CNews: Do you feel the changes in the nature and quantity of informational threats?

Yuriy Lysenko: Changes in the nature of threats are not so great, but the number of threats continues to grow with each passing year, especially with the development of new IT technologies. In the last couple of years internal leaks of confidential information were the most common. They were many times greater than external threats (hacker attacks, viruses, spam attacks).

This leakage of information, initiated by insiders, brings the greatest losses to financial institutions. In this regard, I was genuinely surprised that Russian insurance companies have still not seriously thought about the problem of IS internal threats, even though internal threats would lead to direct monetary damages for them.

Unscrupulous competitors using the extracted confidential information can easily take away customers from an insurance company or bank by simply offering more favorable terms of insurance or credit. Russian banks in this respect are more advanced.

CNews: What criteria do IS Services use when selecting a new solution? Do they use risk management methods?

Yuriy Lysenko: When we speak on internal threats to informational security, then the basic requirement is to find an integrated solution. It should allow for monitoring all possible channels of leaks - the Internet, e-mail, removable media, and printers - that is, all those areas where information can leave the perimeter of the informational borders of the company.

This is also economically profitable, since most of the cost-based part is for the initial expenses for installation and implementation: as further investments are not so great. It is this criterion we used when we selected a solution to use against internal IS threats - from the InfoWatch Company.

At the same time, it was necessary to cover all the departments, because leakage could occur from any part of the corporate network. The objectives of the implementation have been achieved in general; but in the process of project implementation we discovered an incompatibility of InfoWatch solutions with our software and hardware systems. Therefore, the product has been adapted to work with our company's equipment.

Of course, elements of risk management were also used to a certain extent in this process. In general, the grounds for the implementation of a certain solution in the field of IS is a “presentation” of real examples of leakages and modeling of incidents that really occurred in the market. As well as the modeling of the consequences of leakage (including the calculation of how much the bank may lose in monetary terms as a result of a leakage).

CNews: How would you evaluate the ratio of technical and organizational costs of IS?

Yuriy Lysenko: Organizational costs are very important, because an essential point is the training of users. A financial institution should maintain a general atmosphere of informational security so that employees know the basics of IS: starting with such banal things as locking a computer before leaving the workplace.

For example, when leaving home we lock the door of our apartment, right? At the same time for some reason most of the office personnel consider it to be normal to leave a computer unlocked, when leaving the workplace. But damage to the bank may in this case be ten times greater than the losses to the owner of an apartment who leaves the front door unlocked. We work against this actively!

There are also a number of other organizational measures that may be applied to financial institutions. Our Bank has recently held a contest among employees of “RosEuroBank” for the best information security slogan. 132 versions were sent in. As a result of intrabank voting winners were selected and awards were handed out.

The contest was held in order to ensure that employees feel the importance and the need for providing IS in the bank, that they develop a sense of responsibility for confidential information they work with.

Currently we are preparing posters with the 10 best slogans; screen savers will be made. All this is done to remind employees that they have a great responsibility, and must not violate the requirements of IS.

At the same time the ratio of technical and organizational measures in financial institutions must be of equal proportions. Of course, we trust our employees, but the task of the IS service is monitoring of their compliance with the requirements of IS!

CNews: Are you satisfied with the quality of the applied solutions? Are there any plans for further modernization of the IT and IS systems?

Yuriy Lysenko: As I mentioned earlier, one of the main risks facing the banking industry institutions is the risk of leakage of confidential data - information being the bank secrets and personal data of the bank's clients.

For protection against this type of IS threat, our bank is currently implementing a solution from the Russian company InfoWatch. It is one of the leaders of the domestic market of protection against internal threats systems, which supplies integrated solutions for information security.

Already implemented is one of the information transfer control modules. At the stage of implementation is the control module for flow of information to the Internet, including Web mails, forums and chats, as well as a module controlling work of the user with removable storage devices and data conveyed on a printer.

In parallel, updating and improvement of embedded InfoWatch solutions are in progress, because the company itself is constantly working to develop its protection systems, taking into account the wishes of our customers.

Our effective co-operation began in 2006. The company's solutions are fully satisfactory to us, allowing “RosEuroBank” to cut off all possible channels of information leakage. And the decisive factor in selecting new InfoWatch software became the complexity of protection and excellent customer support. But, of course, we are also working with other vendors in other segments of security.

CNews: How is the process of training of responsible personnel being arranged in your bank?

Yuriy Lysenko: First, each new staff member employed by “RosEuroBank” is trained by a specialist from the Information Security Office. The newcomer is informed about the current bank regulations which apply to IS (rules for working with the computer, e-mail, the Internet). As well as on what kind of information is considered a commercial or a bank secret - this is a minimum one hour course in IS basics.

In the event that any external or internal threat to IS occurs, the Information Security Office sends out newsletters. Also, a periodic audit of the security system, including the control checks of staff using the social engineering methods, is performed. After this all the staff members are informed on the results of this test. In the end, we can say that we are actively using the system of distance learning of IS basics and specifics in banking sector enterprises.

CNews: Thank you.
