Creating and Modernising Information Security Management Systems

An Information Security Management System (ISMS) consists of a system of organisational and technical measures to ensure information security, as well as an information security management system which ensures the continuous operation of the ISMS as a system of managing information security.

FBK offers services in creating and modernising your ISMS based on Russian and international standards and best practices, including on the basis of the ISO/IEC 2700x group of international standards, which includes Russian analogues.

For banking organisations, the ISMS can be created by implementing the provisions of the Bank of Russia’s Standard on Information Security Management Systems (ISMS) in the Banking System of The Russian Federation 1.0 2010, taking into account both the standards mentioned above, and the specifics of the Russian banking system, in particular, the provisions of Federal Law No. 152 FL “On Personal Data”.

Irrespective of the standard selected, however, creating or upgrading ISMS includes the following types (stages) of work:

1. Preliminary assessment of the current state of information security
Before starting work on implementing an ISMS, we propose carrying out a rapid assessment of the organisation’s Information Security Management System in comparison with the standard that has been selected to create the system. The assessment is carried out in accordance with the standards ISO/IEC 27002:2005 and the National Government Standard (GOST) R ISO/IEC 17799 according to our methodology. For banking organisations, this rapid assessment can be carried out based on the relevant provisions of the Bank of Russia’s Standard on ISMS in the Banking System.
This will give you an idea of the current level of maturity of the information security management processes, and also identify ways in which to implement ISMS.

2. Developing an action plan to implement the ISMS
According to the results of the rapid assessment, a detailed action plan is developed to implement the ISMS.

3. Developing internal documents on information security
At this stage, based on the analysis of the organisation’s information systems, we develop the basic provisions of the general and private information security policies, provisions, regulations, instructions and other internal documents which organise the functioning of the ISMS.
The organisational and administrative documents thus developed increase the qualitative level of the ISMS and are in compliance with the recommendations of global best practice.

4. Identifying information assets
The process of analysing information security risk is based on defining a list of what has to be protected, and from whom and how.
In determining protective measures, the assets that need to be protected, as well as their associated infrastructure, are identified. Some assets and infrastructure elements (for example, hardware, software and facilities) are clearly identified, but some assets, facilities and resources, such as experts and supplies, are often overlooked. Information assets, that is valuable information, are even less obvious. When identifying assets, intangible values must also be taken into account which are subject to breaches and violations in the information security regime, such as company reputation and staff morale etc.

FBK is ready to provide services for the development and implementation of the system to identify and audit information assets, taking into account procedures to:
  • identify information assets;
  • classify information assets in terms of their criticality to operational business processes and the severity of the consequences suffered when they lose important properties vital to information security - confidentiality, integrity or availability and access;
  • define the mutual relationships and influences between information assets and infrastructure elements;
  • identify the vulnerabilities of information assets.

The identification of information assets by FBK’s experts will meet the requirements set down by the National Government Standard (GOST) R ISO/IEC 27001 / National Government Standard (GOST) R ISO/IEC 27005, which will provide the basis for creating an effective ISMS and an information security risk management system, as well as ensure the optimal allocation resources while ensuring information security.

5. Creating an ISMS and assessing the risk of information security breaches and violations
The use of a risk-based approach when building a ISMS is a vital step in the transition to a new qualitative level of corporate governance. In addition, this approach lies at the heart of most modern domestic and international standards, including National Government Standard (GOST) R ISO/IEC 27001, National Government Standard (GOST) R ISO/IEC 27005 and the Bank of Russia’s Standard on Information Security Management Systems (ISMS) in the Banking System of the Russian Federation etc.
FBK is ready to provide services in developing and implementing risk management in information security, which consists of the following groups of processes:
  • Selecting the method (approach) which will be used to conduct a risk assessment.
  • Identifying of area of risk assessment (the context).
  • Risk assessment (measuring the degree of probability that the threat will occur and the severity of the consequences arising from threats to information security, risk assessment and ranking).
  • Risk processing (selecting and implementing measures aimed at reducing the risk to an acceptable level).
  • Monitoring and controling the information security risk management system.
  • Information security.
  • Improving the information security risk management system.
The system of information security risk management, created with the participation of FBK’s experts, will meet the requirements of National Government Standard (GOST) R ISO/IEC 27005, the recommendations of the Bank of Russia’s Standard on ISMS in the Banking System of the Russian Federation 2.2 2009 “Method of Assessing Risks of Breaches and Violations in Information Security”, as well as international best practice.
FBK experts can perform the information security risk assessment procedure, for example, to launch the risk management ISMS itself or run it as part of your regular procedure.
FBK experts have developed and propose to introduce an original methodology based on mathematical methods of fuzzy calculations in order to assess information security risk. This approach allows us to obtain a quantitative estimate of the total possible risks of violations and breaches in information security on the basis of qualitative or interval estimates of the private risks to information security.

6. Developing a plan to ensure the continuity of operations and disaster recovery (CO&DR Plan)
On the one hand, regulating and monitoring agencies have already made the presence of a CO&DR Plan a mandatory requirement in many sectors.
On the other, the presence of a working CO&DR Plan ensures the sustainability of business activity and minimises the potential financial losses from an interruption in the organisation’s operations.
A CO&DR Plan requires continuous updating, so the CO&DR system should therefore include in its structure:
  • a test program for CO&DR Plans;
  • detailed procedures which staff should undertake when abnormal and emergency situations arise;
  • templates for audit documents when experiments and tests carried out;
  • a development strategy for CO&DR Plans.
The CO&DR system created with the participation of FBK’s experts and taking into account the recommendations of the international standard BS 25999 (National Government Standard GOST 53647), Parts 1 and 2, as well as best practices for information systems, ensures compliance with the requirements of Regulation 242 P “On The Organisation Of Internal Control In Credit Institutions and Banking Groups”, increases confidence in the relationship with clients and other organisations, and enables them to assess their ability in terms of the CO&DR plan using agreed and recognised methods.

7. Introducing a management system for information security incidents
Typical policies or information security safeguards cannot fully guarantee the protection and integrity of information, information systems, services and networks. After implementing any protective measures, weak points always remain which limit the effectiveness of information security. In addition, new, previously unidentified threats will arise in the future. Emerging information security incidents are potential threats with a direct or indirect impact on business processes, as well as information about the current state of the ISMS and its future development.
The structured and systemic approach to incident management created and put forward for implementation by FBK, includes:
  • the detection and notification of information security incidents and their evaluation;
  • a response to an information security incident, including activation of the appropriate protective measures for the prevention and mitigation of and/or recovery from negative effects (as laid down, for example, in the CO&DR Plan);
  • drawing lessons from information security incidents, introducing preventive protective measures and making qualitative improvements in managing information security incidents.
The system for managing information security incidents is built with the participation of FBK experts, taking into account the recommendations of the standard National Government Standard (GOST) R ISO/IEC 18044 and best practices in information management systems. This provides an objective fixation and evaluation of events and incidents of IT and information security, which is the basis for creating a functioning system for managing information security.

8. Developing a role model for access to information assets
When working with the user in the information system (IS), it is essential to ensure the functional operations and access to the system’s resources on the part of the user, while at the same time protecting these operations and resources from unauthorised access.
Allocating each user individual settings for access rights to functions and data information is fraught with error, i.e. the provision of either excess or insufficient rights to the IS, which in turn either reflect the possibility of taking independent and uncontrollable actions that are critical to the organisation, or to the account becoming inoperable.
Managing role-based access is provided through a centrally managed object - a functional role obviously means a set of permissions for access to a given set of data and functions of the information system. The functional role is assigned to the user upon registration in the information system for the performance of specific job functions.
When creating a management system for role-based access, it is necessary to:
  • make an account of existing business processes and the staff positions involved therein;
  • make an account of information systems used and their functional possibilities;
  • define a set of functional roles of access, which include only the functions and rules of access to the information assets necessary for the operation of existing business processes;
  • compile a description of the functional roles in an access matrix;
  • adhere to the separation of powers principle when creating roles, including prohibiting the inclusion in one role of an aggregation of powers unacceptable for inclusion in one role;
  • adhere to the separation of powers principle when assigning roles, including in defining a prohibition on the employee’s authorisation for roles that are inadmissible for assignment to one employee;
  • organise change management in the access matrix by identifying the owners of the functional roles (as one of the types of information assets).
The management system for controling access to information assets, based on the functional roles and built with the participation of FBK’s specialists, enables rules to be defined for demarcating access which are clear and comprehensible to users of the computer system. Differentiating role-based access allows for flexible access rules, with the ability to upgrade the rules during the operation of the information system without violating the principles of information security.

9. Training and increasing awareness of information security
Responsible compliance with the requirements of information security entails ensuring that the organisation’s employees are aware of the measures it has taken in this area and undergo periodic training and instruction in information security.
FBK’s experts offer seminars and lectures at FBK’s Economics and Law School, develop instruction programs and offer training by relevant departments at the client, as well as systems to certify the implementation of training programs and increase awareness of the need to audit information security.

Carrying out the procedures outlined above will create a system in the organisation which ensures information security in compliance with current standards and best practices.

Our LJ-account carries a series of articles on creating Information Security Management Systems on the basis of the standards ISO 27001/27002, which are conducted by FBK’s experts. The articles explain the general principles involved in creating an ISMS and which are proposed in the standards. They will help you to make a conscious decision to conduct the appropriate measures, including with involvement of FBK’s experts.

Alexey Terekhov, FBK Partner and Vice-President for Auditing and Consulting Services to Financial Institutions, is always ready to tell you more about our services in information security and personal data protection for financial institutions.
E-mail - bank@fbk.ru

FBK’s services in information security:


Back to the section
Send request
E-mail*
Contact information
Who are you? How can we contact you? (phone, Skype, other)
Question*
Please type in the symbols shown in the image below*
* - Required fields