Which banking systems can be outsourced


This article continues the series of publications on whether information systems can be transferred to a professional cloud services provider, and on the restrictions that apply. Today we will talk about the restrictions set by 161-FZ “On the national payment system”, as well as about the protection of banking secrecy.

As defined in 161-FZ, the National Payment System (NPS) is a set of organizations that interact according to the rules of the payment system in order to carry out cash transfers, including the payment system operator, payment infrastructure service operators and payment system participants, of which at least three organizations are remittance operators.


Participants of the National Payment System

As follows from the definition, the National Payment System has several important members. The first are payment system operators: legal entities that determine the rules of the payment system in accordance with the requirements of the legislation. A payment system operator need not be a credit institution; it may be any legal entity that meets the requirements set out in 161-FZ.

Another participant is the remittance operator. This role is usually taken by credit institutions that interact with clients and follow the requirements of 161-FZ and other laws, including Regulation 382-P of the Bank of Russia.

Examples of NPS participants include banks, owners of payment terminals (Qiwi, Eleksnet, CyberPlat, etc.), companies that perform cash transfers (Unistream, Golden Crown, etc.) and companies that offer deployment of payment infrastructure services (Western Union). At the same time, any bank is at least a participant of the Bank of Russia payment system, and has to follow all the requirements of Russian legislation in the field of information security when carrying out cash transfers.


NPS Security Requirements

In accordance with Art. 27 of the Federal Law dated 27.06.2011 N 161-FZ “On the national payment system”, the key regulators in the field of information security in the payment system are the Bank of Russia, FSTEC of Russia and FSB of Russia. FSB of Russia and FSTEC of Russia monitor fulfillment of the requirements for information security methods. The Bank of Russia adopts normative acts to regulate relations in the national payment system and monitors compliance with information security requirements in the implementation of remittances.

161-FZ “On the National Payment System” is supported by several regulations, most of which are documents of the Bank of Russia. Among them are the decree of the Government of the Russian Federation of June 13, 2012 N 584 “On Approval of the Regulations on the Protection of the information in the payment system”, which establishes general requirements for information security in the NPS, and Regulation № 382-P of the Bank of Russia, dated June 9, 2012, which makes them concrete. Additional requirements are imposed by the rules established by the operator of the payment system that the bank has joined.

An important point of the first document is that NPS participants may engage third-party organizations that hold the necessary licenses for information security work. IBS DataFort holds a license issued by FSTEC for the protection of confidential information.


Information Security Requirements and IBS DataFort Services

Each requirement is listed below with the services offered by IBS DataFort to fulfill it.

1. Distribution of roles and responsibility
Requirement: Defines the requirements for the registration of persons who have different levels of access to protected information and to the objects of the protected information processing environment, and the requirements for the control and logging of the activities of such persons.
Services offered by IBS DataFort:
• Virtual machines and data backup
• Information encryption in storage and transmission
• Assured destruction of information, including physical storage devices
• Infrastructure monitoring
• Information security monitoring and events logging, including by the use of certified means
• Data leak control and prevention (DLP)

2. Ensuring information security throughout the automated systems’ life cycle
Requirement: Defines the requirements for protecting information at every stage of the automated systems’ life cycle and for ensuring that the data protection requirements are implemented (development of product requirements, software development, testing, operation, introduction of changes, backup protection, restoration of data protection in case of failures, decommissioning, information destruction).
Services offered by IBS DataFort:
• Virtual machines and data backup
• Information encryption in storage and transmission
• Assured destruction of information, including physical storage devices
• Infrastructure monitoring
• Information security monitoring and events logging, including by the use of certified means
• Data leak control and prevention (DLP)

3. Management and access control
Requirement: Defines the requirements for managing and controlling access to confidential information and to the objects that process such information, using a set of organizational and technological measures (identification, authentication, events logging, etc.).
Services offered by IBS DataFort:
• Certified virtualization protection, embedded in the computing power platform
• Information protection from unauthorized access (including certified means) by the use of multifactor authentication

4. Antivirus security
Requirement: Defines the requirements for protection from malicious software (including the use of technical means to protect data from the impact of malicious code), as well as the need for measures to prevent the spread of malicious software and to eliminate the effects of exposure to such code.
Services offered by IBS DataFort:
• Antivirus security (including certified means)

5. Control over internet usage
Requirement: Sets organizational and technical requirements for data protection when interacting with the Internet (firewall protection from unauthorized access, etc.).
Services offered by IBS DataFort:
• Certified virtualization protection, embedded in the computing power platform, including a certified firewall
• Protection of the information against unauthorized access (including certified facilities)
• Intrusion Detection and Prevention (IPS / IDS)
• Protection against DDoS attacks
• Scan of virtual machines, operating systems and network devices for vulnerabilities

Source: IBS DataFort, 2016

The second document, Regulation 382-P, sets out the requirements for data protection in the implementation of cash transfers. A substantial part of these requirements can be covered by the IBS DataFort portfolio of information security services. Many of these requirements overlap with those of the PCI DSS standard, considered earlier.


Bank Secrecy Guarantees

161-FZ establishes for the first time that not only banks but all NPS subjects must guarantee banking secrecy and must protect information about the methods used to ensure information security, personal data and other information defined by law. Information protection requirements are set by the Government of the Russian Federation.

Article 26 of Federal Law number 395-1 “On banks and banking activity” defines bank secrecy as the “secret of operations, accounts and deposits of its clients and correspondents.” The law contains no restrictions on transferring such IT functions to an outside provider of IT services. One of the main factors impeding this process is the conviction among representatives of financial sector entities that a provider is unable to meet the requirements of regulatory bodies. There is a perception that IT service providers do not understand the specifics of financial institutions in terms of information security.

IBS DataFort offers to implement all the necessary organizational and technical measures to protect banking secrecy on its platform. These include management and access control based on role models; control of network traffic (firewalls, intrusion detection tools, network packet analysis, protection from attacks); the use of encryption during transmission and storage of data; virus protection; backup; event monitoring and management of information security incidents; and services for the creation of regulatory documents and conformity assessment.

One advantage of IBS DataFort is that many protection measures are already included in its offers for computing resources, data storage resources and data services. Thus the client financial institution is not required to allocate additional budget to ensure compliance. In addition, the time needed to connect to the services and to carry out information system deployment projects that take the information security requirements into account is reduced by 2-3 times.

The successful, long-term cooperation of IBS DataFort with financial sector companies confirms that IT outsourcing services are possible in the financial sector.