At a conference in July you said that some of the regulations governing the activities of banks associated with the functioning of systems, remote service accounts (RSA) and information security management system (ISMS), must follow the modern requirements. What's the problem with them?
Lukyanov: In modern conditions of development of information technologies, obviously, the document approved in 2004 cannot meet the challenges in the field of information security. Therefore, approaches to regulate issues of the remote service accounts (RSA), set by the information security instructions from 21.01.2004 №22 "About clearing settlements in the national currency in Ukraine", do not meet the needs of modern systems of "client - bank" that exist in the world today.
These approaches need to be modernized. That is why we have included this issue to the strategic development program of the information security of the National Bank of Ukraine (NBU) and the banking system of Ukraine until 2020.
112.ua: What is already done to correct these gaps in the legislation?
Lukyanov: During this time, we began to communicate with banks and gathered suggestions for improving requirements and minimizing information security risks when using RSA. We have also received information about the vision of the issue from the banks. The results were discussed in terms of Independent Association of Ukrainian Banks in July 2015.
We concluded that the practical experience of Ukrainian banks should be taken into consideration to solve the issue of RSA. It is important to follow the new trends and developments of the "client - bank" automation systems.
It should be noted that we plan to create a thematic area with the involvement of bank professionals and RSA software developers. This is to ensure information security, and its convenience for the consumer.
112.ua: At what stage is the process of building ISMS?
Lukyanov: The question of ISMS is not new for the Ukrainian banks. We rather need to talk about the further development and improvement of ISMS based on the learned lessons. The NBU Department of Information Security in July 2015 established a Working Group on ISMS. Today it is the only "communication platform" for information security issues between the regulator and banks. The Working Group allows us to consider and develop appropriate initiatives/projects documents on-line.
Today there are more than 40 banks in the Working Group on ISMS and more than 50 experts - representatives of the Ukrainian banks and associations. The participants identified five areas of work. Also, thematic sub-groups to work out other issues.
The Working Group deals with the application of the new version of line ISO/IEC standards 2700: 2013, an analysis of current approaches of ISMS audits, the question of the possibility and feasibility of using other international standards. After receiving the results, the subgroups will hold the second extended meeting.