Event Recording

Roman Chaplygin - Developing a Strategy for Business-Aligned Information Security

Keynote at the European Identity & Cloud Conference 2014

May 13-16, 2014 at Munich, Germany

Good morning, ladies and gentlemen. Sorry, we are a little bit late, but traditionally the first full EIC day starts very early, so I think we will manage to get the time back. I would like to introduce you to Roman, who joined us from Delta bank in Moscow. He will talk to you now about implementing a security strategy at his bank. Okay, thank you, Roman.

Thank you, everybody. Good morning. I'm glad to see you so early in the morning. How can I start? Okay, great. I want to share with you my experience, which I got recently at Delta Credit bank, and this experience is about the development of an information security strategy, a business-oriented security strategy. Why do we need an information security strategy? What does it give to us? As any strategy, an information security strategy gives us a clear vision of what, when and how we should do to get better security. And when our strategy is focused on our company's business, it also simplifies the dialogue with business and gives us a centered effect.

And how can we understand that we need an information security strategy? If some of these topics may be applicable to us. For example, we do a lot of security tasks, but our business doesn't think that we are doing something useful. It may be when we don't know what our business needs, or our business doesn't know what security activities give to it. Also, it may be expressed when security agreements are not made or security tools are not used. And the worst case is when information security requirements do not allow the business to grow or block its interaction. Let's see what we need to avoid such situations.

In Delta Credit, we thought that for this we need a systematic approach, and we can start from the development of a business-oriented information security strategy. For such a strategy to be close and understandable for business and at the same time reflect information security interests and goals, we make it taking into account the business strategy and goals, applicable risks and threats, company and business specifics, and culture. And of course, the strategy development process should be consistent and include generating a base of information security elements for implementation, determining directions of information security development, setting goals and objectives, identifying metrics, and obtaining and procuring resources. And then our strategy gives us coordination of information security and business actions, efficient use of resources, an increased data protection level, and benefits from information security activities.

So when we clearly understand what we need and want to develop our own information security strategy, we can make it by following these steps. First of all, we should collect as much information as possible about the current situation and use this information as a base for the strategy. Then we should analyze our business and IT situation and select from the base those points which may be useful for them. Also, we have to remember the main information security goals, and finally we should group the selected information security activities into directions for development, provide clear relationships between these directions and the business, and submit it as a strategy. Maybe it seems easy, but let's see how it is in fact. On the first step, for the best preparation, we can gather and consolidate information about existing security measures and means, analyze information security standards and best practices, verify compliance with internal and external requirements, assess what we call the information security social status within the company, analyze threats and risks, monitor external and internal information development trends, and assess the impact of concerned parties on information security.

In Delta Credit, as a base of information security elements, we looked at and fixed the real situation, the security processes and tools which we already had. And we used the Russian central bank information security standard as a list of requirements which must be implemented. For your business, you can use and fix your own situation and the security requirements which are applicable directly to you, for example PCI DSS or some other standards, etcetera. For understanding our compliance level, we held a self-assessment and fixed which requirements we don't meet, and marked the relevant elements in the base as critical for implementation. For understanding employees' attitude to information security, we held a survey and got feedback from our colleagues to identify areas that need further clarification and popularization, and also checked them in the base. For concerned parties, we tried to understand the interests of external parties and their impact on information security, and thought about how we can use their interests for our benefit.

Also, we didn't forget to look at external factors and considered how they affect us and how we can handle them. For example, we see the strength of socialization through the internet, and when we are hiring young employees, we have to take into account their interests. We can't completely restrict access to the internet without violating their rights and freedoms, and to resolve this problem we could provide full internet access for them, but maybe at specific times, for example for one hour at lunch or after the work day, and control their activities by DLP. And as you can guess, we included these elements, making internet access quotas and DLP, into our base. Risks and threats: on this slide you can see that we analyzed information security risks and included measures for risk minimization and threat handling into the base of information security elements. For this you can use internal risk assessment results or incident statistics, if you have such, or external information risk surveys. Okay, for the second step. As you can understand, at the first step we made a huge base of information security elements which we need for defined reasons. And now we need to select the most important elements for implementation, group them into directions for development, and make the relation between information security activities and business needs.

There is an example of this huge base. You can see that we added some elements from the previous steps into our first set of basic information security elements. And then we provide correlation of business and security activities. We look at business development areas, which we can get from the business strategy or business plans, and choose measures and technologies from our base for supporting business activities. For example, our business wants to increase the quality of offered services, and information security can support it by monitoring and analyzing users' actions and preventing wrong actions. Or our business wants to increase risk management, and we can support it by implementing an information security risk management system and processes. In general, correlation of business and security activities looks like shown on this slide. We take the business and IT strategies, allocate areas that can be supported by information security, and based on this, taking into account business development trends, we form directions of information security development and include in these directions elements from our base. For each direction of information security development we set goals and objectives; to control goals implementation we develop metrics, and the most important in this is to use the SMART approach for goals and objectives setting.

There is an example of strategic correlation. Business set implementation of competitive conditions as a strategic goal. IT is ready to support it by increasing the speed of data processing, and information security can support it by providing real security without sacrificing performance. Real security without sacrificing performance is a goal of the information security strategy. This goal can be achieved through development of the following areas: move protection to the network level, for example, and guarantee continuity of security tools and measures. For this we can use network security solutions, maybe network antivirus, and backup solutions for security tools and a recovery plan. And we thought that these security activities can provide business benefits like minimization of security tools' impact on performance at the user level, which helps our users, and supporting the company's reputation by ensuring business continuity. And of course we need resources to implement our strategy. When we know our goals and objectives, we can define which resources we need to achieve them. So for resource planning, we should check existing resources, of course, track additional resources directly for our goals, and take into account changing dynamics in case of increasing territorial coverage and staff growth.

And finally, when we have a draft of the information security strategy, we have to get it approved by business. For this we should formalize our strategy and discuss it at special meetings with business representatives and top management. From one side, at such meetings we can improve information security in general, and also show our business what we will do for the next one, three or five years. After approval, we need to share the information security strategy with all employees and make individual plans for the security guys based on the strategy goals and objectives. After that, we only need to control the realization of these plans and monitor strategy implementation. And of course, I'm sure you understand that there are a lot of different approaches to information security strategy development, and the most important: it doesn't matter which approach you choose to create your strategy, but you must be sure that your strategy corresponds to your business and that you can implement it. That's all. Thank you.

So thank you very much, Roman, for your comprehensive description of your security strategy. Yeah, thank you.

There were a lot of pictures, but I hope everyone can see them after.

Yeah. And you are still here, so if anybody has questions, they will join and find you. Thank you very much. Thank you.
