On 14 May 2015 a round table discussion was held on "National Bank of Ukraine standards for information security management in the banking system of Ukraine. Analysis of the current status and operation of Information Security Management System".
The National Bank of Ukraine organized the event for bank employees who are responsible for the development, implementation and operation of the information security management system (hereinafter the ISMS). The purpose of the meeting was to discuss the experience of ISMS implementation and operation with the experts who are directly responsible for this area in banks, and to arrange a dialogue between the regulator and Ukrainian banks in order to form comprehensive measures for further development of the ISMS in the banking system of Ukraine.
"Our engagement is to give impulse to banks to form a balanced approach to the information security management, which will improve the quality and efficiency of the banking system on the whole", said Deputy Governor of the National Bank of Ukraine Yakiv Smolii when opening the round table.
He expressed confidence that such discussion forums offer not only an exchange of experience between banks, but also an opportunity to get feedback from banks about the practical application of the NBU standards.
Dmytro Lukianov, Director of Information Security of the National Bank of Ukraine, said: "We all understand that information security is the basis of any bank's viability and it affects the possibility to ensure the profitability, competitiveness and business reputation. Therefore, ensuring its proper level today is not possible without the support and involvement of top management. Heads of banks should be aware that the use of information technologies is an important factor that determines the competitiveness of the bank in the current conditions, but along with such advantages as increasing the speed and quality of client servicing, availability of banking services, reduction of costs, the use of information technologies entails new significant risks. Underestimating such risks may lead to large-scale system failure, and even stopping of bank operation and great financial losses respectively."
Dmytro Lukianov also expressed his opinion on the indicators that have an undeniable impact on the ISMS of banks. He noted that one of the functions of the IT Security Department is to participate in inspections of Ukrainian banks to verify the implementation of the ISMS, and that enforcement measures are provided for banks that do not fulfill the requirements and thereby reduce the level of information security and increase the risks that form part of the bank's operational risks.
In addition, during the round table the participants discussed the possible and necessary indicators for the top management of a bank, which will contribute to further development and improvement of the quality (maturity) of the ISMS in Ukrainian banks. Such improvement is impossible without a balanced approach to making management and IT decisions, and without understanding that the ISMS means responsible IT risk management and is an important component of the overall bank management system.
With a view to further development of the ISMS in the banking system of Ukraine and building it effectively, it was agreed during the discussion to create a working group for the efficient elaboration of relevant initiatives, draft documents, etc. Representatives of the regulator, banks of Ukraine, banking associations (unions) and other participants who are ISMS experts will be invited to participate in this group.
However, the regulator should intensify its work on analysing the legal acts on the ISMS with regard to their appropriateness and relevance, in order to update existing legal acts or develop new ones, including those on improving the IT risk assessment methods, ISMS stress testing, development of ISMS quality/maturity criteria and rating of banks in terms of ISMS quality/maturity, implementation of ISO 27000-27011 standards (current editions), etc.
It was also decided to direct efforts towards explaining the ISMS to the heads of Ukrainian banks in order to improve responsible IT risk management.
In addition, they discussed the possible implementation of a joint project of the regulator and the banks, "Safe information space", which will help to build a common IT security culture in Ukraine and will certainly raise information security awareness among all participants of the financial system.
All the participants noted the relevance of dialogue between regulators and banks in this format, and expressed the hope that the exchange of ideas will continue in order to form approaches to the further development of the ISMS in the banking system of Ukraine.