Working Group on ISMS held its regular meeting

The bankers and the regulator continue to engage in a dialogue in an effort to shape a balanced approach to information security management in the Ukrainian banking system.

On October 8, 2015, the second meeting of the Working Group on the Information Security Management System (hereinafter – ISMS) was held at the National Bank of Ukraine. The meeting was attended by 50 representatives from Ukraine's banks, the National Bank of Ukraine and banking associations.

In his opening speech to the participants in the second meeting of the Working Group, Director of the NBU Information Security Department Dmytro Lukyanov said: “The increase in the number of the Working Group members and their direct involvement in addressing the issues proves that this dialogue represents a step forward toward creating the prerequisites necessary for achieving a uniform understanding of the information security objectives and tasks and their subsequent implementation in Ukraine’s banking system”.

At the second meeting, the participants reviewed the progress made in undertaking follow-up joint activities in the focus areas of the ISMS established at the previous meeting of the Working Group. In particular, the participants discussed the documents that have been elaborated and presented to them with regard to the following:

  • the appropriateness and advantages of shifting to a new version of the ISO/IEC 2700*:2013 family of standards;
  • enhancing the quality and maximizing the outreach of the inspection findings in terms of providing insight into the current information security situation in Ukraine’s banks;
  • the core principles governing further operation of the Working Group on ISMS;
  • the identification of the main areas of focus in the ISMS.

With regard to the first issue, the meeting participants pointed out that adopting unmodified international information security standards would bring significant benefits to banking institutions, help align national standardization policy and information security requirements with international standards, narrow discrepancies in interpretation, and enable the banking system to respond more promptly to changes in ISO/IEC standards. In this context, strong emphasis was placed on the need to coordinate intra-agency interests in connection with the harmonization of a new version of international standards. In view of the above, the Working Group concurred on the need to elaborate a document containing requirements for Ukraine’s banks as to the adoption of the ISO 27001:2013 international standard.

With regard to the second issue, the participants put forward 66 proposals regarding the existing methodology for evaluating the ISMS. 20 proposals have been accepted by the meeting participants. In addition, with a view to improving the internal controls, and ensuring the ISMS quality in Ukraine’s banks, the Working Group decided to develop the methodology for self-assessment of ISMS implementation in Ukraine’s banks.

As to the second issue, the meeting participants reviewed and upheld the main objectives and the core principles governing the functioning and working procedures of the Working Group on ISMS.

The participants in the Working Group Meeting also reviewed the prepared documents with regard to the identification of the main areas of focus in the ISMS. Following the discussion that took place during the meeting, the participants upheld the need to embark on efforts in the new areas of focus: 

  • develop recommendations on ways to improve information security risk assessment frameworks;
  • formulate a list of changes to applicable regulations or methodological documents on information security where weaknesses, mismatches or inconsistencies are revealed.

The date for the next meeting of the Working Group will be set subject to the follow-up work to be done to finalize the tasks set forth and will be communicated to the members in due course.
