Information Security and Outsourcing

CFT functions as part of IT outsourcing
  • Business functions: automation of the business processes connected with the Bank's main activities; modification, development and customization of IT products to meet the Bank's requirements
  • IT functions: administration of the hardware and software complex, user support services, operation, maintenance and development
  • Security protection: implementation of a set of measures covering physical, fire and information security, etc.
Outsourcing models

| Model | Description | Features |
|---|---|---|
| «In» | All IT infrastructure is at the CFT side, with only user PCs at the Bank side. | The outsourcer is responsible for all technical aspects of the DPC and for the additional security arrangements (FW, IDS/IPS, vulnerability scanners, SIEM, AV, equipment to build a protected channel to the Bank), etc. |
| «Out» | IT infrastructure is located in the Bank's DPC, with user and administrator PCs at the CFT side. | This model is chosen by large banks. The Bank is responsible for all technical aspects of the DPC and for the additional security arrangements. |
 
CFT infrastructure to provide outsourcing services
 
  • DPC 1 (main)
  • DPC 2 (backup)
  • Outsourced DPC (tested using a Rostelecom DPC as an example)
  • CFT's own DPCs are built to the Tier 3 security level of the TIA-942 standard

A basic level of security protection is mandatory
 

1. DPC physical security (guarding and access control are provided by a dedicated security unit)
2. DPC access control system with individual cards
3. Perimeter video surveillance both inside and outside the DPC
4. Backups to protected libraries
5. A backup (redundant) DPC to ensure continuity of operations
6. CFT's own DPCs are built to the Tier 3 security level of the TIA-942 standard. Four backbone providers (ROSTELECOM, TTK, AVANTEL, RTCOMM-SIBIR) are connected to each site
7. Secure links (core and redundant) to the Banks, based on cryptography certified by the Federal Security Service

Information security, CFT tasks
 
1. Work is performed in accordance with the internal regulatory framework, including orders, policies and regulations
2. A dedicated network perimeter for outsourcing services, with each bank located separately in its own security perimeter, protected by specialized software such as FW, IDS/IPS, vulnerability scanners, SIEM, AV and HSM
3. SOC centre
4. Periodic audits:
  • internal, to check conformity with information security requirements
  • external, to check conformity with the requirements of the ISAE 3402 standard (the external auditor is PwC)

5. Periodic scanning inside the infrastructure to identify vulnerabilities
6. Periodic penetration testing to find and remove opportunities for hacking attacks
7. Use of tools such as Oracle AS (database encryption) and Oracle Database Vault (user access control rules, including restrictions on administrator rights)
8. User support and modifications are carried out on copies of the operating configuration (no access to critical data). Data is changed
9. Limited access of CFT specialists to critical data at various levels, including the network and application levels, in accordance with bank policies

Information security, Bank tasks:

1. User management (this function can also be handled at the outsourcer side)
2. The Bank's own audits and additional controls as required by regulatory authorities
3. Introduction of the Bank's own monitoring and response tools
4. More flexible control of access rights
5. Vulnerability analysis
6. Code analysis
7. Etc.

There is an additional agreement between CFT and a Bank describing the obligations of each party in terms of security.