
Ensuring Comprehensive Security of Information Systems of Large Financial Organizations


2022 Conference of Russian Young Researchers in Electrical and Electronic Engineering (ElConRus) | 978-1-6654-0993-3/22/$31.00 ©2022 IEEE | DOI: 10.1109/ElConRus54750.2022.9755715

Marina V. Tokareva, Department of Economics, Organization of Production and Management, Russian University of Transport, Moscow, Russia, tokarewa.marina@yandex.ru

Anton O. Kublitskii, Quality Management Department, Russian University of Transport, Moscow, Russia, anton1495@gmail.com

Natalia A. Telyatnikova, Quality Management Department, Russian University of Transport, Moscow, Russia, sharklike@mail.ru

Anatoly A. Rogov, Quality Management Department, Russian University of Transport, Moscow, Russia, rogov_a@rambler.ru

Ilya S. Shkolnik, Department of the Chief Engineer, "Moscow Metro" State Unitary Enterprise, Moscow, Russia, shkolnik Ilya@mail.ru

Abstract— The article deals with the issues of improving the quality of corporate information systems functioning and ensuring the information security of financial organizations that have a complex structure and serve a significant number of customers. The formation of the company's information system and its integrated information security system is studied on the basis of the process approach and the methods of risk management and quality management. The risks and threats to the security of the information system functioning and to the quality of information support for customer service of a financial organization are analyzed. The methods and tools for improving the quality of information services and ensuring information security are considered on the example of an organization for social insurance. Recommendations are developed to improve the quality of the information system functioning in a large financial company.

Keywords— information security, organization information system, quality management, risk analysis, process approach

I. ANALYSIS OF THE PROBLEM OF INFORMATION PROTECTION IN LARGE FINANCIAL INSTITUTIONS

The role of information and information technology in today's world keeps increasing, due to major factors such as:
• technology development,
• growth of consumer requirements for the quality and functionality of products and services,
• development of communications,
• the growing need for big data analysis,
• increasing demand for the automation and intellectualization of process management,
• the growing need for globalization of systems in all areas of society,
• others.

The growth of the complexity and size of any man-made system is accompanied by an avalanche-like increase in the number of possible system states, which creates additional threats and risks for the system itself, for people and for the environment [1,2,3]. The introduction of new technologies contributes to the emergence of new, hard-to-predict types of threats and requires in-depth analysis, modeling and forecasting of risks in the information environment of the technosphere [4,5]. Comprehensive information security is designed to protect the external environment, and the systems operating in it, from harmful information influences.

Since information is a universal component of communication, threats directed from the external environment at information, and threats directed from information into the external environment, have a significant impact on such basic areas of society as the technical, economic, political and socio-cultural ones [6,7].

Material and reputational damage arising from inconsistencies and problems in the field of information protection is most significant for large organizations in the financial and economic sphere that provide services to a large number of customers [8,9].

As a rule, modern financial organizations have a number of operating features that create an increased risk of external information attacks and unauthorized interventions, namely [10]:
• a high level and volume of remote information interaction with clients;
• confidential financial and proprietary information about customers, which is valuable to interested third parties;
• the potential for unauthorized third-party influence on financial transactions;
• the possibility of internal influence by unscrupulous employees on the functioning of the information system in order to achieve personal benefits;
• others.

Let us take the example of the Russian Pension Fund (RPF), whose clients include more than 80 million pensioners and 20 million beneficiaries. The RPF structure includes more than 80 regional offices and 2,500 client

services, and the organization has more than 100,000 employees.

The information system that supports the organization's business processes and interacts with clients, with the support of the state services portal and other state social-sphere platforms, is represented by the automated management system RPF AMS.

II. QUALITY ASSURANCE AND DEVELOPMENT OF THE INFORMATION SECURITY SYSTEM FOR THE RPF

Let us consider inconsistencies in the quality of IT services in the RPF. The statistics of discrepancies by type are presented as a checklist in Table I.

TABLE I. CHECKLIST OF IT SERVICE QUALITY DISCREPANCIES IN THE RPF FOR JANUARY 2021

No. | Name of inconsistency in the quality of IT services in the RPF | Quantity | Per cent | Cumulative percentage
 1  | Failures in electronic services                                | 252      | 48.4%    |  48.4%
 2  | Local area network access error                                | 115      | 22.1%    |  70.4%
 3  | Error of access to the local area network                      |  84      | 16.1%    |  86.6%
 4  | Failure of automated workstations                              |  28      |  5.4%    |  91.9%
 5  | Network equipment defects                                      |  24      |  4.6%    |  96.5%
 6  | Physical equipment defects                                     |   8      |  1.5%    |  98.1%
 7  | Inaccessibility of RPF AMS services                            |   4      |  0.8%    |  98.8%
 8  | Server hardware failure                                        |   2      |  0.4%    |  99.2%
 9  | Server hardware failure                                        |   1      |  0.2%    |  99.4%
10  | Other                                                          |   3      |  1%      | 100%

The main discrepancy is "Failures in electronic services"; let us consider them in more detail (Fig. 1).

The analysis shows that special threats are aimed at the hardware and software of the cryptographic interconnection service.

Fig. 2 shows the scheme for protecting the RPF information system against malware.

Fig.2. Scheme for protecting the RPF information system against malware.

All detected inconsistencies of RPF remote interaction with clients in the information environment are IT incidents and undergo processing (Fig. 3). In the event of an incident, the following response processes are initiated, supported by best practices based on the IT Infrastructure Library [11]:
• Incident Management. IM is carried out on the basis of a service level agreement (SLA), which allows the negative consequences of incidents in the information environment to be dealt with effectively.
• Problem Management.
• Change Management. Responsible for changes in the information system aimed at eliminating the causes of the problem. It is carried out in parallel with the development of corrective actions according to the quality management methodology.
• Release Management.
• Configuration Management.

Fig.3. Structure of business information processes to respond to electronic service failures and other IT incidents.
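The checklist in Table I is the first of the statistical quality tools applied here; the next one the paper names, the Pareto chart, ranks the same counts by cumulative share to pick out the few categories that cause most of the discrepancies. The following Python is an added example, not code from the paper or from the RPF: it takes the counts from Table I, recomputes the per-category and cumulative percentages from the raw counts, and returns the categories that together account for a chosen threshold. The 80% cut-off is the conventional Pareto threshold and is our assumption; the category names are the table's own, and the "(row 8)" / "(row 9)" suffixes are ours because those two rows share a label in the table.

```python
"""Pareto analysis over the IT-service discrepancy checklist (Table I).

Added example; not code from the paper. Counts are copied from Table I
(RPF, January 2021); the 80% cut-off is the conventional Pareto threshold
and is our assumption, not a figure from the paper.
"""
from typing import List, NamedTuple, Sequence, Tuple


class ParetoRow(NamedTuple):
    name: str
    count: int
    pct: float      # share of all discrepancies, per cent (1 d.p.)
    cum_pct: float  # cumulative share, per cent (1 d.p.)


# Counts from Table I. Rows 8 and 9 carry the same label in the table;
# the "(row 8)" / "(row 9)" suffixes are ours so the rows stay distinct.
TABLE_I: List[Tuple[str, int]] = [
    ("Failures in electronic services", 252),
    ("Local area network access error", 115),
    ("Error of access to the local area network", 84),
    ("Failure of automated workstations", 28),
    ("Network equipment defects", 24),
    ("Physical equipment defects", 8),
    ("Inaccessibility of RPF AMS services", 4),
    ("Server hardware failure (row 8)", 2),
    ("Server hardware failure (row 9)", 1),
    ("Other", 3),
]


def pareto(rows: Sequence[Tuple[str, int]], other: str = "Other") -> List[ParetoRow]:
    """Rank categories by count, keeping the residual bucket last, and derive
    both percentage columns from the raw counts. Computing the cumulative
    column from running counts (not from the rounded per-row shares) keeps
    it from drifting, which is how a 'Total' column ends up inconsistent."""
    total = sum(count for _, count in rows)
    if total <= 0:
        raise ValueError("no discrepancies to analyse")
    ordered = sorted(rows, key=lambda r: (r[0] == other, -r[1]))
    out: List[ParetoRow] = []
    running = 0
    for name, count in ordered:
        running += count
        out.append(ParetoRow(name, count,
                             round(100 * count / total, 1),
                             round(100 * running / total, 1)))
    return out


def vital_few(rows: Sequence[Tuple[str, int]], threshold: float = 80.0,
              other: str = "Other") -> List[str]:
    """Names of the leading categories that together reach `threshold` per
    cent of all discrepancies: where corrective action should start."""
    selected: List[str] = []
    for row in pareto(rows, other):
        selected.append(row.name)
        if row.cum_pct >= threshold:
            break
    return selected


if __name__ == "__main__":
    for row in pareto(TABLE_I):
        print(f"{row.name:44s} {row.count:4d} {row.pct:6.1f} {row.cum_pct:7.1f}")
    print("Vital few:", vital_few(TABLE_I))
```

Recomputing from the counts reproduces the cumulative column of Table I exactly, and it also shows that the share of the "Other" row is 0.6%, not the 1% printed in the table (99.4% plus 0.6% is what brings the cumulative figure to 100%). The three leading categories, failures in electronic services and the two LAN access errors, already account for 86.6% of all discrepancies, so corrective action should start there.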

Fig.1. Types of failures in electronic services.

Let us take a closer look at the problem and error control process (Fig. 4), which includes:
• Monitoring and controlling problems:

o Problem identification and registration,
o Problem classification,
o Problem investigation and diagnostics,
o Solution and closing.
• Monitoring and controlling errors:
o Error identification and registration,
o Verification,
o Solution.

Fig.4. Diagram of the problem and error control process.

Based on the construction of the cause tree, the following main causes of discrepancies in the work of RPF IT services were identified:
• load balancing violations,
• insufficient performance of technical means,
• deficiencies in processing incidents of IT service failures,
• weaknesses in the system software for information protection,
• deficiencies in data storage and provisioning,
• server attacks.

Let us note the following main consequences of inconsistencies in the work of RPF IT services:
• distortion of information,
• loss of information,
• traffic disruption,
• disruption of information access,
• disruption of security threat identification.

Quality assurance of remote work with clients in the RPF AMS is best ensured as part of the organization's quality management system (QMS). At the same time, improvement of the security of the organization's IT environment, over and above the documented external mandatory requirements at the level of federal laws and orders of the relevant ministries, is best provided by the development and implementation of an information security management system (ISMS) [12].

Consider the development of an ISMS for the RPF based on the PDCA cycle:
• Plan: developing risk management and information security policies, objectives and processes that are consistent with the organization's policies and objectives.
• Do: implementing the information security policy, the management structure and the ISMS processes.
• Check: evaluating the effectiveness of the processes defined by the policy, the security objectives and the functioning of the ISMS; informing the company's management of the results of monitoring for further analysis.
• Act: implementing the preventive and corrective actions developed on the basis of the internal audit report and management recommendations to improve the ISMS.

The scheme of the process of ISMS design and development is shown in Fig. 5.

Fig.5. Scheme of the process of the ISMS design and development.

Let us consider the process of working with risks as part of developing the ISMS for the RPF (Fig. 6).

Fig.6. Scheme of working with risks in the ISMS.

Construction and development of an organization's ISMS is most effective when an integrated management system (IMS) is created on the basis of the QMS, which ensures high quality of service provision to customers while supporting and increasing the level of information protection through the synergistic effect of the interaction of the management systems [13,14].

Fig. 7 shows the proposed IMS structure for the RPF, including the ISMS, the QMS, the occupational safety management system and the risk management system.

Fig.7. Structure of the IMS, including the ISMS and other management systems.

CONCLUSION

To ensure and improve the functioning of the integrated security of the financial organization's information system, the following is recommended:
• Analyzing the quality of remote customer service in the organization's information environment. It is recommended to apply the tools and methods of quality management, including:
o statistical quality tools (checklist, Pareto chart, Shewhart chart, stratification analysis, and others);
o matrix analysis methods (including the House of Quality, correlation matrix analysis, responsibility matrices, and others);
o structural methods of logical analysis (Ishikawa diagram, "five whys" based cause tree, "bow tie" cause and effect tree, and others);
o the method of corrective and preventive actions;
o modeling and forecasting (econometric modeling, simulation modeling, dynamic modeling, and others);
o methods and models of the process approach and system analysis.
• Handling incidents and problems based on IT Infrastructure Library methods and practices.
• Applying process and systems analysis methods and models.

It is recommended to create an "Information Resource Control Center" with the following structure (Fig. 8) in order to improve the efficiency of information security:
• attack detection system;
• information analysis system;
• system for monitoring access to resources;
• virus activity monitoring system;
• security testing system.

Fig.8. Structure of the "Information Resource Control Center".

The proposed methods of analysis and development of a comprehensive information security system, based on the creation of integrated systems of quality management, information security and risk management, are recommended for organizations with extensive functions of remote interaction with customers and improve the information security of such organizations.

REFERENCES

[1] Ryabchik T.A., Smirnova E.E., Lukashova M.I., Haydar H. Manufacturing processes quality control as a main factor of performance enhancement in industrial management. Proceedings of the 2019 IEEE Conference of Russian Young Researchers in Electrical and Electronic Engineering, ElConRus 2019, 2019, pp. 1463–1466. Emelyanov A.I., Savchuk R.R. Automated Control System for Lighting Devices. Proceedings of the 2021 IEEE Conference of Russian Young Researchers in Electrical and Electronic Engineering, ElConRus 2021, 2021, pp. 870–873.
[2] Narusova E.Yu., Struchalin V.G., Stepanov A.N. Determination of the required personal qualities of a leader for ensuring safe work of

the employees. Bezopasnost' Truda v Promyshlennosti, 2021, 2021(8), pp. 91–95.
[3] Ryabchik T.A., Sidrakov A.A., Grechishnikov V.A., Smirnova E.E., Shevlugin M.V. The emergence of electrical burning of insulated rail joints in the Moscow metro. Proceedings of the 2020 IEEE Conference of Russian Young Researchers in Electrical and Electronic Engineering, ElConRus 2020, 2020, pp. 1667–1669.
[4] MacHeret P.D., Savchuk R.R. Automated design systems based on the use of three-dimensional object modeling techniques. Proceedings of the 2021 IEEE Conference of Russian Young Researchers in Electrical and Electronic Engineering, ElConRus 2021, 2021, pp. 1004–1008.
[5] Telyatnikova N.A., Spiridonov E.S., Boyarinov D. Innovation, informatization and digitalization of the infrastructure facilities design and construction of high-speed railway in Russia and Eurasian Union. Transport Means. Proceedings of the International Conference, 2018, 2018-October, pp. 1161–1166.
[6] Narusova E.Yu., Struchalin V.G., Strelnikova E.N., Paruleva I.V. Reducing the occupational burnout level on the basis of personal characteristics at working group organizing. Bezopasnost' Truda v Promyshlennosti, 2021, 2021(9), pp. 45–49.
[7] Voronkova O.Y., Logvina E.V., Glubokova N.Y., Akhmadeev R.G., Bykanova O.A. Economical and ecological risks of the creation of clusters in the agricultural sector: case study for education process. Talent Development and Excellence, 2020, vol. 12, no. SpecialIssue3, pp. 677–686.
[8] Agarkov M.A., Guskova M.F., Korzhin S.N. An innovative method of procurement management in the electronics industry. Proceedings of the 2021 IEEE Conference of Russian Young Researchers in Electrical and Electronic Engineering, ElConRus 2021, 2021, pp. 1870–1873.
[9] Savchuk R.R. Development of automation systems for the unified duty dispatch service 'system-112' in order to increase efficiency of activities in the field of protection of the population and territories. In: Proceedings of the 2020 IEEE International Conference "Quality Management, Transport and Information Security, Information Technologies", IT and QM and IS 2020, 2020, pp. 286–289.
[10] Guskova M.F., Nemtsov Y.V. Study of the effect of repeated requests for quality of customer service in digital radio communication networks of railway transport. Proceedings of the 2021 IEEE Conference of Russian Young Researchers in Electrical and Electronic Engineering, ElConRus 2021, 2021, pp. 2118–2123.
[11] Telyatnikova N.A., Paliy R.V., Spiridonov E.S., Cerniauskaite L. The logical structure of the software file archive formation as a part of industrial management. Proceedings of the 2019 IEEE Conference of Russian Young Researchers in Electrical and Electronic Engineering, ElConRus 2019, pp. 1435–1439, 8657021.
[12] Shmeleva A.G., Ladynin A.I., Smirnova E.E., Ryabchik T.A. Transport logistics management information system. Proceedings of the 2019 IEEE Conference of Russian Young Researchers in Electrical and Electronic Engineering, ElConRus 2019, 2019, pp. 1471–1473.
[13] Guskova M.F., Pashina A.S. Choice modelling of a power supply system for level crossings. Proceedings of the 2021 IEEE Conference of Russian Young Researchers in Electrical and Electronic Engineering, ElConRus 2021, 2021, pp. 1890–1894.
[14] Leifer B.K., Savchuk R.R. Comparative analysis of automated control and information systems for the technical operation of railway crossings. Proceedings of the 2021 IEEE Conference of Russian Young Researchers in Electrical and Electronic Engineering, ElConRus 2021, 2021, pp. 994–999.
