VakıfBank Annual Report 2017 (p. 87)

» Research and testing continued in order to acquire new technologies and products for the Bank. There was infrastructure work on the Corporate video broadcast system and the electronic fax system.
» In network management, IP Management and DNS security, NetFlow Package analysis products and new load balancing features were put to use, and a mobile field sales secure access infrastructure was set up.

IT SECURITY ACTIVITIES

» The IT Risk Analysis structure was revised. After the completion of the Annual Business Effect Analysis, and based on the results of this study, an upgrade was made to issue automatic reports for damages and breakdowns, and efforts were made to match Device-Platform and App-Service-Platform and to measure service criticality levels. The related processes were updated and the results were provided as input to the Emergency Tests. The Emergency Plan was revised in consideration of the current structure.
» In the scope of KVKK Adaptation Efforts, a working group has been created across the Bank, and the Information Security IT Compliance Department has been assigned presidential and secretarial duties for the working group. Informing texts were provided via SMS and e-mail to all customers whose contact data is available, and upgrades were made in the mobile and internet channels for purposes of notification and receiving consent. In the scope of compliance efforts, the previously lacking package application data modelling was completed, and identifying personal data was added to the information tracked through the Power Designer app. There was work to encourage business departments to appropriate the VIT, Non-VIT and Package applications, and to determine the principles related to appropriation. Business departments were organized and work on the Personal Data Processing Inventory started.
» There was a capacity increase in the SIEM log management system, and a VIVEM/VAVEM backup structure was also installed for the SIEM system within the scope of these efforts.
» In order to detect any weakness or security baseline incompatibility in the systems, the Nexpose software was procured and fully integrated.
» For the year 2017, a compliance certificate was obtained for the services within scope, after the PCI DSS compliance audit.
» In 2017, the License Audit activities performed by KPMG on behalf of IBM were coordinated, and significant improvements were made as regards the assessments of inappropriate license usage mentioned in the draft report.
» The Bank collaborated with data holders to organize the universe authorizations on the SAP BO system, and ensured that all universe authorization demands are communicated by entering a demand over ITSM, with the approval of the data holder.
» Process performance started being monitored over the DURUM portal. Metrics started being collected automatically from the systems with which integration has been installed. In determined periods, the processes' target attainment success and annual performance levels were monitored via dashboards, and action follow-up and process improvements were realized for those below the alarm values. In the Self-Assessment processes, the relevant metrics were reviewed together with the process holders and the necessary improvements/updates were performed.