VKF_FRAE_2018_uyg11

Section I: Introduction

Information Security and Compliance Activities

• ISO 27001 – Information Security Management System certification was obtained for the Bank’s information systems processes.
• Bank Information Security Policy and Central User Authorization and Password Policy documents were revised during the year.
• As part of process management activities, the Bank improved its IT process documents, carried out process self-assessment studies and conducted periodic measurement of process performance metrics. VakıfBank also performed benchmark studies in consideration of other Bank IT processes.
• VakıfBank executed coordination efforts to ensure audit and legal compliance; as a result, the Bank became fully compliant with Swift Customer Framework standards.
• Under the SIEM Log Management System, the Bank collects approximately 600 million logs daily from about 4,000 log sources. These logs are monitored and reported instantly.
• The Bank started using a vulnerability screening tool as part of its vulnerability management efforts. As a result, the vulnerabilities of the Bank’s systems were periodically scanned and reported. Regular online leak tests were conducted for web applications, including the intranet.
• VakıfBank released a Database Activity Monitoring product to monitor changes in databases.
• The Bank created content for information security training in relation to End User, Authorized User, SOME team and Application Developers. A Security Bulletin Training was held on a monthly basis and announced to the entire Bank.
• As part of IT Security Self-Assessment activities, the Bank conducted efforts for security baseline, firewall rule self-assessment, SSL VPN user self-assessment study, authorized user self-assessment study, Active Directory user self-assessment study, external link inventory self-assessment study, task separation matrix update and self-assessment study.
• VakıfBank conducted business impact analyses to determine critical processes, maximum sustainable downtime and targeted rescue times. ODP tests were performed according to the service criticality results.
• Under the data leakage prevention program, the Bank enriched scenarios and rules and created daily alarm mechanisms.
• The Bank aligned its personal data inventory with the Law on the Protection of Personal Data.

System Management and Information Technology Infrastructure Activities

• VakıfBank continued monitoring and improvement activities related to Head Office and field technology infrastructure; the Bank completed plans to increase the level of renewal, maintenance, update, backup and security under configuration, capacity and change management efforts.
• The Bank completed investment in and installation of new EMC Datadomain, Isılon, AFA and Oracle ZFS products, resulting in renewal of the storage and backup infrastructure and capacity increases.
• VakıfBank activated new DDOS attack prevention devices during the year.
• The Bank renewed and completed the Video Conference System, installed at 50 locations across the organization.
• VakıfBank set up a new video conferencing system and released it for the Bank’s commercial branches.
• Sound, security and communication systems infrastructures were established at Akyaka Head Office service buildings.
• The Bank renewed and released New Allot internet usage prioritization devices.
• The set-up of new Wi-Fi communication infrastructure and Wi-Fi in-house telephone installation was completed in the Bank’s Head Office buildings.
• The new Oracle Exadata X7-2 was put into service after the renewal of data warehouse and database infrastructure.

VakıfBank is on your side by integrating business processes with advanced information technologies...

VakıfBank completed coordination efforts for audits and legal compliance that achieved full harmony with Swift Customer Framework standards.

REVIEW OF OPERATIONS IN 2018
