CEC Bank: Bringing Governance to IT Risk Management

The largest commercial bank in Romania needed to find a way to centrally manage the vulnerabilities associated with its IT infrastructure.

With more than 1,200 branches throughout the country, CEC Bank S.A. is the largest commercial bank in Romania. The bank provides consumer loans, checking and saving accounts, and real estate and agricultural loan services, along with credit restructuring, Internet banking, and money transfer services. Founded in 1864, CEC Bank is based in Bucharest, Romania.

While the bank’s people are its most valued asset, its core banking IT applications and infrastructure are just as crucial to the bank’s success. And these assets, due to threat of criminal attack, enhancements, and system changes, as well as industry and government regulations, need to be continuously protected and maintained, explains Razvan Cosmin Grigorescu, chief information security officer. Running the bank’s 1,200 locations, Grigorescu states there are hundreds of servers in two data centers (main and disaster recovery) and tenth of applications central to the bank’s IT infrastructure.

Time for a Centralized Risk Management Program

Keeping those systems secure is no small challenge. As application and system settings change, or new patches are released, system flaws with security implications are bound to occur. If not remedied, these flaws can make systems vulnerable to attack or fall out of regulatory compliance. That's why, some time ago, it was important for CEC bank to put into place a centrally administered vulnerability management program, says Grigorescu. "We had no global strategy and no concentrated efforts related to the vulnerability management inside our company. Vulnerabilities were treated on a case-by-case basis, or as part of application or vendor requirements," says Grigorescu.

To introduce a broad IT risk management effort, as well as initiate a centralized vulnerability management initiative, the bank created a chief information security officer position to oversee the program. The security program, in addition to putting the proper people and processes in place, also included the right technological defenses: anti-malware, security policy management, measures to protect the network, log management, database activity monitoring and event correlation. “I also can’t stress enough how important the support and guidance provided by our top management was to these efforts,” says Grigorescu. “I have friends and partners working inside other financial institutions in similar positions who are grasping for just a little attention and a few figures in their budgets,” he says.

An essential aspect of CEC Bank’s IT security program was the need to put in place an automated vulnerability management program that could be administered centrally for each of its 1,200 locations in Romania. For that, Grigorescu turned to Qualys Vulnerability Management (VM).

Vulnerability Management That’s Easy To Deploy, Integrate, and Use

“At first, I was skeptical to use this new [at the time] Qualys ‘service’ when most of the industry was buying on-premise software solutions,” explains Grigorescu. “But I loved the approach.” As part of the Qualys Suite, Qualys VM automates the vulnerability management life cycle for organizations of all sizes. Through its Software-as-a-Service (SaaS) delivery model, Qualys provides CEC Bank with detailed network discovery and mapping, asset prioritization, vulnerability assessment reporting, and remediation tracking according to business risk. Powered by the most comprehensive vulnerability knowledge base in the industry, Qualys VM spots and helps to remedy the software flaws and system misconfigurations that make many exploits and attacks successful. As an on demand solution, Qualys did not require any additional infrastructure for CEC Bank to deploy or manage at any of its locations.

CEC Bank chose Qualys because it appeared easy to deploy, integrate, and use. “There is no need for special arrangements to conduct external scanning, and there is nothing complex that we have to do to perform internal network scans,” Grigorescu says. He attributed that to Qualys VM’s on demand architecture. “Within the appliance is all of the power that resides somewhere else, and with it come no migraines or worries as even the upgrades are done automatically,” he says.

CEC Bank tested its initial Qualys deployment with its externally facing systems. Following that success, Grigorescu moved Qualys onto its internal network. “We have used Qualys in order to comply with the existing regulations of the Ministry of Communications and Informational Society and National Bank of Romania, and also with the existing international standards such as ISO 27001 and information security best practices,” he says.

Initially, Qualys VM filled CEC Bank’s need for an automated, accurate, and structured way to approach vulnerability management. “Now it is part of a complex information security system, designed to monitor, control, and assess the compliance level inside the main operational data center, disaster recovery data center, and our remote branches,” he says. Grigorescu also is leveraging Qualys VM with other security applications to achieve more with its investment, such as better evaluation of the real-world risks of database vulnerabilities.

“Qualys has helped us to bring a higher level of governance to our risk management program. And we plan to extend our use of Qualys to our disaster recovery data center and integrate Qualys still more deeply into our global information security strategy for many more years,” he says.