|
Data security in the system is ensured through the employment of a comprehensive and all-round approach to data protection against unauthorized access which protection is achieved with the aids of various types of access right distribution, the audit (logging) of system users' activity, operation authorization, etc. In particular, there should be marked out such basis aspects of security assurance as follows:-
1 Access right distribution
- The distribution of the rights of access to tasks by user group;
- The distribution of the rights of access to the performance of operations with entries in tasks (ABS B2 forms) by user group;
- The distribution of the rights of access to the preparation of certain reports by user group;
- The distribution of the rights of access to the application of certain filters to the data of accessible tasks by user group;
- The distribution of the rights of access to accounts and documents by user group;
- The distribution of the rights of access to certain types of transactions and operations thereunder by user group;
- The distribution of the rights of access to operations (of Operations subsystem) by user group;
- The distribution of the rights of access to counteragent types, counteragent categories of a given type by user group;
- The distribution of the rights of access to the files of statistical reports to the National Bank of Ukraine by user group;
- The distribution of the rights of access to the types of ties between business partners by user group.
2 User activity journaling
- User activity audit (journaling):
- Logging logins;
- Logging changes in principal operating tables (documents, accounts, counteragents) with saving the user name, the time of change, the type of change, values inputted;
- Logging changes in administrative (access regulating) tables;
- Logging operations under transactions;
- Logging (access blocking where required) login intruder attempts;
- Journaling certain events in the system;
- Employing the functions of checking data entry correctness both at a workstation and by DBMS means (checking data integrity, ensuring key data uniqueness, etc.) this making it possible to ensure a basic protection against both user intentional activity and unskilled use of the system;
- Other functions (by DBMS means with the ability to tune them from ABS B2):
- DBMS password term limitation;
- The limitation of a possible repeated use of the same password;
- Blocking user login both in the system and DBMS (separately);
- Giving the ability of look through current activity and the actions performed by various users; and
- Working user disabling.
3 System Monitoring
This subsystem makes it possible to track the state of various ABS B2 subsystems through analyzing data contained in DBMS.
This subsystem is designed to keep and calculate the indicators which make it possible to detect a critical state of subsystems, to warn about existing problems or a possible appearance of problems. This makes it possible to notify the users of necessity to perform certain actions.
In calculations, these indicators using SQL requests to DBMS evaluate data state and put down an evaluation result criticality level. Indicator tuning makes it possible to detail the results of analysis, to go to the appropriate tasks to visualize "problem" data, as well as to notify the relevant responsible users of subsystem monitoring results.
4 Message Scanner
This subsystem is designed to mail messages of certain categories to ABS B2 users:
Category EFTS messages inform ABS B2 users about the state of file sets in certain directories, as well as about failures occurred when receiving/sending EFTS files;
Messages concerning documents to be processed in accordance with "the templates of documents for special processing";
Messages concerning applications received for foreign currency purchase;
A message to the EFTS operator and other users from an ABS B2 user;
A message upon receipt of files from other systems;
Tracking rejected outcoming EFTS documents; and
Messages concerning documents received from iFOBS (Customer-Bank system).
5 Documents for Special Processing
This subsystem is designed to perform automatically standardized operations (crediting a transit account, notifying users of the appearance of documents corresponding to the template, posting prohibition) with documents whose data correspond to the terms of special templates.
6 Document Import from External Systems
This subsystem is designed to download counteragents, accounts, documents from files from other systems wherein a filename has a fixed length of 12 characters (including a filename extension and point before the extension). Each successfully processed file must have a unique filename within one trading day. The basic structure of these file is a File A cut format which may be added with additional parameters. The file contains no headline. The full structure of this file is shown in documentation for ABS B2.
7 Peripheral Systems
The following interfaces are provided for in ABS B2:
- File API (customers, accounts, documents, transactions);
- On-line API (customers, accounts, documents, transactions);
- Card system interfaces (IS Card, Profile, Transmaster).
8 Expanded Security System
This is implemented in ABS B2 through Two-Phase Administration Mode (or Administration with Authorization), an ABS B2 administration subsystem operation mode wherein any change in the parameters of system itself made by the system administrator, occur not immediately but only after these actions have been authorized by another person - "authorizer" - who may authorize or reject such change. User parameters, their rights of tasks and analytical accounts, as well as change in any major parameters of counteragents and analytical account parameters (account state, account limit, the description of account, responsible operator, the date of "Open for State Tax Administration" should be authorized.
|
