Ru CFT Group

Outsourcing of CFT System


As a vendor of solutions for the financial sector, CFT suggests to the banks transmitting their banking business processes to complex CFT Banking systems and Processing services with their transfer to CFT outsourcing. 

With outsourcing, the bank gets a comprehensive Solution on ready IT infrastructure in the CFT DPC for Banking systems + a large-scale frontal infrastructure for development of retail business and mobile development of bank products: 

Banking systems:

  • CFT-Bank (Platform 1)
  • CFT-Bank (Platform 2МСА)
  • CFT-Retail Bank

Processing services:

  • Internet banking
  • CardStandard PC
  • Golden Crown
  • National Gorod System

Basic Services of CFT-Outsourcing:

  • Provision to the bank of ready IT infrastructure for CFT Banking Systems  
  • Support of CFT Banking Systems in accordance with the requirements of Regulatory Authorities and CBR
  • Support of all Bank Users working in CFT Banking Systems
  • Performance of works on modification and development of CFT Banking Systems according to the Bank business requirements
  • Additional services

Benefits of outsourcing for the Bank:

  • Reduction of the cost of ownership of Bank own IT infrastructure:
    • Hardware
    • System software and its technical support
    • Security systems
    • Human resources
  • Quick result at the launch of a new Financial Product or business solution
  • Transparent and forecasted budget for required services
  • High level of security
  • Single "access point" for all services
  • Quick change of the content and scope of services rendered

CFT IT Infrastructure for Rendering of CFT-Outsourcing Services

  • Two own data processing centers (main and backup) with necessary hardware.
  • Own independent fiber optic ring between the DPC's to which four backbone providers connect: TTC, ROSTELECOM, AVANTEL, RTCOMM-SIBIR.
  • Backup independent energy sources.
  • Own control and security services.

Safety Provision

  • Physical security of DPC by a special security service.
  • DPC access control system using personified cards.
  • Video surveillance system.
  • Limited data access on the network and application level.
  • Backup of all data.
  • Redundant (backup) DPC for service continuity.
  • Banks are connected to the HSS in the DPC by an Internet provider via protected telecommunication channels (main and backup) using encryption certified in the FSB. Necessary capacity of the main and backup channels is secured by Internet providers with which the Bank has concluded respective agreements.
  • Organizational safety measures are the regulatory part (regulations, orders, access lists, instructions, work performance requirements).
  • Regular audit:
    • internal – for conformity to IS requirements;
    • external – for conformity to ISAE 3402 requirements (external auditor – PWC).

Regulatory compliance in information security

1. CFT is a licensee of the Federal Security Service (FSB of Russia) and has the following Licenses:

  • No.0024058, Reg.No.10747P from 06.06.2011, for development and production of encryption (cryptographic) means protected with encryption (cryptographic) means of information and telecommunication systems.
  • No.0005806, Reg.No.0245N from 24.01.13, for development, production and distribution of encryption (cryptographic) devices, information systems and telecommunication systems protected with encryption (cryptographic) means, performance works and services in the field of data encryption, maintenance of encryption (cryptographic) devices, information systems and telecommunication systems protected with encryption (cryptographic) means (except if the maintenance of encryption (cryptographic) devices, information systems and telecommunication systems protected with encryption (cryptographic) means is performed for the needs of a legal entity or individual entrepreneur).  

2. CFT is a licensee of the Federal Service for Technical and Export Control (FSTEK Russia) has the following License:

  • for implementation of technical protection of confidential information: Reg.No.1437 from 18.04.2011.
  • for implementation of development and (or) production of protection means of confidential information: Reg.No.0837 from 18.04.2011.  

3. In accordance with the STO BR IBBS -1.0 -2010 (Standard of the Bank Russia for information security of the banking system of the Russian Federation) CFT bank information systems are supplied with full technical documentation. The agreement of development or delivery of information systems and their components to financial institutions may include provisions for maintenance of delivered products for their entire service life. The STO BR IBBS -1.0- 2010 does not have any requirements restricting the transfer of information systems to outsourcing.

4. From 2013, PricewaterhouseCoopers conducts a yearly audit of the internal control systems of the SYSTEM IT outsourcing services provided by CFT to customer banks for compliance with ISAE 3402 * (type II), which also covers the IT control section during IFRS audit of the customer Banks.

* Standard ISAE 3402 (International Standard on Assurance Engagements, ISAE 3402 «Assurance Reports on Controls at a Service Organization») is the accepted standard, which provides guarantees to customers and their auditors in relation to the effective internal control mechanisms at a service organization. Standard ISAE 3402 regulates the inspection of the internal control system (service organization) in terms of services that the company provides to its customers and which are relevant to the financial reporting of the company customers. 

CFT licenses in information security:
License for development and (or) production of confidential information protection means
License for technical protection of confidential information
License for development and production of encryption (cryptographic) devices
License for development, production and distribution of encryption (cryptographic) devices, information systems and telecommunication systems