
What Should Financial Institutions Consider When Choosing a Data Center in Compliance with Recommendation D?

The competitive position of financial institutions depends to an ever increasing extent on secure data collection and processing. Nearly 90 per cent of Poles receive their salaries via bank transfer, 77 per cent hold a savings and checking account, and 66 per cent have a payment card [1]. Mobile banking is becoming more popular and Big Data analysis allows financial institutions to better tailor their services to individual customers. What would happen, however, if access to data was interrupted even for a brief moment?

Warsaw, 19 August 2014. To understand the scale of risk involved, it is enough to recall the recurring reports of failures of Internet banking services and loss of customer data. The threat grows as more and more information is collected and processed as electronic files. The increasing threat of data loss (or unauthorized access to data) has also been noticed by the Polish Financial Supervision Authority (Komisja Nadzoru Finansowego, KNF), which set a timeframe for financial institutions to comply with Recommendation D by the end of 2014.

Financial Institutions Choose Their Data Centers

The purpose of Recommendation D is to induce financial institutions to assure the stability and security of their information technology. Both of these, along with optimization of IT infrastructure maintenance costs, are offered by the increasingly common colocation, hosting and cloud computing services provided by data centers. This is reflected in the customer structure of the ATMAN Data Center, the largest facility of this type in Poland.

"Our major customers include banks, insurers, and investment funds. This has been acknowledged by a long-term contract concluded recently with a leading financial institution to make available 25 per cent of the space in the newly opened F4 colocation facility, which is part of the ATMAN Data Center," said Maciej Krzyżanowski, President of the Management Board (CEO) of ATM S.A. Mr Krzyżanowski added: "We expect Recommendation D to encourage other financial organizations to transfer their resources to data centers that meet the highest standards of security."

How do you verify these standards and what do you focus on to be sure that a provider of colocation, hosting or cloud computing services collects and processes data in compliance with KNF's recommendations?

First Consideration: Legal Safety

It follows from Recommendation D that banks should have formal rules in place for cooperation with external IT service providers that guarantee data security as well as a properly functioning ICT environment [2].

"This means that each bank which intends to transfer its resources to a data center should enter into an SLA (Service Level Agreement) with the provider of data center services which must identify, among other things, the areas of responsibility of the provider and the user and raise the quality and security level on the basis of best practices. At the same time, it should be verified if the location of the data center where colocation, hosting or cloud computing services are to be provided complies with the Polish and EU legislation on personal data protection," said Stanisław Dałek, Product Manager with ATM S.A.'s Telecommunications Services Development Section.

Second Consideration: Technical and Technological Security

The KNF stresses that power capacity adequate for the bank's needs is equally important. Only then will the ICT infrastructure, both in terms of its architecture and individual components, be capable of providing proper support for the bank's operations and guarantee the security of processed data [3].

"To this end, it should be verified whether the data center has at least two independent power supply routes from the grid, an auxiliary emergency power generator, and also two independent internal power supply routes backed up by a UPS. No less crucial are redundant air-conditioning and fault-free access to broadband Internet. This makes data transfer stable and efficient. High processing performance is to be ensured by servers with powerful processors and SSD memories, plus network mass storage systems," added Stanisław Dałek.

Third Consideration: Physical Security

Safety in its legal and technological aspects should be supported by mechanisms that allow for the proper control of access to data and information, and control of physical access to key elements of the ICT infrastructure [4].

"To ensure compliance with the recommendation formulated in this way, it is necessary to provide not only a 24/7 security and an access control system, including CCTV monitoring, but also to maintain a fire extinguishing system, carrier and maintenance support, and to guarantee replacement of any components or a damaged server at short notice," explained Stanisław Dałek.

* * *

"Only data centers that are designed in this way, such as ATMAN Data Center, are capable of offering safe colocation, hosting and cloud computing services, thus making it possible for financial institutions to focus on their own business, without the need to worry about the stability of the technical aspect of their operations," concluded Stanisław Dałek.

1. Based on the National Bank of Poland's data contained in the report "Zwyczaje płatnicze Polaków" (Poles' Payment Habits), May 2013.
2. Recommendation No. 10 (forming part of Recommendation D) provides that the bank should have formal rules in place for cooperation with external IT service providers that guarantee data security as well as a properly functioning ICT environment, to include services rendered by the bank's group companies.
3. In Recommendation No. 9, which is a part of Recommendation D, we read that the bank should have formal rules in place for ICT infrastructure management, including its architecture, individual components, performance and capacity, and documentation, ensuring proper support for the bank's operations and data processing security.
4. Recommendation No. 11, which, on the other hand, deals with physical security, states that the bank should have formal rules and technical mechanisms in place allowing for the proper level of logical control of access to data and information, and control of physical access to key elements of the ICT infrastructure.
