Published on 17 Oct 2012
"IBM Security zSecure benefited Itaú Unibanco risk areas by reducing the IT risks that could have a direct impact on the bank’s operational risk. The IBM tools meet several requirements we must comply with as a financial institution in the areas of information and compliance, such as SOX, Basiléia II, and BACEN-3380 regulations." - —Ineida Moura, Information Security Manager, Itaú Unibanco.
Security: Governance, Risk and Compliance
The largest private institution in Brazil, Itaú Unibanco is always looking for new ways to make its operations faster and safer, which, ultimately, are an important factor for maintaining its leadership in the Brazilian market. The bank selected IBM Security zSecure software to lower the IT risks that could have a direct impact on operations. In the compliance area, IBM Security zSecure software met several requirements that the bank must comply with as a financial institution, such as SOX (Sarbanes–Oxley Act), Basiléia II, and BACEN-3380 regulations.
Finding a substitute for the RACF® management and auditing tools used and for other solutions developed in-house that have shown little flexibility and require high maintenance.
IBM was chosen due to its ability to substitute the original solution with a solution that covers a variety of management, auditing, compliance, and monitoring security aspects in the z/OS® system. Moreover, IBM provides excellent support services with specialists based in Brazil.
Financial and strategic benefits: IBM Security zSecure software lowers the IT risks that could have a direct impact on the bank’s operations. In the compliance area, the tools meet several requirements that the bank must comply with as a financial institution, such as SOX (Sarbanes–Oxley Act), Basiléia II, and BACEN-3380 regulations.
● Improvement in efficiency and productivity in the security management area
● Detailed reports that assist the auditing and compliance areas
● Ability to respond quickly in case of security incidents
With a presence in more than 1,000 Brazilian cities, as well as agencies and offices in 19 countries and two territories, Itaú Unibanco offers products and services customized to the needs of the client’s profile. On December 31, 2011, Itaú Unibanco ranked as the eighth largest bank in the world by market value (BRL152.8 billion), according to the Bloomberg ranking. The bank decided to adopt IBM® Security zSecure™ suite software to simplify and strengthen its security management processes.
The largest private institution in Brazil, Itaú Unibanco is always looking for new ways to make its operations faster and safer, which, ultimately, are an important factor for maintaining its leadership in the Brazilian market.
As part of this initiative, the bank started looking for a substitute for the RACF management and auditing tool being used and for other solutions developed in-house that are high-maintenance and have shown little flexibility in their use.
Among the resources that the financial institution wished to have, in order to rigorously apply its security policies and automate management and auditing, were functions to establish the use of standard commands, the segregation of functions of a large number of special users, and auditing tools for the security software used in the credit cards area.
Itaú Unibanco found in IBM Security zSecure software the best solution for the institution’s demands.
“IBM was chosen for its ability to substitute the original solution with a solution that covers a variety of management, auditing, compliance, and monitoring security aspects in the z/OS system,” says Raphael Mello, security support coordinator of Itaú Unibanco’s mainframe. “Moreover, IBM provides excellent support services with specialists based in Brazil.”
After the choice was made, several workshops were offered so that the auditing, corporation security, compliance, and development support areas of Itaú Unibanco could be trained to take the greatest advantage of the investment.
The results were impressive. With the zSecure Admin software, the bank can now easily perform the RACF management through a friendly interface that replaced the commands that required frequent searches in the user guides and complex panels that would take a long time to navigate. Another advantage of zSecure software is the granular and comprehensive information that facilitates security management.
zSecure Audit for RACF software also allowed Itaú Unibanco to implement best practices in mainframe security, besides substituting processes containing information from the previous day with real-time data.
Use of the zSecure Command Verifier made it possible, for example, to designate the user’s creation functions, password attribution, and access for the customer service area. The commands that the auditing department considered risky or unnecessary were blocked, according to internal policies. Likewise, critical commands that could generate impacts in the infrastructure or business areas were blocked. Therefore, the bank managed to decrease the number of special users, now with limited functions.
Itaú Unibanco is also evaluating the possibility of investing in zSecure Alert for RACF software to allow faster responses to all RACF events with real-time alerts. This solution may help the institution to fulfill the demands imposed by environments that are becoming increasingly heterogeneous, including the conformity with stricter security policies, processes, and regulations.
The IBM Security zSecure tools brought an important improvement in efficiency and productivity in security management, and they eliminated potential operational errors that could cause impacts such as system unavailability or vulnerability. Furthermore, the IT department became more agile in its responses to security incidents.
The security area reports are today more efficient and comprehensive, as well as helpful to establish priorities to strengthen the security efforts with more detailed and proactive audits. The security information contained in the reports can also be used by other internal areas in the bank, such as conformity and support, to perfect the processes.
“IBM Security zSecure benefited Itaú Unibanco risk areas by reducing the IT risks that could have a direct impact on the bank’s operational risk. Especially in the areas of information security and compliance, these IBM tools meet several requirements we must comply with as a financial institution, such as SOX, Basiléia II, and BACEN-3380 regulations,” says Ineida Moura, information security manager at Itaú Unibanco.
● IBM® Security zSecure™
IBM products and services that were used in this case study.
Tivoli zSecure Suite
© Copyright IBM Corporation 2012. IBM Corporation, Software Group, Route 100, Somers, NY 10589. Produced in the United States of America, October 2012. WGC12346-USEN-00