erisk supports risk management in ZUS

Quick generation of statements and analyses.
Access to huge amounts of data from different locations.

ZUS

The Social Insurance Institution (ZUS – Zakład Ubezpieczeń Społecznych) is a state organizational unit with legal personality. It was established on 24 October 1934 under the ordinance of the President of the Republic of Poland, Ignacy Mościcki. Since then, it has been the most important institution of the Polish social insurance system. In its present shape, the Institution operates on the basis of the Act of 13 October 1998 on the social insurance system. The activities of the Institution are managed by the President of the Institution, appointed by the Prime Minister. The President of the Institution represents the Institution externally. The minister responsible for social security is responsible for the supervision of the Institution’s activities.

Full name

Zakład Ubezpieczeń Społecznych

Website

www.zus.pl

Employment

43 284 (2020)

Industry

Public finance sector

Locations

(countries/branches that use erisk): Poland, ZUS Headquarters and 42 Local Units

Language versions

Polish

Modules used
  • Risk management
  • Analytics and Reporting
Number of system users (total)
  • erisk risk module – 222 perpetual licenses
  • erisk operational events module – 1 perpetual license
  • erisk reports module – 20 perpetual licenses
Number of system users (according to individual implemented modules)
  • Risk – 222 perpetual licenses
  • Reports – 20 perpetual licenses

Expectations

ZUS was looking for a partner who would update and computerize the methodology of information security risk management. The software supplier had to meet high requirements, including documented experience from implementations in large organizations with similar specificity. The tool was to enable the implementation of methodologies in accordance with the requirements of ISO 27001, ISO 27005 and ISO 31000. The key requirements included: collecting and comparing data from all headquarters departments and territorial units (80 locations in total), as well as analytics and reporting. Moreover, it was important to ensure access to data at any time and from anywhere. The tool was supposed to be flexible, easy to use and ready for further development and modification depending on the needs. The erisk software we offered fully meets these needs and complies with international standards.

Solution

The project started in January 2020 and lasted until the end of the year. It is worth noting that it was implemented quickly and successfully despite the size of the organization, its dispersed structure and the ongoing COVID-19 pandemic.

We developed the technical documentation

The first step was a thorough analysis of the requirements. For this purpose, we looked at the functioning model of information security risk management in the context of business requirements, needs, directions and opportunities for its improvement. The results of the analysis were used to develop the concept of the risk management model, database design and system documentation.

We delivered the tool

We provided a license for erisk. The tool consisted of three modules: Risk, Operational Events and Reports. Depending on the modules, we granted appropriate licenses, including 222 perpetual licenses for the Risk module alone.

We configured and customized erisk

We prepared the tool so that it can be used in the future in other management areas, i.e. business continuity, operational risk and GDPR. We implemented an information security risk management methodology and established the target structure and hierarchy of forms. The biggest challenge here was to create a fully managed risk register in an organization as large as the Social Insurance Institution. Here too, erisk passed the test, because it is fully flexible and supports, among other things, local libraries, the risk owner’s individual analysis and assessment, and risk reference lists at the central and local level.

We conducted workshops

One of the requirements of the project was to train and prepare the users of the tool for identifying, analyzing, assessing and estimating risks and building plans for dealing with unacceptable risks. We conducted practical workshops on how to use the tool. The workshop participants were selected employees, including risk owners and a content administrator. Together with them, we built a knowledge base on risks in the erisk tool, which was one of the key elements of the project and the optimized information security risk management process. The workshops were held online due to the pandemic, but this did not reduce their substantive value.

We provided technical and content support

ZUS could count on the support of our consultants, who were at its disposal at all times, also after the completion of the project. As part of technical assistance, we helped in the operation and optimization of the tool, including introducing appropriate modifications to the database and new options.

Methodology

Information Security Risk Management ISO/IEC 27005

Risk management ISO 31000 and the requirements of ISO/IEC 27001

What did the client gain?

  • Automating the information security risk management process.
  • Shortening the time of preparing reports and limiting their defectiveness.
  • Optimizing the information security risk register and increasing the value of the data transferred.
  • Access to always up-to-date and consistent data at any time and in any compilation, as well as the ability to analyze and assess risk in individual local organizational units.
  • Increasing employees’ awareness of information security risk management.

The erisk implementation project was one of the most demanding in terms of technology and time; an additional difficulty was the announced coronavirus pandemic. Nevertheless, it was completed successfully and on time, which proves the high commitment, experience and specialization of our partner. The implemented erisk tool fully meets our needs and automated the areas of risk management in the area of personal data protection and information security. A great advantage here was the possibility of further development and expansion of the software, which is crucial for ZUS in its pursuit of modernity and compliance with the law and international standards not only for image reasons, but especially for security.

Agnieszka Gębicka,
Data Protection Inspector,
Social Insurance Institution