Meet the Experts Behind RealPort: Tomasz Sałaciński on Ensuring IT Security and How RealPort is Guarding Data

RealPort’s Senior Security Engineer, Tomasz Sałaciński

RealPort’s Senior Security Engineer, Tomasz Sałaciński has more than 10 years of experience as an IT Security specialist. He has worked as an expert in a variety of government and corporate IT security emergency response teams. At RealPort, Tomasz is responsible for implementing risk treatment plans and overseeing IT security operations.

Can you tell us about your background and your professional journey so far?

In terms of education, I finished IT at the Military University of Technology in Warsaw (the civilian path) and obtained my Master’s degree there. As for my professional experience, I started as a reverse engineer at an antivirus company. I dealt with very low-level issues, analysing malware samples and devising ways of detecting and neutralising them.

After that I moved to Computer Emergency Response Team (CERT) Polska which was at the time the major Polish CERT unit. The unit was responsible for executing and/or coordinating responses to major IT security incidents reported from mirror units abroad (now this unit has evolved into one of the three national pillars of the Polish National Cybersecurity System). I continued dealing with engineering tasks on a low level; specifically, parts of projects that supported government and international efforts to combating cybercrime in various places across the world.

Following this, I moved into the corporate field. I worked in CERT unit of Orange Polska (the biggest internet service provider in the country) and the Polish Banks Association (PBA). As a Chief Cybersecurity Specialist at PBA and a secretary of the inter-banking Threat Intelligence Forum, I had an incredible opportunity to learn and understand various high-level business requirements that security units are facing and how to fulfil those requirements. Out of the many valuable experiences I have had, I would particularly single out the coordination of the largest cybersecurity exercises in the Polish banking sector to date as one of the most important.

Finally, in 2020 I came to RealPort, excited by the opportunity to work on emerging technologies and financial instruments.

How is RealPort ensuring that investments made on the platform are secure?

At RealPort we take the security around all aspects of our service very seriously. Our Risk Management Team works tirelessly to identify any potential risks that could result in damages to our clients or our company. These risks are evaluated, prioritised, and mitigated using several levels of security controls. We have low-level security controls, such as widely deployed MFA or VPN-only access, as well as high-level controls, such as internal and external compliance audits or security tests.

The work that we do in this regard is never really finished. Risk management is an operational topic and we are constantly searching for areas of improvement, considering various approaches and evaluating our current position.

What is the role of IT security in RealPort’s general risk management?

When dealing with IT services and emerging technologies, it’s unavoidable that IT security risks will make up a large portion of the overall risk. We recognised this fact from an early stage of our platform development, and that’s why we decided to establish a continuous IT threat intelligence process.

During this process we analyse the IT threat landscape and how it’s evolving, closely monitoring the most recent reports on existing cybercrime groups and activities. In order to respond to these digital threats, we established a specialised unit that is tasked with building, maintaining, and improving our security system (ISMS — Information Security Management System).

How does this Information Security Management System (ISMS) work?

There are three pillars to the architecture of our ISMS:

1. IT threat intelligence

  • The goal of this pillar is to identify all the relevant threat actors (i.e., cybercrime groups) and their TTP (Tools, Tactics and Procedures).

2. IT risk management

  • The collected information on threats is then handed over to the IT risk management process, during which we analyse what risk scenarios can materialise, what would be the result of their materialising, and how damaging it would be to the platform. This process allows us to create a priority list of IT risks that we need to mitigate and how exactly to do that, using available defensive technologies.

3. IT security operations

  • We execute our IT security strategies designed in the previous step. We implement these strategies by operating security controls, analysing and monitoring data, backing up data sets, and responding to identified incidents — to name a few.

What is RealPort doing to ensure it meets the industry standards in terms of these ISMS practices?

Industry standards are formulated as corporate or regulatory norms and standards. When organisations reach compliance with selected standards, they request a certification by authorised bodies in order to provide the proof of compliance to their customers and partners.

Our Governance Risk & Compliance (GRC) department identifies the standards and norms that are relevant for our company and hands over the implementation to responsible units. In case of the IT security — to myself. Implementing compliance is often a demanding process, which involves fulfilling a long list of detailed requirements and multiple verifications and audits along the way.

In order to obtain certification of compliance and maintain it, we need to undergo this process every year. As a result, we are able demonstrate to our customers that we approach security topics seriously and they can trust us. That is entirely worth the effort.

What audits are RealPort working towards at the moment?

We are maintaining compliance with the following standards and norms:

  • ISO 27001 standard
  • BAIT recommendation
  • GDPR directive

Currently, we are undergoing ISO 27001 certification audit conducted by TÜV SÜD and we will obtain a certificate of compliance in the coming weeks.

What is RealPort doing to ensure risk management within the organisation and externally with the partners you have chosen to work with?

Internally, the differences between risk management and security processes and the other various processes happening within RealPort, is their need to “penetrate” all other departments within the organisation. It’s not sufficient to have nice looking policies. The company needs to embed them into the day-to-day work.

At all levels of organisation employees have different responsibilities. The Risk Management Team is of course the “heart” of the process. They coordinate the work and provide the necessary competence; however, processes go far beyond that.

For example, my colleagues from the Development Team and the Product Management Team need to provide us with information on critical assets, evaluate potential impacts, and understand the dependencies. High-level management ensures sufficient resources for implementing IT security strategies. On top of that, all employees are responsible for reporting suspected or confirmed risks via our internal Help Center.

Externally we cooperate closely with verified and licensed partners, such as Solarisbank (our banking services provider), Netfonds (a licensed broker ensuring our ongoing compliance with relevant regulations in this area) or Intelliant (a recognised company of IT security and compliance specialists). All of the above partners have the necessary experience and an exceptional track record of working in the regulated service sector.

Risk management rules also apply to the process of selecting service providers. Before we decide on purchasing a product or a service, we look closely at exposure to additional risks and whether those risks are being properly mitigated. Basically, if a company is to access our digital assets, it needs to prove that it maintains an adequate security system, either by demonstrating certification or providing us with a security concept that we can look into.

How does RealPort ensure that the personal data of customers is always secure?

RealPort takes a multitude of necessary precautions to ensure that the personal data of our customers is appropriately protected. For example, we have established a Data Protection Officer (DPO); an independently functioning entity, whose sole responsibility is to ensure that we are fulfilling the requirements of GDPR directives and that we have all the sufficient security measures in place. Additionally, we maintain a register of all personal data sets and any activities that may be performed on them. Based on this register, we are strictly regulating and auditing access to personal data sets by our employees. All access is granted according to the “need-to-know” rule, which basically means that access is given only if an employee has a legitimate business purpose for accessing that information. All this, combined with appropriate policies and trainings for our team are a part of our extensive Data Protection Framework.

RealPort is an Investment Brokerage Platform for Sustainable Real Assets