of March 27, 2018 No. 48
About approval of Requirements to ensuring information security of the banks, branches of nonresident banks of the Republic of Kazakhstan and the organizations performing separate types of banking activities, Rules and terms of provision of information on incidents of information security including data on violations, failures in information systems
According to Item 7 of article 61-5 of the Law of the Republic of Kazakhstan "About banks and banking activity in the Republic of Kazakhstan" the Board of National Bank of the Republic of Kazakhstan DECIDES:
1. Approve:
1) Requirements to ensuring information security of banks, branches of nonresident banks of the Republic of Kazakhstan and the organizations performing separate types of banking activities according to appendix 1 to this resolution;
2) Rules and terms of provision of information on incidents of information security, including data on violations, failures in information systems, according to appendix 2 to this resolution.
2. Declare invalid the resolution of Board of National Bank of the Republic of Kazakhstan of March 31, 2001 No. 80 "About approval of Rules on safety of information systems of banks of the second level and the organizations performing separate types of banking activities" (registered in the Register of state registration of regulatory legal acts at No. 1517).
3. The Management of information threats and cyberprotection (Perminov R. V.) shall, in the procedure established by the legislation of the Republic of Kazakhstan, ensure:
1) together with Legal department (Sarsenov N. V.) state registration of this resolution in the Ministry of Justice of the Republic of Kazakhstan;
2) within ten calendar days from the date of state registration of this resolution, sending a copy of it in paper and electronic form in the Kazakh and Russian languages to the Republican state company on the right of economic maintaining "The republican center of legal information" for official publication and inclusion in Reference control bank of regulatory legal acts of the Republic of Kazakhstan;
3) placement of this resolution on official Internet resource of National Bank of the Republic of Kazakhstan after its official publication;
4) within ten working days after state registration of this resolution, submission to Legal department of data on execution of the actions provided by subitems 2), 3) of this Item and Item 4 of this resolution.
4. The Management on consumer protection of financial services and external communications (Terentyev A. L.) shall, within ten calendar days after state registration of this resolution, ensure that a copy of it is sent for official publication in periodical print publications.
5. Control of execution of this resolution is imposed on the vice-chairman of National Bank of the Republic of Kazakhstan Smolyakov O. A.
6. This resolution becomes effective ten calendar days after the day of its first official publication, except for subitem 1) of Item 1 and Item 2 of this resolution, which become effective on December 1, 2018.
Chairman of National Bank
D. Akishev
Appendix 1
to the Resolution of Board of National Bank of the Republic of Kazakhstan of March 27, 2018 No. 48
1. These Requirements to ensuring information security of the banks, branches of nonresident banks of the Republic of Kazakhstan and the organizations performing separate types of bank transactions (further – Requirements) are developed according to Item 7 of article 61-5 of the Law of the Republic of Kazakhstan "About banks and banking activity in the Republic of Kazakhstan" and establish requirements to ensuring information security of banks, branches of nonresident banks of the Republic of Kazakhstan (further – bank) and the organizations performing separate types of banking activities (further – the organization).
2. In Requirements the concepts provided by the Law of the Republic of Kazakhstan "About informatization" and also the following concepts are used:
1) information security in the field of informatization (further – information security) – condition of security of electronic information resources, information systems and information and communication infrastructure from external and internal threats;
2) the regular data carrier – a data carrier that is a component of an object of information and communication infrastructure and is connected to it on a permanent basis;
3) data asset – the set of information and the object of information and communication infrastructure used for its storage and (or) processing;
4) IT manager of information system / asset – the worker or division (workers or divisions) of the bank or organization responsible for maintaining the information system / asset in a condition conforming to the requirements of the business owner of the information system / asset;
5) the business owner of information system or subsystem – the division (worker) of the bank or organization that is the owner of the main business process automated by the information system or subsystem;
6) information and communication infrastructure (further – information infrastructure) – the set of objects of information and communication infrastructure intended to ensure the functioning of the technological environment for the purpose of forming electronic information resources and providing access to them;
7) perimeter of protection of information and communication infrastructure – the set of software and hardware that separates the information and communication infrastructure of the bank or organization from external information networks and implements protection against threats to information security;
8) threat of information security – the set of conditions and factors creating preconditions for the emergence of an incident of information security;
9) risk of information security – probable emergence of damage owing to violation of confidentiality, deliberate violation of integrity or availability of data assets of the bank or organization;
10) ensuring information security – the process directed at maintaining the state of confidentiality, integrity and availability of data assets of the bank or organization;
11) information on incidents of information security – information about separately or serially arising failures in work of information and communication infrastructure or its separate objects creating threat to their proper functioning and (or) conditions for illegal obtaining, copying, distribution, modification, destruction or blocking of electronic information resources;
12) incident of information security – separately or serially arising failures in work of information and communication infrastructure or its separate objects creating threat to their proper functioning and (or) conditions for illegal obtaining, copying, distribution, modification, destruction or blocking of electronic information resources;
13) preset accounts – accounts of information systems set up by their producers;
14) privileged account – an account in an information system that has privileges to create, remove and change the access rights of accounts;
15) the console of administration and monitoring – a workstation that allows remote control of an information system;
Disclaimer! This text was translated by AI translator and is not a valid juridical document. No warranty. No claim.