of April 29, 2022 No. 30
About modification of some regulatory legal acts of the Republic of Kazakhstan concerning regulation of information security in the financial market
Board of the Agency of the Republic of Kazakhstan on regulation and development of the DECIDES: financial market
1. Approve the List of regulatory legal acts of the Republic of Kazakhstan concerning regulation of information security in the financial market to which changes, according to appendix to this resolution are made.
2. To provide to management of cyber security in the procedure established by the legislation of the Republic of Kazakhstan:
1) together with Legal department state registration of this resolution in the Ministry of Justice of the Republic of Kazakhstan;
2) placement of this resolution on official Internet resource of the Agency of the Republic of Kazakhstan on regulation and development of the financial market after its official publication;
3) within ten working days after state registration of this resolution submission to Legal department of data on execution of the action provided by the subitem 2) of this Item.
3. To impose control of execution of this resolution on the supervising vice-chairman of the Agency of the Republic of Kazakhstan on regulation and development of the financial market.
4. This resolution becomes effective after ten calendar days after day of its first official publication.
The chairman of the Agency of the Republic of Kazakhstan on regulation and development of the financial market
M. Abylkasymova
|
It is approved National Bank of the Republic of Kazakhstan |
|
Appendix
to the Resolution of Board of the Agency of the Republic of Kazakhstan on regulation and development of the financial market of April 29, 2022 No. 30
1. Bring in the resolution of Board of National Bank of the Republic of Kazakhstan of March 27, 2018 No. 48 "About approval of Requirements to ensuring information security of the banks, branches of nonresident banks of the Republic of Kazakhstan and the organizations performing separate types of banking activities, Rules and terms of provision of information on incidents of information security including data on violations, failures in information systems" (it is registered in the Register of state registration of regulatory legal acts at No. 16772) the following changes:
Requirements to ensuring information security of banks, branches of nonresident banks of the Republic of Kazakhstan and the organizations performing separate types of banking activities to state in edition according to appendix 1 to this List of regulatory legal acts of the Republic of Kazakhstan concerning regulation of information security in the financial market to which changes are made (further – the List);
To state rules and terms of provision of information on incidents of information security, including data on violations, failures in information systems, in edition according to appendix 2 to this List.
2. Bring in the resolution of Board of the Agency of the Republic of Kazakhstan on regulation and development of the financial market of September 21, 2020 No. 90 "About approval of Requirements to services of response to incidents of information security, to conducting internal investigations of incidents of information security" (the following change is registered in the Register of state registration of regulatory legal acts at No. 21274):
in Requirements to services of response to incidents of information security, conducting internal investigations of the incidents of information security approved by the specified resolution:
state Item 2 in the following edition:
"2. In Requirements the concepts provided by the Law of the Republic of Kazakhstan "About informatization", the resolution of Board of National Bank of the Republic of Kazakhstan of March 27, 2018 No. 48 "About approval of Requirements to ensuring information security of the banks, branches of nonresident banks of the Republic of Kazakhstan and the organizations performing separate types of banking activities, Rules and terms of provision of information on incidents of information security, including data on violations, failures in information systems", registered in the Register of state registration of regulatory legal acts at No. 16772, and also the following concepts are used:
1) the retrospective analysis of events of information security – the analysis of data set, the events of information security received during monitoring for certain period for the purpose of identification of incidents of information security undetected earlier;
2) internal investigation of incident of information security – the process performed by employees of bank, organization and the third parties for the purpose of establishment of the reasons and premises of emergence of incident of information security, procedure for realization of incident of information security, assessment of scale of impact and damage from realization of incident of information security, efficiency analysis of the taken responses to incidents of information security;
3) the standard procedure of reaction – procedure for application of urgent measures for localization of incident of information security which probability of origin is high without possibility of decrease in risk of emergence of incident of information security in short terms;
4) the compromise indicator – the unique characteristic of the object observed in volatile memory on electronic media or in network traffic which with high probability specifies device compromise;
5) vulnerability – lack of information system or its separate elements which operation is capable to lead to violation of integrity and (or) confidentiality and (or) availability of information system.".
3. Bring in the resolution of Board of the Agency of the Republic of Kazakhstan on regulation and development of the financial market of November 23, 2020 No. 111 "About approval of technique of risks assessment of information security, including procedure for ranging of the financial organizations for degree of risk exposure of information security" (the following change is registered in the Register of state registration of regulatory legal acts at No. 21686):
in the Technique of risks assessment of information security, including procedure for ranging of the financial organizations for degree of risk exposure of the information security approved by the specified resolution:
state Item 2 in the following edition:
"2. In the Technique the following concepts are used:
1) the business owner of data asset – the owner of the main business process for which providing lifecycle the data asset is used;
2) threat of information security – set of the conditions and factors creating premises to emergence of incident of information security;
3) risk of information security – probable emergence of damage owing to violation of confidentiality, deliberate violation of integrity or availability of data assets;
Disclaimer! This text was translated by AI translator and is not a valid juridical document. No warranty. No claim. More info
Database include more 50000 documents. You can find needed documents using search system. For effective work you can mix any on documents parameters: country, documents type, date range, teams or tags.
More about search system
If you cannot find the required document, or you do not know where to begin, go to Help section.
In this section, we’ve tried to describe in detail the features and capabilities of the system, as well as the most effective techniques for working with the database.
You also may open the section Frequently asked questions. This section provides answers to questions set by users.