Registered with the Ministry of Justice of the Russian Federation on December 6, 2016, No. 44582
Provision of the Bank of Russia of August 24, 2016 No. 552-P
On requirements for information security in the payment system of the Bank of Russia
This Provision, on the basis of Federal Law No. 86-FZ of July 10, 2002 "On the Central Bank of the Russian Federation (Bank of Russia)" (Collected Legislation of the Russian Federation, 2002, No. 28, Art. 2790; 2003, No. 2, Art. 157; No. 52, Art. 5032; 2004, No. 27, Art. 2711; No. 31, Art. 3233; 2005, No. 25, Art. 2426; No. 30, Art. 3101; 2006, No. 19, Art. 2061; No. 25, Art. 2648; 2007, No. 1, Art. 9, Art. 10; No. 10, Art. 1151; No. 18, Art. 2117; 2008, No. 42, Art. 4696, Art. 4699; No. 44, Art. 4982; No. 52, Art. 6229, Art. 6231; 2009, No. 1, Art. 25; No. 29, Art. 3629; No. 48, Art. 5731; 2010, No. 45, Art. 5756; 2011, No. 7, Art. 907; No. 27, Art. 3873; No. 43, Art. 5973; No. 48, Art. 6728; 2012, No. 50, Art. 6954; No. 53, Art. 7591, Art. 7607; 2013, No. 11, Art. 1076; No. 14, Art. 1649; No. 19, Art. 2329; No. 27, Art. 3438, Art. 3476, Art. 3477; No. 30, Art. 4084; No. 49, Art. 6336; No. 51, Art. 6695, Art. 6699; No. 52, Art. 6975; 2014, No. 19, Art. 2311, Art. 2317; No. 27, Art. 3634; No. 30, Art. 4219; No. 40, Art. 5318; No. 45, Art. 6154; No. 52, Art. 7543; 2015, No. 1, Art. 4, Art. 37; No. 27, Art. 3958, Art. 4001; No. 29, Art. 4348, Art. 4357; No. 41, Art. 5639; No. 48, Art. 6699; 2016, No. 1, Art. 23, Art. 46, Art. 50; No. 27, Art. 4225, Art. 4273, Art. 4295), Article 20 of Federal Law No. 161-FZ of June 27, 2011 "On the National Payment System" (Collected Legislation of the Russian Federation, 2011, No. 27, Art. 3872; 2012, No. 53, Art. 7592; 2013, No. 27, Art. 3477; No. 30, Art. 4084; No. 52, Art. 6968; 2014, No. 19, Art. 2315, Art. 2317; No. 43, Art. 5803; 2015, No. 1, Art. 8, Art. 14; 2016, No. 27, Art. 4221, Art. 4223), and taking into account the requirements of Bank of Russia Provision No. 382-P of June 9, 2012 "On requirements for ensuring information security when making money transfers and on the procedure for the Bank of Russia to monitor compliance with the requirements for ensuring information security when making money transfers", registered with the Ministry of Justice of the Russian Federation on June 14, 2012, No. 24575, on July 1, 2013, No. 28930, and on September 10, 2014, No. 34017 ("Bulletin of the Bank of Russia" No. 32 of June 22, 2012, No. 37 of July 10, 2013, No. 83 of September 17, 2014), establishes the requirements for information security in the payment system of the Bank of Russia (hereinafter, PS BR) when making money transfers.
1.1. This Provision applies to participants of PS BR that are clients of the Bank of Russia (hereinafter, participants).
1.2. Participants shall protect the following information in PS BR:
information contained in participants' orders;
information on completed money transfers, including information contained in notices (confirmations) of acceptance of participants' orders for execution and in notices (confirmations) of execution of participants' orders;
information on cash balances on the accounts opened for participants and connected with making money transfers in PS BR;
information needed to certify participants' right to dispose of funds;
key information of the cryptographic information protection means (hereinafter, SKZI) used when making money transfers (hereinafter, cryptographic keys);
information on information infrastructure objects, and configuration information that determines the operating parameters of technical information security means;
restricted-access information, including personal data and other information subject to mandatory protection under the legislation of the Russian Federation, that is processed when making money transfers.
2.1. To ensure information security when accessing information infrastructure objects, participants shall allow access to the automated workplace for exchange of electronic messages (hereinafter, ES) with PS BR only from the local area network (hereinafter, LAN) segment in which that automated workplace for ES exchange with PS BR is located (hereinafter, the PS BR site).
2.2. To record the decision on whether organizational information protection measures and/or technical information security means are needed, and to ensure that those measures are applied, participants shall develop documents in accordance with the list of procedures regulated for the purpose of ensuring information security at the PS BR site (appendix to this Provision). Documents regulating information security procedures shall be agreed with the participant's information security service.
2.3. The documents referred to in item 2.2 of this Provision shall define the procedure for ensuring information security and provide for information security measures at all stages of creation, operation (proper use, maintenance and repair), modernization and decommissioning of information infrastructure objects at the PS BR site.
2.4. Participants shall comply with the requirements of the operational documentation for the means of protection against unauthorized access (hereinafter, SZI from NSD), SKZI and means of protection against malicious code (hereinafter, SZ from VVK) used at the PS BR site throughout their entire period of operation, including during installation and configuration, and shall restore these technical information security means in the event of failures and/or malfunctions.
3.1. Participants control physical access to information infrastructure objects in order to prevent physical impact on the computer hardware used for making money transfers, using organizational measures or technical means of access control and management for the premises in which ES are created, processed, controlled and transmitted (received) (hereinafter, premises).
3.2. Physical access to the premises shall be granted only to those workers of the participant who are included in the access list for those premises.
3.3. The premises shall be equipped with a security alarm system, placed under guard, and located within the coverage area of the video surveillance and access control system.
3.4. The retention period for data of the video surveillance and access control systems (where such systems are used) provided for in item 3.3 of this Provision shall be at least three years.
4.1. Identification, authentication and authorization procedures for workers' logical access to the PS BR site shall be performed using personalized unique accounts, in accordance with the current list of access subjects who are granted logical access to the PS BR site.
4.2. To record the actions of workers during logical access to the PS BR site and actions related to the assignment and distribution of logical access rights, and to ensure storage of that information, the following electronic logs shall be maintained:
logs of logical access to PS BR information resources (hereinafter, logical access logs);
logs of operations performed during logical access to PS BR information resources (hereinafter, transaction logs);
logs of information protection means.
The retention period for logical access logs, transaction logs and logs of information protection means shall be at least three years.
4.3. To protect information against unauthorized access, logical access logs and transaction logs shall be accessible to employees of the information security service and to employees of the IT service who maintain information infrastructure objects at the PS BR site. Logs of information protection means shall be accessible only to employees of the information security service. Corrections to transaction logs are not permitted.
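Item 4.3 forbids corrections to transaction logs but does not say how that prohibition is to be enforced. The Provision prescribes no mechanism; the following is an added example, not text or code from the Provision, showing one way a participant could make a transaction log tamper-evident: each record carries a SHA-256 over the previous record's hash and its own canonical body, and a keyed MAC over the head hash, held by the information security service, exposes deletion of trailing records, which a bare hash chain cannot detect. The field names, the seal key and the sample records are assumptions constructed for the example.

```python
from __future__ import annotations

import hashlib
import hmac
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # chain anchor for the first record


def _record_digest(prev_hash: str, body: dict) -> str:
    """Hash of the previous record's hash concatenated with the canonical body."""
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + canonical).encode()).hexdigest()


class TransactionJournal:
    """Append-only journal: every record commits to the one before it.

    Editing or deleting any record breaks the hash of every later record,
    so a 'correction' cannot be made silently. A keyed MAC over the head
    hash (kept by the security service, not with the journal) also
    exposes truncation, which a bare hash chain cannot detect.
    """

    def __init__(self, seal_key: bytes):
        self._entries: list[dict] = []
        self._seal_key = seal_key

    def append(self, subject: str, action: str, obj: str, result: str) -> dict:
        body = {
            "seq": len(self._entries),
            "ts": datetime.now(timezone.utc).isoformat(),
            "subject": subject,   # personalized account, as item 4.1 requires
            "action": action,
            "object": obj,
            "result": result,
        }
        prev = self._entries[-1]["hash"] if self._entries else GENESIS
        entry = dict(body, prev_hash=prev, hash=_record_digest(prev, body))
        self._entries.append(entry)
        return entry

    def seal(self) -> str:
        """MAC over the current head hash; store it separately from the log."""
        head = self._entries[-1]["hash"] if self._entries else GENESIS
        return hmac.new(self._seal_key, head.encode(), "sha256").hexdigest()

    def export(self) -> list[dict]:
        return [dict(e) for e in self._entries]


def verify_journal(entries: list[dict], seal: str, seal_key: bytes) -> tuple[bool, str]:
    """Re-derive the chain; report the first record at which it breaks."""
    prev = GENESIS
    for i, entry in enumerate(entries):
        body = {k: v for k, v in entry.items() if k not in ("prev_hash", "hash")}
        if entry.get("seq") != i or entry.get("prev_hash") != prev:
            return False, f"chain broken at record {i}"
        if not hmac.compare_digest(_record_digest(prev, body), entry.get("hash", "")):
            return False, f"record {i} modified"
        prev = entry["hash"]
    expected_seal = hmac.new(seal_key, prev.encode(), "sha256").hexdigest()
    if not hmac.compare_digest(expected_seal, seal):
        return False, "journal truncated or seal mismatch"
    return True, "ok"


def demo() -> dict[str, tuple[bool, str]]:
    """Constructed sample: three records, then three kinds of tampering."""
    key = b"seal-key-held-by-security-service"  # assumption, not from the Provision
    journal = TransactionJournal(key)
    journal.append("operator01", "login", "ES-exchange workstation", "success")
    journal.append("operator01", "sign", "order 2016-000123", "success")
    journal.append("admin02", "grant-right", "operator03:sign", "success")
    seal = journal.seal()

    edited = journal.export()
    edited[1]["result"] = "rejected"                         # silent correction
    deleted = [e for e in journal.export() if e["seq"] != 1]  # record removed
    truncated = journal.export()[:-1]                         # last record dropped

    return {
        "intact": verify_journal(journal.export(), seal, key),
        "edited": verify_journal(edited, seal, key),
        "deleted": verify_journal(deleted, seal, key),
        "truncated": verify_journal(truncated, seal, key),
    }
```

The seal must be refreshed after every append and kept where the IT service that maintains the log cannot reach it; otherwise an administrator with write access to the log could recompute the chain and the seal together. Running `verify_journal` as part of quarterly TZI control (item 12.1) gives a documented check that the three-year log retention in item 4.2 has preserved the records unchanged.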
5.1. To ensure identification, authentication and authorization of the client in the internet banking system, and to determine the list of devices from which access to the internet banking system may be granted when making money transfers by transmitting ES to PS BR, the functions of forming, processing, controlling and transmitting (receiving) ES by components of the participants' automated banking system (hereinafter, ABS) shall be performed using the automated workplace for ES exchange with PS BR or using special ABS components of the participant.
5.2. To protect ES against distortion, forgery, redirection, unauthorized disclosure, destruction and false authorization, the software of the automated workplace for ES exchange with PS BR or the participant's special ABS components shall perform only the functions provided for in item 5.1 of this Provision.
5.3. Control (monitoring) of compliance with the established technology for preparing, processing, transmitting and storing ES is performed by the participant by recording all operations in the payment technological processes carried out at the PS BR site in which workers interact with information infrastructure objects.
5.4. To enable recovery of information on cash balances on bank accounts in the event of intentional (accidental) destruction (distortion) or failure of computer hardware, and to enable reconciliation of outgoing ES with the corresponding incoming and processed ES when making settlements in the payment system, participants shall store all incoming and outgoing ES. The retention period for incoming and outgoing ES shall be at least five years.
6.1. To control unauthorized modification of the composition of software installed and/or used on computer hardware at the PS BR site, integrity control of the software of the automated workplace for ES exchange with PS BR shall be performed at each power-on.
6.2. For accounting and control of the composition of software installed and/or used on computer hardware at the PS BR site, participants shall maintain an up-to-date list of that software.
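Items 6.1 and 6.2 require an integrity check at each power-on and an up-to-date software list, without prescribing how either is done. As an added example, not part of the Provision, the following shows one way to implement both together: a baseline manifest of file digests is taken at installation and authenticated with a keyed MAC, and at startup the installed tree is compared with it, reporting modified, missing and unexpected files. The HMAC stands in for a signature by the information security service; the key, file names and sample tree are assumptions constructed for the example, and a real deployment would keep the key off the workstation.

```python
from __future__ import annotations

import hashlib
import hmac
import json
import tempfile
from pathlib import Path


def file_digest(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large binaries are not loaded whole."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def _tree_digests(root: Path) -> dict[str, str]:
    """Relative path -> digest for every regular file under root."""
    return {p.relative_to(root).as_posix(): file_digest(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def _mac(files: dict[str, str], key: bytes) -> str:
    canonical = json.dumps(files, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, "sha256").hexdigest()


def build_manifest(root: Path, key: bytes) -> dict:
    """Baseline taken at installation (the 'up-to-date software list' of item 6.2).

    The MAC stops an attacker from rewriting the manifest to match files
    he has replaced: without the key the manifest cannot be re-sealed.
    """
    files = _tree_digests(root)
    return {"files": files, "mac": _mac(files, key)}


def check_integrity(root: Path, manifest: dict, key: bytes) -> dict:
    """Run at each power-on (item 6.1); compares the install tree with the baseline."""
    expected = manifest["files"]
    present = _tree_digests(root)
    return {
        "manifest_ok": hmac.compare_digest(_mac(expected, key), manifest["mac"]),
        "modified": sorted(n for n in expected if n in present and present[n] != expected[n]),
        "missing": sorted(n for n in expected if n not in present),
        "unexpected": sorted(n for n in present if n not in expected),
    }


def passes(findings: dict) -> bool:
    """Only an unchanged tree under a valid manifest may start the workstation."""
    return findings["manifest_ok"] and not (
        findings["modified"] or findings["missing"] or findings["unexpected"])


def demo() -> dict[str, dict]:
    """Constructed sample install tree, baselined and then tampered with."""
    key = b"manifest-key-held-by-security-service"  # assumption, not from the Provision
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "bin").mkdir()
        (root / "bin" / "exchange.exe").write_bytes(b"original client binary")
        (root / "exchange.ini").write_text("gateway=ps-br\n")
        manifest = build_manifest(root, key)
        clean = check_integrity(root, manifest, key)

        (root / "bin" / "exchange.exe").write_bytes(b"patched client binary")
        (root / "exchange.ini").unlink()
        (root / "bin" / "helper.dll").write_bytes(b"dropped in without approval")
        tampered = check_integrity(root, manifest, key)

        # Attacker rewrites the file list to match the tampered tree but
        # cannot recompute the MAC without the key.
        forged = {"files": _tree_digests(root), "mac": manifest["mac"]}
        forged_manifest = check_integrity(root, forged, key)
    return {"clean": clean, "tampered": tampered, "forged_manifest": forged_manifest}
```

The check is only as strong as the code that runs it: if the verifier itself lives on the same disk it must be covered by an earlier link in the chain (measured or verified boot, or a verifier run from read-only media), otherwise an attacker who can replace the client binary can replace the check as well. Each run's findings, with the power-on time, belong in the logs of information protection means kept under item 4.2.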
7.1. At the PS BR site, participants shall use SZ from VVK from different vendors and shall deploy them separately on personal computers and on servers.
7.2. Participants shall check software and computer hardware (hereinafter, SVT) for the absence of malicious code before including them in the PS BR site.
7.3. For the purpose of informing PS BR participants about the detection of malicious code or the fact of malicious code impact, participants shall keep statistics of events related to malicious code impact at the PS BR site.
7.4. The retention period for data on events related to malicious code impact at the PS BR site, and for their analysis, shall be at least three years.
8.1. To ensure information security when making money transfers, SKZI shall be installed on the technical means of the PS BR site.
8.2. To prevent unauthorized use of cryptographic keys, participants shall ensure, when organizing work with cryptographic keys, that the following requirements are met:
no possibility of access by unauthorized persons to cryptographic keys;
use of media holding a working copy of the cryptographic key when working with SKZI;
use of storage facilities (metal cabinets, safes) for storing media with cryptographic keys at the end of the working day and at other times when SKZI are not in use (storing media with cryptographic keys in a storage facility together with other documents is permitted provided the key media are placed in a separate sealed container);
notifying the Bank of Russia in the event of, or on suspicion of, an event that the owner of a cryptographic key determines to be disclosure of the cryptographic key to an unauthorized person (persons), and initiating an unscheduled change of the cryptographic key;
no possibility of performing the following actions:
making unauthorized copies of cryptographic key media;
reading the contents of cryptographic key media, or handing cryptographic key media to persons who do not have access rights to cryptographic key media;
outputting cryptographic keys to the display of a computer (hereinafter, PC) or to devices for output (printing) of text or graphics;
inserting cryptographic key media into the reader of a PC on which SKZI are operating in emergency modes, or into other PCs not intended for work with PS BR;
writing any information other than the cryptographic key to cryptographic key media.
8.3. To keep the cryptographic key production process secure, if the medium holding the working copy of a cryptographic key fails, a new medium with a working copy of the cryptographic key shall be produced using the SKZI software from the medium containing the original copy of the cryptographic key.
9.1. To raise workers' awareness of information security, participants shall conduct and document training of workers on ensuring information security at the PS BR site, with the involvement of the information security service.
9.2. Participants shall appoint persons responsible for developing and implementing information security training plans and programs for the PS BR site.
10.1. Participants shall inform the Bank of Russia of identified incidents involving violation of the information security requirements at the PS BR site (hereinafter, incidents), including unauthorized transfers of the participant's funds through PS BR, and of suspicions regarding the occurrence or possibility of incidents at the PS BR site. Notification is made in free form by sending a message to the e-mail address fincert@cbr.ru, or by initiating a request to transfer this data using information protection measures and means, no later than three hours after the incident is identified.
10.2. For the purpose of analysing information security in PS BR when making money transfers, participants shall document all information on incidents, including the results of analysis of the causes of incidents, information on the actions taken to minimize the negative consequences of incidents, and other incident-related information.
10.3. The retention period for information on incidents shall be at least three years from the date the incident occurred.
11.1. Participants shall develop and approve a business continuity and recovery plan (hereinafter, the ОНиВД plan), agreed with the information security service, providing for measures to restore the functioning of technical information security means and information infrastructure objects at the PS BR site in the event of failures and/or malfunctions.
11.2. Participants shall appoint workers responsible for the functioning of technical information security means in PS BR, including for ОНиВД.
12.1. To evaluate compliance with the information security requirements when making money transfers, participants shall carry out and document control of compliance with the information security requirements established by this Provision (hereinafter, TZI control). TZI control and analysis of its results shall be carried out by participants at least once a quarter.
12.2. The retention period for information on the results of TZI control and the decisions taken on the basis of that control shall be at least three years from the date of the TZI control.
13.1. This Provision enters into force 10 days after the day of its official publication.
13.2. Participants shall comply with the information security requirements for the PS BR site established by this Provision by June 30, 2017.
Governor of the Central Bank of the Russian Federation
E. S. Nabiullina
Appendix to Bank of Russia Provision No. 552-P of August 24, 2016 "On requirements for information security in the payment system of the Bank of Russia"
List of procedures regulated for the purpose of ensuring information security at the PS BR site
No. | Document purpose
1. Appointment of an information security curator
2. Establishment of units (appointment of workers) responsible for organizing and controlling information security, and allocation of the necessary resources to them
3. Basic provisions on the information security service (including its powers)
4. Appointment of workers who carry out the information security procedures at the PS BR site, and definition of their functions and tasks
5. Organization of information security taking into account the requirements of this Provision
6. Ensuring information security when making money transfers using the Internet
7. Definition of the PS BR site
8. Functions and tasks of workers during TZI control
9. Organization of protection against VVK
10. Conducting preliminary checks of software and SVT for the absence of malicious code
11. List and description of information infrastructure objects of the PS BR site
12. Procedure for destroying protected information that is no longer used, at the lifecycle stages of information infrastructure objects of the PS BR site
13. List of information protection means used at the PS BR site
14. Accounting and control of software installed on computer hardware of the PS BR site
15. Composition and procedure for applying organizational measures and technical information security means at the PS BR site
16. Functions and tasks of workers responsible for incident response processes at the PS BR site
17. Procedure for identifying and responding to incidents at the PS BR site
18. List and timing of TZI control procedures
19. List and timing of training and awareness activities for workers on information security
20. Information security training program for workers
21. List of persons with access to information infrastructure objects of the PS BR site, and the access procedure
22. List of persons with rights to act on information infrastructure objects in a way that could disrupt the provision of money transfer services
23. List of persons with rights to form electronic messages at the automated workplace for ES exchange with PS BR
24. Description of the functions and tasks of users of the software and hardware operated at the PS BR site, and of the personnel providing operation and administration of those means
25. Functions and tasks of workers responsible for business continuity and recovery of the participant, including the functioning of technical information security means in PS BR
26. ОНиВД plan
27. Procedure for ensuring business continuity and recovery of the participant and the functioning of technical information security means in PS BR
28. Technological processes for preparing, receiving, entering, processing and transmitting ES
29. Information on the SKZI used at the PS BR site, procedure for handling SKZI at all stages of the SKZI lifecycle, and basic provisions on the security of cryptographic keys
30. List of workers with rights to manage cryptographic keys
31. List of workers permitted to work with SKZI at the PS BR site
32. Appointment of the person responsible for the functioning and security of SKZI (responsible SKZI user), appointment of standing commissions for the destruction of SKZI, and appointment of persons responsible for generating cryptographic keys and for the security of cryptographic keys
33. List of workers with access rights to the premises of the PS BR site
34. List of software for each information infrastructure object
35. Acts of installation (configuration) of SZ from VVK
36. Acts of installation (configuration) of SKZI on the technical means of the PS BR site
37. Results of TZI control and decisions taken on the basis of TZI control, indicating the participants, the grounds for the control procedure and the object of TZI control
Note: this text is a machine translation and is not a legally valid document.
This document ceased to be in force on April 6, 2019 in accordance with Provision of the Central Bank of the Russian Federation No. 672-P of January 9, 2019.