Resolution of the Board of the National Bank of Ukraine of September 28, 2017 No. 95
On Approval of the Regulation on the Organization of Measures to Ensure Information Security in the Banking System of Ukraine
In accordance with Articles 7, 15 and 56 of the Law of Ukraine "On the National Bank of Ukraine", in order to strengthen the information security requirements for the information systems of banks in light of current cyber threats, and to establish requirements for the organization of measures to ensure the information security and cyber protection of banks, the Board of the National Bank of Ukraine resolves:
2. The Security Department (A. A. Skomarovsky) shall, within four months of the official publication of this Resolution, develop Methodological Recommendations for verifying the information security management system and the implementation of information protection measures during on-site inspections of banks of Ukraine.
3. The Security Department (A. A. Skomarovsky) shall, after the official publication of this Resolution, notify the banks of Ukraine of its adoption for use in their work.
4. Control over the implementation of this Resolution is assigned to the First Deputy Chairman of the National Bank of Ukraine, Ya. V. Smolii.
5. This Resolution enters into force on March 1, 2018, except for Section V of the Regulation, which enters into force on September 1, 2019.
Acting Chairman
Ya. V. Smolii
Approved by Resolution of the Board of the National Bank of Ukraine of September 28, 2017 No. 95
1. This Regulation is developed in accordance with the Laws of Ukraine "On the National Bank of Ukraine", "On Banks and Banking", "On Protection of Information in Information and Telecommunication Systems" and "On the Fundamentals of National Security of Ukraine"; the Decrees of the President of Ukraine of February 13, 2017 No. 32/2017 "On the Decision of the National Security and Defense Council of Ukraine of December 29, 2016 "On Threats to the Cyber Security of the State and Urgent Measures for Their Neutralization" and of March 15, 2016 No. 96/2016 "On the Decision of the National Security and Defense Council of Ukraine of January 27, 2016 "On the Cyber Security Strategy of Ukraine"; the national standards of Ukraine on information security DSTU ISO/IEC 27000:2015 "Information technology. Security techniques. Information security management systems. Overview and vocabulary" (hereinafter DSTU ISO/IEC 27000:2015), DSTU ISO/IEC 27001:2015 "Information technology. Security techniques. Information security management systems. Requirements" (hereinafter DSTU ISO/IEC 27001:2015) and DSTU ISO/IEC 27002:2015 "Information technology. Security techniques. Code of practice for information security controls" (hereinafter DSTU ISO/IEC 27002:2015), adopted by order of the State Enterprise "Ukrainian Research and Training Center for Standardization, Certification and Quality"; and with regard to international standards on information security and the generally accepted principles of ensuring information security and cyber protection in international practice, with the aim of raising the level of information security in the banking system of Ukraine.
2. This Regulation establishes:
1) the mandatory minimum requirements for the organization of measures to ensure information security and cyber protection;
2) the principles of information security management;
3) the requirements for the information systems of a bank that interact with the information systems of the National Bank of Ukraine (hereinafter the National Bank), taking into account the directions of development of cryptographic information protection in the information systems of the National Bank.
3. In this Regulation, the following terms and concepts are used in the following meanings:
1) multi-factor authentication: authentication performed by means of protected mechanisms of two or more types [for example, use of a password for authentication together with a hardware information security device (token), or biometric authentication together with a password];
2) malicious code: a computer program, a set of computer programs, or a part of the program code of an information system that is introduced with the participation of a user or executes automatically and creates a threat, or the conditions for realizing a threat, of disrupting the normal operation of the bank's equipment and/or violating the confidentiality, integrity or availability of information processed in the bank's information systems;
3) critical business processes of a bank: the business processes of the bank's activities that the bank has determined to be critical for information security based on its assessment of them against the following criteria: confidentiality, integrity, availability;
4) network of a bank: a set of telecommunication technical means intended for routing, switching, transmitting and/or receiving information over wired and/or wireless communication between terminal equipment (computer equipment and other components of the bank's information systems) within the bank's perimeter;
5) minimum level of privileges: the privileges and access rights that are the minimum necessary for bank staff to properly perform their official duties;
6) unified threat management (UTM) devices: devices that can perform several security functions from a single device: firewall, prevention of unauthorized access to the network, anti-virus protection, anti-spam protection, virtual private network (VPN), content filtering, load balancing, data leakage prevention;
7) risk-oriented approach to ensuring information security: taking management decisions based on an analysis comparing the current information security risks with the acceptable risks.
Other terms used in this Regulation have the meanings defined by the laws of Ukraine, the regulatory acts of the National Bank and DSTU ISO/IEC 27000:2015.
4. This Regulation does not establish requirements regarding:
1) the physical security of bank premises, technical information protection for bank premises, or the use of the National Bank's cryptographic information protection means in the information systems of the National Bank, the requirements for which are determined by the corresponding regulatory acts of the National Bank;