Resolution of the Board of the National Bank of Ukraine of September 28, 2017 No. 95
On approval of the Regulation on the organization of measures to ensure information security in the banking system of Ukraine
Pursuant to Articles 7, 15 and 56 of the Law of Ukraine "On the National Bank of Ukraine", for the purpose of improving the requirements for information security in the information systems of banks, taking into account current cyberthreats, and of establishing requirements for the organization of measures to ensure the information security and cyberprotection of banks, the Board of the National Bank of Ukraine resolves:
2. The Security Department (A. A. Skomarovsky) shall, within four months from the date of official publication of this Resolution, develop Methodological Recommendations for verifying the information security management system and the implementation of information security measures during on-site inspections of banks of Ukraine.
3. The Security Department (A. A. Skomarovsky) shall, after official publication, inform the banks of Ukraine of the adoption of this Resolution for use in their work.
4. Control over the implementation of this Resolution is assigned to the First Deputy Governor of the National Bank of Ukraine Ya. V. Smolii.
5. This Resolution takes effect on March 1, 2018, except for Section V of the Regulation, which takes effect on September 1, 2019.
Acting Governor
Ya. V. Smolii
Approved by the Resolution of the Board of the National Bank of Ukraine of September 28, 2017 No. 95
2. This Regulation establishes:
1) the mandatory minimum requirements for the organization of measures to ensure information security and cyberprotection;
2) the principles of information security management;
3) the requirements for the information systems of a bank that interact with the information systems of the National Bank of Ukraine (hereinafter referred to as the National Bank), taking into account the directions of development of cryptographic information protection in the information systems of the National Bank.
3. In this Regulation, the following terms and concepts are used in the following meanings:
1) multi-factor authentication - authentication performed by means of protected mechanisms of two or more types (for example, a password used for authentication together with a hardware information security device (token), or biometric authentication together with a password);
2) malicious code - a computer program, a set of computer programs, or a part of the program code of an information system that is introduced with the participation of a user or runs automatically and creates a threat, or the conditions for realizing a threat, of disrupting the normal operation of the bank's equipment and/or violating the confidentiality, integrity or availability of information processed in the bank's information systems;
3) critical business processes of a bank - the business processes of the bank's activities that the bank has determined to be critical for information security based on its assessment of them against the following criteria: confidentiality, integrity, availability;
4) bank network - a set of telecommunications hardware intended for routing, switching, transmitting and/or receiving information over wired and/or wireless links between terminal equipment (computing equipment and other components of the bank's information systems) within the bank's perimeter;
5) minimum level of privileges - the privileges and access rights that are the minimum necessary for bank employees to properly perform their official duties;
6) unified threat management (UTM) devices - devices that can perform several security functions in a single device: firewall, prevention of unauthorized access to the network, anti-virus protection, anti-spam protection, virtual private network (VPN), content filtering, load balancing, data leakage prevention;
7) risk-oriented approach to ensuring information security - making management decisions based on an analysis that compares the current information security risks with the acceptable ones.
Other terms used in this Regulation are used in the meanings defined by the laws of Ukraine, the regulatory legal acts of the National Bank and DSTU ISO/IEC 27000:2015.
4. This Regulation does not establish requirements regarding:
1) the physical security of bank premises, the technical protection of information in bank premises, or the use of the National Bank's cryptographic information protection tools in the information systems of the National Bank, the requirements for which are defined by the corresponding regulatory legal acts of the National Bank;
2) the use of cloud technologies/services in the automation and the technical and technological support of banks' activities, the requirements for which are defined by a separate document.
5. The requirements of this Regulation apply to banks. The requirements of Section III of this Regulation apply to non-bank organizations participating in the information systems of the National Bank.
6. Principles of ensuring information security:
1) the approach to ensuring information security shall be systematic (comprehensive);
2) the process of improving and developing information security shall be continuous and shall be carried out by justifying and implementing rational means, methods and measures, drawing on the best international experience;
3) measures of protection against real and potential threats to the bank's information security shall be timely and adequate;