Document from CIS Legislation database © 2003-2021 SojuzPravoInform LLC

RESOLUTION OF THE BOARD OF THE AGENCY OF THE REPUBLIC OF KAZAKHSTAN FOR REGULATION AND DEVELOPMENT OF THE FINANCIAL MARKET

of November 23, 2020 No. 111

On approval of the Methodology for assessing information security risks, including the procedure for ranking financial organizations by degree of exposure to information security risk

In accordance with subitem 2) of part one of Article 13-6 of the Law of the Republic of Kazakhstan of July 4, 2003 "On state regulation, control and supervision of the financial market and financial organizations", the Board of the Agency of the Republic of Kazakhstan for Regulation and Development of the Financial Market DECIDES:

1. Approve the attached Methodology for assessing information security risks, including the procedure for ranking financial organizations by degree of exposure to information security risk.

2. The Cyber Security Department shall, in the procedure established by the legislation of the Republic of Kazakhstan, ensure:

1) together with the Legal Department, state registration of this resolution with the Ministry of Justice of the Republic of Kazakhstan;

2) posting of this resolution on the official Internet resource of the Agency of the Republic of Kazakhstan for Regulation and Development of the Financial Market after its official publication;

3) within ten working days after state registration of this resolution, submission to the Legal Department of information on the execution of the action provided for in subitem 2) of this Item.

3. Control over the execution of this resolution is assigned to the supervising Deputy Chairman of the Agency of the Republic of Kazakhstan for Regulation and Development of the Financial Market.

4. This resolution enters into force on January 1, 2021 and is subject to official publication.

Chairman of the Agency of the Republic of Kazakhstan for Regulation and Development of the Financial Market

M. Abylkasymova

Approved by Resolution of the Board of the Agency of the Republic of Kazakhstan for Regulation and Development of the Financial Market of November 23, 2020 No. 111

Methodology for assessing information security risks, including the procedure for ranking financial organizations by degree of exposure to information security risk

Chapter 1. General provisions

1. This Methodology for assessing information security risks, including the procedure for ranking financial organizations by degree of exposure to information security risk (hereinafter, the Methodology), is developed in accordance with the Law of the Republic of Kazakhstan of July 4, 2003 "On state regulation, control and supervision of the financial market and financial organizations". It is applied to organize the process of assessing information security risks in financial organizations and in branches of non-resident banks of the Republic of Kazakhstan, branches of non-resident insurance (reinsurance) organizations of the Republic of Kazakhstan and branches of non-resident insurance brokers of the Republic of Kazakhstan (hereinafter, financial organizations) that are subject to requirements for assessing information security risks, and to determine priorities and optimize the resources involved in treating information security risks in financial organizations.

2. The Methodology uses the following concepts:

1) business owner of an information asset: the owner of the main business process whose lifecycle the information asset supports;

2) information security threat: a set of conditions and factors that create the prerequisites for an information security incident to occur;

3) information security risk: the possible occurrence of damage resulting from a breach of confidentiality, or a deliberate breach of the integrity or availability, of information assets;

4) information security risk level: the combination of the probability of an event and its consequences;

5) materiality level of losses from a breach of information security: the level of losses from a breach of information security in the financial organization which, if exceeded for a single information asset, is not acceptable to the financial organization;

6) critical information asset: an information asset determined in accordance with the resolution of the Board of the National Bank of the Republic of Kazakhstan of March 27, 2018 No. 48 "On approval of the Requirements for ensuring the information security of banks and organizations carrying out certain types of banking operations, and the Rules and timeframes for providing information on information security incidents, including information on violations and failures in information systems", registered in the Register of state registration of regulatory legal acts under No. 16772.

3. To assess information security risks, the financial organization carries out the following activities:

1) forming the list of critical information assets;

2) assessing information security risks for critical information assets.

Chapter 2. Forming the list of critical information assets

4. To form and subsequently update the list of critical information assets, financial organizations implement the following processes:

1) analysis of the business processes falling within the scope of the financial organization's information security management system;

2) determination of the potential losses from a breach of the information security properties (confidentiality, integrity and availability) of information assets;

3) forming and subsequently updating the list of critical information assets.

5. The analysis of the business processes falling within the scope of the financial organization's information security management system is performed by the divisions of the financial organization that own those business processes, under the direction of the financial organization's risk management division, for the purpose of identifying the information assets required for the functioning of the business processes. The types of information assets to be identified are determined by the list of types of information assets in Appendix 1 to the Methodology.

By decision of the division of the financial organization that owns the business process, the financial organization's information technology division is involved in identifying information assets.

6. For each identified information asset, the financial organization determines the following types of potential losses from a breach of information security:

1) losses from a breach of the confidentiality of the information asset;

2) losses from a breach of the integrity of the information asset;

3) losses from a breach of the availability of the information asset.

Losses are determined by the business owners of the information assets under the direction of the financial organization's risk management division.

7. To assess the potential losses from a breach of the information security of information assets, the financial organization ensures the participation in the loss assessment of employees who have knowledge of:


Disclaimer: this text was translated by an AI translator and is not a valid legal document. No warranty.
