Document from CIS Legislation database © 2003-2023 SojuzPravoInform LLC

THE RESOLUTION OF BOARD OF THE AGENCY OF THE REPUBLIC OF KAZAKHSTAN ON REGULATION AND DEVELOPMENT OF THE FINANCIAL MARKET

of September 21, 2020 No. 89

On approval of requirements to competences of heads and employees of divisions of information security, including requirements for advanced training of persons responsible for ensuring information security

(as amended on 20-10-2022)

According to subitem 3) of article 13-6 of the Law of the Republic of Kazakhstan of July 4, 2003 "About state regulation, control and supervision of the financial market and the financial organizations", the Board of the Agency of the Republic of Kazakhstan on regulation and development of the financial market DECIDES:

1. Approve the enclosed Requirements to competences of heads and employees of divisions of information security, including requirements for advanced training of persons responsible for ensuring information security.

2. The management of cyber security shall ensure, in the procedure established by the legislation of the Republic of Kazakhstan:

1) together with the Legal department, state registration of this resolution in the Ministry of Justice of the Republic of Kazakhstan;

2) placement of this resolution on the official Internet resource of the Agency of the Republic of Kazakhstan on regulation and development of the financial market after its official publication;

3) within ten working days after state registration of this resolution, submission to the Legal department of data on execution of the action provided by subitem 2) of this Item.

3. Control of execution of this resolution is imposed on the supervising vice-chairman of the Agency of the Republic of Kazakhstan on regulation and development of the financial market.

4. This resolution becomes effective on January 1, 2021 and is subject to official publication.

The chairman of the Agency of the Republic of Kazakhstan on regulation and development of the financial market

M. Abylkasymova

Appendix

to the Resolution of Board of the Agency of the Republic of Kazakhstan on regulation and development of the financial market of September 21, 2020 No. 89

Requirements to competences of heads and employees of divisions of information security, including requirements for advanced training of persons responsible for ensuring information security

Chapter 1. General provisions

1. These Requirements to competences of heads and employees of divisions of information security, including requirements for advanced training of persons responsible for ensuring information security (further – Requirements) are developed according to the Law of the Republic of Kazakhstan of July 4, 2003 "About state regulation, control and supervision of the financial market and the financial organizations" and establish requirements to competences of heads and employees of divisions of information security, including requirements for advanced training of persons responsible for ensuring information security (further – workers), of the financial organizations of the Republic of Kazakhstan and branches of nonresident banks of the Republic of Kazakhstan, branches of the insurance (reinsurance) nonresident organizations of the Republic of Kazakhstan, branches of insurance nonresident brokers of the Republic of Kazakhstan (further – the organizations) irrespective of patterns of ownership.

2. In the Requirements the following concepts are used:

1) information security - the condition of security of electronic information resources, information systems and information and communication infrastructure from external and internal threats;

2) domain - a set of knowledge in a separate subject domain;

3) competence - the result of assimilation of information received in the training process and from personal experience; a set of knowledge, theories and practices belonging to the sphere of training or work; a qualification component which is subject to assessment.

In the Requirements, terms and definitions are applied according to the state standard specification ISO/IEC 17024-2014 Interstate standard "Assessment of conformity. General requirements to the bodies performing certification of personnel" (further – the Standard).

3. The Requirements are based on the principles of:

1) differentiation of functional obligations by standard positions;

2) orientation toward knowledge and skills in the field of information technologies and information security, including cyber security;

3) independence from requirements imposed on workers by manufacturers of software and hardware;

4) balance of theoretical knowledge and practical skills, and of professional competences imposed on standard positions;

5) use of standard domains.

4. Standard positions in the organization:

1) specialist - an employee of the division of information security whose functional duties include ensuring information security of the organization;

2) head - an employee of the division of information security whose functional duties include the organization of activities of the division of information security;

3) ranking officer - a worker who carries out the functional obligations of the specialist and the head at the same time.

5. Separation of competences into domains is intended for:

1) balance of the opportunities and specifics of the organization for ensuring information security;

2) forming of the requirements taking into account qualification, employee competence and features of the business processes of the organization;

3) extension of the requirements through creation of new domains.

Chapter 2. Structure of domains

6. Domains contain the minimum necessary list of competences, which the organization supplements and extends at its discretion if necessary.

7. Structure of standard domains:

1) basic;

2) legal;

3) organizational;

4) hardware-software;

5) telecommunication;

6) methods and means of ensuring information security;

7) information security risk management;

8) information security incident management.

8. Structure of the basic domain - terminology and requirements of the information security management system.

9. Structure of the legal domain:

1) national, international standards in information security field;

2) legislative and regulatory legal acts in information security field;

3) methodical documents of authorized bodies on information security.

10. Structure of the organizational domain:

1) bases, purposes, principles of management activity;

2) bases of information and analytical activities;

3) main organizational measures and actions for information security.

11. Structure of the hardware-software domain:

1) general principles of functioning of software and hardware;

2) principles of creation, work of hardware and software systems of information security;

3) procedure for elimination of defects of software and hardware of information security.

12. Structure of the telecommunication domain:

1) principles of creation of information systems and networks of telecommunications;

Disclaimer! This text was translated by AI translator and is not a valid juridical document. No warranty. No claim.