Registered by the
Ministry of Justice of the
Russian Federation
on December 22, 2023, No. 76558
of August 30, 2023 No. 822-P
On requirements for ensuring the security of information contained in the automated information system of insurance
This Provision, based on subitem 5 of Item 7 of article 33.10 of the Law of the Russian Federation of November 27, 1992 No. 4015-I "About the organization of insurance case in the Russian Federation", establishes requirements for ensuring the security of information contained in the automated information system of insurance.
1. The operator of the automated information system of insurance (hereinafter - AIS of insurance) shall ensure the security of the information contained in the AIS of insurance that is specified in Item 1 of article 33.11 of the Law of the Russian Federation of November 27, 1992 No. 4015-I "About the organization of insurance case in the Russian Federation" (hereinafter respectively - the protected information, the Law of the Russian Federation No. 4015-I) when it is received, prepared, processed, stored and provided (hereinafter - information security).
If the protected information contains personal data, the operator of AIS of insurance shall apply measures to ensure the security of personal data during their processing in accordance with article 19 of the Federal Law of July 27, 2006 No. 152-FZ "About personal data" (hereinafter - the Federal Law of July 27, 2006 No. 152-FZ) and the order of the Federal Service for Technical and Export Control of February 18, 2013 No. 21 "About statement of Structure and content of organizational and technical measures for safety of personal data in case of their processing in information systems of personal data" <1> (hereinafter - the order of FSTEC of Russia No. 21).
--------------------------------
<1> Registered by the Ministry of Justice of the Russian Federation on May 14, 2013, registration No. 28375, with the changes made by orders of FSTEC of Russia of March 23, 2017 No. 49 (registered by the Ministry of Justice of the Russian Federation on April 25, 2017, registration No. 46487) and of May 14, 2020 No. 68 (registered by the Ministry of Justice of the Russian Federation on July 8, 2020, registration No. 58877).
2. The operator of AIS of insurance shall determine in internal documents the composition and procedure for applying organizational and technical information protection measures with respect to the automated systems, software, computer equipment and telecommunication equipment it operates (hereinafter, when mentioned jointly - objects of information infrastructure) within the following processes (directions):
information security in managing access to objects of information infrastructure;
protection of computer networks;
control of integrity and security of objects of information infrastructure;
protection of objects of information infrastructure against the impact of program code that disrupts the normal functioning of computer equipment (hereinafter - malicious code);
prevention of leaks of the protected information;
management of events which have led or, in the opinion of the operator of AIS of insurance, may lead to unlawful disclosure of the protected information or to failure to render the services connected with obtaining or providing the protected information (hereinafter - information security incidents);
protection of the virtualization environment;
information security when implementing remote logical access with the use of mobile (portable) devices.
3. The operator of AIS of insurance shall ensure information security using cryptographic information protection means (hereinafter - SKZI) in accordance with the Federal Law of April 6, 2011 No. 63-FZ "About the digital signature" (hereinafter - the Federal Law of April 6, 2011 No. 63-FZ), the Regulations on development, production, realization and operation of encryption (cryptographic) means of information protection (the Provision PKZ-2005), approved by the order of the Federal Security Service of the Russian Federation of February 9, 2005 No. 66 <1> (hereinafter - the Provision PKZ-2005), and the technical documentation for the SKZI.
--------------------------------
<1> Registered by the Ministry of Justice of the Russian Federation on March 3, 2005, registration No. 6382, with the changes made by the order of FSB of Russia of April 12, 2010 No. 173 (registered by the Ministry of Justice of the Russian Federation on May 25, 2010, registration No. 17350).
Personal data protection with the use of SKZI shall be ensured in accordance with the order of the Government of the Russian Federation of November 1, 2012 No. 1119 "About approval of requirements to personal data protection in case of their processing in information systems of personal data" and the order of the Federal Security Service of the Russian Federation of July 10, 2014 No. 378 "About statement of Structure and content of organizational and technical measures for safety of personal data in case of their processing in information systems of personal data with use of the means of cryptographic information security necessary for accomplishment of the requirements to personal data protection established by the Government of the Russian Federation for each of security levels" <2> (hereinafter - the order of FSB of Russia No. 378), using SKZI that have confirmation of conformity to the requirements established by the federal executive body authorized in the field of security when implementing regulation according to Item "sh" of part one of article 13 of the Federal Law of April 3, 1995 No. 40-FZ "About the Federal Security Service" (hereinafter - the requirements established by the federal executive body authorized in the field of security) and that provide neutralization of the threats to the security of personal data determined by the Bank of Russia according to part 5 of article 19 of the Federal Law of July 27, 2006 No. 152-FZ and subitem 6 of Item 7 of article 33.10 of the Law of the Russian Federation No. 4015-I.
--------------------------------
<2> Registered by the Ministry of Justice of the Russian Federation on August 18, 2014, registration No. 33620.
--------------------------------
<1> Registered by the Ministry of Justice of the Russian Federation on May 26, 2023, registration No. 73486. According to Item 3 of the order of Mintsifra of Russia No. 445, this act is effective till June 1, 2029.
Disclaimer! This text was translated by an AI translator and is not a valid juridical document. No warranty. No claim.