Document from CIS Legislation database © 2003-2025 SojuzPravoInform LLC

RESOLUTION OF BOARD OF CENTRAL BANK OF THE AZERBAIJAN REPUBLIC

of March 28, 2024 No. 14/2

About approval of "Requirements to ensuring information security of subjects which activities are controlled in the financial markets"

For the purpose of strengthening, in line with international standards, the requirements to ensuring information security of subjects which activities are controlled in the financial markets, and based on articles 22.1.17 and 48.3.4 of the Law of the Azerbaijan Republic "About the Central bank of the Azerbaijan Republic" and article 34-1.4 of the Law of the Azerbaijan Republic "About compulsory insurances", the Board of the Central bank of the Azerbaijan Republic DECIDES:

1. Approve "Requirements to ensuring information security of subjects which activities are controlled in the financial markets" (hereinafter - Requirements) (attached).

2. The Requirements approved by part 1 of this Resolution become effective one year after the date of their publication, and from that date part 1 of the Resolution of Board of the Central bank of the Azerbaijan Republic of July 14, 2021 No. 20/1 "About approval of "Procedure for information security management in banks"" is cancelled.

3. Instruct the Legal department to ensure, within 3 days, submission of this Resolution to the Ministry of Justice of the Azerbaijan Republic for entry into the State register of legal acts of the Azerbaijan Republic.

Chairman of the Central bank

Talekh Kazimov

Approved by the Resolution of Board of the Central bank of the Azerbaijan Republic of March 28, 2024 No. 14/2

Requirements to ensuring information security of subjects which activities are controlled in the financial markets

1. General provisions

1.1. These Requirements are developed based on article 48.3.4 of the Law of the Azerbaijan Republic "About the Central bank of the Azerbaijan Republic", and also article 34-1.4 of the Law of the Azerbaijan Republic "About compulsory insurances", and determine the minimum requirements to information security in banks, non-bank credit institutions (except for credit unions), insurers, the licensed persons in the security market, managing directors of joint-stock investment funds and investment funds, the national operator of mail service, payment institutes, the organizations of electronic money, operators of payment systems, credit bureaus, the central depositary.

1.2. These Requirements extend to the information system on compulsory insurances and the related assets of the Bureau of compulsory insurance.

1.3. Persons provided by Items 1.1 and 1.2 of these Requirements are jointly referred to hereinafter in these Requirements as subjects of control.

1.4. Items 4.12-4.16 and 6.5 of these Requirements are not applied to the category II subjects of control provided by Item 2.1.35 of these Requirements.

1.5. Items 4.4, 4.5, 4.12-4.16, 6.5, 6.9, 6.10, 6.12, 7.17, 7.19, 7.21-7.23 of these Requirements are not applied to the category III subjects of control provided by Item 2.1.36 of these Requirements.

1.6. Requirements to personal data protection in subjects of control along with these Requirements are regulated also by the Law of the Azerbaijan Republic "About personal data".

2. Concepts

2.1. The basic concepts used in these Requirements have the following meanings:

2.1.1. asset - primary (business processes and information) and supporting (network and technical infrastructure, the software, personnel, the building, organizational structure) assets having value for subjects of control;

2.1.2. the owner of asset - the person responsible for management and protection of the asset during the entire period of its functioning;

2.1.3. audit - a systematic, independent and documented process performed for the purpose of obtaining audit evidence and objectively assessing it to determine the extent to which audit criteria are fulfilled;

2.1.4. authentication - a control measure allowing verification of the identity of the user of a service and of the justification of use of the personalized security data;

2.1.5. deep protection (defense in depth) - determination of multi-level control measures for protection of assets;

2.1.6. the emulator - software which runs programs intended for an operating system by imitating that operating system;

2.1.7. labeling - designation of information and the connected assets by various methods (for example, by means of physical sign, heading and subtitle, metadata, watermark, stamp) according to classification of information;

2.1.8. operational environment - the real operating environment of the information system, open to the user;

2.1.9. vulnerable information - information which is subject to protection against unauthorized processing, including access, change or disclosure, in view of its potential negative impact on natural persons and legal entities, and also on homeland security (for example, vulnerable payment data, personal data, the state secret, trade secret, bank secrecy, insurance secret and other confidential information);

2.1.10. information - the facts, opinions, data, the news or other information created or received as a result of any activities irrespective of date of origin, form of representation and classification;

2.1.11. availability of information - the property of information characterizing possibility of its obtaining and use in case of need;

2.1.12. confidentiality of information - the property of information to be unavailable and undisclosed to unauthorized access;

2.1.13. information process - creation, collection, processing, storage, search, distribution of information;

2.1.14. information system - a set of information technologies and documents organized in organizational and technical terms, including with the use of computer facilities;

2.1.15. integrity of information - property of accuracy and completeness of information;

2.1.16. information security - protection of confidentiality, integrity and availability of information;

2.1.17. information security management system (hereinafter - SUIB) - the set of actions and procedures directed to creation, implementation, support and constant development of information security of the subject of management for the purpose of achieving the goals of its activities;

2.1.18. information technologies - programs, systems or the equipment used for the automated accomplishment of information processes;

2.1.19. event of information security - the occurrence of a condition of a system, service or network indicating a possible violation of information security policy or failure of management, or a previously unknown condition which can be connected with safety;

2.1.20. incident of information security - one or several undesirable or unexpected events of information security having considerable probability of violation of business processes and creation of threat to information security;

2.1.21. development environment - the environment in which the software of the information system is developed;

2.1.22. the user - the personnel and clients having right of access to information system;


Disclaimer: This text was translated by an AI translator and is not a valid juridical document. No warranty. No claim.
