Document from CIS Legislation database © 2003-2024 SojuzPravoInform LLC

RESOLUTION OF THE BOARD OF THE NATIONAL BANK OF THE REPUBLIC OF BELARUS

of June 20, 2024 No. 185

On approval of standards of financial services and technologies

Based on paragraph fifty-seven of Article 26 and part one of Article 39 of the Bank Code of the Republic of Belarus, the Board of the National Bank of the Republic of Belarus DECIDES:

1. Approve:

the standard of financial services and technologies SFUT 9.01-2024 "Banking activity. Ensuring information security. General provisions and terminology" (is attached);

the standard of financial services and technologies SFUT 9.02-2024 "Banking activity. Ensuring information security. Requirements to documentation on ensuring activities in information security field" (is attached).

2. This resolution enters into force on October 1, 2024.

Chairman of the Board

P.V.Kallaur

Approved by Resolution of the Board of the National Bank of the Republic of Belarus of June 20, 2024 No. 185

Standard of financial services and technologies SFUT 9.01-2024 "Banking activity. Ensuring information security. General provisions and terminology"

Chapter 1. General provisions

1. This standard of financial services and technologies (hereinafter – the standard) establishes general provisions and the conceptual scheme for ensuring the information security (hereinafter – IB) of banks, non-bank credit and financial organizations and the open joint stock company "Development Bank of the Republic of Belarus" (hereinafter – banks).

2. This standard is applied when creating, checking and assessing the IB systems and the IB management systems of a bank.

3. When applying this standard, it is necessary to observe the requirements of banking legislation and of the legislation on information, informatization and information security, on electronic documents and the digital signature, and on personal data, including:

the Regulations on technical and cryptographic information security approved by the Decree of the President of the Republic of Belarus of April 16, 2013 No. 196;

the order of the Operational and Analytical Center under the President of the Republic of Belarus of February 8, 2019 No. 45 "About additional measures for implementation of the Law of the Republic of Belarus of December 28, 2009 No. 113-Z "About the electronic document and the digital signature";

the order of the Operational and Analytical Center under the President of the Republic of Belarus of February 20, 2020 No. 66 "About measures for implementation of the Presidential decree of the Republic of Belarus of December 9, 2019 No. 449".

4. For the purposes of this standard, the following terms have the following meanings:

automated bank system (hereinafter – ABS) – an automated system that implements the bank engineering procedure or a part of it;

automated system – a system consisting of personnel and a complex of equipment automating their activities, which implements an information technology for performing the functions established for this system;

authorization – granting employees of the bank and clients access rights to an object. Objects include hardware, software, combined software and hardware, an information resource, a process, or a system on which operations are performed;

asset – resources of the bank *, data assets **, bank processes ***, and the banking products and services provided to clients, which have value for the bank and are at its disposal;

______________________________

* Financial, computing (hardware and program), telecommunication resources, people and their qualification, skills, experience and other resources of bank.

** Different types of bank information (payment, financial and analytical, office, managing, etc.) at all stages of lifecycle of data assets (generation (creation), processing, storage, transfer, destruction).

*** Bank payment engineering and bank information engineering procedures, processes of lifecycle of ABS and other bank processes.

attack – an attempt to destroy, intentionally disclose, change, block or steal an asset, to gain illegal access to it, or to use it without authorization;

audit of IB – a systematic, documented process of obtaining objective qualitative and quantitative assessments of the current status of IB in the bank according to certain criteria and indicators of safety;

bank information engineering procedure – the part of the bank engineering procedure that carries out the actions with information necessary for the bank to perform its functions;

bank payment engineering procedure – the part of the bank engineering procedure that carries out actions with information connected with the implementation of money transfers, clearing and settlement, and actions with archives of the specified information;

bank engineering procedure – an engineering procedure comprising operations to change and (or) determine the state of the bank's assets that are used in its functioning or are necessary for the provision of banking services;

safety – the state of protection of the interests (goals) of the bank under conditions of threats;

data – a set of information recorded on a certain medium in a form suitable for permanent storage, transfer and processing;

admissible risk of IB – a risk of IB (expected damage) which the bank is ready to accept at the present time and in the present situation;

availability of data assets – an IB property consisting in data assets being provided to an authorized user in the form, at the place and at the time required by that user;

lifecycle of ABS – the continuous period of time that begins at the moment the decision on the need to create the system is made and ends at the moment of its complete withdrawal from operation;

protective measure – an established practice, procedure or mechanism used to reduce the bank's IB risk;

protected information – any information whose distribution and (or) provision is restricted;

data asset – information having value for its owner (owner);

infrastructure – a complex of interconnected structures forming the basis for solving a problem (task);

incident of IB – an event or combination of events indicating an accomplished, attempted or probable realization of an IB threat;

classification of data assets – the distribution of the bank's existing data assets into types, carried out according to the severity of the consequences of their losing the properties significant for IB;

client – a legal entity or natural person using the services of the bank;

confidentiality of data assets – an IB property consisting in the processing, storage and transfer of data assets being available only to authorized users, system objects or processes;

management – coordinated activities for direction and control;

model of the violator of IB – the description and classification of violators of IB, including a description of their experience, knowledge and available resources necessary for realizing a threat, the possible motivation of their actions, and the methods by which the specified violators realize IB threats;

model of threats of IB – the description of the sources of IB threats, the methods of realizing IB threats, the objects suitable for the realization of IB threats, the vulnerabilities used by the sources of IB threats, the types of possible losses (for example, violation of the availability, integrity or confidentiality of data assets), and the scale of potential damage;

monitoring of IB – continuous observation of the objects, bank employees, clients, actions and processes that influence the bank's IB, as well as the recording, collection, analysis and generalization of the results of observations;

violator of IB – a person who realizes IB threats in violation of the statutory rules of access to the bank's assets or the rules for disposing of them;

Disclaimer! This text was translated by AI translator and is not a valid juridical document. No warranty. No claim.