RESOLUTION OF BOARD OF NATIONAL BANK OF THE REPUBLIC OF BELARUS

of December 29, 2025 No. 390

About approval of the standard of financial services and technologies

Based on the paragraph of the fifty seventh of Article 26 and part one of article 39 of the Bank code of the Republic of Belarus the Board of National Bank of the Republic of Belarus DECIDES:

1. Approve the standard of financial services and SFUT 9.03-2025 technologies "Banking activity. Ensuring information security. General requirements" (are attached).

2. This resolution becomes effective since January 1, 2027.

No. 390 is approved by the Resolution of Board of National Bank of the Republic of Belarus of December 29, 2025

Standard of financial services and SFUT 9.03-2025 technologies "Banking activity. Ensuring information security. General requirements"

Section I. General provisions

1. This standard of financial services and technologies (further - the standard) extends to banks, the non-bank credit and financial organizations and "Development Bank of the Republic of Belarus" open joint stock company (further - banks) and establishes general requirements on ensuring information security (further - IB) in banks.

2. This standard is intended for application by inclusion of references to it and (or) the requirements established in it in local legal acts of banks, and also in agreements.

3. In case of application of this standard it is necessary to observe requirements of the legislation, including regulatory legal acts of National Bank and requirements of technical regulatory legal acts, obligatory for observance (further - TNPA).

4. This standard is applied during the designing, creation, audit of information security system (further - SIB) and systems of management of information security (further - SMIB) banks.

5. In this standard terms in the values established in regulatory legal acts of National Bank, standards of financial services and SFUT 9.01-2024 technologies "Banking activity are used. Ensuring information security. General provisions and terminology" and SFUT 9.02-2024 "Banking activity. Ensuring information security. Requirements to documentation on ensuring activities in information security field", approved by the resolution of Board of National Bank of the Republic of Belarus of June 20, 2024 No. 185.

Section II. Requirements to information security system of banks

Chapter 1. General provisions

6. Fulfillment of requirements to SIB of banks is basis for providing necessary and the IB sufficient level.

7. Forming of requirements to SIB of banks is carried out on the basis of provisions of this standard. Requirements to SIB of banks are drawn up documentary according to the standard of financial services and SFUT 9.02-2024 technologies "Banking activity. Ensuring information security. Requirements to documentation on ensuring activities in information security field".

8. In this standard basic requirements to SIB are determined. In case of need, and also taking into account features of activities of separate banks these requirements can be specified in local legal acts of banks.

9. In case of technical impossibility or economic inexpediency of implementation of separate requirements to SIB at design stage of SIB the compensating measures directed to neutralization of threats of IB are developed. Application of such measures is proved by bank.

10. Use of means of cryptographic information security (further - SKZI) is performed according to the legislation and (or) rules of payment systems. Works on ensuring information security with use of means of technical and cryptographic information security are carried out according to requirements of the legislation, program and operational documentation of means of information protection.

Chapter 2. Basic requirements to SIB

11. Basic requirements to SIB are implemented in the following directions:

ensuring anti-virus protection;

ensuring safe development of the software (further - ON);

safety of the automated workplaces (further - automated workplace);

safety during the work with the global computer Internet (further - the Internet);

safety of the server hardware;

safety of the circle of virtualization;

providing IB of the automated bank system (further - ABS) at stages of its lifecycle;

ensuring cryptographic information security using SKZI;

ensuring physical safety;

training and increase in awareness concerning IB;

prevention of leakages of confidential information;

management of access;

event management and IB incidents;

management of vulnerabilities.

12. In case of identification of events of IB in case of which temporarily there is no technical capability of application of basic requirements to SIB by the bank provides accomplishment by authorized personnel of actions for ensuring continuous work and maintenance of information systems (further - IS) according to the plan of ensuring continuous work and recovery (further - PONRV).

13. Basic requirements to SIB are created taking into account the requirements established by the legislation in the field of IB and international standards.

14. In case of assessment of SIB of bank only basic requirements to SIB are used.

Chapter 3. Requirements for ensuring anti-virus protection

15. On all automated workplaces and the ABS servers if other is not provided by bank engineering procedure, means of anti-virus protection are applied. The bank determines, carried out, registered and control procedures of installation and regular updating of means of anti-virus protection (versions and databases) on automated workplace and the ABS servers.

When ensuring anti-virus protection the means of anti-virus protection having the certificate of conformity of National system of confirmation of conformity of the Republic of Belarus or the positive expert opinion by results of the state examination which is carried out by Operational analytical center in case of the President of the Republic of Belarus are used.

16. Functioning of means of anti-virus protection is organized in the automatic mode on permanent basis without possibility of their shutdown (except for persons performing administration of means of anti-virus protection). Installations of updates of the anti-virus software and its databases are performed in the automatic or manual mode.

Are determined, take root, carried out by bank, procedures of installation and regular updating of means of anti-virus protection (versions and databases), and also control of shutdown of anti-virus means, on all ABS technical means are registered and controlled. At the same time administration of means of anti-virus protection is carried out on behalf of special accounting records according to recommendations of developer of means of anti-virus protection.

Control of installation and functioning of means of anti-virus protection is assigned to division of IB.

17. Complete scanning of automated workplace and servers (in case of technical capability without violation of engineering procedures) is provided on regular (at least 1 time a month) to basis during their low loading and (or) in time off.

18. In case of connection of removable machine data carriers (further - THINK) to computer aids (further - SVT) before use their anti-virus inspection, as a rule, on the automated workplace which is not used in bank engineering procedure is carried out.

19. Procedures of preliminary check of the viruses established or changed ON to absence are documentary determined and performed. After installation or change of the software anti-virus check is carried out. The installations this about results, changes of the software and anti-virus check are stored at least one year.

20. Instructions and recommendations about protection against the malicious software (further - VPO) considering features of bank engineering procedures are developed and become effective.

21. To clients of bank recommendations about information security from impact of VPO are led up.

22. Protection against malicious code at the level of control of public access objects is implemented (including ATMs, payment terminals).

23. The bank will organize check of all entering traffic on availability of malicious code by stream antivirus (except for the ciphered traffic, and also the traffic transferred in the technological channels which are specially organized with payment systems).

24. The procedures performed in case of detection of VPO in which, in particular, it is necessary to fix are determined, take root, registered and are controlled:

necessary measures for reflection and elimination of effects of the virus attack;

procedure for suspension in need of work (for elimination of effects of the virus attack).

25. Obligations of the employees of bank having access to automated workplace and (or) ABS on accomplishment of measures of anti-virus protection are provided by local legal acts on the organization of anti-virus protection.

Chapter 4. Requirements for ensuring safe software development

26. Processes of safe software development are performed on planned basis.

Disclaimer! This text was translated by AI translator and is not a valid juridical document. No warranty. No claim. More info