This document ceased to be valid on April 6, 2019, according to the Provision of the Central Bank of the Russian Federation of January 9, 2019 No. 672-P

Registered by the Ministry of Justice of the Russian Federation on December 6, 2016, No. 44582


of August 24, 2016 No. 552-P

On requirements for information security in the payment system of the Bank of Russia

This Provision, based on the Federal Law of July 10, 2002 No. 86-FZ "On the Central Bank of the Russian Federation (Bank of Russia)" (The Russian Federation Code, 2002, No. 28, Art. 2790; 2003, No. 2, Art. 157; No. 52, Art. 5032; 2004, No. 27, Art. 2711; No. 31, Art. 3233; 2005, No. 25, Art. 2426; No. 30, Art. 3101; 2006, No. 19, Art. 2061; No. 25, Art. 2648; 2007, No. 1, Art. 9, Art. 10; No. 10, Art. 1151; No. 18, Art. 2117; 2008, No. 42, Art. 4696, Art. 4699; No. 44, Art. 4982; No. 52, Art. 6229, Art. 6231; 2009, No. 1, Art. 25; No. 29, Art. 3629; No. 48, Art. 5731; 2010, No. 45, Art. 5756; 2011, No. 7, Art. 907; No. 27, Art. 3873; No. 43, Art. 5973; No. 48, Art. 6728; 2012, No. 50, Art. 6954; No. 53, Art. 7591, Art. 7607; 2013, No. 11, Art. 1076; No. 14, Art. 1649; No. 19, Art. 2329; No. 27, Art. 3438, Art. 3476, Art. 3477; No. 30, Art. 4084; No. 49, Art. 6336; No. 51, Art. 6695, Art. 6699; No. 52, Art. 6975; 2014, No. 19, Art. 2311, Art. 2317; No. 27, Art. 3634; No. 30, Art. 4219; No. 40, Art. 5318; No. 45, Art. 6154; No. 52, Art. 7543; 2015, No. 1, Art. 4, Art. 37; No. 27, Art. 3958, Art. 4001; No. 29, Art. 4348, Art. 4357; No. 41, Art. 5639; No. 48, Art. 6699; 2016, No. 1, Art. 23, Art. 46, Art. 50; No. 27, Art. 4225, Art. 4273, Art. 4295), Article 20 of the Federal Law of June 27, 2011 No. 161-FZ "On the national payment system" (The Russian Federation Code, 2011, No. 27, Art. 3872; 2012, No. 53, Art. 7592; 2013, No. 27, Art. 3477; No. 30, Art. 4084; No. 52, Art. 6968; 2014, No. 19, Art. 2315, Art. 2317; No. 43, Art. 5803; 2015, No. 1, Art. 8, Art. 14; 2016, No. 27, Art. 4221, Art. 4223) and taking into account the requirements of the Provision of the Bank of Russia of June 9, 2012 No. 382-P "On requirements for ensuring information security when making money transfers and on the procedure for the Bank of Russia's control of compliance with requirements for ensuring information security when making money transfers", registered by the Ministry of Justice of the Russian Federation on June 14, 2012 No. 24575, on July 1, 2013 No. 28930, on September 10, 2014 No. 34017 ("Bulletin of the Bank of Russia" of June 22, 2012 No. 32, of July 10, 2013 No. 37, of September 17, 2014 No. 83), establishes requirements for information security in the payment system of the Bank of Russia (hereinafter - PS BR) when making money transfers.

Chapter 1. General provisions

1.1. This Provision applies to the participants of PS BR who are clients of the Bank of Russia (hereinafter - participants).

1.2. Participants shall protect the following information in PS BR:

information contained in orders of participants;

information on completed money transfers, including information contained in notices (confirmations) concerning acceptance of participants' orders for execution and in notices (confirmations) concerning execution of participants' orders;

information on cash balances on the accounts opened with participants and connected with making money transfers in PS BR;

information necessary for participants to certify the right to dispose of funds;

key information of the cryptographic information protection tools (hereinafter - SKZI) used when making money transfers (hereinafter - cryptographic keys);

information on information infrastructure objects, as well as information on the configuration that determines the operating parameters of technical information protection tools;

restricted-access information, including personal data and other information subject to mandatory protection under the legislation of the Russian Federation, that is processed when making money transfers.

Chapter 2. Requirements for organizational and documentary support of information security in PS BR

2.1. To ensure information security when access to information infrastructure objects is provided, participants shall allow access to the automated workplace (hereinafter - automated workplace) for the exchange of electronic messages (hereinafter - ES) with PS BR only from the local area network (hereinafter - LAN) segment in which the automated workplace for the exchange of ES with PS BR is located (hereinafter - the site of PS BR).

2.2. To record the decision on the need to apply organizational information protection measures and (or) to use technical information protection tools, and to ensure that these measures are applied, participants shall develop documents according to the list of procedures regulated for the purpose of ensuring information security on the site of PS BR (appendix to this Provision). The documents regulating information security procedures shall be agreed with the participant's information security service.

2.3. The documents specified in Item 2.2 of this Provision shall define the procedure for ensuring information security and provide for information security measures at all stages of creation, operation (intended use, maintenance and repair), upgrade and decommissioning of the information infrastructure objects of the site of PS BR.

2.4. Participants shall ensure compliance with the requirements of the operational documentation for the systems protecting information from unauthorized access (hereinafter - SZI from NSD), SKZI and means of protection against the impact of malicious code (hereinafter - SZ from VVK) used on the site of PS BR throughout their entire period of operation, including during installation and setup, and shall also ensure recovery of these technical information protection tools in cases of failures and (or) malfunctions in their operation.

Chapter 3. Requirements for information security in the case of physical access to the site of PS BR

3.1. Participants exercise control of physical access to information infrastructure objects in order to prevent physical impact on the computing equipment used to make money transfers, using organizational measures or technical means of access control and management for the rooms in which ES are created, processed, controlled and transmitted (received) (hereinafter - rooms).

3.2. Physical access to rooms shall be provided only to those employees of the participant who are named in the access list for these rooms.

3.3. Rooms shall be equipped with a security alarm system, be placed under guard and be located within the coverage area of the video surveillance and access control system.

3.4. The retention period for information from the video surveillance and access control systems (where they are used) provided for in Item 3.3 of this Provision shall be at least three years.


