2022-09-19

Instruction No. 246 on Requirements for the Use of Information and Communication Technologies and Ensuring Information Security in Credit Bureau Operations

The National Bank of Tajikistan issued Instruction No. 246 to establish mandatory technical, software, and operational standards for Credit Bureaus (CBs) operating in the country. The regulation mandates secure physical premises, licensed and non-pirated software with robust cryptographic authentication, fault-tolerant server clusters, and encrypted data transmission channels to protect credit history information. Compliance is enforced through regular conformity assessments, with the National Bank authorized to apply sanctions for non-compliance.


Tajikistan

National Bank of Tajikistan


«Registered» by the Ministry of Justice of the Republic of Tajikistan on 15 December 2021, No. 1108
«Approved» by the Resolution of the Board of the National Bank of Tajikistan on 19 November 2021, No. 167

Instruction No. 246 «On Requirements for the Use of Information and Communication Technologies and Ensuring Information Security in Credit Bureau Operations»

Instruction No. 246 «On Requirements for the Use of Information and Communication Technologies and Ensuring Information Security in Credit Bureau Operations» (hereinafter, the Instruction) was developed in accordance with Part 2 of Article 7 of the Law of the Republic of Tajikistan «On Credit Histories» and defines requirements for the use of information and communication technologies, as well as for ensuring information security, in Credit Bureau operations.

1. GENERAL PROVISIONS

  1. A credit bureau (hereinafter, CB) is a legal entity, being a commercial organization, that provides services for organizing, processing, and storing credit histories and for providing credit reports and other information in accordance with the procedure established by the legislation of the Republic of Tajikistan and this Instruction.
  2. Only a legal entity holding a license to conduct CB activities may organize, process, and store credit histories and provide credit reports and other information.
  3. In carrying out its activities, the CB is obliged to comply with the legislation of the Republic of Tajikistan and to ensure compliance with the following requirements and conditions:
     − presence of internal regulatory documents governing the information security policy;
     − availability of the premises necessary for the safe placement, operation, and technical protection of information systems and credit history databases;
     − use of licensed software with a valid warranty from the software provider.
  4. The CB security system must establish special requirements for:
     − the server room and the restricted access room;
     − the system software used to automate CB activities;
     − the specialized software (information system) used to automate CB activities;
     − the technical means (information resources) of the CB;
     − information security assurance.
  5. CB activities involve information subject to banking secrecy protected by law; the National Bank of Tajikistan therefore pays special attention to the CB licensing process and takes into account the adequacy of security measures and data protection.

2. REQUIREMENTS FOR PREMISES

  6. The CB must be located in a building and rooms with restricted access for third parties.
  7. The server room must be located in an area that allows subsequent expansion and placement of large equipment, and must meet the following requirements:
     − the minimum permissible area of the server room is 20 square meters;
     − the entire perimeter of the room must be equipped with raised floors;
     − the server room must be connected to the building's main grounding electrode via a 1.5 cm conduit;
     − the ceiling height of the server room must be at least 2.44 meters.
  8. The CB restricted access room must meet the following requirements:
     − a controlled access system (individual electronic pass) that excludes uncontrolled entry and exit of persons without authorized permission;
     − an entrance video surveillance system (camera with continuous recording);
     − a fire alarm system;
     − an intruder alarm system;
     − workstations not related to CB activities may not be located in the room;
     − when the CB restricted access room is sited, the windows of the rooms are fitted with metal grilles;
     − only the workstations of responsible personnel may be located in the CB restricted access room.
  9. An equipped CB server room must have:
     − an access control system (based on individual electronic passes);
     − an entrance video surveillance system for the server room and cross-connect rooms;
     − an intruder alarm system for doors and windows, and motion sensors inside the hermetic zone;
     − an uninterruptible power supply system located in the server room's hermetic zone;
     − a guaranteed power supply system for the entire electrical network of the server and cross-connect rooms, including round-the-clock standby lighting;
     − an air conditioning and ventilation system with full redundancy;
     − an information security certification result for the server rooms, issued by the relevant authority.

3. REQUIREMENTS FOR SOFTWARE

  10. The system software used by the CB (operating systems, database management systems, office programs, antivirus programs) must be confirmed by official licenses and certificates.
  11. CB software must consist of non-cracked and non-pirated versions, with official contracts for use concluded with the copyright holder.
  12. An industrial database management system must be used for accumulating and storing credit history data; its developer must have an official representative office and technical support center within the Republic of Tajikistan.
  13. Implementation and commissioning of CB software is performed on the basis of a technical assignment approved by the CB head, with the necessary certificates for the security mechanisms.
  14. CB software must provide two or more methods of data acquisition (transfer):
     − an interactive interface with file preparation in a standard format using reporting software, in the available formats;
     − network access using a standard transmission format in real time, data input via manual input functionality, and filling out web forms on the website using a web browser.
  15. To ensure information security, CB software must provide the following:
     − identification/authentication with cryptographic transformation;
     − separation of user rights;
     − operation at the software kernel level such that no significant action within the system (whether by a user or a process) occurs without the participation of a security mechanism;
     − a security scheme implemented in the software that is separate from the operating system's security means, so that vulnerabilities in the OS security means do not affect the operation of the software security scheme.
  16. Data storage in the software must be organized so as to ensure:
     − presence of conformity certificates for the software issued by the relevant authorities;
     − impossibility of accessing the stored data outside the operation of the software application;
     − control by security mechanisms of any movement of data into or out of the software database;
     − stable operation during failures;
     − a three-tier «client-server» architecture, so that the failure of a user workstation or unauthorized access by an attacker does not affect the server part of the system, and a failure of the software server does not affect the state of the system data;
     − audit of system-significant events with recording in a registration log, and protection of that log from modification by any subject;
     − audit of user and administrator actions, both successful and unsuccessful;
     − control of exported and imported data;
     − the ability to upgrade modules and security mechanisms;
     − an obligation in the contract with the information system developer:
       − to regularly notify the CB about discovered errors and vulnerabilities, and to provide changes and system updates in a timely manner;
       − to organize an operational support service, including for security issues, to consult CB employees and provide practical assistance in information security matters.
  17. CB software must ensure storage of information about the credit history subject for the period established by the Law of the Republic of Tajikistan «On Credit Histories», as well as the ability to generate a credit report for any point in time since the formation of the credit history within one minute.

4. REQUIREMENTS FOR TECHNICAL MEANS

  18. CB technical means must meet the following requirements:
     − presence of the CB's own hardware (computer equipment, servers, hardware protection devices, components and other equipment), together with documents confirming the CB's ownership of that hardware;
     − presence of hardware conformity certificates for security requirements, issued by the relevant authorities;
     − presence of a guaranteed power supply system: an automatic transfer switch for backup power and a diesel generator unit, operating from the signals of two uninterruptible power supply (UPS) sources and continuously maintaining clean power in the network throughout the organization. The load on each UPS must not exceed forty percent in normal operating mode.
  19. CB servers must form a fault-tolerant complete system in the form of a cluster with one hundred percent hardware duplication. Backup DB servers of the CB must be located separately from the main servers and must ensure uninterrupted operation of the CB database, so that in case of main server failure the CB can restore database operation on the backup servers within a period not exceeding 6 (six) hours from the moment of main server failure.

5. REQUIREMENTS FOR ORGANIZING INFORMATION SECURITY OPERATIONS

  20. The organization of information security operations must meet the following requirements:
     − presence of a secure data transmission channel with traffic encryption using border hardware routers;
     − presence of an attack detection/prevention system at the organization's borders using a firewall;
     − presence of cryptographic computer protection using crypto-keys and user identification systems;
     − presence of a hardware network traffic analyzer based on the MAC address identifiers of users' network cards;
     − presence of a backup and information recovery system.
  21. The CB exchanges data with information suppliers and credit report recipients via dedicated communication lines or over the internet, subject to the following requirements:
     − a main channel with a capacity of at least 10 megabits per second;
     − a wireless backup channel with a capacity of at least 2 megabits per second;
     − channels from different providers;
     − exclusive use of these channels for exchanging information with information suppliers and credit report recipients.

6. REQUIREMENTS FOR WORKSTATIONS

  22. CB employee workstations must meet the following requirements:
     − the software is installed on a specially allocated personal computer that has a passport (equipment record) indicating its location, configuration, and the hardware and software installed on it. The passport is signed by the organization's head and kept by the employee;
     − operation of the employee's personal computer, and installation on it of software, for purposes not related to the preparation, processing, transmission or maintenance of electronic documents within the framework of participation in the information system is not allowed.
  23. The employee's personal computer must have a protection complex that includes:
     • user identification and authentication means;
     • the ability to maintain electronic journals for the duration of electronic document storage, for controlling activities related to computer access and user actions;
     • one system name and user code (responsible person), by which the user is identified upon entering the information system, corresponding to exactly one natural person;
     • means ensuring the integrity and confidentiality of the software on the personal computer;
     • access to network resources, external media, and I/O ports of the personal computer must be disabled, including in the BIOS settings;
     • the system unit and I/O ports of the personal computer are sealed by the system administrator;
     • the sealing process is recorded in a special journal indicating surname, first name, patronymic (if any), position, date, time and purpose of applying the seal;
     • for laptops, only disabling devices in the BIOS, without sealing the ports, is allowed;
     • removing computers and laptops from the building is not allowed, except for repair and preventive maintenance carried out on the basis of an employee's request to the CB head;
     • the access procedure for other resources (disk space, directories, databases and database backups) allocated for accumulating information for transmission to the information environment using a protection system, for receiving information from the information environment, and for storing or processing information must exclude unauthorized access to these resources;
     • employee access to the restricted access room is granted in accordance with their job duties.

7. FINAL PROVISIONS

  24. Ensuring compliance with this Instruction is assigned to the responsible persons of the CB.
  25. Supervision over compliance with this Instruction is carried out by the National Bank of Tajikistan through the preparation of a conformity assessment act for the CB hardware-software complex in accordance with Appendix 1 to this Instruction.
  26. In case of non-compliance with this Instruction, the National Bank of Tajikistan applies enforcement measures against the CB in accordance with the legislation of the Republic of Tajikistan.

Appendix No. 1
to Instruction No. 246 «On Requirements for the Use of Information and Communication Technologies and Ensuring Information Security in Credit Bureau Operations»

ACT
on conformity assessment of the CB hardware-software complex

__________________ (place of preparation)    ___________________ (date of preparation)

This act of conformity assessment of the hardware-software complex of the CB ______________________ against information protection requirements was prepared by an inspection group of the following composition:

Representatives of the National Bank of Tajikistan:


Detailed description of the inspected objects and of the documents studied by the inspection group:


Brief content of explanations from CB representatives:


The inspection group, having verified the technical and other documents of the CB _______________________________ and inspected its technical premises, protection means and other objects intended for operation in the credit history formation system, and their use, has established:



(conformity (non-conformity) with the imposed requirements and their adequacy (inadequacy) for starting/continuing the organization's activities in the information services market)

The CB has provided technical documentation and other documents, attached to the commission's act:



The Act is prepared in two original copies, one of which has been transferred to each of: the National Bank of Tajikistan; the CB.

Members of the inspection group:


Representative of the CB: _________________________________________________________________