2022-12-09

Minimum Requirements for Software and Technical Infrastructure of Credit Financial Organizations

The National Bank of Tajikistan issued these Minimum Requirements to establish mandatory information security standards for credit financial organizations in Tajikistan. The regulation mandates comprehensive measures including the development of security strategies, asset management, infrastructure protection, and strict access controls to mitigate cyber risks. It specifically requires the implementation of advanced encryption, multi-factor authentication, regular risk assessments, and adherence to international standards such as ISO 27001 and NIST.

Tajikistan

National Bank of Tajikistan

Registered by the Ministry of Justice of the Republic of Tajikistan on November 23, 2022, No. 1203
Approved by the resolution of the Board of Directors of the National Bank of Tajikistan No. 121 dated October 18, 2022

Minimum Requirements for Software and Technical Infrastructure of Credit Financial Organizations

  1. GENERAL PROVISIONS

  1. Minimum Requirements for Software and Technical Infrastructure of Credit Financial Organizations (hereinafter referred to as the Requirements) are developed in accordance with Part 5 of Article 42 of the Law of the Republic of Tajikistan "On the National Bank of Tajikistan" with the aim of ensuring the necessary level of information security in the banking system of the Republic of Tajikistan, achieving an appropriate level of protection against real cyberattack risks, and minimizing damage caused by violations of information systems or information security. These Requirements establish minimum requirements for the software and technical infrastructure of credit financial organizations.

  2. Basic terms used in these Requirements:
  • BankNet – a secure corporate network used by a credit financial organization to access the working systems of the National Bank of Tajikistan;

  • Advanced Encryption Standard (AES) – a symmetric block encryption algorithm (block size 128 bits, key 128/192/256 bits), adopted as the encryption standard by the US government;

  • Demilitarized Zone (DMZ) – a part of the network that includes public services and separates them from private services;

  • Global Positioning System (GPS) – a satellite navigation system that measures distance and time and determines location in the international WGS 84 coordinate system;

  • Intrusion Detection System (IDS) – software or hardware designed to detect unauthorized access to a computer system or network;

  • Intrusion Prevention System (IPS) – software or hardware designed to prevent unauthorized access to a computer system or network;

  • International Organization for Standardization (ISO) – an international organization developing standards;

  • International Electrotechnical Commission (IEC) – an international standards body for electrical, electronic, and related technologies;

  • Local Area Network (LAN) – a computer network connecting computers located in a small area or close to each other;

  • National Institute of Standards and Technology (NIST) – the US federal agency that develops technology and information security standards and guidelines;

  • Open Database Connectivity (ODBC) – a software interface for accessing databases;

  • POS-terminal – electronic software and technical equipment for accepting payment cards for payment;

  • RJ45 (Registered Jack 45) – the standardized eight-position modular connector used for twisted-pair network cabling;

  • Structured Query Language (SQL) – a declarative programming language used to create, modify, and manage data in a relational database;

  • switch – a network device used to connect multiple nodes of a computer network in one or several parts of the network;

  • firewall – a device or application designed to filter (allow or prohibit) data transmission over a network. The firewall operates according to a set of rules designed to protect networks from unauthorized access;

  • Automated Banking System (ABS) – a set of software and technical infrastructure designed to automate banking business processes;

  • ANSI 1992 (SQL-92) – the revision of the SQL language standard adopted at the end of 1992 to eliminate shortcomings of the earlier standard;

  • database (DB) – an organized structure designed for storing, modifying, and processing interrelated data;

  • database management system (DBMS) – a set of software designed to build a new database structure, populate it with data, make changes, and display data;

  • integration of information systems – the process of establishing connections between the information systems of a credit financial organization, designed to achieve a unified information environment and organize the support of its business processes;

  • electronic wallet – a program or software complex that allows storing electronic money and conducting cashless transactions with them;

  • data backup – the process of creating a backup copy of data on a storage medium, intended for recovering the data in its original or a new location in case of damage or loss;

  • data recovery – the process of restoring data in the old location;

  • password – a secret word or string of characters used to confirm the identity of a person or the authority to perform an action;

  • computer virus – a type of malicious software that penetrates the code of other programs, system memory areas, and boot sectors, and spreads its copies through various communication channels;

  • antivirus programs – special computer programs designed to detect computer viruses;

  • authentication – the process of verifying the authenticity of something or someone, for example by comparing the password entered by the user with the password stored in the information system;

  • multi-factor authentication – a method of controlling access to a computer in which the user must present more than one proof of identity to the authentication mechanism before gaining access to data;

  • two-factor authentication – a type of multi-factor authentication in which the user is identified by requesting authentication data of two different types, for example a password and a second, randomly generated code provided by a dedicated application;

  • authorization – granting rights to a specific person or group of persons to perform certain operations, as well as the process of checking rights when performing these operations.

  3. These Requirements help achieve the following goals:
  • creating an information technology security infrastructure in a credit financial organization and a reliable environment for information and communication technologies;
  • developing a security policy in accordance with international security standards and best practices;
  • strengthening the regulatory legal framework to ensure a secure environment in a credit financial organization;
  • increasing the level of protection and resilience of a credit financial organization in the design, development, and implementation of information resources;
  • integration of information and communication technology products and services by creating an infrastructure for managing these products and services;
  • assessing the risks of information and communication technology activities;
  • increasing awareness and ensuring the security of human resources.
  4. Credit financial organizations must ensure the implementation of the following measures to protect information:
  • paying special attention to information security and taking necessary measures to protect information and manage information systems;

  • constantly improving their software and bringing it into compliance with generally accepted standards;

  • taking into account and documenting information risks of financial operations, as well as measures to reduce them, when managing operational risks;

  • taking into account the stability and security of information processes that may affect the continuity of activities of credit financial organizations, their clients, and service providers;

  • understanding and correctly assessing the threat of information security and the ability of existing security systems to reduce risks;

  • having a special certificate when participating in the processing, storage, or transmission of information related to bank payment cards, electronic wallets, ATMs, or electronic terminals (POS-terminals);

  • following a risk management methodology consistent with international NIST and ISO standards to ensure resilience, information security, and business continuity.

  2. INFORMATION SECURITY STRATEGY AND POLICY

  5. The information security strategy must be approved by the management of the credit financial organization. The strategy must cover at least the following areas:
    1. the cyber threat environment and its possible impact on the activities of the credit financial organization;
    2. approaches to information security risk management, as well as to the identification and monitoring of cyber threats and information security threats;
    3. principles for implementing cyber security and information security measures.
  6. Internal regulations in the field of information security must comply with the regulatory legal acts of the Republic of Tajikistan, as well as international information security standards (ISO 27001).

  7. The strategy should be reviewed no less than once every two years, regardless of whether any updates are required during this period.

  8. Internal acts regarding the information security requirements of a credit financial organization may include, but are not limited to, the provisions of these Requirements.

  9. Internal acts must define the policy and strategy of the credit financial organization in the field of information security in accordance with these Requirements. Internal acts must also define all control processes and methods for achieving the goals of the credit financial organization in the field of information security.

  10. The following aspects must be reflected in internal acts:

  • main goals and the need for information security;
  • employee responsibility for cyber security and information;
  • detailed description of necessary control and operational measures, as well as monitoring and response systems;
  • raising awareness among employees, business partners, suppliers, service providers, and clients;
  • collection and exchange of information between employees and other organizations.
  11. It is necessary to develop and regularly update specific policies for implementing security measures based on the cyber security and information security policy.

  12. Based on modern industry innovations in the field of information security, a specific procedure must be established covering all issues of cyber security and information security.

  13. The procedure must contain detailed information, including each stage, process, and infrastructure related to financial operations, security, data backup, system reliability, data recovery, and data management.

  14. Processes should be reviewed annually or, if necessary, after changes in the relevant business or technological environment.

  3. LIST OF INFORMATION AND COMMUNICATION TECHNOLOGY ASSETS

  15. Credit financial organizations should compile a list of all assets in the field of information and communication technologies.

  16. This registry must contain the following information about assets:

  • material and immaterial institutional information assets;

  • material and immaterial information assets that are not located in the premises of the credit financial organization but are under its responsibility;

  • information assets that are beyond the responsibility of the credit financial organization, but the absence of these assets or their incapacity may affect the organization.

  17. Assign a responsible person for each asset from among the employees of the corresponding structural subdivisions of the credit financial organization with the following powers and duties:
  • use of assets;
  • ensuring the integrity of the asset and instructions for its use in case of incidents related to information security;
  • copying and ensuring the recovery of assets after an accident;
  • control of information technology assets, identification of responsible persons and access policies to these assets.
  18. All employees must comply with the accepted requirements for asset use, and their compliance must be documented.
  19. Each information asset should be classified according to the following criteria:
  • value or cost of the asset for the credit financial organization;
  • sensitivity with respect to cyber security, information security, and legal aspects;
  • the scale of damage to the credit financial organization in case of loss, forgery, or misappropriation of the information asset.
  4. REQUIREMENTS FOR INFORMATION AND COMMUNICATION TECHNOLOGY INFRASTRUCTURE AND ARCHITECTURE

  20. The principles of operation of the information and communication technology infrastructure must comply with the information security requirements of the credit financial organization.

  21. The information and communication technology infrastructure must correspond to the level of security risks, information sensitivity, expected level of losses, and legislative requirements.

  22. A credit financial organization must apply necessary methods and measures to prevent, detect, correct, and document violations of its IT system.

  23. The internal communication network of a credit financial organization must be segmented according to criteria related to the organizational structure, activities, and information sensitivity.

  24. Credit financial organizations must prohibit the use of data transmission devices by employees without permission.

  25. Antivirus software must be installed to prevent the penetration of malicious programs into networks, systems, servers, and workstations.

  26. Files containing confidential information must be encrypted.

  27. A credit financial organization should conduct regular monitoring of information and communication technologies to identify suspicious actions or violations of security policy.

  5. REQUIREMENTS FOR LOCAL NETWORK AND NETWORK EQUIPMENT

  28. The internal network of a credit financial organization must comply with standards of efficiency, reliability, and security.

  29. An internal network may consist of two or more computers.

  30. The cabling system must comply with ISO/IEC 11801 requirements.

  31. For connection to the internal network, each workstation must have at least one RJ-45 socket.

  32. All RJ-45 connectors at workstations and switches must be labelled with typographically or printer-produced labels.

  33. When laying network cables, the following requirements must be taken into account:

  • cables should be laid behind suspended ceilings, in drywall walls, in dedicated places, or in cable channels;
  • cables must be secured along their entire length with special materials (cable boxes or trunking);
  • equipment and circuits must be provided with redundant protective measures;
  • installation and cable laying must not spoil the aesthetic appearance of the building.
  34. Network equipment must operate around the clock (24/7). Preventive maintenance time is not taken into account.

  35. The number of ports of network equipment (or their combination) must cover all (100%) workstations and include at least 20% spare ports.

  36. The router must have a firewall function and the ability to assign access lists for connecting networks.

  37. All unused network ports must be disabled manually or using a network access management program.

  38. Credit financial organizations must keep a backup copy of the configuration of network equipment and information protection elements in encrypted form.

  39. The internal network must be protected by a security system that controls incoming and outgoing network traffic based on established security rules (for example, a firewall).

  40. The internal network must be physically or logically separated from the external network. A credit financial organization must enforce strict restrictions, using firewalls (software and/or hardware), between internal and external networks (BankNet networks, internet providers, clients, and service providers).

  41. Credit financial organizations must take measures such as a demilitarized zone (DMZ), data transmission mechanisms, information filtering, and segmentation.

  42. Credit financial organizations must install special network equipment to protect against attacks. This equipment must be designed to prevent attacks and network reconnaissance and to protect systems against malicious actions or violations of security policy by internal and external attackers (including IDS/IPS).

  6. REQUIREMENTS FOR REMOTE ACCESS

  43. For remote access to the corporate network, a high degree of identification and authentication must be defined.

  44. All equipment components that have remote access to the networks of credit financial organizations must be authenticated using a digital signature certificate.

  45. Credit financial organizations must provide remote access to the network and key systems only when necessary. Access in such cases must be provided at specific times in accordance with the job duties of the applicant.

  46. In case of remote access, a secure, encrypted connection must be ensured.

  47. Credit financial organizations must use a system to which there is no direct remote access.

  48. Access must be carried out through a secure server that provides channel encryption, password management, and audit control.

  7. REQUIREMENTS FOR INTERNET NETWORK ACCESS

  49. Employee access to the internet must be granted directly by the management of the credit financial organization based on risk assessment and the adoption of appropriate control measures.

  50. Before receiving access to the internet, an employee must sign a document confirming awareness of what is allowed and prohibited. The document must state that all user actions are monitored. This document must also detail the rights and obligations of the employee when using internet services.

  51. An employee must have access to the internet from a specific workstation subject to the following conditions:

  1. the workstation must be separated from the local network at the logical or physical level and must not contain confidential information or business programs of the credit organization (including ABS);
  2. connection to the internet network must be carried out through a separate proxy server. The proxy server must be constantly protected and monitored.
  52. The following precautionary measures must be implemented on the proxy server and on workstations connected to the internet:
  • content and spam filtering;
  • prevention of the use of malicious links;
  • intrusion detection systems (IDS);
  • firewalls;
  • antivirus software with updated antivirus databases;
  • presence of a website blacklist;
  • audit log documenting all user actions.
  53. Failover and penetration tests must be conducted at least once a quarter for servers and communication equipment connected to the internet, including the mail infrastructure.

  8. REQUIREMENTS FOR THE USE OF CORPORATE EMAIL

  54. A credit financial organization must prepare procedures detailing allowed and prohibited actions regarding email.

  55. An employee of a credit financial organization allowed to use corporate email must sign a document confirming awareness of allowed and prohibited actions, including the fact that email actions are constantly monitored.

  56. All attachment files that may pose a threat to the system (extensions *.exe, *.bat, *.com) must be automatically blocked by the mail system. The list of file extensions may be supplemented.
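
The attachment rule above names three extensions and allows the list to be extended. The following Python check is an added example, not code from the Requirements or from the National Bank: it applies the blocklist to a parsed message, normalizes declared filenames so that letter case, trailing dots and double extensions such as "invoice.pdf.exe" do not slip past the check, and runs against a constructed sample message (the addresses and file contents are made up).

```python
"""Attachment blocklist check for a mail gateway (added example)."""
import email
import email.policy
import posixpath
from email.message import EmailMessage

# Extensions named in the Requirements; the page says the list may be supplemented.
BLOCKED_EXTENSIONS = {"*.exe", "*.bat", "*.com"}


def _normalize_blocklist(blocked):
    """Accept '*.exe', '.exe' or 'exe' and return {'.exe', ...} in lower case."""
    return {"." + entry.lower().lstrip("*.") for entry in blocked}


def normalize_filename(name):
    """Reduce a declared attachment name to a comparable form: drop any
    directory part and trailing dots or spaces, and lower-case it, so that
    'a\\Report.EXE. ' is treated as 'report.exe'."""
    base = posixpath.basename(name.replace("\\", "/"))
    return base.rstrip(". ").lower()


def is_blocked(filename, blocked=BLOCKED_EXTENSIONS):
    """True if any dotted segment after the first is a blocked extension.

    Deliberately strict: 'invoice.pdf.exe', 'setup.exe.txt' and a bare '.exe'
    are all rejected, so a double extension cannot hide an executable."""
    blocked = _normalize_blocklist(blocked)
    segments = normalize_filename(filename).split(".")
    return any("." + seg in blocked for seg in segments[1:])


def blocked_attachments(msg):
    """Declared filenames of every part of msg that the blocklist rejects."""
    found = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename()  # Content-Disposition or Content-Type name
        if name and is_blocked(name):
            found.append(name)
    return found


def parse_message(raw):
    """Parse raw RFC 5322 bytes the way a gateway receives them."""
    return email.message_from_bytes(raw, policy=email.policy.default)


def build_sample_message():
    """Constructed sample (not from the page): one clean PDF, one executable
    hiding behind a double extension, one batch script; returns raw bytes."""
    msg = EmailMessage()
    msg["From"] = "sender@example.test"
    msg["To"] = "recipient@example.test"
    msg["Subject"] = "Monthly report"
    msg.set_content("Please see the attached files.")
    msg.add_attachment(b"MZ\x90\x00", maintype="application",
                       subtype="octet-stream", filename="Invoice.pdf.EXE")
    msg.add_attachment(b"%PDF-1.7", maintype="application",
                       subtype="pdf", filename="report.pdf")
    msg.add_attachment("@echo off\n", filename="run.bat")
    return msg.as_bytes()


if __name__ == "__main__":
    rejected = blocked_attachments(parse_message(build_sample_message()))
    print("blocked attachments:", rejected)  # ['Invoice.pdf.EXE', 'run.bat']
```

A declared filename is only one signal; a gateway that also inspects file content (for example the MZ header of the first sample attachment) catches renamed executables that this check alone would pass.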

  57. When using corporate email, employees are prohibited from:

  • sending/receiving non-business emails;
  • sending emails with attachments containing viruses and/or other malicious programs;
  • sending spam-type mailings – chain letters and the like;
  • following links and entering their passwords and/or logins on pages that raise doubt.
  58. Mail servers and email systems must be protected using security measures, including, but not limited to, the following:
  • content and spam filtering;
  • system for detecting, blocking, and reporting data breaches;
  • firewalls;
  • antivirus programs.
  9. REQUIREMENTS FOR WEBSITES AND WEB APPLICATIONS

  59. Websites and web applications must comply with the following requirements:
  • each page of the site must have the ability to navigate to the main page;
  • presence of an "About Us" page and full information about the credit financial organization;
  • presence of a convenient way to contact between the user and the credit financial organization;
  • presence of search capabilities on the site;
  • presence of an appropriate message for the 404 error page (Error 404) and absence of links to empty pages or pages marked "in process";
  • use of clear definitions for links. If necessary, providing links to articles from other sources;
  • roles, procedures, and guidelines for site content management must be documented.
  60. The site must have a special service that allows analyzing and collecting information about the actions of its users.

  61. The site's content must be published in at least two languages.

  10. REQUIREMENTS FOR ACCESS CONTROL AND AUTHENTICATION

  62. The subject requesting access to the information and communication technology systems of a credit financial organization must undergo an identification and authentication procedure.

  63. Credit financial organizations must have specialized systems for managing and controlling access permissions. Access to information and communication technology systems must be controlled and documented by internal audit.

  64. Access methods to information and communication technology systems must be standard, including identification and authentication:

  • user identifier and password;
  • verification of access rights at the level of server operating systems.
  65. It is necessary to use technology that combines user identification and authentication with the confidentiality and reliability of their personal data.

  66. It is necessary to establish criteria for the session timeout mechanism after a certain period of user inactivity in the system. The maximum timeout is one minute.

  67. It is necessary to set working hours and dates when access to information and communication technology resources is allowed. This schedule must apply to all employees. Exceptions to these rules may be applied to administrators and technical specialists.

  68. When transferring an employee to another department, all old permissions must be canceled, and new ones must be issued in accordance with the new position.

  69. Access to the corporate network of a credit financial organization must be provided only after user identification and authentication.

  70. Mechanisms for two-factor authentication (biometric/smart card/token/OTP) must be developed for critical systems.

  71. Users are not allowed to use a shared account. Each system user must be unique and identifiable.

  72. User tasks must correspond to the approved...