2021-12-22 | 106323
The National Bank of the Kyrgyz Republic issued this regulation to establish unified information security requirements for commercial banks, aiming to enhance systemic security and minimize losses from malicious actions or errors. The document mandates a comprehensive security management system, strict personnel controls, role-based access principles, and robust risk management and business continuity planning. It further specifies technical requirements for system lifecycle protection, event logging, and secure payment processing, including SWIFT operations.
Creation Date: 2021-12-29
Approved by the Board of Directors Resolution
National Bank of the Kyrgyz Republic
of December 22, 2021 No. 2021-P-20/72-8-(NPA)
REGULATION
on information security requirements
for commercial banks of the Kyrgyz Republic
Chapter 1. General Provisions
The purpose of this Regulation is to establish unified requirements for commercial banks of the Kyrgyz Republic (hereinafter - Banks), aimed at raising the level of information security of the banking system of the Kyrgyz Republic, as well as minimizing possible losses caused by the actions of attackers, accidental failures, and personnel errors.
For the purposes of this Regulation, the following definitions apply:
Authorization
– the process of granting a specific object/subject rights to perform certain actions in accordance with the role performed in the system.
Automated System – a system consisting of personnel, a set of tools for automating their activities, methods and measures implementing the information technology for performing established functions.
Automated Banking System – an automated system implementing the technology for performing bank functions.
Authentication
– verification of ownership of the presented identifier by the object/subject or confirmation of authenticity.
Outsourcing
– the bank's engagement of external service providers to perform, on a continuous basis, certain types of work and services that would normally be carried out by the bank itself. The bank may not outsource operations related to lending, attracting deposits, or other banking operations requiring a license.
Availability of an Information Asset
– a property of the bank's information security consisting in the fact that information assets are provided to an authorized user, in the format and location necessary for the user, and at the time when they are needed by the user.
Identifier
– a unique attribute of a subject or object of access.
Identification
– the process of assigning an identifier (unique name) to objects/subjects or comparing the identifier of an object/subject with a list of assigned identifiers.
Information Security – security related to threats in the information sphere. Protection is achieved by ensuring a set of information security properties: availability, integrity, and confidentiality of information assets. The priority of information security properties is determined by the value of these assets for the interests (goals) of the bank.
Information System
– an interconnected set of means, methods, and personnel used for storing, processing, and issuing information in the interests of achieving the set goal. An information system contains automated and non-automated processes for storing, processing, and issuing information.
Information Assets
– information having value for the bank in terms of achieving its goals and presented on any physical carrier in a form suitable for its processing, storage, or transmission.
Confidentiality of an Information Asset
– a state of bank resources consisting in the fact that the processing, storage, and transmission of information assets are carried out in such a way that information assets are available only to authorized users, system objects, or processes.
Object
– a process running in an information system, requesting permission to access information.
Password
– a secret set of characters intended to confirm user authority.
PIN Envelope
– a special envelope for confidential storage of the PIN code.
User of an Automated System
– a subject or object registered in the automated system and using its resources (bank employees and clients).
Authorization (Sanctioning)
– an action to provide a user with the ability to perform (grant permission for) specific actions in the system based on their job duties. Without special sanction, no user is allowed access to any information or application.
Smart Card
– a plastic card with a built-in microchip. In most cases, a smart card contains a microprocessor and an operating system controlling the device and access to objects in its memory. In addition, a smart card, as a rule, has the ability to perform cryptographic calculations.
Subject
– a user requesting permission to access information.
Token ("Key") –
a compact device in the form of a USB key fob or a key in the cloud (a special secure server), which serves for user authorization, protection of electronic correspondence, secure remote access to information resources, as well as reliable storage of any personal data.
Integrity of an Information Asset
– a property of the bank's information security to preserve unchangeability or detect the fact of change in its information assets.
The Information Security Management System is part of the overall management system, based on the use of business risk assessment methods for the development, implementation, operation, monitoring, analysis, support, and improvement of the bank's information security. The Information Security Management System can be built in accordance with ISO/IEC 27001.
The National Bank of the Kyrgyz Republic (hereinafter – the National Bank) has the right to conduct inspections of the bank for compliance with the requirements established by this Regulation.
The bank's management bears full responsibility for the use and operation of its entire information system.
In managing the information security assurance system, the bank must continuously use processes such as planning, implementation, verification, and improvement.
Information security requirements must be comprehensively interconnected and continuous throughout all stages of the lifecycle of information systems.
Chapter 2. Requirements for Information Security Documents
The bank's information security documents consist of three levels:
general policies;
private policies (documents regulating information security assurance practices);
operational procedures for information security assurance.
General policies must reflect the bank's management approaches to ensuring information security, describe general principles and goals of security assurance, and the system of measures and methods to achieve the goal of information security. An authorized person responsible for implementing the information security policy must be appointed in the bank.
Private policies regulating security assurance practices (private policies) must reflect the support of goals established by management and further detail the general principles, defining detailed measures necessary to fulfill the requirements of the information security policy.
Information security assurance requirements displayed in the bank's private information security policies must be defined for the following most important areas:
personnel requirements;
assignment, distribution of roles, and registration in the information system;
identification, assessment, and monitoring of information security risks;
ensuring information security at the lifecycle stages of automated systems;
protection against unauthorized and unregulated access, access management, and logging of all actions in automated systems, telecommunications equipment, automatic telephone exchanges, etc.;
antivirus protection;
use of internet resources;
use of cryptographic protection tools;
protection of banking payment and information technology processes;
ensuring business continuity;
backup and recovery;
physical protection;
information security incident management, etc.
Documents on operational procedures for security assurance must contain descriptions of practical techniques at the technical level that ensure the implementation of necessary practices. Procedures must comply with the bank's policies.
The bank must ensure the presence and preservation of documents containing evidence of completed activities and actions to ensure information security (reports, acts, logs) and reflect achieved results (intermediate and final) in the implementation of requirements of documents related to the bank's information security assurance.
Chapter 3. Bank Personnel Requirements
For the purposes of information security, bank personnel are divided into the following categories:
management – a group of persons making strategic decisions for the entire bank or its separate subdivisions, controlling the activities of bank subdivisions, and making final decisions on operational activities and financial issues in the bank;
managers – a group of persons making tactical decisions, organizing and controlling work within their subdivisions;
security personnel – a group of persons responsible for ensuring security in the bank in various areas. Security personnel must be subordinate directly to management, taking into account the exclusion of conflicts of interest, and have appropriate authority to perform their functions;
internal audit – a bank subdivision responsible for organizing and conducting internal audit in the bank, including IT audit and information security audit;
development and technical support personnel – a bank subdivision responsible for the development, modernization, and maintenance of the information system's operability, and the technical implementation of security measures;
operational personnel – a group of persons performing authorized operations in the bank's information system, as well as responsible for servicing bank clients.
Candidates for employment must undergo:
verification of the authenticity of provided documents, claimed qualifications, and the accuracy and completeness of biographical facts;
verification of professional skills and assessment of professional suitability.
All bank employees must be familiarized in writing with information security assurance requirements and compliance with confidentiality and adherence to corporate ethics rules, including requirements to prevent conflicts of interest.
The bank subdivision responsible for implementing information security must systematically update information on threats in the field of information security, taking into account global trends, timely inform the bank's management and employees about threats, and conduct measures aimed at raising the overall level of personnel awareness to counter these threats.
Personnel duties and responsibilities for fulfilling information security assurance requirements must be included in their job descriptions.
Non-fulfillment or improper fulfillment by bank employees of information security assurance requirements is equated to non-fulfillment of job duties.
Chapter 4. Assignment, Distribution of Roles, and
Registration in the Automated System
The bank must develop and adopt a document containing employee roles, including roles for information security assurance.
Roles ensuring clear separation of employee authorities must be defined in the automated system.
When providing employees with access to the automated system, the user registration, identification, authentication, and authorization procedures must be performed. Before issuing an identifier to a user, the user's identity must be verified. The system must record which executor issued the identifier to the user.
The work of all users of the automated system must be carried out under unique accounts.
When distributing access rights of employees and clients to information assets, banks must be guided by the following principles:
"Know Your Customer" (KYC) – a principle used by regulatory authorities to express the attitude towards financial organizations in terms of knowledge of their clients' activities;
"Know Your Employee" (KYE) – a principle reflecting the bank's attention to its employees' attitude to their duties and to possible problems, such as misuse of property or financial difficulties, that can lead to security problems;
"Need to Know" – a principle limiting the authority of bank employees and clients to access information and resources for information processing to the level minimally necessary to perform certain duties;
"Least Privileges" – a principle meaning that to perform a certain operation, a user must be granted only the minimally necessary privileges;
"Dual Control" for operations in payment systems and when assigning roles in the automated system (Dual Control – principle of four eyes) – a principle of preserving the integrity of the process and combating distortion of system functions, requiring that two authorized bank employees, independently of each other, take some action before completing certain transactions.
The bank must document the list of information assets (automated systems and their types) and the access rights of employees and clients to these assets.
Role formation must be carried out based on the bank's existing business processes and with the aim of excluding the concentration of authority and reducing the risk of information security incidents related to the loss of information assets' properties of availability, integrity, or confidentiality.
The bank must monitor "privileged access," namely: accounts with elevated access rights to automated systems (administrator accounts) to minimize risks and ensure the security of critically important automated systems.
Persons responsible for their execution must be assigned for each role. Employee responsibility must be recorded in their job descriptions.
User authentication in the system must correspond to the criticality of the information received and be carried out based on one or more authentication mechanisms:
by knowledge, "something you know" (password, PIN code);
by possession, "something you have" (smart card, token);
by a physical characteristic of the user, "something you are" (fingerprints or other biometric data).
Two-factor authentication includes any two of these three mechanisms: a person "knows something" and "has something" or "is someone".
Events regarding the registration and change of user access rights must be recorded in the system event log.
The bank must apply protective measures aimed at ensuring protection against unauthorized access, unauthorized actions, and violation of the integrity of information necessary for the registration, identification, authentication, and/or authorization of bank clients and employees. All attempts of unauthorized actions and unauthorized access to such information must be recorded in the event log.
When providing employees with remote access to the automated system and corporate services, the bank must implement multi-factor authentication technology.
Upon dismissal of employees or change of job duties of bank employees having access to automated system information, their access rights to the automated system must be blocked or changed.
The bank must develop and implement a password policy. The password policy must include at least such basic rules and components as:
requirements for the degree of complexity and length of the password;
requirements for the inadmissibility of recording and storing passwords on physical carriers;
user responsibility for violating the policy.
Bank employees must be familiarized with the password policy and strictly comply with its requirements during work.
The bank must develop recommendations for compliance with information security policy requirements for users and clients of remote banking services, mobile banking, electronic wallets, and conduct work to inform users about compliance with these requirements during work with banking products.
Chapter 5. Information Security Risk Management Process Requirements
The bank must develop an information security risk management policy integrated with the bank's overall risk management policy.
The bank must determine the value of assets, identify vulnerabilities, threats, and risks. Identified risks must be quantitatively or qualitatively assessed. The bank must determine appropriate measures and control means for risk treatment.
The organization of the risk assessment process may be based on the international standard ISO 27005 or similar standards.
Chapter 6. Bank Business Continuity
The bank must develop and approve the following business continuity documents:
a business continuity policy, which must contain the necessary guidelines for ensuring business continuity and the role authorities necessary to perform assigned tasks;
an emergency action plan, where procedures and management that will ensure the continued operation of the bank in an emergency state must be described;
a business recovery plan, where procedures ensuring the rapid restoration of operability of critical systems and functions must be described.
Analysis of the impact of emergencies on the bank's activities is an important tool for ensuring the bank's business continuity, which is inextricably linked with the identification of critical functions and systems. For these purposes, critical functions and systems must be identified in the bank and categorized based on their degree of criticality.
Upon identifying threats, the bank is obliged to select and implement protective measures to reduce the level of bank risks that can lead to emergencies.
To properly prepare personnel for performing tasks in case of an emergency, the bank must periodically test the plan, conduct trainings, education, and drills for bank employees.
Chapter 7. Security in the Lifecycle
of the Bank's Automated Systems
The bank must ensure comprehensive protection of automated systems at all stages of their lifecycle: design, implementation, testing, acceptance, operation, maintenance, modernization, and decommissioning. Each stage must be documented and approved by top management. Testing must be conducted in a test environment identical to the production environment.
The bank must use only licensed software; open-source software or in-house development is allowed if there is a complete set of documentation approved by top management (technical specification, test program and methodology, test act and log, commissioning act).
Chapter 8. Maintenance of Event Registration Log
of Conducted Operations
The bank must ensure the maintenance of an event registration log (logging) of activities carried out in the automated system, personal computer, server and network equipment, and databases as a means for conducting information security audits, restoring the course of events, and maintaining accountability. The event registration log must include the actions of all users, including highly privileged accounts (root, administrator, sysdba, dba).
Monitoring and analysis of event log information must be conducted daily by automated system administrators (technical support personnel), including with automated tools, and every non-standard security-related situation must be investigated.
Event log information must be stored electronically for a period equal to the storage period of the processed data of the corresponding automated system, but not less than 2 (two) years.
Event log information must be protected from accidental or intentional deletion, modification, or falsification. Disabling logging, deleting, modifying, or falsifying event log information must be considered an incident.
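One technical way to meet the protection requirement above (deletion, modification, falsification, and disabled logging all detectable) is a hash-chained, MAC'd log with sequence numbers and a heartbeat. The following is an added example in Python, not code from the regulation or from any bank; the key, the event records, the heartbeat interval and the helper names are all constructed for illustration.

```python
import hashlib
import hmac
import json
from datetime import datetime, timedelta, timezone

# Assumption: the MAC key lives on a separate log-collection host, so a
# local administrator (root, dba, sysdba) cannot recompute MACs after editing.
LOG_KEY = b"constructed-example-key-not-for-production"
GENESIS = "0" * 64


def _mac(key: bytes, prev_mac: str, seq: int, ts: str, event: dict) -> str:
    """MAC over the record plus the previous record's MAC (hash chain)."""
    payload = json.dumps(
        {"prev": prev_mac, "seq": seq, "ts": ts, "event": event},
        sort_keys=True, separators=(",", ":"),
    ).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def append(log: list, key: bytes, ts: datetime, event: dict) -> dict:
    """Append one event; seq and prev-MAC bind it to everything before it."""
    prev = log[-1]["mac"] if log else GENESIS
    seq = log[-1]["seq"] + 1 if log else 1
    ts_s = ts.isoformat()
    rec = {"seq": seq, "ts": ts_s, "event": event,
           "mac": _mac(key, prev, seq, ts_s, event)}
    log.append(rec)
    return rec


def verify(log: list, key: bytes, max_gap=timedelta(minutes=5)) -> list:
    """Return findings; an empty list means the chain is intact and continuous.

    Assumes a heartbeat event is written at least every max_gap, so a longer
    silence means logging was disabled, which Chapter 8 treats as an incident.
    """
    findings, prev, expected_seq, prev_ts = [], GENESIS, 1, None
    for rec in log:
        if rec["seq"] != expected_seq:
            findings.append(f"seq {expected_seq} missing before seq {rec['seq']} (deletion)")
        expected = _mac(key, prev, rec["seq"], rec["ts"], rec["event"])
        if not hmac.compare_digest(rec["mac"], expected):
            findings.append(f"seq {rec['seq']}: MAC mismatch (modified or chain broken)")
        ts = datetime.fromisoformat(rec["ts"])
        if prev_ts is not None and ts - prev_ts > max_gap:
            findings.append(f"seq {rec['seq']}: {ts - prev_ts} without events (logging disabled?)")
        prev, prev_ts, expected_seq = rec["mac"], ts, rec["seq"] + 1
    return findings


def build_sample_log(gap_minutes: int = 2) -> list:
    """Constructed sample events; gap_minutes spaces the last two entries."""
    base = datetime(2021, 12, 22, 9, 0, tzinfo=timezone.utc)
    events = [
        (0, {"user": "operator1", "action": "login", "result": "ok"}),
        (1, {"user": "root", "action": "sudo", "cmd": "usermod -aG dba operator1"}),
        (3, {"user": "heartbeat", "action": "alive"}),
        (4, {"user": "operator1", "action": "payment.create", "order": "PO-1"}),
    ]
    log = []
    for minutes, ev in events:
        append(log, LOG_KEY, base + timedelta(minutes=minutes), ev)
    append(log, LOG_KEY, base + timedelta(minutes=4 + gap_minutes),
           {"user": "controller2", "action": "payment.approve", "order": "PO-1"})
    return log


def tamper_demo() -> dict:
    """Run verify() against an intact log and three manipulated copies."""
    modified = build_sample_log()
    modified[1]["event"]["cmd"] = "ls"          # root rewrites its own sudo record
    deleted = build_sample_log()
    del deleted[2]                              # heartbeat record removed
    return {
        "intact": verify(build_sample_log(), LOG_KEY),
        "modified": verify(modified, LOG_KEY),
        "deleted": verify(deleted, LOG_KEY),
        "gap": verify(build_sample_log(gap_minutes=30), LOG_KEY),
    }


if __name__ == "__main__":
    for name, findings in tamper_demo().items():
        print(name, "->", findings or "OK")
```

The chain alone cannot detect truncation of the newest records, which is why the verifier also returns nothing for an honest prefix; in practice the last sequence number is checkpointed to the collection host so that a shortened tail is caught on the next comparison.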
Chapter 9. Payment and Settlement Process
in the Automated System (including SWIFT)
For payment and settlement processes in the automated system, the bank must ensure:
processing, accounting, and storage of payment information in the automated system on the territory of the Kyrgyz Republic;
protection of payment information from distortion, falsification, redirection, unauthorized destruction, false authorization of electronic payment messages;
bank employee access to automated system resources that ensure payment and settlement only for the execution of job duties;
control (monitoring) of the execution of processes for preparing, processing, transmitting, and storing payment information;
authentication of incoming electronic payment messages;
mutual (two-way) authentication of the automated workstations and servers of the participants in the exchange of electronic payment messages (both bank branches/offices and clients);
the ability to enter payment information into the automated banking system only for authorized users;
compliance in the automated banking system with the principle of end-to-end payment processing: continuous processing of the entire flow of incoming financial information without manual intervention along the whole technological chain, from entry of the information into the automated system to completion of its processing, in order to maximize the speed of operations and exclude errors;
control aimed at excluding the possibility of malicious actions (double entry, reconciliation, transaction authorization, setting limits depending on the amount of operations performed, etc.) (both by authorized employees and by clients);
recovery of payment information in case of its intentional (accidental) destruction (distortion) or failure of computing equipment;
reconciliation of outgoing electronic payment messages with corresponding incoming and processed electronic payment messages when carrying out interbank settlements;
delivery of electronic payment messages to participants in information exchange.
Bank employees, including automated system administrators, must not have the authority to create, authorize, destroy, or modify payment information in an uncontrolled manner, or to carry out unauthorized operations that change the state of bank accounts.
Processing of payment information and control (verification) of processing results must be carried out by different employees.
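The "Dual Control" (four eyes) principle from Chapter 4 and the two requirements immediately above (administrators hold no payment authority; processing and control are done by different employees) are usually enforced as a maker-checker workflow. The following is an added example in Python, not code from the regulation or from any bank's system; the role names, the per-order limit, the user identities and the order are constructed assumptions for illustration.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Role(Enum):
    OPERATOR = "operator"      # enters payment information (first pair of eyes)
    CONTROLLER = "controller"  # verifies and authorizes (second pair of eyes)
    SYSADMIN = "sysadmin"      # technical support: no payment authority at all


@dataclass(frozen=True)
class User:
    user_id: str
    roles: frozenset          # one person may hold several roles


class DualControlError(Exception):
    """Raised when an action would breach separation of duties."""


@dataclass
class PaymentOrder:
    order_id: str
    amount: int                      # minor currency units (assumption)
    created_by: str
    approved_by: Optional[str] = None


class PaymentWorkflow:
    """Maker-checker flow: no single identity can both enter and authorize."""

    def __init__(self, per_order_limit: int):
        self.per_order_limit = per_order_limit   # limit depending on amount
        self.orders: dict = {}
        self.audit: list = []                    # every attempt, allowed or denied

    def _log(self, user: User, action: str, order_id: str, result: str) -> None:
        self.audit.append(f"{user.user_id} {action} {order_id}: {result}")

    def _deny(self, user: User, action: str, order_id: str, reason: str) -> None:
        self._log(user, action, order_id, "DENIED " + reason)
        raise DualControlError(reason)

    def create(self, user: User, order_id: str, amount: int) -> PaymentOrder:
        if Role.OPERATOR not in user.roles:
            self._deny(user, "create", order_id, "no operator role")
        if order_id in self.orders:
            self._deny(user, "create", order_id, "duplicate order id")
        if amount > self.per_order_limit:
            self._deny(user, "create", order_id, "amount above per-order limit")
        self.orders[order_id] = PaymentOrder(order_id, amount, user.user_id)
        self._log(user, "create", order_id, "ok")
        return self.orders[order_id]

    def approve(self, user: User, order_id: str) -> PaymentOrder:
        order = self.orders[order_id]
        if Role.CONTROLLER not in user.roles:
            self._deny(user, "approve", order_id, "no controller role")
        if user.user_id == order.created_by:
            self._deny(user, "approve", order_id, "four-eyes: maker cannot be checker")
        if order.approved_by is not None:
            self._deny(user, "approve", order_id, "already authorized")
        order.approved_by = user.user_id
        self._log(user, "approve", order_id, "ok")
        return order

    def is_releasable(self, order_id: str) -> bool:
        o = self.orders[order_id]
        return o.approved_by is not None and o.approved_by != o.created_by


def demo() -> dict:
    """Constructed scenario; returns what each attempt produced."""
    wf = PaymentWorkflow(per_order_limit=5_000_000)
    maker = User("operator1", frozenset({Role.OPERATOR}))
    both = User("teller7", frozenset({Role.OPERATOR, Role.CONTROLLER}))
    checker = User("controller2", frozenset({Role.CONTROLLER}))
    admin = User("dba", frozenset({Role.SYSADMIN}))
    out = {}

    def attempt(name, fn):
        try:
            fn()
            out[name] = "ok"
        except DualControlError as e:
            out[name] = str(e)

    attempt("admin_create", lambda: wf.create(admin, "PO-1", 100))
    attempt("over_limit", lambda: wf.create(maker, "PO-1", 9_000_000))
    attempt("create", lambda: wf.create(both, "PO-1", 100))
    attempt("self_approve", lambda: wf.approve(both, "PO-1"))   # same identity
    attempt("maker_approve", lambda: wf.approve(maker, "PO-1"))
    attempt("approve", lambda: wf.approve(checker, "PO-1"))
    attempt("second_approve", lambda: wf.approve(checker, "PO-1"))
    out["releasable"] = wf.is_releasable("PO-1")
    out["audit_entries"] = len(wf.audit)
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, "->", v)
```

Note that the four-eyes check is on the user identity, not the role: "teller7" holds both roles and is still refused as checker of an order it created, while the administrator identity can neither enter nor authorize anything. Every attempt, denied or not, is written to the audit list so the Chapter 8 logging requirement is met by the same code path.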
For systems ensuring payment and settlement, a main and backup staff composition must be provided. In case of absence of any sp