2004-12-03 | 122212

Methodological Recommendations for Checking Compliance with Information System Security in Commercial Banks of the Kyrgyz Republic

The National Bank of the Kyrgyz Republic issued these Methodological Recommendations to guide inspectors in assessing information security compliance within commercial banks and licensed financial institutions. The document mandates a comprehensive on-site verification process covering technical infrastructure, software integrity, access controls, data confidentiality, and personnel security protocols. It requires inspectors to evaluate specific threat vectors and operational risks, culminating in a detailed report outlining findings and remediation recommendations.


Date of creation: 2024-10-31

APPROVED

by the resolution of the NBKR Supervision Committee

No. 26/1 dated 03.12.2004

Methodological Recommendations

on checking compliance with information system security

in commercial banks of the Kyrgyz Republic.

(amendments and additions approved by the resolutions of the Supervision Committee No. 53/2 dated 24.12.2012, No. 22/2 dated 29.06.2017, and No. 39/1 dated 10.09.2024)

1. Introduction

1.1. These Methodological Recommendations are developed by the National Bank of the Kyrgyz Republic (hereinafter referred to as the National Bank) to assist banking supervision inspectors and information security specialists in conducting checks on compliance with information system security in commercial banks and other financial and credit organizations licensed by the National Bank (hereinafter referred to as banks) and serve as a guide for conducting on-site inspections.

(In the edition of the resolution of the Supervision Committee No. 22/2 dated 29.06.2017, No. 39/1 dated 10.09.2024)

1.2. This document is a template; when it is applied in practice, the specific features of the information systems of a particular bank must be taken into account.

2. Terms and Definitions

2.1. The terms and definitions used in these Methodological Recommendations are those applied in the following regulatory acts:

- Concept for ensuring information system security in banking institutions of the Kyrgyz Republic, approved by the resolution of the Board of the NBKR No. 1618 dated 03.06.98;
- Recommendations for ensuring information system security in banking institutions of the Kyrgyz Republic, approved by the resolution of the Board of the NBKR No. 8/8 dated 13.02.02;
- Instruction on ensuring the necessary level of security of electronic payments, approved by the resolution of the Board of the NBKR No. 66/9 dated 6.11.99;
- Regulation "On requirements for ensuring information security in banking institutions of the Kyrgyz Republic when working with information resources of the NBKR", approved by the resolution of the Board of the NBKR No. 19/7 dated 3.07.03;
- Standards for ensuring information security of institutions of the banking system of the Kyrgyz Republic, approved by the resolution of the Board of the NBKR No. 24/10 dated 15.09.04 (reg. number of the Ministry of Justice of the KR No. 117-04 dated 22.10.04).

3. Purpose of the Inspection

3.1. The main purpose of inspecting compliance with information system security in banks is to assess the banks' level of information security and the risk of information security violations, by identifying information security threats and determining their sources and their possible consequences for the banks.

3.2. The most dangerous (significant) information security threats (methods of causing damage to the subjects of information relations) are:

- violation of confidentiality (disclosure, leakage) of information constituting banking or commercial secrets, as well as personal data;
- violation of availability (disorganization of work) of information systems: blocking access to information, disruption of technological processes, failure to complete tasks on time;
- violation of integrity (distortion, substitution, destruction) of information, software and other resources, as well as falsification (forgery) of documents.

3.3. The main sources of information security threats are:

- unintentional (erroneous, accidental, thoughtless, without malicious intent or selfish goals) violations of the established regulations for the collection, processing and transmission of information, as well as other actions of personnel during the operation of information systems, leading to unproductive expenditure of time and resources, disclosure of limited-distribution information, loss of valuable information, or loss of operability of individual workstations, subsystems or the system as a whole;
- deliberate (for selfish purposes, under coercion by third parties, with malicious intent, etc.) actions of employees permitted to work with information systems, as well as of employees responsible for maintaining and administering software, hardware and protection tools and for ensuring information security;
- activities of criminal groups and formations, political and economic structures, and individual persons aimed at obtaining information, imposing false information, or disrupting the operability of the system as a whole or of its individual components;
- errors made in the design of information systems and their protection systems, errors in software, and failures and malfunctions of technical means (including information protection tools and tools for monitoring the effectiveness of protection);
- the action of computer viruses;
- accidents, natural disasters, etc.

4. Objects of Inspection

4.1. The main objects of inspection are:

- the bank's regulatory framework for ensuring information security;
- systems for ensuring the security of information resources with limited access (constituting state, commercial or banking secrets) and of other sensitive information resources exposed to accidental and unauthorized impacts and to violation of their security, including open (publicly available) information presented in the form of documents and information arrays, regardless of the form and type of their presentation;
- systems for ensuring the security of information processing: information technologies, regulations and procedures for the collection, processing, storage and transmission of information;
- systems for ensuring the security of the information infrastructure, including information processing and analysis systems, technical and software means for processing, transmitting and displaying information (including information exchange channels and telecommunications), and the objects and premises where infrastructure components are located.

5. General Familiarization with the Bank's Information Systems

5.1. During the inspection, the inspector must study the structure of the bank's information system, as well as the regulatory documents governing the operation of the bank's information systems, namely:

- organization of the local area network (LAN) in the bank;
- methods of connecting bank employees' workstations to the LAN;
- organization of backup and recovery of important information, and organization of restoring the operability of information systems in emergencies;
- organization of connection to Internet resources and e-mail;
- methods of protecting electronic payments;
- organization of the security of internal electronic document flow in the bank;
- organization of record-keeping for confidential documents, and the admission of persons to work with confidential documents;
- organization of interaction between the bank and its representative offices and branches;
- organization of employee training on security rules;
- organization of archiving systems, attack detection systems and antivirus protection.

5.2. The bank's regulatory framework for ensuring information security must include at least the list of regulatory documents given in Appendix C to the Standards for ensuring information security of institutions of the banking system of the Kyrgyz Republic, approved by the resolution of the Board of the NBKR No. 24/10 dated 15.09.04 (reg. number of the Ministry of Justice of the KR No. 117-04 dated 22.10.04), and must be consistent with the regulatory acts listed in section 2 of these Methodological Recommendations.

5.3. The inspector must also study the control reporting (registration journals and reports on the security of information systems), all organizational and administrative documents on ensuring information security, and the reports of internal and external audits of information systems.

6. Inspection of Technical Means Security

6.1. In order to identify violations of technical means security compliance, the inspector must check:

- the presence of premises for information system equipment that meet the operating conditions of that equipment;
- the compliance of the technical strengthening of premises with the requirements established by the National Bank;
- compliance with access restrictions to special premises;
- the presence of special equipment for storing information carriers that provides protection against unauthorized access and against thermal, mechanical and electromagnetic impact;
- the use of autonomous and uninterruptible power sources.

7. Inspection of Software Security

7.1. In order to identify violations of Automated Systems (AS) security compliance, the inspector must check:

- compliance with access restrictions to software;
- separation of rights and authorities when working with the AS;
- the presence of a backup copy of the software.

8. Inspection of Access Control to Information Resources

8.1. In order to check the prevention of unauthorized access to information resources, the inspector must check:

- the presence of a system for separating employee access to work with automated systems;
- the logging (registration) of users, of their actions, and of unauthorized operations;
- the application of user identification;
- the application of antivirus protection.

9. Inspection of Data Confidentiality

9.1. In order to check the provision of data confidentiality, the inspector must check:

- the application of security policy norms;
- the logging of access to confidential data;
- the application of special information encoding tools (cryptographic tools) and firewalls.

10. Inspection of Data Integrity

10.1. In order to check the provision of data integrity, the inspector must check:

- the provision of data duplication;
- the provision of periodic backup and data recovery;
- the provision of appropriate protection of data at the external level.

11. Inspection of Personnel Security

11.1. In order to check the provision of personnel security, the inspector must check:

- the availability of appropriate personnel;
- the application of normative policy;
- compliance with the segregation of authorities;
- control over the assignment of user authorities and compliance with them.

12. Inspection of Communication Security

12.1. In order to check the provision of communication security, the inspector must check:

- the security of the use of communication lines and communication equipment;
- the presence of backup communication lines or alternative methods of information transmission;
- the application of cryptographic tools, data firewalls and authentication tools when protecting information at the external level;
- the protection of payment documents;
- the registration and storage of payment documents.

13. Inspection of Security When Using Plastic Cards

13.1. In order to check the provision of security when using plastic cards, the inspector must check:

- control over the integrity and authenticity of transaction transmission over communication channels, as well as the subsequent identification and authentication of the cardholder;
- monitoring and control of transactions in the system, and monitoring and management of the network of terminals and ATMs;
- the application of encryption and verification methods.

14. Preparation of the Inspection Report

14.1. Upon completion of the inspection, the inspector prepares a report on the inspection of information system security, including at least the following:

- a schematic description of the structure of the bank's information system;
- a description of the inspection results for all the above sections of these Methodological Recommendations;
- recommendations for eliminating violations of information system security compliance, if any were identified.
