2017-06-29 | 112198
The National Bank of the Kyrgyz Republic issued these recommendations to guide microfinance organizations in establishing robust information security frameworks to mitigate risks from unauthorized access, system failures, and personnel errors. The document mandates a multi-layered security architecture covering hardware, applications, systems, networks, and external interfaces, requiring strict access controls, data classification, and comprehensive logging. It further prescribes specific protocols for data backup, disaster recovery, and the protection of critical financial information to ensure operational continuity and regulatory compliance.
Creation Date: 2023-01-20
Approved by Resolution
of the Supervisory Committee of the NBKR
of October 21, 2009 No. 21/1
RECOMMENDATIONS
on ensuring the security of information systems
in microfinance organizations of the Kyrgyz Republic
(amendments and additions approved by resolutions of the Supervisory Committee of the National Bank No. 22/2 dated June 29, 2017, and No. 43/2 dated December 30, 2022)
General Provisions
Objects of Information Security
Information Security Threats and Their Sources
Main Tasks of the Information Security Assurance System
Structure and Functionality of Information Systems
Computer Databases, Programs, and User Interface
Final Provisions
General Provisions
1.1. These recommendations are developed by the National Bank of the Kyrgyz Republic (hereinafter – the National Bank) to assist microfinance organizations (hereinafter – MFOs) in ensuring information security and minimizing potential losses caused by malicious actions, accidental failures, and personnel errors.
1.2. The recommendations are developed in accordance with the Civil Code of the Kyrgyz Republic, the Law of the Kyrgyz Republic "On Microfinance Organizations in the Kyrgyz Republic," and other regulatory and legal acts of the Kyrgyz Republic. This document is of a recommendatory nature and contains information and recommendations on the creation, development, and operation of information systems, as well as the selection and implementation of software.
(In the edition of the Resolution of the Supervisory Committee of the National Bank dated December 30, 2022 No. 43/2)
1.3. The recommendations apply to all microfinance companies, as well as microcredit companies having a network of branches or regional offices. When practically using these recommendations, the specifics of the information systems of a specific MFO, its structure, volumes of information flows, formation, dissemination, and use of information, and technical means of its processing must be taken into account.
1.4. In the recommendations, the term "MFO Information System" (hereinafter IS) refers to a system based on the use of computing equipment, software, computer databases, and methods of their use for input, processing, transmission, output, and storage of financial and management information.
1.5. Processing and storage of accounting information in the IS must be carried out in a computerized manner in compliance with the following main criteria: functionality; security and reliability; general requirements for computer databases, programs, and user interface.
1.6. MFO employees are direct users of the IS. The National Bank, if necessary, may request users of the system to provide the required information from the IS.
Objects of Information Security
2.1. The main objects of information security are:
information resources with restricted access (state, commercial, or banking secrets) and other sensitive information resources vulnerable to accidental or unauthorized impacts and security breaches, including open (public) information, presented as documents and data sets regardless of the form and type of their presentation, the loss or disclosure of which could negatively affect the activities of the MFO;
information processing processes – information technologies, regulations, and procedures for collecting, processing, storing, and transmitting information, scientific and technical personnel of system developers and users, and their support personnel;
information infrastructure, including information processing and analysis systems, technical and software means for its processing, transmission, and display, including information exchange and telecommunications channels, information protection systems and means, and objects and premises where infrastructure components are located.
2.2. IS security must be built based on the specific structure of the IS, taking into account the features of its individual elements. Security assurance must be implemented at all levels of the IS. The MFO must define specific protection objects at each level of the information infrastructure.
2.3. To counter information security threats and to prevent and eliminate the adverse consequences of their impact on operational, credit, and other risks, the MFO must ensure a necessary and sufficient level of information security. The MFO's information security activities must be strictly controlled by the MFO's management bodies.
Information Security Threats and Their Sources
3.1. The most dangerous (significant) information security threats (methods of causing damage to subjects of information relations) are:
violation of confidentiality (disclosure, leakage) of information constituting banking or commercial secrets, as well as personal data;
violation of operability (disorganization of work) of the IS, blocking access to information, violation of technological processes, and failure to solve tasks in a timely manner;
violation of integrity (distortion, substitution, destruction) of information, software, and other resources, as well as falsification (forgery) of documents.
3.2. The main sources of information security threats are:
unintentional (erroneous, accidental, thoughtless, without malicious intent or selfish goals) violations of established regulations for collecting, processing, and transmitting information, as well as other actions by personnel during IS operation, leading to unproductive time and resource costs, disclosure of limited-circulation information, loss of valuable information, or violation of operability of individual workstations, subsystems, or the entire system;
intentional actions (for selfish purposes, under coercion by third parties, with malicious intent, etc.) of employees allowed to work with the IS, as well as employees responsible for maintaining, administering software and hardware, protection means, and ensuring information security;
activities of criminal groups and formations, political and economic structures, as well as individual persons to obtain information, impose false information, and disrupt the operability of the system as a whole and its individual components;
errors made in the design of the IS and its protection systems, errors in software, failures, and malfunctions of technical means (including information protection means and control of protection effectiveness);
actions of computer viruses;
accidents, natural disasters, etc.
Main Tasks of the Information Security Assurance System
4.1. To achieve the main goal of information protection and its processing system, the security system must ensure the effective solution of the following tasks:
protection against interference in the functioning process of the IS by unregistered persons (the ability to use the automated system and access its resources must be available only to users registered in the established manner);
separation of access of registered users to hardware, software, and information resources (access is possible only to those resources and execution of only those operations with them that are necessary for specific users to perform their official duties);
protection against unauthorized access:
to information circulating in the microfinance sector;
to computing equipment;
to hardware, software, and cryptographic protection means;
registration of user actions when using protected resources in system logs and periodic control of the correctness of user actions by analyzing the contents of these logs;
control of integrity (ensuring immutability) of the program execution environment and its restoration in case of violation;
protection against unauthorized modification and control of integrity of used software means, as well as protection of the system from the introduction of unauthorized programs, including computer viruses;
protection of limited-circulation information from leakage via technical channels during its processing, storage, and transmission via communication channels;
protection of limited-circulation information, stored, processed, and transmitted via communication channels, from unauthorized disclosure or distortion;
authentication of users participating in information exchange (confirmation of the authenticity of the sender and recipient of information);
ensuring the functioning of cryptographic information protection means in the event of compromise of part of the key system;
timely identification of information security threat sources, causes, and conditions contributing to damage to interested subjects of information relations, creation of a mechanism for rapid response to information security threats and negative trends;
creation of conditions for minimizing and localizing damage caused by unlawful actions of physical and legal persons, weakening of negative influence, and elimination of consequences of information security violations;
provision of a set of technical and procedural measures to protect against unauthorized access from Internet network users.
4.2. The stated main protection goals and the solution of the above-listed tasks are achieved:
through strict accounting of all system resources subject to protection (information, tasks, communication channels, servers, automated workstations, etc.);
through regulation of information processing processes subject to protection using automation means and actions of employees of structural subdivisions using the IS, as well as actions of personnel performing maintenance and modification of software and technical means, based on organizational and administrative documents on information security assurance;
through completeness, real feasibility, and consistency of requirements of organizational and administrative documents on information security assurance;
through appointment and training of officials (employees) responsible for organizing and implementing practical measures to ensure information security and its processing processes;
through granting each employee (user) the minimum necessary authority to access IS resources to perform their functional duties;
through clear knowledge and strict compliance by all employees using and maintaining hardware and software means with the requirements of organizational and administrative documents on information security assurance;
through personal responsibility of each employee participating, within the framework of their functional duties, in automated information processing processes and having access to IS resources for their actions;
through implementation of information processing technological processes using a set of organizational and technical measures to protect software, technical means, and data;
through the application of physical and technical (software-hardware) means to protect system resources and continuous administrative support of their use;
through separation of information flows, providing for prevention of information of a higher confidentiality level entering carriers and files with a lower confidentiality level, as well as prohibiting the transmission of limited-circulation information via unprotected communication channels;
through effective control over employees' compliance with information security assurance requirements;
through constant analysis of the effectiveness and sufficiency of adopted measures and information protection means, and development and implementation of proposals for improving the information protection system.
Structure and Functionality of Information Systems
5.1. IS security is recommended to be built based on the specific structure of the IS, taking into account the features of its individual elements. All elements of IS security assurance are functionally divided into several levels.
Hardware Level – related to ensuring security in the use of IS equipment. The hardware level must include technical means to protect against unauthorized use of equipment, its destruction or theft, to ensure equipment fault tolerance, as well as its restoration or replacement.
Application Level – related to ensuring security in the use of resources by IS users through application programs. The application level must have its own protection means against unauthorized operations by users working with application programs.
System Level – related to managing access to operating system resources. At this level, direct interaction with users occurs, application programs are launched, and interaction between the IS and users is managed. Due to the special importance of the system level, special attention must be paid to protecting system resources from unauthorized access.
Network Level – related to managing access to information resources within the local computer network of the MFO. Information security at the network level is ensured by means of user authentication and separation of access to computer network resources.
External Level – determines the interaction of the IS with resources of IS of other MFOs and banking institutions, as well as with its own remote IS. Since IS are critically important from the perspective of security assurance, they must be closed to any other IS. Thus, the external level must be limited exclusively to the MFO's IS. At the external level, protection must be ensured against unauthorized receipt of information by external users, as well as against unauthorized receipt of information by own users from external IS, and unauthorized transmission of information by own users to external IS.
5.2. All data processed in the IS, as well as the corresponding application software intended for their processing, are recommended to be divided into categories.
General Information – information for which unauthorized access is not associated with losses. This category includes general information indirectly related to the activities of the MFO, or not related to the activities of the MFO, or freely distributed. Security measures are not applied to protect this information.
Useful Information – information that can be restored without significant costs, and its alteration or destruction entails relatively small material losses. This category includes, for example, some information marked "for official use only" and other non-secret information directly related to the activities of the MFO. Ordinary security measures are applied to protect this information to ensure its integrity.
Important Information – information necessary for the activities of the MFO, the restoration process of which is either impossible or associated with significant costs. Unauthorized access, alteration, or destruction of this information entails significant material or moral losses. This category includes information marked "for official use only" or "secret," directly affecting the normal operation of the MFO. Special security measures are applied to protect this information to ensure its integrity and secrecy, providing for protection measures at the external and internal levels.
Critical Information – information without which the main functions of the MFO cannot be implemented. Unauthorized access, alteration, or destruction of this information entails especially large material or moral losses, up to complete bankruptcy of the MFO or cessation of its activities. This category includes information marked "of special importance" or "top secret," as well as information vital to the MFO, including all financial and payment documents of the MFO. Special security measures are applied to protect this information to ensure its integrity and secrecy at all levels, as well as authentication at the external level.
5.3. To ensure data secrecy in the IS at the hardware level, application level, and network level, normative security policy must be applied. All authorized operations for obtaining, changing, or destroying secret information, as well as attempts at unauthorized operations, must be registered in the system. Registered data on operations with secret information must be accessible only to the system administrator, as well as to the person or group of persons bearing personal responsibility for ensuring information security in the bank.
To ensure data secrecy in the IS at the external level, it is recommended to apply special information encoding means (cryptographic means) and firewalling.
5.4. Data integrity in the IS is recommended to be ensured by data duplication (including on a remote IS), constant backup of data, control of user authorities, and appropriate data protection at the external level.
5.5. Processing and storage of "general information" category data, as well as static data of the "useful information" category, may be organized on client machines as well as on specialized servers.
Processing and storage of dynamic data of the "useful information" category, as well as data of the "important information" and "critical information" categories, is recommended to be organized only on specialized servers.
5.6. Authorities of IS users of all categories must be determined based on their direct official duties established by corresponding job descriptions. User authorities in the IS must be established by information owners. When establishing user authorities, normative policy and segregation of authorities must be applied. Security personnel must control the establishment of user authorities for working with "important information" and "critical information" categories.
5.7. User registration in the information system is recommended to be performed at the specialized server level.
At the specialized server level, the following must be registered: user name, user personal password, network address, and its authorities. The user's personal password must be registered by the user themselves in accordance with password formation rules. No one except the user themselves should know their personal password. Periodic replacement of user passwords must be carried out at certain intervals and exclude password repetition. User personal passwords must be stored on the specialized server in an unreadable form. It is not allowed to record user personal passwords in any other form.
5.8. User identification in the IS is recommended to be organized at the specialized server level. Successful identification allows access to the information resources of the specialized server in accordance with the user's authorities. User identification at the specialized server level must be performed in conjunction with client machine identification. After a given number of unsuccessful user identification attempts, further attempts must be automatically blocked by the system.
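The registration and identification rules of 5.7 and 5.8 expressed as code. This is an added example, not part of the National Bank's recommendations and not software of any MFO; the choice of PBKDF2-HMAC-SHA256 with a per-user salt as the "unreadable form", a history of five previous passwords, a 90-day replacement interval, blocking after three failed attempts, a minimum-length formation rule and integer day numbers are all assumptions made for illustration. "Unreadable form" is satisfied by a salted, slow one-way digest, not by reversible encoding: the server never needs to read a password back, only to compare a fresh digest against the stored one, which is also what makes it possible to exclude repetition without keeping old passwords in clear.

```python
# Added example (not from the NBKR document): registration and identification
# on a "specialized server" as described in clauses 5.7 and 5.8.
# Assumptions for illustration: PBKDF2-HMAC-SHA256 for the "unreadable form",
# a history of 5 previous passwords, a 90-day rotation interval, blocking after
# 3 failed attempts, and calendar days represented as integer day numbers.
from __future__ import annotations
import hashlib
import hmac
import os
import re
from dataclasses import dataclass, field

PASSWORD_HISTORY = 5          # assumed: previous digests kept to exclude repetition
ROTATION_DAYS = 90            # assumed: maximum password age in days
MAX_FAILED_ATTEMPTS = 3       # assumed: attempts before automatic blocking
PBKDF2_ITERATIONS = 100_000   # assumed, kept low for a quick demo; raise in production
# assumed formation rule: at least 12 characters with lower case, upper case and a digit
PASSWORD_RULES = re.compile(r"^(?=.*[a-z])(?=.*[A-Z])(?=.*\d).{12,}$")


def derive(password: str, salt: bytes) -> bytes:
    """Salted, slow one-way digest: the stored 'unreadable form' of a password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


@dataclass
class UserRecord:
    name: str
    network_address: str          # client machine the user was registered from
    authorities: frozenset
    salt: bytes
    digest: bytes
    last_change_day: int
    history: list = field(default_factory=list)   # [(salt, digest), ...] of previous passwords
    failed_attempts: int = 0
    locked: bool = False


class CredentialServer:
    def __init__(self) -> None:
        self.users: dict[str, UserRecord] = {}
        self.log: list[tuple] = []    # every attempt is registered (clause 5.11)

    @staticmethod
    def _check_rules(password: str) -> None:
        if not PASSWORD_RULES.match(password):
            raise ValueError("password violates formation rules")

    def register(self, name, password, network_address, authorities, today: int) -> None:
        self._check_rules(password)
        salt = os.urandom(16)
        self.users[name] = UserRecord(name, network_address, frozenset(authorities),
                                      salt, derive(password, salt), today)
        self.log.append((today, "register", name, network_address))

    def change_password(self, name, new_password, today: int) -> None:
        user = self.users[name]
        self._check_rules(new_password)
        # Exclude repetition: compare against the current and the stored previous digests.
        for salt, digest in [(user.salt, user.digest)] + user.history:
            if hmac.compare_digest(derive(new_password, salt), digest):
                raise ValueError("password repetition is not allowed")
        user.history = ([(user.salt, user.digest)] + user.history)[:PASSWORD_HISTORY]
        user.salt = os.urandom(16)
        user.digest = derive(new_password, user.salt)
        user.last_change_day = today

    def identify(self, name, password, network_address, today: int) -> tuple[bool, str]:
        """Identification bound to the client machine; blocks after repeated failures."""
        user = self.users.get(name)
        if user is None:
            derive(password, bytes(16))   # same cost path: no user enumeration by timing
            return self._deny(today, name, network_address, "unknown user")
        if user.locked:
            return self._deny(today, name, network_address, "blocked")
        if network_address != user.network_address:
            return self._deny(today, name, network_address, "client machine mismatch")
        if not hmac.compare_digest(derive(password, user.salt), user.digest):
            user.failed_attempts += 1
            if user.failed_attempts >= MAX_FAILED_ATTEMPTS:
                user.locked = True
            return self._deny(today, name, network_address, "wrong password")
        if today - user.last_change_day > ROTATION_DAYS:
            return self._deny(today, name, network_address, "password expired")
        user.failed_attempts = 0
        self.log.append((today, "granted", name, network_address, ""))
        return True, "ok"

    def _deny(self, today, name, network_address, reason) -> tuple[bool, str]:
        self.log.append((today, "denied", name, network_address, reason))
        return False, reason


if __name__ == "__main__":
    srv = CredentialServer()
    srv.register("ivanov", "Correct-Horse-42", "10.0.0.12", {"loans:read"}, today=19000)
    print(srv.identify("ivanov", "Correct-Horse-42", "10.0.0.12", 19010))
    print(srv.identify("ivanov", "Correct-Horse-42", "10.0.0.99", 19010))
```

The client address is checked before the expensive derivation so that an attempt from an unregistered machine never reaches it; the address binding is only as strong as the network that delivers it, so it complements rather than replaces the password check. Unblocking a locked record is left to the administrator on purpose, which matches the text: the system blocks automatically, a person releases.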
5.9. Control of user authorities in the IS must be comprehensive and performed at all levels: hardware level, application level, system level, network level, and external level. At each level, user authorities for using system information resources must be clearly defined. User authorities must be established in accordance with an approved procedure. Current control of user authorities is recommended to be performed by the system administrator and security personnel. Information owners must keep logs of issued and revoked user authorities regarding their own information resources.
5.10. Current control of system configuration is recommended to be performed by the system administrator with the help of technical personnel. Any changes in the system configuration must be coordinated with security personnel.
5.11. All authorized operations for using IS resources, as well as attempts at unauthorized operations, must be registered in the system. Registered data must contain all necessary information for controlling user actions performed and be accessible only to system and database administrators, as well as security personnel.
5.12. The system administrator is recommended to report to the MFO security personnel at least once a month about all cases of violation or attempts to violate access rights to information resources during the reporting period.
The system administrator must immediately notify the MFO security personnel in case of violation or attempt to violate access rights to information resources regarding "important information" and "critical information" categories.
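How the monthly report and the immediate notifications of 5.12 can be produced from the records that 5.11 requires. This is an added example, not from the document and not any MFO's tooling; the record format (one line per operation with user, address, resource, category, operation and result), the sample lines, and the burst rule of three denials by one user within five minutes are constructed for illustration. The split into two functions mirrors the two paragraphs of 5.12: the immediate list is independent of any reporting period, the monthly report is bound to one.

```python
# Added example (not from the NBKR document): review of registered access
# attempts per clauses 5.11 and 5.12. The log format, the sample records and
# the burst threshold are assumptions constructed for this example.
from __future__ import annotations
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

RECORD = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) addr=(?P<addr>\S+) resource=(?P<resource>\S+) "
    r"category=(?P<category>general|useful|important|critical) "
    r"op=(?P<op>\S+) result=(?P<result>granted|denied)$"
)
IMMEDIATE_CATEGORIES = {"important", "critical"}   # 5.12, second paragraph
BURST_THRESHOLD = 3                                # assumed: denials by one user ...
BURST_WINDOW = timedelta(minutes=5)                # ... within this window

# Constructed sample records (not real MFO data).
SAMPLE_LOG = """\
2023-01-05T09:12:03 user=ivanov addr=10.0.0.12 resource=loan_ledger category=critical op=read result=granted
2023-01-05T09:14:41 user=sidorov addr=10.0.0.31 resource=loan_ledger category=critical op=write result=denied
2023-01-09T17:55:10 user=petrov addr=10.0.0.20 resource=staff_list category=useful op=read result=denied
2023-01-09T17:56:02 user=petrov addr=10.0.0.20 resource=staff_list category=useful op=read result=denied
2023-01-09T17:57:30 user=petrov addr=10.0.0.20 resource=staff_list category=useful op=read result=denied
2023-01-21T11:03:00 user=sidorov addr=10.0.0.31 resource=client_files category=important op=delete result=denied
2023-02-01T08:00:00 user=sidorov addr=10.0.0.31 resource=loan_ledger category=critical op=read result=denied
"""


def parse_records(text: str) -> list[dict]:
    """Parse the log text into dicts sorted by timestamp; reject anything unparseable
    rather than silently skipping it, since a gap in the record is itself a finding."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = RECORD.match(line.strip())
        if m is None:
            raise ValueError(f"unparseable record: {line!r}")
        rec = m.groupdict()
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        records.append(rec)
    return sorted(records, key=lambda r: r["ts"])


def immediate_notifications(records: list[dict]) -> list[tuple]:
    """Denied operations on 'important' or 'critical' data, to be escalated at once."""
    return [
        (r["ts"], r["user"], r["resource"], r["category"], r["op"])
        for r in records
        if r["result"] == "denied" and r["category"] in IMMEDIATE_CATEGORIES
    ]


def monthly_report(records: list[dict], year: int, month: int) -> dict:
    """All violations and attempted violations in one reporting month, with a
    simple burst detector for repeated denials by the same user."""
    denied = [r for r in records
              if r["result"] == "denied" and (r["ts"].year, r["ts"].month) == (year, month)]
    bursts = []
    recent: dict[str, list[datetime]] = defaultdict(list)
    for r in denied:
        stamps = recent[r["user"]]
        stamps.append(r["ts"])
        stamps[:] = [t for t in stamps if r["ts"] - t <= BURST_WINDOW]
        if len(stamps) >= BURST_THRESHOLD:
            bursts.append((r["user"], r["ts"]))
            stamps.clear()
    return {
        "period": f"{year:04d}-{month:02d}",
        "denied_total": len(denied),
        "denied_by_user": dict(Counter(r["user"] for r in denied)),
        "denied_by_resource": dict(Counter(r["resource"] for r in denied)),
        "bursts": bursts,
    }


if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG)
    for note in immediate_notifications(recs):
        print("NOTIFY NOW:", note)
    print(monthly_report(recs, 2023, 1))
```

The report is built only from denied records because that is what 5.12 asks the administrator to report; the granted records stay in the log for the periodic correctness review that 4.1 calls for, and the same parser serves both.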
5.13. It is recommended to create backups on magnetic media available for use in a specific IS. Backups are recommended to be created mandatorily for information of various categories, as well as for system and application software necessary for processing this information. Data carriers may include floppy disks, magnetic tapes, recordable optical digital disks, etc. All backups must have an identifier including the category of stored information, serial number, and date of the last backup. It is recommended to have duplicates of all backups. Backups and their duplicates must be stored separately (if possible in rooms remote from each other) in special containers providing protection against unauthorized access, electromagnetic radiation, thermal effects, mechanical effects, and maintaining internal air temperature and humidity at a specified level.
5.14. For "important information" and "critical information" categories, data recovery procedures from backups must be provided, as well as procedures for restoring normal equipment operation, replacing, and connecting its individual units in case of unauthorized or accidental violation of information integrity or its destruction. Descriptions of recovery procedures are recommended to be prepared in two copies and stored separately from backups.
5.15. All operations for backup, recovery from backups, replacement and connection of individual equipment units, as well as changes to IS configuration must be recorded in special journals by persons responsible for performing these operations. One journal must be with the security personnel, and the other with the system administrator.
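Backup identifiers, duplicates, verified recovery and the two journals of 5.13 to 5.15 in code. This is an added example, not from the document and not any MFO's procedure; the identifier layout (category code, four-digit serial number, date), SHA-256 as the integrity check and an in-memory stand-in for the storage media are assumptions. The point the text leaves implicit: record a digest of each backup at the time it is made, and verify a copy against that digest before restoring from it. Otherwise a damaged primary copy is restored silently while an intact duplicate sits unused in the other room.

```python
# Added example (not from the NBKR document): backup identifiers, duplicates,
# integrity-checked recovery and journaling per clauses 5.13 to 5.15.
# Identifier layout, SHA-256 and the in-memory "media" are assumptions.
from __future__ import annotations
import hashlib
from datetime import date

CATEGORY_CODES = {"general": "GEN", "useful": "USE", "important": "IMP", "critical": "CRT"}


def backup_identifier(category: str, serial: int, when: date) -> str:
    """5.13: identifier carries the information category, serial number and date."""
    return f"{CATEGORY_CODES[category]}-{serial:04d}-{when.isoformat()}"


def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class BackupSet:
    def __init__(self) -> None:
        self.media: dict[str, dict[str, bytes]] = {}   # identifier -> {"primary", "duplicate"}
        self.manifest: dict[str, str] = {}             # identifier -> sha256 recorded at backup time
        self.security_journal: list[tuple] = []        # 5.15: one journal with security personnel ...
        self.admin_journal: list[tuple] = []           # ... and one with the system administrator

    def _journal(self, operator: str, action: str, identifier: str, outcome: str) -> None:
        entry = (operator, action, identifier, outcome)
        self.security_journal.append(entry)
        self.admin_journal.append(entry)

    def create(self, data: bytes, category: str, serial: int, when: date, operator: str) -> str:
        ident = backup_identifier(category, serial, when)
        # Primary and duplicate are written separately (in practice to separate media
        # stored in separate rooms); both must match the manifest digest.
        self.media[ident] = {"primary": bytes(data), "duplicate": bytes(data)}
        self.manifest[ident] = digest(data)
        self._journal(operator, "backup", ident, "ok")
        return ident

    def restore(self, ident: str, operator: str) -> bytes:
        """5.14: verify each copy against the manifest before use; fall back to the
        duplicate when the primary is damaged, and refuse if neither is intact."""
        expected = self.manifest[ident]
        for copy in ("primary", "duplicate"):
            data = self.media[ident][copy]
            if digest(data) == expected:
                self._journal(operator, "restore", ident, f"ok from {copy}")
                return data
        self._journal(operator, "restore", ident, "failed: no intact copy")
        raise RuntimeError(f"no intact copy of {ident}")


if __name__ == "__main__":
    bs = BackupSet()
    ident = bs.create(b"ledger snapshot", "critical", 7, date(2023, 1, 20), operator="admin")
    bs.media[ident]["primary"] = b"ledger snapsh0t"   # simulate media damage on the primary
    print(ident, bs.restore(ident, "admin"))
    print(bs.security_journal)
```

The manifest should be stored with the recovery procedure descriptions rather than on the backup media themselves, for the same reason 5.14 keeps those descriptions separate: a digest that lives next to the data it protects is damaged or replaced together with it.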
5.16. For data transmission at the external level, it is recommended to use the most reliable communication lines and communication equipment corresponding to international standards. The use of non-standard equipment is not recommended.
For transmission of "critical information" category data, it is recommended to use special dedicated communication lines, and it is also recommended to provide backup communication lines or alternative information transmission methods. In case of using switched communication lines, it is recommended to apply special modems with automatic callback. Information about numbers, codes, and configuration of switched communication lines, as well as encoding keys and personal secret keys, must be classified as "critical information."
Protection of information at the external level should be organized comprehensively, using means