Bank information security documents
The development of digital technologies for processing banking information makes information security especially relevant. According to FinCERT (Center for Monitoring and Responding to Computer Attacks in the Banking Sector), cyber-thefts are far more relevant today than "classic" robberies. The activities of all financial institutions operating in the Russian Federation are regulated by the Central Bank. It assesses information security threats and the likelihood that they will be realized, estimates the resulting financial losses, and develops proposals for preventing them. The services that protect banking information and the confidentiality of payment transactions rely in their work on the bank information security documents developed by the country's leadership and the Central Bank of Russia.
Basic documents on data protection in Russian banks
These include laws and regulations setting out the requirements for organizing the secure operation of banks, as well as regulations developed by the Central Bank of the Russian Federation. As new information threats emerge, they are amended and supplemented.
Federal Law "On the National Payment System"
Articles 27 and 28 of this law ("Ensuring the protection of information in the payment system" and "Risk management in the payment system") state that the following are responsible for protecting information:
- organizations involved in money transfers (payment system operators);
- persons supplying equipment for electronic payments and for electronic correspondence with bank customers;
- developers of the applications used to make payments: programs for paying for goods and services, topping up the balance of an electronic bank card and withdrawing cash from it.
Money transfer operators and service providers inform the Central Bank of the Russian Federation about any incidents involving attempts by outsiders to withdraw money from accounts or cards. The Central Bank maintains a database of such incidents, and in response the organizations receive recommendations for countering fraudsters and strengthening information security.
The list of incidents related to unauthorized monetary transactions is agreed with the FSB of Russia and published in the following Central Bank of the Russian Federation documents:
- Bank of Russia Standard (STO BR) "Security of Financial Transactions";
- FinCERT BR Incident Handling (ASOI) Participant Handbook.
These include, in particular, violations such as the introduction of virus programs, the posting online of prohibited content and phishing sites, and the use of social engineering techniques by fraudsters.
Regulation of the Central Bank "On requirements for ensuring the protection of information"
It specifies what information requires protection and which organizations' activities are supervised by the Central Bank of Russia. It notes that the following information must not be disclosed:
- data on payment transactions, the amount of money transferred, the conditions for spending money from the bank account;
- personal data of bank clients and plastic card holders;
- details of the methods and hardware used to encrypt information;
- information about the balance on bank accounts or electronic cards.
The document states that employees of financial institutions must have limited access to confidential information, and that information security must be ensured at every stage of processing and using secret data. Unauthorized access to the system by outsiders must be prevented, and the system must be protected from the introduction of virus programs. It must be made impossible to steal money via the Internet, ATMs or payment terminals (when making payments and withdrawing cash).
Financial and credit institutions, including their branches, must have an information security service. Its tasks are to instruct personnel on protecting confidentiality, to develop, implement and improve protective measures, and to analyze and eliminate the causes of violations.
The regulation states that in order to fulfill all these requirements, the following is necessary:
- careful identification and authentication of employees working with confidential information, and minimizing their access to the system;
- compliance with the rules for authorizing clients, using electronic signatures, recording the actions of users of the payment system;
- double control over the work of employees when performing particularly important operations;
- involvement of employees of the information security service in measures to create or improve information systems;
- use of software certified by the FSTEC of the Russian Federation and meeting information security requirements;
- creation of instructions for Internet banking users, covering methods of detecting malicious programs, changing access passwords and protecting against data leakage;
- compliance with the rules for receiving, sending and storing electronic messages related to monetary transactions;
- annual testing of the state of information security in financial institutions to detect vulnerabilities.
Every two years, payment system operators and financial infrastructure service providers are assessed for compliance with security measures and with the requirements for safe operation. The analysis is carried out by FSTEC.
The assessment is based on reports submitted in several forms:
- 0403202 - on the requirements for ensuring information security when transferring money;
- 0403203 - on non-compliance by operators with the terms of rendering money transfer services;
- 0409258 - on illegal actions with electronic cards.
The Central Bank's provisions note that information about money transfers made, the actions of operators and any incidents that arise (for example, money withdrawn without the customer's knowledge) must be stored in the database in encrypted form for 5 years.
Document of the Central Bank of Russia "Main directions of development of information security in the credit and financial sector for 2019-2020"
The Central Bank of the Russian Federation notifies financial institutions about the emergence of new types of cyber attacks and regulates how to respond to the actions of cybercriminals.
The document speaks of the need to pay increased attention to assessing the level of cyber risk in each financial institution.
It proposes measures to ensure that institutions are ready to withstand cyber attacks and to strengthen protection against such threats, together with a procedure for assessing information risks and the material costs of covering possible losses.
The documents related to the information security of the banking system address the protection of confidential data and the prevention of offenses in the field of payment services. The Central Bank of Russia plays the leading role in overseeing the financial system, and the work of information security services in financial organizations is based on its regulations. These regulations address the danger of theft using malicious computer programs and of direct deception of people through social engineering techniques, and they stress the importance of assessing the threats and risks of theft of citizens' personal data. Methods are being developed to counter cyber risks and to identify violations associated with intrusions into the information systems of financial organizations.