Regulation of RBPO. Part 2 – Requirements in the financial industry

Hi all!

This is Albina Askerova, Head of Regulatory Relations at Swordfish Security. We continue the series of articles devoted to the regulation of secure software development (SSD; the Russian abbreviation RBPO is used below).

The first article, about the general requirements, is available at the link (there you can also see what is planned for the following materials). Today we will go through the requirements for companies in the financial industry.

Let me remind you that we are considering all regulations that relate to information security and the secure development process, as well as those that can be partially satisfied by implementing DevSecOps practices. This will not be brief, since the Bank of Russia (BR) turned out to have 13 documents in force!

Caveat

While we were doing the analysis, draft updates to 3 of these 13 documents appeared (but we will talk about trends in the 5th article). I would like the speed of adoption of new regulation to reach a new level, but I believe that by the time part 5 is released this article will still be relevant, so for now we will consider the regulation currently in force.

For convenience, we divide the regulation in the financial industry into 2 blocks: for credit organizations and for non-credit financial organizations; there is also a set of general requirements.

To understand the terminology:

1. Credit

Article 1 of Federal Law No. 395-1 “On Banks and Banking Activities”

Credit organization – a legal entity that, with profit as the main goal of its activities, has the right to carry out the banking operations provided for by this Federal Law on the basis of a special permit (license) of the Central Bank of the Russian Federation (Bank of Russia). A credit organization is formed as a business company on the basis of any form of ownership.

Bank – a credit organization that has the exclusive right to carry out the following banking operations in aggregate: attracting funds of individuals and legal entities as deposits, placing these funds on its own behalf and at its own expense on terms of repayment, payment and maturity, and opening and maintaining bank accounts of individuals and legal entities.

A complete list of operating credit organizations is published at the link.

2. Non-credit

Article 76.1 of Federal Law No. 86-FZ “On the Central Bank of the Russian Federation (Bank of Russia)”

Non-credit financial organizations are persons engaged in the following types of activities:

1) professional participants in the securities market;

2) management companies of an investment fund, mutual investment fund and non-state pension fund;

3) specialized depositories of an investment fund, mutual investment fund and non-state pension fund;

4) joint-stock investment funds;

5) clearing activities;

6) activities to perform the functions of a central counterparty;

7) activities of the trade organizer;

8) activities of the central depository;

9) repository activities;

10) activities of insurance business entities;

11) non-state pension funds;

12) microfinance organizations;

13) credit consumer cooperatives;

14) housing savings cooperatives;

15) agricultural credit consumer cooperatives;

16) activities of the operator of the investment platform;

17) pawnshops;

18) financial platform operator;

19) operators of information systems in which digital financial assets are issued;

20) digital financial asset exchange operators.

The documents also mention credit history bureaus and credit rating agencies.

If your company belongs to any industry on the list, then you are in the right place. And if not, stay anyway, because who knows where your career path will lead?

So, let's gaze into the depths of the ocean for 5 seconds, wipe away the tears, smile and continue!

General requirements

  1. GOST R 57580.1-2017 “Security of financial (banking) operations. Protection of information of financial organizations. Basic set of organizational and technical measures”

The standard defines the basic set of organizational and technical information protection measures for financial organizations, grouped into processes, and three levels of information protection (minimal, standard, enhanced).

Like any GOST, it is applied voluntarily, and becomes mandatory when a regulatory document refers to it.

Requirements relevant to secure development practices are in clause 7.4, which describes process 3, “Control of the integrity and security of the information infrastructure” (measure code TsZI).

Clause 7.4.1. The measures used by the financial organization to control the integrity and security of the information infrastructure must ensure:

– monitoring the absence of known information security vulnerabilities of informatization objects;

– organization and control of placement, storage and updating of information infrastructure software;

– control of the composition and integrity of information infrastructure software;

– registration of information security events related to the results of monitoring the integrity and security of the information infrastructure.

The full set of TsZI measures is described in clauses 7.4.2-7.4.5.

  2. Methodological document of the Bank of Russia (2021) “Protection profile of application software for automated systems and applications of credit organizations and non-credit financial organizations”

This document is intended for companies that create application software for automated systems and applications of credit organizations and non-credit financial organizations, as well as for organizations that assess software for compliance with security requirements, including vulnerability analysis and checks for the absence of undeclared capabilities. The latter include applicants for product certification, certification bodies, testing laboratories and organizations that independently conduct conformity assessment.

The document can be used when developing software for credit and non-credit financial organizations, but only if the software is not classified as a CII (critical information infrastructure) object.

Requirements for RBPO:

The document establishes security assurance requirements for the object of evaluation, among which is the assurance class “Vulnerability Assessment”. Section 7.4 specifies the requirements for the secure life cycle of the object of evaluation. Essentially, it describes secure by design and maximum shift left. It is a large and detailed section; open it at page 140 and study all of it.

Let me remind you that a methodological document becomes mandatory only when a binding document refers to it (in this case, a Bank of Russia Regulation).

  3. Regulation of the Bank of Russia No. 808-P dated October 17, 2022 “On the requirements for ensuring the protection of information when carrying out activities in the field of providing professional services in the financial market in order to counter the implementation of illegal financial transactions…”

The Regulation establishes:

– requirements, mandatory for persons providing professional services in the financial market, for ensuring the protection of information when carrying out such activities in order to counter the implementation of illegal financial transactions;

– requirements for ensuring information protection by credit history bureaus;

– requirements for the safety and protection of information obtained in the course of the activities of credit rating agencies.

What about RBPO:

Clause 2.4. For processing, storing and transmitting information, credit history bureaus must use application software of automated systems that has either been certified in the relevant certification system of the federal executive body authorized in the field of countering technical intelligence and technical information protection (FSTEC of Russia), or assessed for compliance with the requirements of an evaluation assurance level (EAL, Russian OUD) not lower than EAL 4 as provided for in clause 7.6 of the national standard GOST R ISO/IEC 15408-3-2013.

  4. Methodological recommendations of the Bank of Russia No. 16-MR dated September 30, 2024 “On organizing the interaction of information systems of financial market organizations with the infrastructure that ensures information and technological interaction of information systems used to provide state and municipal services and perform state and municipal functions in electronic form”

Quite fresh: it is not even a month old.

The methodological recommendations were developed to ensure a unified approach to organizing the interaction of financial organizations' information systems with the Gosuslugi (State Services) infrastructure. The document can be used by credit and non-credit financial organizations when connecting to Gosuslugi / ESIA (the Unified Identification and Authentication System).

And what about RBPO?

Clause 2.8 of the recommendations indicates the mandatory implementation of GOST R 57580.1-2017, which contains such protection measures as “monitoring the absence of known (described) information security vulnerabilities in informatization objects”, “controlling the placement, storage and updating of information infrastructure software” and “controlling the composition and integrity of information infrastructure software” (measure codes TsZI.X).

Requirements for credit institutions

  1. Regulation of the Bank of Russia No. 683-P dated April 17, 2019 “On the establishment of mandatory requirements for credit institutions to ensure the protection of information when carrying out banking activities in order to counteract the implementation of money transfers without the client’s consent”

The requirements apply to ensuring the protection of information in automated funds transfer systems.

Requirements for RBPO:

Clause 3.1 of the Regulation indicates the mandatory implementation of GOST R 57580.1-2017, which contains such protection measures as “monitoring the absence of known (described) information security vulnerabilities in informatization objects”, “controlling the placement, storage and updating of information infrastructure software” and “controlling the composition and integrity of information infrastructure software” (measure codes TsZI.X).

Clause 3.2 of the Regulation establishes annual penetration testing and analysis of information security vulnerabilities of information infrastructure objects.

Clause 4.1. Credit institutions must, for banking operations, use application software of automated systems and applications that the credit institution distributes to clients for performing actions in order to carry out banking operations, as well as software that processes protected information on the segments used to receive electronic messages for execution in automated systems and applications via the information and telecommunications network “Internet” (hereinafter the “Internet”), that has either been certified in the certification system of the Federal Service for Technical and Export Control (FSTEC of Russia) or assessed for compliance with the requirements of an evaluation assurance level (EAL, Russian OUD) not lower than EAL 4.

EAL 4, in turn, includes mandatory vulnerability analysis (the AVA_VAN assurance family).

  2. Regulation of the Bank of Russia No. 716-P dated April 8, 2020 “On the requirements for the operational risk management system in a credit institution and a banking group”

A credit institution and the parent credit institution of a banking group must organize operational risk management in accordance with this Regulation.

Clause 1.4. For the purpose of unifying operational risk management, a credit institution (the parent credit institution of a banking group) identifies the types of operational risk whose management procedures are carried out by specialized units with the participation of the unit responsible for organizing operational risk management (excerpt):

the risk of the realization of information security threats caused by shortcomings in information security processes, including the implementation of technological and other measures, by shortcomings in the application software of automated systems and applications, and by the inconsistency of these processes with the activities of the credit institution.

Requirements for RBPO are found in Chapters 7 and 8 of the Regulation:

Chapter 7, “Information Security Risk Management”, contains a requirement for annual penetration testing and analysis of information security vulnerabilities of information infrastructure objects in accordance with subclause 3.2 of clause 3 of Bank of Russia Regulation No. 683-P.

Chapter 8, “Information Systems Risk Management”, contains a requirement for annual vulnerability testing of information systems and (or) their components and other sources of information systems risk, as well as the development of a set of measures aimed at eliminating the identified vulnerabilities of information systems and (or) other sources of information systems risk.

  3. Regulation of the Bank of Russia No. 787-P dated January 12, 2022 “On mandatory requirements for credit institutions for operational reliability when carrying out banking activities in order to ensure continuity of the provision of banking services”

The Regulation establishes mandatory operational reliability requirements for credit institutions when carrying out banking activities in order to ensure the continuity of the provision of banking services.

Requirements for RBPO:

Clause 6.1. Credit institutions, in relation to elements that are significant CII objects, must comply with the requirements for ensuring the security of significant CII objects established in accordance with paragraph 4 of part 3 of Article 6 of Federal Law No. 187-FZ dated July 26, 2017.

Clause 6.2. Credit institutions must ensure compliance with the following requirements for managing changes in the critical architecture:

– management of vulnerabilities in the critical architecture through which information threats can be realized and which can lead to exceeding the target operational reliability indicators;

– management of vulnerabilities and updates (patches) of information infrastructure objects.

  4. Regulation of the Bank of Russia No. 802-P dated July 25, 2022 “On requirements for information protection in the payment system of the Bank of Russia”

These requirements must be met by direct participants in the Bank of Russia payment system that are exchange participants, namely credit institutions (their branches) and international financial organizations (hereinafter exchange participants); by an operational center or payment clearing center of another payment system when providing operational and payment clearing services for money transfers using the fast payment service (OPCC SBP); and by the operator of information exchange services when providing exchange participants with information exchange services for money transfers using the fast payment service (OUIO SBP).

RBPO-related measures:

Clause 3 of the Regulation indicates the mandatory implementation of GOST R 57580.1-2017, which contains such protection measures as “monitoring the absence of known (described) information security vulnerabilities in informatization objects”, “controlling the placement, storage and updating of information infrastructure software” and “controlling the composition and integrity of information infrastructure software” (measure codes TsZI.X).

  5. Regulation of the Bank of Russia No. 820-P dated August 3, 2023 “On the digital ruble platform”

The Regulation establishes requirements for participants and users of the digital ruble platform.

RBPO requirements:

Clause 2.1. When performing transactions with digital rubles within the digital ruble platform, platform participants comply with the information security requirements established by the Bank of Russia on the basis of clause 7 of part 1 of Article 30.7 of Federal Law No. 161-FZ. Those requirements are set out in Bank of Russia Regulation No. 833-P dated December 7, 2023 (reviewed below).

  6. Regulation of the Bank of Russia No. 821-P dated August 17, 2023 “On requirements for ensuring the protection of information when making money transfers and on the procedure for the Bank of Russia to monitor compliance with the requirements for ensuring the protection of information when making money transfers”

The Regulation establishes information protection requirements for funds transfer operators, bank payment agents (subagents), information exchange service operators, payment application providers, payment system operators, payment infrastructure service operators and electronic platform operators when making money transfers, as well as the procedure by which the Bank of Russia monitors compliance with information security requirements when making money transfers within the framework of its supervision of the national payment system.

Requirements for RBPO:

Clause 1.1 (paragraph 2) of the Regulation indicates the mandatory implementation of GOST R 57580.1-2017, which contains such protection measures as “monitoring the absence of known (described) information security vulnerabilities in informatization objects”, “controlling the placement, storage and updating of information infrastructure software” and “controlling the composition and integrity of information infrastructure software” (measure codes TsZI.X).

Clause 1.1 (paragraph 3) of the Regulation indicates mandatory annual penetration testing of the information infrastructure and analysis of information security vulnerabilities of information infrastructure objects.

Clause 1.2 establishes the need to use application software that has passed conformity assessment against the requirements of an evaluation assurance level (EAL, Russian OUD) not lower than EAL 4.

EAL 4, in turn, includes mandatory vulnerability analysis.

Clause 9.1. When ensuring the security of information infrastructure objects that are CII objects, the CII requirements established by the FSTEC of Russia and the FSB of Russia also apply.

The CII requirements that contain secure development requirements will be discussed in the next article.

  7. Regulation of the Bank of Russia No. 833-P dated December 7, 2023 “On requirements for ensuring information protection for participants of the digital ruble platform”

The Regulation establishes requirements for ensuring the protection of information for participants in the digital ruble platform.

About RBPO:

Clause 4.1 of the Regulation indicates the mandatory implementation of GOST R 57580.1-2017, which contains such protection measures as “monitoring the absence of known (described) information security vulnerabilities in informatization objects”, “controlling the placement, storage and updating of information infrastructure software” and “controlling the composition and integrity of information infrastructure software” (measure codes TsZI.X).

Clause 1 of the Requirements (appendix to the Regulation) establishes requirements for the process of developing, testing and operating the client application: there must be a documented process for developing, testing and operating the client application, including descriptions of the implemented measures, controls and checks to ensure information security, as well as a version control and change management process for the software that implements the client application.

Clause 2 of the Requirements (appendix to the Regulation) establishes the security requirements for the client application.

Clause 3 of the Requirements (appendix to the Regulation) establishes organizational and technical measures aimed at meeting the security requirements for the mobile application.

Requirements for non-credit financial organizations

  1. Regulation of the Bank of Russia No. 757-P dated April 20, 2021 “On the establishment of mandatory requirements for non-credit financial organizations to ensure the protection of information when carrying out activities in the field of financial markets in order to counter the implementation of illegal financial transactions”

The requirements apply to ensuring the protection of information when carrying out activities in the financial markets in order to counter illegal financial transactions.

What about RBPO:

Clause 1.4 of the Regulation indicates the mandatory implementation of GOST R 57580.1-2017, which contains such protection measures as “monitoring the absence of known (described) information security vulnerabilities in informatization objects”, “controlling the placement, storage and updating of information infrastructure software” and “controlling the composition and integrity of information infrastructure software” (measure codes TsZI.X).

Clause 1.4.5. Non-credit financial organizations implementing the enhanced level of information protection and those implementing the standard level (hereinafter collectively, non-credit financial organizations implementing the enhanced and standard levels of information protection) must carry out annual penetration testing of information infrastructure objects and analysis of their information security vulnerabilities.

Clause 1.8. Non-credit financial organizations implementing the enhanced and standard levels of information protection must, for financial transactions, use application software of automated systems and applications that they distribute to clients for performing actions in order to carry out financial transactions, as well as software that processes protected information when receiving electronic messages for execution in automated systems and applications via the Internet, that has either been certified in the FSTEC of Russia certification system or assessed for compliance with the requirements of an evaluation assurance level (EAL, Russian OUD) not lower than EAL 4.

EAL 4, in turn, includes mandatory vulnerability analysis.

  2. Regulation of the Bank of Russia No. 779-P dated November 15, 2021 “On the establishment of mandatory requirements for non-credit financial organizations for operational reliability when carrying out the types of activities provided for in part one of Article 76.1 of Federal Law No. 86-FZ of July 10, 2002 ‘On the Central Bank of the Russian Federation (Bank of Russia)’, in order to ensure the continuity of the provision of financial services (except for banking services)”

The Regulation establishes mandatory operational reliability requirements for non-credit financial organizations.

About RBPO:

Clause 1.5. Non-credit financial organizations required to comply with the enhanced, standard or minimum level of information protection must ensure the following requirements for managing changes in the critical architecture as part of ensuring operational reliability:

– management of vulnerabilities in critical architecture…;

– management of vulnerabilities and updates (patches) of the information infrastructure objects of non-credit financial organizations.

There are a lot of requirements, but money likes to be counted, and what will there be to count if financial companies do not protect, at the proper level, the products through which such important transactions pass?

In the next article we will talk about an equally important area – critical information infrastructure.

By the way, as I noted in the first article, if your product is not only fintech but also a CII object, look at the CII protection requirements too.

If something is missing from the review, share it in the comments!

P.S. Anyone who has ever taken part in rule-making knows how hard it is to put letters into words and words into sentences so as to account for all the nuances in a minimum of text, yet so far what we see is what we see. Still, I would like to believe, and to urge, that when requirements are developed (and in general in any communication, except books, of course), the text is simplified as much as possible for the “consumer” of that information, taking the already huge cognitive load off the end user (developer, security specialist, etc.).
