Bank Information Security Policy - DOC by sxa13295


Bank Information Security Policy document sample

Information Security Policy JSC “UkrSibbank” (external)




Kyiv – 2009

Table of Contents

1. Introduction .......................................................... 3
2. Purpose of the Policy ................................................. 3
3. Scope of Application .................................................. 3
4. The Bank’s Policy in the Field of Information Security ................ 3
   4.1. Assets Classification ............................................ 3
   4.2. Security Criteria Classification ................................. 4
   4.3. Access Management ................................................ 4
5. Roles and Responsibilities ............................................ 4
6. Security Incidents Response ........................................... 5
7. Policy Review ......................................................... 5




1. Introduction

The Information Security Policy (the Policy) is the set of documents that describes and regulates the information security management system of JSCIB “UkrSibbank” (the Bank). The Policy complies fully with the requirements of Ukrainian legislation and international agreements, is based on the BNP Paribas Group Information Security Policy, and follows the recommendations of the international standards ISO/IEC 27001:2005, ISO/IEC 17799:2005 and PCI DSS.

2. Purpose of the Policy

The purpose of the Policy is to implement and effectively manage an information security system designed to protect the Bank’s information assets, ensure the Bank’s business continuity, mitigate information security risks, and contribute to the Bank’s positive reputation and its relationship of trust with customers.
The main task of information security is the protection of the Bank’s information assets against internal and external threats, whether deliberate or accidental.

3. Scope of Application

The Policy covers all aspects of the Bank’s activity and applies to all of the Bank’s assets whose absence or damage could have a material impact on the final product.

4. The Bank’s Policy in the Field of Information Security

4.1. Assets Classification

The following asset types are considered the main objects of information security measures:
- information assets: information and data of any kind that is received, stored, processed, transferred or disclosed, including the knowledge of the Bank’s employees and partners, files and databases, documentation, user guides, training materials, procedure descriptions, archived information, etc.;
- software: application software, system software, server-based software and any other software, regardless of how it was obtained (purchased, developed in-house, shareware), used in the Bank by employees and systems for operations and for interaction with customers and with other internal and external systems, etc.;
- physical assets: employees, the IT environment (servers, workstations, firewalls, printers, copying machines, telecommunications equipment, communication equipment, routers, PABXs, fax machines, modems, etc.), information-carrying media (digital tapes, discs, etc.), furniture, premises, production equipment, other technical facilities, etc.;
- service assets: computing and communication services (Internet, email, communication channels, etc.), other technical services (heating, lighting, power supply, air conditioning, alarm and monitoring systems), all services related to the receipt, offer, use, handover and destruction of assets, and all legal entities and individuals, organizations, institutions and companies (as well as their employees) whose services the Bank uses for the receipt, use, handover and destruction of assets.
Possible risks and the methods of minimizing them are determined for each asset, i.e. the Bank uses a risk-informed approach.



4.2. Security Criteria Classification

Potential risks to assets are evaluated according to four main security criteria:
- Availability – ensuring access at any time to the Bank’s information and related assets and services, in accordance with users’ rights and authorities and to the minimum required extent. The Bank’s business continuity plans must be drafted for various critical situations.
- Integrity – protection of the accuracy/authenticity and completeness of assets as well as of information processing methods.
- Confidentiality – ensuring that information and assets are available only to officially authorized persons and users, and only to the minimum required extent.
- Proof – ensuring that it is possible to identify who did what, and when, with the Bank’s information assets, and ensuring non-repudiation of the actions performed.

Subjects – everything and everyone that may affect objects directly or indirectly.

4.3. Access Management

The Policy regulates: access and password management, clear assignment of roles and responsibilities, determination of security requirements for each asset, implementation of the Policy in information systems, maintenance of the required security level, information security training for employees, security control of information systems, incident management, classification of information and ensuring its confidentiality, antivirus protection, backup, licensing transparency, inbound/outbound control of computer equipment, physical security, monitoring of compliance with the Policy, and other information security aspects.

5. Roles and Responsibilities

The Bank’s management and top management are well aware that the Bank’s information security is a foundation of the Bank’s activity; therefore the Information Security Coordination Council has been created and operates permanently, and its decisions are binding on all of the Bank’s employees.
The Policy documents are drafted by the Information Technology Security Unit. Permanent control over the Policy’s implementation, execution, upgrading and updating is also vested in the Information Technology Security Unit.
The Bank’s management and top management contribute to the creation, implementation, control and maintenance of the Policy.
Decisions and recommendations of the Security Department on information security are final and binding on all of the Bank’s employees.
The Bank’s information technology development strategy and all projects related to information assets must be consistent with the Information Security Policy.
Every employee of the Bank takes part in maintaining the required level of the Bank’s information security. Within the scope of their functions and authorities, employees shall follow, and be responsible for observing, the Policy, legislative and international rules and the Bank’s internal regulations, and shall be liable for their violation in accordance with Ukrainian law and the Bank’s internal regulatory documents.
The Policy documentation is available to all employees inside the Bank and is drafted to assist in the implementation and execution of the Policy.
To reduce the risk of information security incidents caused by ignorance, the Bank shall provide, by all available means, systematic training in information security norms for its employees and, where possible, for its customers.
Business continuity plans for various critical situations are drafted, exercised, systematically tested and updated.

6. Security Incidents Response

Employees shall notify their immediate superior, as well as the Bank’s dedicated entity in charge of incident management, of every information security incident. The Policy stipulates the appropriate analysis of, and response to, the various kinds of incident. Tested preventive measures relevant to such incidents must be taken.

7. Policy Review

Special measures are taken to keep the Policy constantly up to date. The Policy is reviewed as necessary, but at least once in 18 months, upon the creation and/or modification of the Bank’s assets and/or new technologies, and in the event of legal or regulatory developments.



