Standard for outsourcing financial system information security developed


The Bank of Russia in cooperation with the professional community has developed a standard that establishes the procedure for ensuring the information security of financial institutions when using outsourced services.

The standard is intended for banks, NFIs, national payment system constituent entities and financial market participants. Its provisions are particularly important for small and medium-sized organisations that need to establish an information security framework and maintain it at an acceptable level while facing a shortage of financial and personnel resources.

The standard defines the risk factors for information security violations when using outsourced services and establishes the requirements for managing, controlling and assessing such risks. Moreover, the standard determines the remit and responsibilities of financial institutions' managers when outsourcing information security services, establishes the criteria for assessing service providers and sets the requirements for the contents of outsourcing agreements.

In particular, the document specifies that financial institutions can choose between three models of cooperation with outsourcers: long-term, medium-term and short-term. In the first case, the outsourcer continuously monitors and responds to cyber attacks and builds and maintains the cyber risk counteraction framework. In the second case, a financial institution engages an outsourcer to complete a technologically complex project, e.g. to build its own cyber attack monitoring and response centre. The third model assumes that a financial institution engages an outsourcer when the cyber risk level is elevated.

The standard becomes effective on 1 July 2018. Its provisions are for advisory purposes only. Their mandatory application may be considered in the future.

30 March 2018
