Financial and Capital Market Commission, Regulation No 49, Riga, 26 March 2014 (Financial and Capital Market Commission Council meeting minutes No 11, item 3).

Information System Security Regulations for Financial and Capital Market Participants

Issued in accordance with Section 50.8, sixth paragraph, and Section 50.9, eighth paragraph, of the Credit Institutions Law; Section 123.3, sixth paragraph, and Section 123.4, eighth paragraph, of the Financial Instruments Market Law; Section 50, second paragraph, of the Law on Insurance Companies and Supervision Thereof; Section 28, sixth paragraph, of the Law on Private Pension Funds; Section 7, first paragraph, point 1, of the Law on the Financial and Capital Market Commission; and Section 45 of the Law on Payment Services and Electronic Money.

I. General Provisions

1. The "Information System Security Regulations for Financial and Capital Market Participants" (hereinafter, the Regulations) are binding on financial and capital market participants registered in Latvia (hereinafter, market participant): credit institutions, credit unions, payment institutions, electronic money institutions, insurance companies, insurance intermediaries, private pension funds, regulated market organisers, the Latvian Central Depository, investment brokerage firms, investment management companies and alternative investment fund managers.
2. The aim of the Regulations is to limit the risks of the information systems (hereinafter also IS) that market participants use to provide services to their customers, to promote prudent IS risk management (risk appetite) in general, and to set uniform, structured requirements for IS security risk management by market participants.
3. The Regulations set minimum requirements. A market participant may introduce additional security measures depending on the classification levels of its information resources and on the risk analysis it performs, taking into account the services it provides, the number of its employees and its level of information technology (hereinafter IT) use.

II. Terms

4. Audit trail: records, available for analysis, that track data on specific IS events (access, input, modification, deletion, output, etc.).
5. Outsourcing provider: a third party that, at a market participant's request, provides IS operation, administration, development, security, audit or other services that the market participant needs in connection with its IS.
6. Security measures: technical or organisational measures that control IS risk and reduce it to an acceptable level.
7. Vulnerability: a weakness of an IS that allows a particular risk to materialise and affect IS security.
8. Information system: a system for the input, storage and processing of data that provides specific functions and gives users access to the data or information stored in it.
9. Confidentiality of information: ensuring that information is accessible only to authorised persons.
10. Integrity of information: the accuracy, correctness and completeness of information and of its processing methods.
11. Availability of information: the possibility for authorised persons to use information at a specified time and place.
12. Information resource: a unit of information (a data file or a record) that is stored and processed in an IS and is available to IS users, together with all IS input and output documents, regardless of media type.
13. Information resource holder: the person responsible for information resources, and for work with them, on behalf of the market participant.
14. Internet payment: a credit transfer, direct debit or electronic money transfer made via the internet.
15. Authentication factors (elements): features used for remote user authentication that are known only to the user (e.g. a password or PIN), that are in the possession of or belong only to the user (e.g. a code card, code calculator or mobile phone), or that are a unique characteristic of the user (e.g. a fingerprint).
16. IS security: the fulfilment of the IS confidentiality, integrity and availability requirements.
17. IS security incident: a harmful event or offence as a result of which IS security is or may be compromised (including attacks on computer networks or operating equipment that result or may result in unauthorised access to the IS or in denial of service).
18. IS user: a person who uses an IS within the limits of the authority granted to him or her.
19. IS risk: the probability, and the consequences, of an undesired event related to the operation of the IS that may prevent the organisation from fully and properly performing some of its duties or functions.
20. Strong authentication: authentication that uses at least two different authentication factors or elements, at least one of which is non-repeating (unique) and cannot easily be copied.
21. Technological resources: IS components, including system software, applications, utilities, system files, computers, network and hardware equipment, and other equipment that ensures IS operation.
22. Technological resource holder: the person responsible for technological resources, and for work with them, on behalf of the market participant.

III. Organisation of Information System Security

23. Management responsibility and support
23.1. The management of the market participant is responsible for the IS security policy and IT strategy and their implementation, for the duties and responsibilities of staff and the organisation of control, and for allocating adequate resources to the IS security and IS audit functions.
23.2. The objective of the IS security policy is to define the market participant's position on, and management's support for, IS security in line with the needs of the market participant and its customers.
24. Regulatory documents
24.1. The market participant approves a hierarchically structured set of documents that define IS management, including IS security management. In defining IS security management, the market participant sets the IS security objectives, roles and responsibilities, and the application of IS security measures.
24.2. The market participant documents at least those IS management processes whose failure may give rise to an IS security risk.
24.3. The market participant ensures that the regulatory documents are available to staff and kept up to date.
24.4. The market participant determines employees' liability for non-compliance with the regulatory documents.
24.5. The market participant prepares and maintains an up-to-date information and data flow diagram.
25. IS security (IS risk management) function (hereinafter, IS security function)
25.1. The market participant ensures an IS security function to implement IS risk control and IS security measures.
25.2. The IS security function of the market participant ensures at least:
25.2.1. development and updating of the IS security regulatory documents;
25.2.2. coordination of the IS classification and risk management process and identification of threats;
25.2.3. informing management about compliance with IS security requirements and about material IS security incidents;
25.2.4. monitoring of the security measures in place;
25.2.5. employee training and awareness on IS security;
25.2.6. IS security incident management;
25.2.7. participation in IS recovery and continuity planning.
25.3. The market participant ensures that the IS security function is independent of the IS development and maintenance functions and that it reports material IS security events directly to the market participant's management. If the person responsible for IS security combines this role with other duties, the principle of segregation of duties applies: the person who performs an activity may not also be the one who controls it.
26. IS audit function
26.1. The market participant ensures an IS audit function that provides an independent examination of the implementation of IS security measures.
26.2. The IS audit function may also be provided by an outsourcing provider.
26.3. By 1 March of each year, the market participant submits to the Financial and Capital Market Commission a list of the IS security audits performed in the previous year, specifying the subject and objectives of each audit and the auditor.
27. Outsourcing management
27.1. A market participant may use the services of a third party (an outsourcing provider). The market participant keeps a register of all outsourcing it uses.
27.2. Outsourcing does not release the market participant from the responsibilities laid down by law or by its contracts with its customers: it remains responsible for outsourced work to the same extent as for its own. If an IS is developed or maintained by an outsourcing provider, its security level may not be lower than that of the market participant's own IS.
27.3. Before deciding to procure outsourcing, the market participant assesses the provider, taking into account the service quality and security requirements, including availability, assesses the risks, and defines a strategy for terminating the service.
27.4. The market participant's contract with the outsourcing provider includes the requirements needed to control the outsourcing, for example a clear description of the service, security requirements, confidentiality obligations, the right to obtain the information needed to supervise the service, the provider's duty to report incidents immediately, and the right to terminate the contract.
27.5. When outsourcing, including cloud computing, the market participant retains the necessary control over information resources that contain information about its customers. The market participant's classified IS is physically or logically separated, in a secure manner, from the IS of the outsourcing provider's other clients. The market participant draws up, and regularly updates, a service exit plan providing for the return of data, software and technological resources and for the deletion of the customer information held by the provider.
27.6. The market participant monitors the quality of the outsourced service and controls its security, including by receiving reports on service quality and incidents.
27.7. A market participant that provides an outsourced service to third parties which use its IS, including its authentication, is obliged to control the outsourcing solution at the third party's company. The market participant informs its partners of the risks associated with the use of such services. If the security requirements are not met, the market participant is obliged to terminate the cooperation.

IV. Management of Information System Resources

28. Resource holders
28.1. The market participant designates in writing a holder for all IS resources (information and technological resources).
28.2. The information resource holder is responsible for:
28.2.1. classifying the information resources in his or her holding;
28.2.2. participating in the risk analysis of the information resources in his or her holding and of the related IS, and approving it;
28.2.3. approving IS access rights;
28.2.4. approving changes to the IS and their implementation;
28.2.5. determining the audit trail requirements;
28.2.6. cooperating with the technological resource holder on IS functionality and security.
28.3. The market participant trains information resource holders in their duties.
28.4. The technological resource holder is responsible for:
28.4.1. ensuring the physical and logical protection of technological resources;
28.4.2. cooperating with information resource holders to implement their requirements for information resources and for access to them;
28.4.3. participating in risk analysis, identifying the IS risks associated with the resources, and assessing those risks and their probability;
28.4.4. ensuring IS recovery procedures for cases where technological resources have been damaged and IS operation is disrupted or impossible;
28.4.5. cooperating with information resource holders on IS functionality and security.
28.5. The duties of a resource holder may be delegated to resource custodians, who act on the holder's instructions and are responsible day to day for the relevant IS resources or part of them.
29. IS classification
29.1. The objective of classification is to assess the importance of an IS and to ensure its protection according to its classification level. The market participant determines and documents the classification of each IS: its confidentiality, value and availability levels.
29.2. The confidentiality level of an IS is assigned by the market participant depending on the harm that could be caused to the owner of the information or to the market participant if persons who are not authorised gain access to the IS.
29.3. The value level of an IS is assigned by the market participant depending on the harm that could be caused to the owner of the information or to the market participant if IS integrity is not ensured.
29.4. The availability level of an IS is determined by the market participant according to its operational (business) needs, taking into account the harm that could be caused to the owner of the information or to the market participant if IS availability is not ensured; the market participant determines the permissible IS downtime (recovery time objective) and the permissible period for which data may be lost (recovery point objective).
29.5. The market participant uses a classification scheme that complies with these Regulations and has at least two levels in each classification category.
29.6. The market participant determines the requirements for the use and protection of classified information according to its classification level.

V. Risk Analysis and Management

30. The objectives of risk analysis and management are:
30.1. to establish the acceptable risk (risk limit or appetite);
30.2. to assess the probability of threats to the IS, i.e. of deliberate or negligent actions or omissions, or of possible events, that may cause an IS security incident;
30.3. to assess the possible harm to the owner of the information, to the market participant or to any other person if IS security is not ensured;
30.4. to determine the appropriate and necessary security measures if the risk is not acceptable;
30.5. to accept the residual risk after the security measures have been implemented (compliance with the set risk limits).
31. Risk analysis is a regular process. The market participant performs it throughout the IS life cycle, including at the start of an IS project, on significant changes to the IS, on the emergence of significant new threats, and when significant incidents occur or the total number of incidents increases.
32. The market participant performs risk analysis using an approved methodology. The market participant uses a risk analysis methodology that allows the objectives set out in paragraph 30 of these Regulations to be achieved effectively.
33. The market participant plans and implements security measures if the risk estimated in the risk analysis is not acceptable; for the planned security measures, it determines priorities, deadlines and responsible persons.
34. Security measures are intended to reduce the residual risk to an acceptable level. The market participant bases the choice of security measures on the proportionality of their cost to the possible losses.
VI. Role of Staff in Information System Security

35. As part of its IS risk management, the market participant takes measures against the IS security risks arising from employees' actions or omissions, defines the role of employees in IS security measures, and promotes staff awareness of the IS and of the need to protect it.
36. The market participant ensures that the level of knowledge of IS users is appropriate to their use of the IS.
37. The market participant familiarises employees with the regulatory documents before they start work.
38. The market participant determines for IS users:
38.1. liability for non-compliance with the documents regulating IS operation;
38.2. responsibility for all actions performed in the IS under the user's username;
38.3. the obligation to keep confidential the data that comes into the person's possession in the course of performing job duties;
38.4. the obligation to inform the appropriate person (e.g. the person responsible for IS security) of IS security incidents and threats.
39. Promoting security awareness
39.1. The market participant regularly and systematically takes measures to promote each employee's awareness of IS protection and of IS security in general (security awareness).
39.2. The market participant determines how, and how often, employees are informed and trained on IS security matters.
39.3. The market participant trains employees in the protection of classified information.

VII. Physical and Environmental Security

40. As part of its IS risk management, the market participant implements physical protection measures against undesired environmental factors (fire, flood, temperature, etc.), technical factors (inadequate power supply, electromagnetic exposure, etc.) and human factors (deliberate or unintentional damage, theft, etc.).
41. Physical protection of IS infrastructure (technological resources including servers, disk arrays, network equipment, cabling, etc., but excluding end-user technological resources)
41.1. The market participant operates the IS infrastructure in restricted-access premises whose physical protection ensures access only to authorised persons. Where technological necessity requires IS technological resources to operate outside restricted-access premises, they are physically secured. IS infrastructure premises are located in buildings where the probability of risks materialising is lower.
41.2. The market participant determines which persons may enter the premises referred to in paragraph 41.1 and keeps a record of their access. The list includes only persons whose job duties require physical access to the IS infrastructure.
41.3. Third parties may stay in IS infrastructure premises only in the presence of persons who have access rights to the IS infrastructure.
41.4. The market participant ensures that the indoor climate of the IS infrastructure premises (humidity, temperature, etc.) complies with the requirements of the manufacturers of the infrastructure hardware in use.
41.5. The market participant equips the IS infrastructure premises with security alarms and detectors.
41.6. The market participant places the workstations of staff who administer technological resources in separate restricted-access premises.
42. Physical protection of media
42.1. The market participant takes the necessary security measures for the physical protection of media, in whatever form (including removed disk drives, paper, flash memory cards, etc.), depending on the IS classification.
42.2. The market participant determines the procedure for the use, storage and secure destruction of media.
42.3. As part of media protection, the market participant physically protects output devices to prevent unauthorised acquisition of information resources (e.g. by protecting printing equipment and limiting the use of interfaces).
42.4. If media containing classified IS resources are to be destroyed, the market participant destroys them in a way that makes data recovery impossible.
43. The market participant takes additional physical protection measures depending on the IS classification level. Where necessary, physical protection measures may be compensated by logical protection (software and processes).

VIII. Management of Information System Access Rights

44. The market participant registers new IS users and grants, revokes and blocks access rights on the basis of a documented request approved by the information resource holder. The documentation method must allow effective control of the access rights currently in force.
45. The market participant assigns a unique user identifier to each IS user and administrator.
46. User authentication
46.1. The aim of user authentication is to ensure that a classified IS is used by the authorised owner of the user identifier.
46.2. The market participant determines the means of authentication (e.g. passwords, code calculators, private keys, biometric features) and the rules for their use, including the password rules (password length, complexity, validity period and restrictions on reuse).
46.3. Passwords are stored in the IS only in protected form (encrypted or, for passwords that are only ever verified, as a salted one-way hash). A password being entered may not be readable on the screen. A password is changed immediately if it has, or may have, become known to an unauthorised person.
46.4. When creating, delivering and activating an authentication feature, the market participant ensures that it is available only to the owner of the user identifier (including a secure personalisation and initial-password process).
46.5. Where the technology in use permits, in addition to the built-in administrator account the market participant creates an individual account for each administrator, to be used for day-to-day IS maintenance. Copies of IS administrator identifiers and passwords are stored in a secure location with restricted access, outside the network-connected technological resources.
47. The market participant determines IS access rights according to approved, documented roles or user profiles. An IS user has access only to the information and functions necessary for the performance of his or her duties. This requirement also applies when determining the rights of technical IS users (accounts).
48. On a change in, or termination of, the job duties of an IS user or administrator, the market participant immediately changes or blocks that user's or administrator's IS rights.
49. The market participant regularly reviews the access rights currently in force to verify compliance with paragraphs 47 and 48 of these Regulations.
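The review required by paragraph 49 is usually a reconciliation of three records: the accounts that actually exist in the IS, the HR register, and the approved role profiles of paragraph 47. The following Python is an added illustration of that reconciliation; it is not part of the Regulations and not any market participant's code. It flags accounts whose owner has left (paragraph 48), accounts holding rights outside their profile (paragraph 47, including technical accounts), identifiers used by more than one person (paragraph 45) and accounts with no known owner. The inventory, HR register and profile names are constructed for the example.

```python
"""Periodic access-rights review (paragraph 49) against paragraphs 45, 47 and 48.
Added example with constructed data; the profile scheme is an assumption."""
from collections import namedtuple
from typing import Dict, Iterable, List, Set, Tuple

Account = namedtuple("Account", "user_id owner system rights")  # rights: frozenset granted in the IS
Employee = namedtuple("Employee", "name status profile")         # status: "active" or "terminated"
Finding = namedtuple("Finding", "kind user_id system detail")

# Approved role profiles (paragraph 47): the rights each documented role may hold in each IS.
# Constructed for the example; a real scheme is approved by the information resource holder.
PROFILES: Dict[str, Dict[str, Set[str]]] = {
    "teller":    {"core-banking": {"view", "post"}},
    "dba":       {"core-banking": {"view", "post", "admin"}},
    "technical": {"core-banking": {"post"}},   # technical (account) users are bound by 47 as well
}


def review_access(accounts: Iterable[Account], hr: Iterable[Employee],
                  profiles: Dict[str, Dict[str, Set[str]]]) -> List[Finding]:
    """Return every deviation found; an empty list means the inventory passes the review."""
    findings: List[Finding] = []
    by_name = {e.name: e for e in hr}
    seen: Set[Tuple[str, str]] = set()
    for acc in accounts:
        key = (acc.system, acc.user_id)
        if key in seen:                                    # paragraph 45: identifiers must be unique
            findings.append(Finding("shared_identifier", acc.user_id, acc.system,
                                    "identifier used by more than one person"))
            continue
        seen.add(key)
        emp = by_name.get(acc.owner)
        if emp is None:                                    # nobody in HR owns this account
            findings.append(Finding("unknown_owner", acc.user_id, acc.system, acc.owner))
            continue
        if emp.status != "active":                         # paragraph 48: block on termination
            findings.append(Finding("terminated_owner", acc.user_id, acc.system, acc.owner))
            continue
        allowed = profiles.get(emp.profile, {}).get(acc.system, set())
        excess = set(acc.rights) - allowed
        if excess:                                         # paragraph 47: only what the role needs
            findings.append(Finding("excess_rights", acc.user_id, acc.system, ",".join(sorted(excess))))
    return findings


def sample_review() -> List[Finding]:
    """Constructed inventory that exercises each check once."""
    hr = [Employee("J. Doe", "active", "teller"), Employee("M. Smith", "terminated", "teller"),
          Employee("A. Admin", "active", "dba"), Employee("batch-svc", "active", "technical")]
    accounts = [
        Account("jdoe", "J. Doe", "core-banking", frozenset({"view", "post"})),            # compliant
        Account("msmith", "M. Smith", "core-banking", frozenset({"view"})),                 # left after termination
        Account("aadmin", "A. Admin", "core-banking", frozenset({"view", "post", "admin"})),# compliant
        Account("batch", "batch-svc", "core-banking", frozenset({"post", "admin"})),        # technical account with admin
        Account("ops", "J. Doe", "core-banking", frozenset({"view"})),
        Account("ops", "A. Admin", "core-banking", frozenset({"view"})),                    # same identifier, two people
        Account("ghost", "Unknown", "core-banking", frozenset({"view"})),                   # owner not in HR
    ]
    return review_access(accounts, hr, PROFILES)


if __name__ == "__main__":
    for f in sample_review():
        print(f"{f.kind:18} {f.system}/{f.user_id}: {f.detail}")
```

Feed the function the IS account export and the HR extract for the review date; each finding maps directly to the paragraph it violates, which makes the evidence for the audit function (paragraph 26) straightforward to keep.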
IX. Communications and Operations Management

50. For employees who perform IS maintenance, the market participant defines duties and responsibilities and ensures their substitutability and qualifications. Processes are controlled so as to ensure segregation of duties.
51. Configuration management and control
51.1. The market participant keeps an inventory of its technological resources and their current configuration.
51.2. The market participant determines how changes to technological resources are requested, authorised, tested and implemented.
51.3. As part of its IS risk control, the market participant controls and maintains the IS configuration, taking into account recommended security practices (hardening standards) and known system vulnerabilities.
51.4. As part of its IS risk control, the market participant makes the necessary changes to technological resources and reduces the functionality of standard configurations to what is required.
51.5. The market participant promptly performs the necessary IS standard software updates (including the installation of security fixes).
52. Protection of computer networks
52.1. The market participant separates its internal computer networks from external networks. Data flows between internal and external computer networks are allowed only for the services necessary for the market participant's functions.
52.2. The market participant prepares and maintains an up-to-date computer network and connection diagram.
52.3. The market participant regularly checks for the existence of external connections and ensures that only connections meeting its operational needs exist.
52.4. As part of its IS risk control, the market participant applies the necessary and possible additional data flow restrictions (including per application or site) between internal and external networks.
52.5. The market participant monitors its computer networks and vulnerabilities (including for malware).
52.6. If IS administration is performed from a remote location, the market participant uses cryptographic means (e.g. a virtual private network (VPN)) and secure (at least two-factor) user authentication.
52.7. If wireless data transmission technology is used, the market participant, as part of its IS risk management, provides additional protection so that only authorised use of the IS is possible.
53. Protection of personal computers and devices
53.1. The market participant determines which information resources may be stored on, and how to protect, personal data processing equipment, including desktop and portable computers (hereinafter PC), smartphones, tablets, etc.
53.2. Only software and configurations approved by the market participant are installed and used on PCs; the market participant also defines the procedure for, and takes measures for, protection against malicious software, e.g. antivirus software and software restriction policies.
53.3. The market participant limits PC functionality to the level required for work, including controlling the computer's ports and the connection of devices, controlling access to public network information (blacklisting, whitelisting), and logically separating access to public network (internet) information from the use of the organisation's internal IS, e.g. by virtualisation.
53.4. A PC is connected only to networks designated by the market participant.
53.5. The market participant ensures that, when a user leaves a PC unattended, IS use or a connection to the market participant's network can be resumed only after the user has authenticated again.
53.6. On PCs exposed to heightened physical security threats, including portable devices used outside the market participant's premises, classified information is transmitted and stored in encrypted form.
53.7. The market participant keeps records of all PCs used outside its premises, allowing the person using each device to be identified.
53.8. If the market participant allows employees to work using their own PCs, it defines the procedure for their use. This procedure must not lower the established IS security level.
53.9. If the market participant provides remote access to its IS from smartphones or tablets, security must be ensured in the event of an incident so that customer or market participant sensitive data cannot fall into the hands of third parties (e.g. protected access to the device, data not stored on the device or deleted automatically after the session).
54. Data backup
54.1. To limit risks to data integrity and availability, the market participant performs data backups.
54.2. The market participant documents its data backup procedures, defining which technological and operational data are covered by the backup and restoration of production information, how often and to what extent data backups are made, taking into account the permissible IS downtime (recovery time objective) and the period for which data may be lost (recovery point objective), and how often the backup and restore procedures are tested.
54.3. The market participant ensures that, at least for the IS providing services essential to the market participant or its customers, backups are made by a method that minimises risk (to data carriers physically or logically separate from the IS). Backup data are stored in a location geographically separate from the IS.
54.4. The market participant protects backup data against unauthorised use or damage.
55. IS monitoring
55.1. The market participant monitors its IS with at least the following objectives: to take preventive action to maintain IS security and to identify incidents in a timely manner. Monitoring measures are applied according to the IS classification.
55.2. The market participant regularly monitors its IS in order to:
55.2.1. identify internal and external threats in a timely manner;
55.2.2. identify and remedy system vulnerabilities;
55.2.3. detect and prevent unauthorised use of equipment and software;
55.2.4. control changes to the IS and equipment configuration;
55.2.5. monitor IS processes, equipment and availability.
56. Audit trail management
56.1. To identify user actions and IS operating errors, the market participant records, stores and analyses the audit trail.
56.2. The market participant's audit trail includes at least all successful and unsuccessful log-ins, with the corresponding time and user identifier. In addition, the audit trail records IS parameter changes, including operations on user accounts, to the extent that the technological solutions in use allow.
56.3. The market participant uses methods and tools that allow effective analysis of the audit trail. These tools are available only to authorised staff.
56.4. The market participant ensures the integrity of the audit trail.
56.5. The market participant synchronises the clocks of all its IS that are interconnected for data exchange or transaction processing.
57. Use of cryptography
57.1. The market participant uses cryptographic means depending on the confidentiality level of the information resource.
57.2. The market participant determines the cryptographic products to be used and their protection.

X. Security Management of Remote Services

58. A market participant that offers remote services to customers ensures security management of those services so as to minimise the customers' risks.
59. The market participant identifies customers and takes the other measures necessary so that the authentication features for remote services are received only by their owner. Customer authentication means (tools, software) are requested, delivered and activated in a secure manner.
60. For customers' internet payments, strong customer authentication is used. Payment limits are determined according to the customer's risk profile.
61. Customer data in transit are protected by cryptographic means.
Customer data in transit may be left unencrypted if the information contains no other customer data and the customer accepts the possible risks.
62. The market participant uses at least two-factor customer authentication with a repeating element (e.g. a code card), and may refrain from using the authentication specified in paragraph 60, for:
62.1. internet payments of a customer with a specific risk profile, subject to a daily limit that may not exceed EUR 5,000 and that, at the customer's request, can be reduced to as low as EUR 150;
62.2. internet payments to a beneficiary included in the list of payees approved by the customer (white list) using strong authentication, including in person at a customer service centre;
62.3. other services not listed in paragraph 60 that involve access to the customer's financial information, e.g. transaction history statements.
63. The market participant uses at least one-factor customer authentication, and may refrain from using the authentication specified in paragraph 60, where:
63.1. the operation takes place within the remote services of a single market participant and does not change the owner of the assets (including currency conversion and transfers between the customer's own accounts);
63.2. the internet payment is within a micropayment limit (EUR 30) with a corresponding daily limit (EUR 150);
63.3. the service allows viewing only information about the customer's own account that does not include third-party data, including the account balance, transaction history and account number;
63.4. the service involves the use of financial instruments (purchase/sale).
64. The customer's user access is blocked after at most five unsuccessful authentication attempts.
65. An inactive session is locked after at most fifteen minutes. The customer's user access is reactivated in a secure manner.
66. The customer is able to obtain, in near real time, information on the status of the transactions the customer has authorised (initiated and executed).
67. The market participant's customer security awareness programme provides customers with comprehensive information about the risks of remote services and about how to use the IS safely and effectively. Before giving a customer access to remote services, and thereafter on a regular basis, the market participant informs the customer about the rights and obligations of the market participant and the customer in their cooperation, the use of the service, payment initiation and authorisation, the security measures required on the customer's side (including the customer's workstation and mobile devices), the safe use of the authentication features and what to do if they are lost, and the measures for identifying possible fraudulent activity, including money mules.
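Paragraphs 60 to 65 together amount to a decision procedure: for each operation, the weakest authentication tier the text still allows, given the customer's white list, any reduced-authentication daily limit from paragraph 62.1 and what has already been spent today, followed by the lockout of paragraph 64 and the idle timeout of paragraph 65. The following Python encodes that procedure. It is an added example, not part of the Regulations and not any market participant's implementation; the EUR figures are the ones in the text, while the operation names, field names and the counting of today's spend are this example's own assumptions.

```python
"""Minimum customer authentication tier and access lockout for remote services,
following paragraphs 60 to 65. Added example; limits are the EUR figures in the
text, operation and field names are assumptions."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional, Set

STRONG = "strong"                               # paragraph 60 / term 20
TWO_FACTOR_REPEATING = "two_factor_repeating"   # paragraph 62, e.g. password + code card
ONE_FACTOR = "one_factor"                       # paragraph 63

MAX_REDUCED_DAILY_LIMIT = 5000.0    # 62.1: reduced-authentication daily limit may not exceed this
MIN_REDUCED_DAILY_LIMIT = 150.0     # 62.1: the customer may lower it, but no further than this
MICROPAYMENT_LIMIT = 30.0           # 63.2: single micropayment
MICROPAYMENT_DAILY_LIMIT = 150.0    # 63.2: daily micropayment total
MAX_FAILED_ATTEMPTS = 5             # paragraph 64
SESSION_IDLE_LIMIT = timedelta(minutes=15)  # paragraph 65


@dataclass
class Customer:
    whitelist: Set[str] = field(default_factory=set)  # 62.2: payees approved under strong authentication
    reduced_auth_daily_limit: Optional[float] = None  # 62.1: None when the risk profile does not allow it
    spent_reduced_today: float = 0.0                  # payments already made today under 62.1
    spent_micro_today: float = 0.0                    # micropayments already made today under 63.2


def required_tier(operation: str, customer: Customer,
                  amount: float = 0.0, beneficiary: str = "") -> str:
    """Weakest tier the Regulations permit for the operation; a stronger one is always acceptable."""
    if operation in ("own_account_transfer", "view_own_account", "financial_instruments"):
        return ONE_FACTOR                              # 63.1, 63.3, 63.4
    if operation == "financial_info":
        return TWO_FACTOR_REPEATING                    # 62.3
    if operation != "internet_payment":
        raise ValueError(f"unknown operation {operation!r}")
    if amount <= 0:
        raise ValueError("payment amount must be positive")
    if amount <= MICROPAYMENT_LIMIT and customer.spent_micro_today + amount <= MICROPAYMENT_DAILY_LIMIT:
        return ONE_FACTOR                              # 63.2
    if beneficiary and beneficiary in customer.whitelist:
        return TWO_FACTOR_REPEATING                    # 62.2
    limit = customer.reduced_auth_daily_limit
    if limit is not None:
        if not MIN_REDUCED_DAILY_LIMIT <= limit <= MAX_REDUCED_DAILY_LIMIT:
            raise ValueError("reduced-authentication daily limit outside the 62.1 bounds")
        if customer.spent_reduced_today + amount <= limit:
            return TWO_FACTOR_REPEATING                # 62.1
    return STRONG                                      # 60: default for internet payments


@dataclass
class AccessState:
    failed_attempts: int = 0
    blocked: bool = False
    last_activity: Optional[datetime] = None


def record_login(state: AccessState, success: bool, now: datetime) -> bool:
    """Paragraph 64: the fifth consecutive failure blocks access. Returns whether the login is accepted."""
    if state.blocked:
        return False
    if success:
        state.failed_attempts = 0
        state.last_activity = now
        return True
    state.failed_attempts += 1
    if state.failed_attempts >= MAX_FAILED_ATTEMPTS:
        state.blocked = True      # reactivation only through the secure procedure of paragraph 65
    return False


def touch_session(state: AccessState, now: datetime) -> bool:
    """Paragraph 65: lock a session idle for more than fifteen minutes; otherwise extend it."""
    if state.blocked or state.last_activity is None or now - state.last_activity > SESSION_IDLE_LIMIT:
        state.last_activity = None
        return False
    state.last_activity = now
    return True
```

The function returns the minimum, not the recommended, tier: a market participant's own risk analysis (Section V) may require more, and paragraph 60 remains the default whenever none of the 62 or 63 conditions is met, which is why the 62.1 bounds are validated rather than trusted.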
68. When communicating with customers, the market participant assesses the content of the information and, where necessary, uses a secure communication channel, e.g. internet banking, that ensures the authenticity of the information provided.
69. The market participant monitors internet payments, identifies payments that match specific, regularly updated patterns, and suspends them in order to prevent fraudulent transactions proactively. The right to stop the execution of a possibly fraudulent payment must be provided for in the mutual agreement with the customer.
70. Before deploying a remote service, when new threats emerge, and when making significant changes to the IS, the market participant performs security checks or tests.
71. The market participant keeps, for at least 13 months, the audit trail of connections to the remote service and of rejected connections (including the source IP address and time), of user transactions, and of the other information needed to identify transactions.

XI. Information System Development and Change Management

72. The market participant manages the IS development and change management processes so as to minimise the security risks to the IS being developed and to other related IS.
73. The market participant defines the IS development, acquisition, testing, implementation and change management processes.
74. Starting IS development
74.1. The market participant appoints a person responsible for the IS project and, in accordance with these Regulations, designates the resource holders of the IS being developed.
74.2. The person responsible for the project performs a risk analysis of the IS being developed and of the IS it may affect, and defines the IS security requirements and risk control measures.
74.3. The holder of the resources of the IS being developed, in cooperation with the employees responsible for IS security, defines the IS security requirements.
75. IS development
75.1. The market participant separates the development environment from the production environment.
75.2. The market participant documents each IS. The documentation contains the information needed for the quality use, maintenance and change management of the IS (e.g. the IS description and the IS administrator and user instructions).
75.3. The market participant stores and uses the documentation according to its classification level.
76. IS testing
76.1. Before an IS is put into use, the market participant tests it according to a test plan. The test plan covers the functional requirements and also includes IS security testing.
76.2. The market participant separates the test environment from the production environment.
76.3. Production data are not used in test and development environments; if, for the purpose of mitigating IS security risk, production data must be used in a test or development environment, the same security measures are applied to them as in the production environment (including access rights, authentication and audit trail procedures).
77. IS implementation
77.1. An IS is put into use with the authorisation of its resource holders, certifying that testing has been completed and the IS is ready for implementation.
77.2. Before an IS is put into use, the market participant trains the employees concerned.
77.3. The market participant ensures IS version control.
78. Change management
78.1. Changes are made only with the authorisation of the holders of the IS concerned.
78.2. The market participant analyses how the changes will affect the existing security measures and the access rights granted to the IS, and ensures that the changes do not lower the IS security level.
78.3. The market participant updates the IS documentation accordingly.
78.4. The market participant draws up guidance on actions in the event of emergency (unplanned) changes and determines who is authorised to decide on emergency changes.
78.5. The market participant determines measures to reduce the need for emergency changes and takes measures to prevent unauthorised changes.
79. When an IS is taken out of use by disposing of it or transferring it to another person, including where the market participant ceases a type of activity supported by the IS, the market participant takes the necessary security measures, including a risk analysis.

XII. Incident Management

80. The objective of incident management is to minimise the impact of IS security incidents on the market participant's customers and operations and to reduce the risk of their recurrence.
81. The market participant establishes, and implements in practice, an IS security incident management process that includes at least:
81.1. IS security incident identification;
81.2. incident containment and remediation;
81.3. recording of the incident in an incident register;
81.4. IS security incident analysis (including causes and risk mitigation measures) and management information activities;
81.5. preservation of the necessary evidence.
82. By 1 March of each year, the market participant submits to the Financial and Capital Market Commission a list of the IS security incidents recorded in the previous year, including information on incident groups or categories, the incident impact assessment and the total number of incidents at each impact level.
83. IS recovery
83.1. The market participant ensures timely recovery of IS operation and data in the event of IS downtime.
83.2. The market participant develops an IS recovery plan in accordance with its business continuity plan.
83.3. The IS recovery plan includes the IS services to be restored in order of priority, the resources to be used, the actions to be performed and the responsible employees.
83.4. In accordance with the procedure it has established, the market participant regularly trains the employees involved in the IS recovery processes, tests the plan in a documented manner, and amends it to keep it up to date.
XIII. concluding issues 84.62.60. Of rules and paragraph shall enter into force and apply to those market participants that contract customers about remoting services, starting with January 1, 2015, while for the rest of the market's customers points that shall enter into force by 1 January 2017. 85. in paragraph 69 of the Regulation shall enter into force by January 1, 2016. 86. Customers who contract for remoting services shut down by 2014. December 31, the market operator, offering access to these services by 2016 31 December you can use at least two-factor client authentication to the repeating element, such as a code card. 87. With the entry into force of these provisions force loses financial and capital market Commission 8 October 2010 regulations No. 270 "financial and capital market participants in terms of security of information systems". Financial and capital market Commission President k. Zakuli States