Financial And Capital Market Information System Security The Legislative Provisions

Original Language Title: Finanšu un kapitāla tirgus dalībnieku informācijas sistēmu drošības normatīvie noteikumi

Financial and Capital Market Commission Regulation No. 278, Riga, 8 October 2010 (Financial and Capital Market Commission Council meeting, Protocol No. 2, p. 39)

Regulations on the Security of Information Systems of Financial and Capital Market Participants

Issued in accordance with the Credit Institutions Law, Article 50.8, sixth paragraph, and Article 50.9, eighth paragraph; the Financial Instruments Market Law, Article 123.3, sixth paragraph, and Article 123.4, eighth paragraph; the Law on Insurance Companies and Supervision Thereof, Article 50, second paragraph; the Law "On Private Pension Funds", Article 28, sixth paragraph; and the Financial and Capital Market Commission Law, Article 7, first paragraph, point 1.

I. General Provisions

1. The "Regulations on the Security of Information Systems of Financial and Capital Market Participants" (hereinafter the Regulations) are binding on financial and capital market participants registered in Latvia (hereinafter market participants): credit institutions, credit unions, payment institutions, insurance companies, insurance intermediaries, private pension funds, regulated market organisers, the Latvian Central Depository, investment brokerage companies and investment management companies.
2. The aim of the Regulations is to limit the risks of the information systems (hereinafter IS) used to serve market participants and their customers, and to set uniform, structured requirements for IS security risk management by market participants.
3. The Regulations set minimum requirements. A market participant may introduce additional security measures depending on the classification level of its information resources and on the risk analysis it has carried out, taking into account the services it provides, its number of employees and its level of information technology (hereinafter IT) use.
II. Terms

4. Audit trail: records available for analysis that track data on specific IS events (access, input, change, deletion, output, etc.).
5. Outsourcing provider: a third party that, at the request of the market participant, provides IS maintenance, development, security, audit or another related service needed by the market participant.
6. Security measures: technical or organisational measures that implement risk management and reduce IS risk to an acceptable level.
7. Vulnerability: a weakness of an IS that allows a particular risk to materialise and affect IS security.
8. Information provider: the person who submitted information to the market participant, or the person to whom information contained in the IS relates (for example, a customer of the market participant).
9. Information system: a system for the input, storage and processing of data that provides specific functions and provides user access to the data or information stored in it.
10. Confidentiality of information: provision of access to information only to authorised persons.
11. Integrity of information: the accuracy, correctness and completeness of information and of its processing methods.
12. Availability of information: the possibility for authorised persons to use information at a specific time and place.
13. Information resource: a unit of information, comprising a data file, that is stored and processed in an IS and available to IS users, as well as all IS input and output documents, regardless of media type.
14. Information resource holder: a person who is responsible for information resources and for work with them on behalf of the market participant.
15. IS security: the confidentiality, integrity and availability requirements of an IS.
16. IS security incident: an adverse event or offence as a result of which IS security is or may be compromised (including attacks on a computer network or on equipment that result or may result in unauthorised access to the IS or denial of service).
17. IS user: a person who uses an IS within the limits of the powers conferred on them.
18. IS resources: the information resources referred to in paragraph 13 and the technological resources referred to in paragraph 21 of these Regulations.
19. IS resource holder: an information resource holder or a technological resource holder.
20. Risk: the possible inability of the organisation, related to IS operation, to perform fully and with quality any of its obligations or functions, expressed as the likelihood of an unwanted event and its consequences.
21. Technological resources: IS components, including system software, applications, utilities, system files, computers, networks, hardware and other equipment that ensure IS operation.
22. Technological resource holder: a person who is responsible for technological resources and for work with them on behalf of the market participant.
III. Organisation of Information System Security

23. Management responsibility and support
23.1. The management of the market participant is responsible for the IS security policy and IT strategy and their implementation, for the duties and responsibilities of staff, for the organisation of control, and for allocating adequate resources to the IS security and IS audit functions.
23.2. The objective of the IS security policy is to define the position of the market participant and the support of its management for IS security, in line with the needs of the market participant and its customers.
24. Regulatory documents
24.1. The market participant approves a hierarchically structured set of documents that define IS management, including IS security management and IS security measures.
24.2. The market participant documents at least those IS management processes whose failure can create an IS security risk.
24.3. The market participant ensures that the regulatory documents are available to staff and are kept up to date.
24.4. The market participant determines the liability of employees for non-compliance with the regulatory documents.
25. IS security function
25.1. The market participant establishes an IS security function to control risk and to implement IS security measures.
25.2. Within the market participant, the IS security function ensures at least:
25.2.1. development and updating of the IS security regulatory documents;
25.2.2. coordination of the IS classification and risk management processes;
25.2.3. informing management about compliance with the security requirements and about relevant IS security incidents;
25.2.4. monitoring of the security measures laid down;
25.2.5. training and informing employees about IS security;
25.2.6. IS security incident resolution and investigation;
25.2.7. participation in IS recovery and continuity planning.
25.3. The market participant ensures that the IS security function is independent of the IS development and maintenance functions. If an IS security officer performs these duties in combination, the principle of separation of duties is followed: the person performing an activity may not be the one who controls it.
26. IS audit function
26.1. The market participant establishes an IS audit function to ensure independent examination of the implementation of IS security measures.
26.2. The audit function may also be provided by an outsourcing provider.
26.3. By 1 March of each year, the market participant submits to the Financial and Capital Market Commission a list of the IS security audits performed in the previous year, specifying the subject and objectives of each audit and the auditor.
27. Outsourcing management
27.1. IS maintenance, IT development or security of the market participant may be provided by a third party, the outsourcing provider.
27.2. Before taking a decision to procure outsourcing, the market participant carries out a risk assessment.
27.3. If an IS is developed or maintained by an outsourcing provider, its security level may not be lower than that required by these Regulations and by the market participant.
27.4. The market participant monitors the outsourcing. Procuring outsourcing does not exempt the market participant from the responsibility determined by law or by its contracts with customers: it is responsible for outsourced work to the same extent as for its own.
IV. Information System Resource Management

28. Resource ownership
28.1. The market participant designates in writing the IS resource holder of all information and technological resources.
28.2. The information resource holder is responsible for the following:
28.2.1. classifying the information resources in his holding;
28.2.2. participating in the risk analysis of the information resources in his holding and of the related IS;
28.2.3. confirming IS access rights;
28.2.4. approving changes to the IS and their implementation;
28.2.5. determining the requirements for creating the audit trail;
28.2.6. collaborating with the technological resource holder on IS functionality and security.
28.3. The market participant provides information resource holders with training in their duties.
28.4. The technological resource holder is responsible for the following:
28.4.1. providing physical and logical protection of the technological resources;
28.4.2. collaborating with the information resource holders to enforce their requirements regarding information resources and access to them;
28.4.3. participating in risk analysis, identifying the risks associated with the resources and IS processes, and assessing the likelihood of these risks;
28.4.4. ensuring IS recovery procedures if technological resources have been damaged and IS operation is disrupted or impossible;
28.4.5. collaborating with the information resource holder on IS functionality and security.
28.5. The performance of resource holder obligations may be assigned to resource custodians, who report to the holders and are responsible day to day for the relevant IS resources or part of them.
29. IS classification
29.1. The objective of classification is to assess the importance of an IS and to ensure its protection according to its classification level. The market participant determines and documents the classification of all IS, specifying the confidentiality, value and availability levels.
29.2. The confidentiality level of an IS is assigned by the market participant depending on the damage that could be caused to the information provider or the market participant if the IS were accessed by unauthorised persons.
29.3. The value level of an IS is assigned by the market participant depending on the damage that could be caused to the information provider or the market participant if the integrity of the IS were not ensured.
29.4. The availability level of IS resources is determined by the market participant depending on its operating needs (business requirements), in view of the damage that could be caused to the information provider or the market participant if the availability of the resources were not ensured; the market participant also determines the allowable time during which the IS may be unavailable (recovery time objective) and the allowable period for which data may be lost (recovery point objective).
29.5. The market participant uses a classification scheme that complies with these Regulations and has at least two levels in each classification category.
29.6. In accordance with the classification level of information, the market participant determines the requirements for the use and protection of classified information.
V. Risk Analysis and Management

30. The objectives of risk analysis and management are:
30.1. to establish the permissible (acceptable) risk (risk limit);
30.2. to assess the likelihood of threats to the IS, that is, of intentional or negligent actions or omissions, or possible events, that may cause an IS security incident;
30.3. to assess the potential harm to the information provider, the market participant or any other person if IS security is not ensured;
30.4. to determine the appropriate and necessary security measures if the risk is not acceptable;
30.5. to accept the residual risk after implementation of the security measures (in compliance with the specified risk limits).
31. Risk analysis is a regular process. The market participant performs it throughout the IS life cycle, including when starting an IS project, before major changes to the IS, upon the emergence of new significant threats, and upon the occurrence of significant incidents or an increase in their total number.
32. The market participant conducts risk analysis using an approved methodology. The market participant uses a risk analysis methodology that allows it to meet effectively the objectives set out in paragraph 30 of these Regulations.
33. If the risk estimated in the risk analysis is not acceptable, the market participant plans and implements security measures, and for the planned security measures it determines priorities, deadlines and responsible persons.
34. Security measures are designed to reduce the residual risk to an acceptable level. The market participant bases its security measures on proportionality between their cost and the possible loss.
VI. Role of Staff in Information System Security

35. Within its risk management, the market participant carries out measures against the IS security risks resulting from employee acts or omissions, as well as measures that promote the role of employees in IS security and staff awareness of the importance of IS and the need to protect them.
36. The market participant ensures that the level of knowledge of IS users is appropriate to the needs of IS use.
37. The market participant familiarises employees with the regulatory documents before they start work.
38. The market participant determines for the IS user:
38.1. the responsibility for non-compliance with the regulatory documents on IS operation;
38.2. the responsibility for all activities carried out in the IS under his user code;
38.3. the obligation to maintain confidentiality regarding data that comes into the person's possession while carrying out job duties;
38.4. the obligation to inform the appropriate person (for example, the IS security officer) about IT security incidents and threats.
39. Promotion of security awareness
39.1. The market participant at regular intervals carries out systematic measures to promote each employee's awareness of IS protection and the general IS security awareness of employees (security awareness).
39.2. The market participant determines how and how often employees are informed and trained on IS security issues.
39.3. The market participant trains employees in the protection of classified information.
VII. Physical and Environmental Security Management

40. Within its risk management, the market participant carries out physical protection measures for the IS that protect it against unwanted environmental factors (fire, flooding, temperature, etc.), technical factors (inadequate electricity supply, exposure to electromagnetic fields, etc.) and human factors (intentional or unintentional damage, theft, etc.).
41. Physical protection of the IS infrastructure (technological resources, including disk arrays, servers, network equipment and cabling, etc., except end-user technological resources)
41.1. The market participant operates the IS infrastructure in restricted-access premises whose physical protection provides access only to authorised persons. If, out of technological necessity, IS technological resources operate outside the restricted-access premises, they are physically secured. IS infrastructure facilities are located in buildings where the likelihood of risks materialising is lower.
41.2. The market participant determines which persons may enter the premises referred to in paragraph 41.1 of these Regulations and keeps a register of their access. This list includes only persons whose work duties require physical access to the IS infrastructure.
41.3. Third parties may stay in the IS infrastructure facilities only in the presence of persons who have the right of access to the IS infrastructure.
41.4. The market participant ensures that the indoor climate of the IS infrastructure premises (humidity, temperature and the like) complies with the requirements of the manufacturers of the hardware used in the IS infrastructure.
41.5. The market participant equips the IS infrastructure premises with a security alarm and detectors.
41.6. The workplaces of the staff administering the technological resources of the market participant are located in separate restricted-access premises.
42. Physical protection of media
42.1. The market participant takes the necessary security measures for the physical protection of media, in whatever form (including removed drives, paper, flash memory cards and the like), depending on the IS classification.
42.2. The market participant determines the procedure by which used media are stored and safely destroyed.
42.3. Within media protection, the market participant ensures the physical protection of output devices, preventing unauthorised acquisition of information resources (for example, protection of printer equipment, limiting the use of interfaces).
42.4. If media containing sensitive IS resources are to be destroyed, the market participant does so in a way that makes it impossible to restore the data.
43. The market participant takes additional physical protection measures depending on the IS classification level. If necessary, physical protection measures may be offset by logical protection (software and processes).
VIII. Information System Access Rights Management

44. Registration of new IS users, and the assignment, cancellation and blocking of access rights, are carried out by the market participant in accordance with a documented request confirmed by the information resource holder. The documentation method must make effective control of current access rights possible.
45. Each IS user and administrator of the market participant is assigned a unique user code.
46. User authentication
46.1. The aim of user authentication is to make sure that a classified IS is being used by the authorised owner of the user code.
46.2. The market participant determines the means of authentication (for example, passwords, code calculators, private keys, biometric features, etc.), including the rules for password use (password length, complexity, validity period, limits on reuse).
46.3. The market participant ensures that IS passwords are protected against unauthorised access. Encryption may be used for this purpose. An entered password may not be legible on the screen. A password is changed immediately if it could have become, or has become, known to an unauthorised person.
46.4. When creating, delivering and enabling an authentication feature, the market participant ensures that it is available only to the owner of the user code (including secure personalisation and a secure user password creation process).
46.5. If the technology used by the market participant permits, in addition to the built-in administrator account the market participant creates an individual account for each administrator, which is used in daily IS maintenance. Copies of the IS administrator codes and passwords are stored in a secure location with limited access, outside the technological resources connected to the network.
47. IS access rights are determined by the market participant in accordance with approved, documented roles or user profiles. An IS user has access only to the information and functions necessary for the performance of his duties.
48. If the job duties of an IS user or administrator change or are terminated, the market participant immediately changes or blocks the user's or administrator's IS rights.
49. The market participant at regular intervals checks current access rights to control compliance with the requirements of paragraphs 47 and 48 of these Regulations.
IX. Communications and Operations Management

50. For employees performing IS maintenance, the market participant determines duties and responsibilities and ensures interchangeability and qualifications. In process control, separation of duties is ensured.
51. Configuration management and control
51.1. The market participant keeps a record of its technological resources and their current configuration.
51.2. The market participant determines how changes to technological resources are requested, authorised and tested.
51.3. Within its risk management, the market participant controls the configuration of the IS it maintains, taking into account security best-practice recommendations (hardening standards) and known system vulnerabilities.
51.4. Within its risk management, the market participant makes the necessary changes to the technological resources and reduces the functionality of standard configurations to the required amount.
51.5. The market participant promptly performs the necessary IS standard software updates (including the installation of security fixes).
52. Protection of computer networks
52.1. The market participant separates its internal computer networks from external networks. Data flow between the internal and external computer networks is allowed only for those services that are necessary for the functioning of the market participant.
52.2. The market participant establishes and maintains an up-to-date computer network and connection scheme.
52.3. The market participant conducts regular checks of existing external connections and makes sure that only those connections exist that meet its operational needs.
52.4. Within its risk management, the market participant applies the necessary and possible additional data flow restrictions (including application and site containment) between the internal and external networks.
52.5. The market participant monitors its computer networks for vulnerabilities (including malware).
52.6. If IS administration is performed from a remote location, the market participant uses cryptographic features (such as a virtual private network (VPN)) and secure (at least two-factor) user authentication.
52.7. If wireless data transmission technology is used, the market participant, within its risk management, provides additional protection to ensure only authorised use of the IS.
53. Protection of personal computers
53.1. The market participant determines which information resources may be stored on personal data processing equipment, including desktop and portable computers, smartphones and the like (hereinafter PCs).
53.2. Only software and configurations set by the market participant are installed and used on PCs; the market participant also lays down the procedure for, and takes measures for, protection against malicious programs (such as viruses).
53.3. The market participant limits PC functionality, as far as technologically possible, to the level of functions required for work, including controlling the computer's ports and allowing only the necessary connected equipment.
53.4. PCs are connected only to networks determined by the market participant.
53.5. The market participant ensures that when a user leaves a PC unattended, use of the IS or connection to the networks of the market participant can be resumed only after user authentication has been performed.
53.6. On PCs with an increased physical security threat (including portable equipment used outside the premises of the market participant, at partners and the like), classified information is stored in encrypted form. On such equipment the market participant stores only the information resources that a specific user needs for a specific time.
53.7. The market participant keeps records of all PCs in use outside its premises, to determine which person uses the equipment.
53.8. If the market participant allows employees to work using their own PCs, it determines the procedure for their use. This procedure must not reduce the established level of IS protection.
54. Data backup copying
54.1. To limit the risks to data integrity and availability, the market participant performs data backup copying.
54.2. The market participant develops a documented data backup procedure that determines what technology and operations are defined for backing up and restoring production data, how often and to what extent backup copies of the data are created, and how often the copy and restore procedures are tested.
54.3. The market participant ensures that, at least for the IS that provide essential services to the market participant or its customers, data backup copying is carried out by a method that minimises software risks (data storage media physically separated from the IS, such as tape). The data backup copies are stored in a location geographically separate from the IS.
54.4. Depending on the intensity of data change, the market participant determines the data backup frequency and the periodicity of creating backups (rotation cycle).
54.5. The market participant protects data backup copies against unauthorised use and damage.
55. Remote use of services
55.1. If the market participant provides customer services using external networks and transfers customer data (for example, internet banking services), it ensures the integrity and confidentiality of customer data.
55.2. When forwarding data, the market participant uses cryptographic features. The market participant uses secure (at least two-factor) user authentication (for example, in addition to the user name and password, code cards or calculators are also used).
55.3. The market participant need not use the security features set out in paragraph 55.2 of these Regulations if:
55.3.1. the remote service does not allow managing funds or other assets;
55.3.2. no information containing customer data is transferred;
55.3.3. the customer has been familiarised with the risks and accepts them.
55.4. The market participant protects transactions by determining additional authorisation and limits.
55.5. Before implementing a remote service and before making significant changes to the IS, the market participant performs security checks, analyses open vulnerabilities and applies the necessary security precautions.
55.6. The market participant stores for at least 12 months an audit trail of the use of the remote service and of refused connections (including source IP address and time), together with the information needed to identify user activity.
55.7. The market participant provides customers with full information about the risks of remote use of services and about how to use the IS safely.
56. IS monitoring
56.1. The market participant monitors the IS with at least the following objectives: taking preventive action to maintain IS security, and timely identification of incidents. Monitoring measures are applied according to the IS classification.
56.2. The market participant carries out regular IS monitoring for:
56.2.1. timely identification of both internal and external threats;
56.2.2. identifying and fixing system vulnerabilities;
56.2.3. monitoring and preventing unauthorised use of equipment and software;
56.2.4. controlling IS and equipment configuration changes;
56.2.5. monitoring IS processes, equipment and availability.
56.3. In order to identify user actions and IS operator errors, the market participant creates and analyses the audit trail.
56.4. The audit trail of the market participant includes at least all successful and unsuccessful connections, with the corresponding time and user codes.
56.5. The market participant ensures the integrity of the audit trail.
56.6. The market participant synchronises the time in all IS that are interconnected for data exchange or transaction processing.
57. Use of cryptography
57.1. The market participant uses cryptographic features depending on the confidentiality level of the information resource.
57.2. The market participant determines the cryptographic products to be used, as well as their protection.
X. Information System Development and Change Management

58. The market participant manages the IS development and change management processes so as to minimise the security risks to the IS being developed and to other related IS.
59. The market participant determines the regulatory documents for the IS development, acquisition, implementation and change management processes.
60. Starting IS development
60.1. When starting IS development, the market participant determines the persons responsible for the project, including the holders of the resources of the IS being developed, determined in accordance with these Regulations.
60.2. The persons responsible for the project carry out the risk analysis of the new IS and of the IS it can affect, and set the IS security requirements and risk control measures.
60.3. The holder of the resources of the IS being developed, in collaboration with the employees responsible for security, draws up the IS security requirements.
61. IS development
61.1. The market participant separates the IS development environment from the production environment.
61.2. The market participant documents each IS. The documentation contains the information needed to use the IS with quality and to perform its maintenance and change management (for example, the IS description, IS administrator and user instructions, etc.).
61.3. The market participant keeps and uses this documentation at the appropriate classification level.
62. IS testing
62.1. Before introducing an IS, the market participant performs tests according to a plan.
62.2. The market participant separates the IS test environment from the production environment.
62.3. Production data are not used in test and development environments; if, however, production data need to be used in a test or development environment for the purpose of mitigating IS security risks, the same security measures are applied to them as in the production environment (including access rights assignment, authentication and audit trail procedures).
63. IS introduction
63.1. An IS is introduced with the authorisation of the IS resource holders, certifying that testing has been completed and the IS is ready for implementation.
63.2. Before an IS is put into use, the market participant trains its employees.
63.3. The market participant ensures that IS version control is performed.
64. Change management
64.1. The market participant changes an IS only in agreement with the holders of all related IS resources.
64.2. The market participant analyses how the changes will affect the existing security measures and the access granted to the IS and to the information available in it, and ensures that the changes do not diminish the IS security level.
64.3. The market participant makes the corresponding additions to the IS documentation.
64.4. The market participant draws up guidance on actions in circumstances requiring emergency (unplanned) changes and determines who is entitled to take a decision on an emergency change. The market participant determines how measures are planned to reduce the need for emergency changes, and takes measures to prevent unauthorised changes.
65. When stopping the use of an IS, eliminating it or transferring it to another person, including when the market participant stops any activity that the IS supports, the market participant takes the necessary security measures, including risk analysis.
XI. Incident Management

66. The goal of incident management is to minimise the impact of IS security incidents on the customers and activities of the market participant and to reduce the risk of their recurrence.
67. The market participant establishes and implements in practice an IS security incident management process that includes at least:
67.1. IS security incident identification;
67.2. tracking of incidents in an incident register;
67.3. notification of staff;
67.4. incident mitigation and remediation;
67.5. IS security incident analysis (including risk reduction measures);
67.6. preservation of the necessary evidence.
68. By 1 March of each year, the market participant submits to the Financial and Capital Market Commission a list of the IS security incidents recorded in the previous year, including a description of the incident groups and the incidents in each group.
69. IS recovery
69.1. The market participant ensures timely restoration of IS operation and data in the event of IS downtime.
69.2. The market participant develops an IS operation recovery plan in accordance with its business continuity plan.
69.3. The IS operation recovery plan includes the order of priority in which IS services are restored, the resources to be used, the list of actions and the responsible employees.
69.4. In accordance with the procedure laid down, the market participant carries out regular training of the employees involved in the IS recovery processes and documented testing of the plan, and amends the plan to ensure that it is up to date.
XII. Concluding Provisions

70. The Regulations enter into force on 1 January 2011.
71. The information referred to in paragraphs 26.3 and 68 of these Regulations is to be provided beginning in 2012.
72. Financial and Capital Market Commission Regulation No. 270 of 11 October 2002, "Regulations on the Security of Information Systems of Financial and Capital Market Participants", is repealed.

Financial and Capital Market Commission Deputy Chairman J. Brazovskis