1. GENERAL REGULATIONS
1.1. This Policy was developed in accordance with the legislation of the Republic of Tajikistan and, in the part concerning the safeguarding of information security, with the requirements of the regulatory acts of the National Bank of Tajikistan.
1.2. This Policy is a document available to Bank employees. It presents the official approach to safeguarding information security approved by the management of the public corporation «Tojiksodirotbank» (hereinafter referred to as the Bank), and establishes the principles for building an information security management system based on a systematic statement of the Bank's information security goals, processes and procedures.
1.3. The Bank's management recognizes the importance and necessity of developing and improving measures and means of safeguarding information security in the context of evolving legislation and banking regulation norms, the development of the banking technologies being implemented, and the expectations of Bank clients and other interested parties. Compliance with information security requirements will allow the Bank to create competitive advantages, ensure its financial stability, efficiency and compliance with legal, regulatory and contractual requirements, and improve the Bank's public image.
1.4. The information security requirements set by the Bank correspond to the interests (goals) of its banking activity and are intended to reduce risks related to information security to an acceptable level. Hazards in the Bank's information sphere relate to its corporate management, the organization and execution of business processes, relationships with partners and clients, and economic activity. Hazards in the Bank's information sphere form an important part of the Bank's operational risks and are also related to other risks of the Bank's core and administrative activities.
1.5. The Bank's strategy in the field of information security and information protection includes, among other things, fulfilling in practice the requirements of:
• the legislation of the Republic of Tajikistan on security, information security technologies and information protection, and the protection of personal data and bank secrecy;
• normative acts of the Republic of Tajikistan and of the executive authorities authorized in the field of physical security and technical protection of information, countering technical intelligence, and ensuring information security and privacy;
• normative acts of the National Bank of Tajikistan on ensuring information security;
• the set of rules on information security management (international standard ISO/IEC 27002).
1.6. The requirements necessary for ensuring the Bank's information security must be strictly observed by the Bank's personnel and by other parties, as defined by the provisions of the Bank's internal normative documents and by the requirements of contracts and agreements to which the Bank is a party.
1.7. This Policy applies to the Bank's business processes and is mandatory for all employees and management of the Bank, as well as for users of its information resources.
1.8. This Policy is distributed as a first-level corporate document on information security (IS).
2. DESCRIPTION OF THE PROTECTION OBJECT
The main objects of protection of the information security system in the Bank are:
• information resources containing commercial secrets, banking secrets, personal data of individuals, information of limited distribution, as well as openly disseminated information necessary for the Bank's work, regardless of the form and type of presentation;
• information resources containing confidential information, including personal data of individuals, as well as openly disseminated information necessary for the work of the Bank, regardless of the form and type of presentation;
• Bank employees who are developers and users of the Bank's information systems;
• the information infrastructure, including information processing and analysis systems, hardware and software for processing, transmitting and displaying information, including information exchange and telecommunications channels, information security systems and tools, and the facilities and premises in which such systems are located.
An inventory of information assets is carried out at least once a year by the Department of System Administration. The inventory of the Bank's information assets is recorded in the appropriate database.
3. OBJECTIVES AND TASKS OF INFORMATION SECURITY ACTIVITIES
The objective of the Bank's information security activities is to reduce threats to information security to a level acceptable to the Bank.
The main objectives of the Bank's information security activities are:
• Identification of potential threats to information security and vulnerabilities of protection objects;
• Prevention of information security incidents;
• Exclusion or minimization of identified threats.