The Bank of Russia has approved a new version of the standard act “Information Security of Organizations of the Banking System of the Russian Federation”. For the time being the act is of an advisory nature for Russian lending organizations. However, it looks exceedingly likely that within the next few years compliance with the normative act will become compulsory for all the country's banks.
On Jan. 26, 2006 the Bank of Russia approved the second version of the standard act “Information Security of Organizations of the Banking System of the Russian Federation” (STO BR IBBS-1.0-2006). It is based on the requirements of the international standards ISO/IEC 17799, ISO/IEC 27001 and CobiT. STO BR IBBS-1.0-2006 applies to Russian commercial banks and the Central Bank itself.
The standard sets out the principal requirements and the recommended policy for IT security, without contradicting legislation currently in force, and without affecting or regulating issues of information protection. The act does not extend to the protection of state secrets or restricted data either.
STO BR IBBS-1.0-2006 came into force on Jan. 1, 2006. Though the act is currently of an advisory nature, there are strong grounds to believe that the normative act will eventually become compulsory.
“Regulation is playing an ever-increasing role in business, both in Russia and throughout the world. In places like the U.S. and Europe, civil servants have already been turning the regulatory screws, while Russia still has weak and disjointed state laws. The situation is changing, however. Within the next few years Russian businesses will have to seriously consider regulatory measures when implementing this or that decision. The need for standard acts like the latest on IT security introduced by the Bank of Russia is obvious. I'm sure that adherence to the document will become compulsory for all Russia's banks, and in the near future,” believes Denis Zenkin, marketing director at InfoWatch.
STO BR IBBS-1.0-2006 is also one of the components of a standard for the activities of lending organizations currently being developed by the Bank of Russia and the Association of Russian Banks (ARB).
The first version of the standard was approved in December 2004, over a year ago. As a result the authors have had time to get to grips with the demands of IT security in practice. Throughout 2005 STO BR IBBS-1.0-2004 (the first version) was implemented by a number of branches of the Bank of Russia as well as several commercial banks. A number of lending organizations also applied the standard as part of their information security at their own initiative, even going as far as carrying out internal audits in compliance with the requirements of the standard.
The initial experience of applying and using the standard has shown that the banking community, including the ARB, supports its adoption and views it positively on the whole. Moreover, a list of notes and recommendations has been compiled by the various branches of the Bank of Russia and lending organizations with experience of implementing the standard. The latest changes within the sphere of international standards focusing on information security have also been analyzed, including the transformation of the information security standard ISO/IEC 17799 into the ISO/IEC 27000 group of standards.
The information that was gathered initiated a series of directives for the further elaboration of both the standard itself and the system for assessing the level of compliance, resulting in the publication of the new version.
“It is extremely advantageous for banks to apply the conditions of the Central Bank's new standard on IT security and to complete the certification procedure. Introducing an effective mechanism to manage the security procedures, as well as saving money by implementing the standard before it becomes compulsory, demonstrates your competitive edge to investors, partners and clients,” maintains Denis Zenkin, marketing director at InfoWatch.