Word bank ks2: Rhyming Word Bank | Teaching Resources

Abbreviations:

As can be seen from the table, if type 1 and type 2 threats are deemed irrelevant, RF BS organizations must ensure that personal data is protected according to the requirements for security level 4 or 3. The same levels will be relevant even if the bank maintains processing of biometric personal data. To meet these requirements, the Bank of Russia recommends implementing the provisions of the Standard set out in sections 7 and 8.

Only in cases where a bank processes a significant amount (more than 100,000) of special categories of personal data of subjects who are not employees of the Bank, it becomes necessary to protect personal data on the 2nd level of security. For example, in the West there is a practice when a bank’s credit strategy or scoring cards require the collection of information about the health status or nationality of the borrower in order to make a decision on issuing a loan to a certain category of citizens. But I have not yet seen such a practice in Russian banks. In other words, if the 2nd level of security in Russian banks will occur, then only in strictly exceptional cases.

However, let me remind you that in order to ensure the 2nd level of personal data security, it is necessary to fulfill the additional requirements of the Standard set out in paragraph 7. 11.6, most of which, of course, coincide with the similar requirements of FSTEC Order No. 21. The most essential requirements are: the use of intrusion detection systems, provision of trusted loading of computer equipment, integrity control, segmentation of the information system. But, despite the fact that the requirements of the Standard and the requirements of FSTEC Order No. 21 for the 2nd level of security mostly coincide, there are certain differences. For example, FSTEC Order No. 21 contains more stringent requirements for protecting the virtualization environment.

Let’s consider one more significant circumstance: regarding the use of certified information security tools, the Standard (see clause 7.11.8) does not put forward its own requirements or recommendations, but directly refers to FSTEC Order No. 21, which allows the use of non-certified information security tools to ensure 3 -th and 4th levels of security, if the threats of NDV are irrelevant.

Thus, the only advantage that STO BR IBBS-1. 0-2014 gives in terms of freedom to use non-certified means of protection is additional reasoning for the position of the Bank, which recognized threats of the 1st and 2nd types as irrelevant.

STO BR IBBS-1.0-2014 AND CIPF

It should be noted that the requirements of the Central Bank of the Russian Federation for the CIPF classes used to protect personal data are more stringent than the requirements of FSB Order No. 378. Thus, RF BS organizations that have chosen to comply with the requirements of the Bank of Russia in terms of personal data protection must always use CIPF of a class of at least KS2 . However, for RF BS organizations that have decided to adhere only to the requirements of the legislation in the field of PD, in order to ensure the 4th, 3rd and 2nd levels of security (provided that only type 3 threats are relevant) in accordance with subparagraph «c» paragraph 9, paragraph 18 and paragraph 21 of the Order of the FSB No. 378, the use of cryptographic information protection tools of class KS1 and higher is allowed.

Let me remind you that the main differences between KS2 and KS1 are that when using cryptographic information protection of the KS2 class, it is necessary to use trusted boot tools, such as PAK Sobol, Accord-AMDZ, etc., which are not always compatible with some technologies, such as blade servers, virtual infrastructure, or mobile devices. In other words, in a number of cases, the use of CIPF class KS2 is impossible or is associated with a number of serious problems.

On the other hand, although this requirement of the Standard is mandatory and more stringent, it is assessed by only one particular indicator (out of sixteen included in the M6 ​​group indicator). Thus, non-compliance with this requirement cannot drastically affect the final level of compliance. Moreover, as mentioned above, according to the requirements of the legislation, the use of CIPF class KS1 is permissible. Thus, when using CIPF of class KS1 or partial use of CIPF of class KS2 along with class KS1 and properly fulfilling the other requirements and recommendations of the Standard, RF BS organizations in any case do not violate the mandatory requirements of the law and, at the same time, have every chance of obtaining the recommended final level of compliance according to requirements of the Bank of Russia.

SIGNIFICANCE OF DOCUMENTATION

The importance of documenting IS maintenance and management procedures has noticeably changed in the Standard. So, if earlier, without having an appropriate regulatory document, the Bank nevertheless put into practice one or another process of ensuring security in accordance with the requirements of the Standard, it could get a score of 0.5 for the corresponding particular information security indicator.

Now, even if the requirement is actually perfectly met, but the normative document is not developed, the Bank will not be able to score more than 0 for this partial indicator. This applies to category 1 partial indicators, where both the degree of documentation and the degree of implementation are assessed. For private indicators of IS category 2, where only the degree of documentation of IS requirements is assessed, the situation is, of course, the same — a requirement partially established in the documents will lead to a score of 0.

If we talk about the number of documents required to comply with the requirements of the legislation on the processing and protection of personal data, and to comply with the requirements of the Standard relating to the same area, then the key difference between these two approaches is that the Bank of Russia approach uses a process character. If we compare the requirements of the legislation and STO BR IBBS-1.0-2014, we can see that in order to comply with the Standard, it is not enough just to have any document.

It is necessary to define, implement, record and control the procedure associated with such a document. For example, in accordance with PP-1119, subparagraph «c» of paragraph 13, the head of the document defining the list of persons having access to personal data must be approved, and in accordance with paragraph 7.10.7 of the Standard, a RF BS organization must define, implement, register and control procedures for accounting for persons with access to personal data. As can be seen from the above example, the requirement is essentially the same, but the number and composition of documents will be different.

Taking into account the above, the fulfillment of the requirements of the Standard for the processing and protection of personal data, in terms of documenting the protection and processing of PD, seems to be more time-consuming than the fulfillment of direct legal requirements.

ABS AS ISDN

I would like to draw attention to one more significant change. For example, in the past, RF BS organizations could not classify their core banking systems that implement bank payment processes as ISPDs, since this was explicitly stated in the previous edition of the Standard. Thus, RF BS organizations were able to exempt such ABSs from the scope of personal data legislation and, thereby, significantly reduce their resources for bringing ABSs in line with the requirements of Federal Law No. 152-FZ “On Personal Data”.

The situation has changed somewhat in the new version of the Standard. The Bank of Russia did not make direct demands on the inclusion or exclusion of the ABS from the ISPD, but vaguely wrote in clause 7.10.3 of the Standard that criteria for classifying the ABS as a ISPD should be established in RF BS organizations, i.e. The Bank of Russia leaves the choice directly to the banks themselves.

Of course, in the event of an erroneous decision to exclude ABS from the list of their PDIS, RF BS organizations will not be able to appeal to the requirements or recommendations of the Bank of Russia, and, of course, will be liable to the regulator in the field of PD protection on their own.

CONCLUSIONS

So, the BR IBBS Complex can give banks additional arguments to justify the irrelevance of threats of the 1st and 2nd type before the regulator for the protection of the rights of PD subjects.

The consequence of recognizing the threats of the 1st and 2nd types as irrelevant is the possibility of actually fulfilling the requirements only for security levels 3 or 4, and the possibility of using a wider range of information protection tools.

The negative features of the adoption of the Standard include more stringent requirements for the use of CIPF for RF BS organizations that comply with the requirements of the Standard than for organizations that comply with direct legal requirements. But, given the current Methodology for assessing compliance with the requirements of the Standard, such a feature can only be called conditionally negative.

In addition, it is worth paying attention to the disappearance of the past clear advantages of the Standard:

• the disappearance of the clear possibility of exclusion of core banking systems that implement banking payment technology processes from the composition of ISPD;
• , as of today, there is no possibility of using the Standard to replace the direct requirements of regulators for the protection of personal data, as it was before.

Of course, the Standard is advisory in nature, and to accept (or not to accept) the documents of the BR IBBS Complex as mandatory, each bank decides for itself, weighing all the pros and cons.

But in conclusion, it should be noted that the Standard was developed specifically for Banks and takes into account their industry specifics. To date, there are a large number of all kinds of legislative and industry requirements for the protection of information that banks are required to comply with. In addition to the Federal Law No. 152-FZ “On Personal Data” discussed in this article, there is, for example, Federal Law No. 161-FZ “On the National Payment System”.

Both federal laws impose a number of requirements for information protection, which overlap somewhere, somewhere they have certain nuances of joint application. During the development of the new version of the Standard, the Bank of Russia tried to take these requirements into account and harmonize them with the already familiar text of STO BR IBBS-1. 0-2010. And regardless of whether a bank accepts the IBBS BR Complex as mandatory or not, proper implementation of the requirements and recommendations of the Standard may allow RF BS organizations to meet various requirements of various regulators within one information security system.

Become a BIS Journal Author

Resume Assistant accountant, accountant for primary documentation, accountant for reconciliation acts, 1C operator, accountant for the bank-client section, archivist, Moscow, 48,000 rubles. per month

Professional skills:

— Execution of orders of the head
— Monitoring the execution of decisions
— Business correspondence
— Receiving and distributing calls
— Organization of business trips
— Attentive work with Primary Accounting documentation and other documents
— program 1C 8.2
— Expense reports
— SBS Tensor++
— Reconciliation acts and work with the balance sheet
— Bank-client (different banks)
— the «E-Staff Recruiter» program, when I worked part-time at the Recruitment Agency as a Recruitment Manager (summer 2016)

Additional information:

disciplines that I studied at the university (+ even in college before that) and took exams on them, there were also such subjects as Human Resources Management, Forecasting the development of the industry, Cost management in a service sector enterprise, Organizational, economic and regulatory support for activities, Business -planning, Project management, Anti-crisis management at the enterprise, Psychology and pedagogy, etc.
While studying at the university, he was the curator (headman) of the group on various organizational and other more serious issues, and was also the leader of his study group.
From my childhood (at different moments) and before being drafted into the army, I was engaged in the following — swimming, karate, theater, pop vocals and hand-to-hand combat.
At the moment I’m interested in playing badminton actively, playing billiards, cycling (etc.).
Intellectual games are interesting to me — «Checkers», an interesting game where my intuition and strategy is needed, analysis — «Battleship», the game «Balda» is a kind of word game.
For some time I was engaged in small-scale wholesale business in the city of Vladimir.
I have experience as a Direct Sales Manager for Personal Care/Cosmetics.
I have experience as a sales assistant in the sale of clothing (women’s and men’s, from underwear to outerwear) in St. Petersburg in 2008.
He once worked in various positions in the Pyatachok supermarket on the street.