FINANCIAL SUPERVISORY AUTHORITY

RULE NO. 6/2015

on the management of the operational risks arising from the information systems used by the entities regulated, authorised/licensed and/or supervised by the Financial Supervisory Authority

Based on the provisions of Art. 3 Para (1) Letter b), Art. 5, Art. 6 Para (2) and Art. 14 of Government Emergency Ordinance No. 93/2012 on the establishment, organisation and operation of the Financial Supervisory Authority, approved as amended and supplemented by Law No. 113/2013, as subsequently amended and supplemented;

further to the deliberations held in the meeting of the Financial Supervisory Authority’s Board of 18 March 2015,

The Financial Supervisory Authority hereby issues this rule:

CHAPTER I

General Provisions

Art. 1. – (1) This rule lays down the requirements at the level of the entities authorised/licensed, regulated and/or supervised by the Financial Supervisory Authority, hereinafter referred to as ASF, for the identification, prevention and reduction of the potentially adverse impact of the operational risks arising from the use of the information and communications technology in terms of persons, processes, system and external environments, including cybercrime acts.

(2) This rule lays down activities and operations for the assessment, supervision and control of the operational risks arising from the use of information systems and information security.

Art. 2. – This rule applies to the following categories of entities authorised/licensed, regulated and/or supervised by ASF, hereinafter referred to as entities:

a) market operators/system operators;

b) investment management companies (SAIs), self-managed undertakings for collective investment/undertakings for collective investment in transferable securities (UCI/UCITS), as follows:

1. Companies with net assets in portfolio/managed with a total, aggregate value for all managed funds exceeding EUR 250 million, the RON equivalent;

2. Companies with net assets in portfolio/managed with a total, aggregate value for all managed funds of up to EUR 250 million, the RON equivalent;

d) intermediaries – investment firms (SSIFs) under Art. 6 Para (1) of Capital Market Law No. 297/2004, as subsequently amended and supplemented, branches of intermediaries of other non-member States and credit institutions of Romania authorised by the National Bank of Romania in accordance with the bank legislation and registered in ASF’s public registry as intermediary, i.e.:

1. intermediaries as independent operator;

2. intermediaries carrying out non-core services, referred to in Art. 5 Para (11) Letter a) of Law No. 297/2004, as subsequently amended and supplemented;

3. intermediaries using trading facilities through the Internet (ADP/AS) – platforms through which clients’ orders are taken and sent;

4. intermediaries as market makers and/or liquidity providers;

5. intermediaries dealing on own account and not covered by the categories referred to in Items 1-4;

6. intermediaries not dealing on own account and not covered by the categories referred to in Items 1-4;

e) traders;

f) Investor Compensation Fund;

g) insurance/reinsurance undertakings;

h) insurance/reinsurance brokers;

i) entities carrying out depository activities of the units of undertakings for collective investment and the assets of private pension funds;

j) private pension funds management companies.

Art. 3. – The terms and expressions used herein shall have the meanings indicated in Annexe No. 1.

Art. 4. – (1) The provisions of this rule shall be applied by the entities according to the risk category established by ASF in accordance with Art. 6 Para (1) and in relation to the internal risk assessment on the basis of the best practices in the field.

(2) The risk category corresponding to each type of entity shall be established by ASF depending on the nature, size and complexity of such entity’s activity, as well as on the risks it may pose and the impact on the activity, in accordance with the provisions of Art. 6 Para (1).

(3) Entities shall participate in the collection, analysis, monitoring and reporting of information security events within the system developed by ASF.

Art. 5. – (1) Entities shall annually assess and continuously monitor the operational risks arising from the use of information systems, prioritise resources, implement information security measures and monitor their effectiveness through the application of risk management.

(2) The manner of implementation of the information security measures shall be determined by each entity, depending on the risk profile, risks identified and incidents, in accordance with the applicable legal requirements.

CHAPTER II

Classification of Entities in Risk Categories

Art. 6. – (1) For the purposes of this rule, the entities referred to at Art. 2 shall be classified in four risk categories: “major risk”, “significant risk”, “medium risk”, “low risk”, as follows:

a) the entities referred to in Art. 2 Letters a), c) and d) Item 1 are the entities classified in the “major risk” category;

b) the entities referred to in Art. 2 Letter d) Items 2, 3 and 4, Letters g) and i) are the entities classified in the “significant risk” category;

c) the entities referred to in Art. 2 Letter b) Item 1, Letter d) Item 5 and Letter f) are the entities classified in the “medium risk” category;

d) the entities referred to in Art. 2 Letter b) Item 2, Letter d) Item 6, Letters e) and h) are the entities classified in the “low risk” category.

(2) The entity which carries out several types of activities authorised by ASF, thus being classified in several risk categories from among those referred to in Para (1), shall meet the requirements established for each authorised activity.

(3) The private pension funds management companies shall be individually classified in risk categories, in accordance with the provisions of Art. 44 Para (4) Letter e) and Art. 51 of Rule No. 3/2014 on the internal control, internal audit and risk management in the private pension system issued by the Financial Supervisory Authority’s Board.

(4) The classification and re-classification of the entities referred to in Art. 2 Letter b) shall be made at the beginning of each year, based on the total value of the assets in the portfolio/managed on the last working day of the previous year.

(5) The classification and re-classification of the entities referred to in Art. 2 Letter d) shall be made at the beginning of each year, on the basis of the activity authorised by ASF and possession of the status of market maker/liquidity provider on the last working day of the previous year.

CHAPTER III

Activities carried out by entities

Art. 7. – (1) Entities shall carry out at least the mandatory activities corresponding to each risk category as referred to in Art. 6 Para (1), as listed in the table of Annexe No. 2.

(2) Within 90 days after the publication of this rule in the Official Journal of Romania, Part I, ASF shall draw up and publish on its own website the Guidelines containing details and parameters in connection with the manner of implementation of the mandatory activities referred to in Para (1). These Guidelines are given only for guidance and may be updated by ASF by reference to the good practices in the field.

Art. 8. – (1) With respect to the activity carried out, the entities shall ensure that the information systems meet at least the following requirements:

a) ensure the integrity, confidentiality, authenticity and availability of data in accordance with the risk category of the information system defined internally by the entity, and the processing thereof in accordance with ASF’s regulations, taking into account the possibility to update the same according to the changes in the applicable law;

b) ensure that the contents of the information indicated in the reporting forms corresponding to the entities, as provided for in the specific legislation, as well as other reports required by ASF’s regulations, are complied with;

c) ensure the reconstruction of the reports and information subject to verification;

d) ensure the storage and retention of the data recorded and logged by the trading systems and back-office for a period of time in accordance with the applicable legislation in force. The data storage system shall ensure that these data may be transmitted or made available to ASF, upon request;

e) ensure the possibility of restoration of the data archived in an external digital media, such as, but not limited to, information, data input, financial statements or other documents;

f) ensure particulars of the data subject to processing or verification. Information systems ensure precise identification of the time when entries were made and the identification of the system users at that moment;

g) ensure the confidentiality and protection of information and programs through passwords, identification codes for access to information, as well as back-ups for the programs and information held;

h) ensure security and control mechanisms of information systems, to preserve the safety of stored data and information, files and databases, including in the case of the risk events.

(2) Information systems that provide intermediaries and clients with access to electronic trading platforms, as well as those supporting the operations of clearing, settlement and registry for financial instruments and operations with the same, shall ensure at least the following:

a) the security and integrity of the data processed through the use of a security procedure, both on the data sent to the electronic trading platforms and to the clearing, settlement and registry ones, as well as on the data received from these systems;

b) mechanisms to guarantee non-repudiation of the data sent and received;

c) the real-time logging of information about orders forwarded for execution, status of these orders, and about the modifications to the orders made by the clients and intermediaries that use these information systems;

d) mechanisms for non-repudiation of the integrity of the registration of information system operations.

CHAPTER IV

Information System’s Auditing and Testing

Section 1

IT Audit

Art. 9. – (1) The entities falling within the major risk category must externally audit the information system on an annual basis.

(2) The entities falling within the significant risk category must externally or internally, with certified resources, audit the information systems, every two years.

(3) The entities falling within the medium risk category must externally or internally, with certified resources, audit the information systems, every three years.

(4) The entities falling within the low risk category must externally or internally, with certified resources, audit the information systems, every four years.

(5) ASF shall be entitled to establish an obligation for the entity to externally audit the information system for the activities required by ASF if:

a) the findings reveal that an entity has not carried out all minimum mandatory activities according to its risk category as referred to in Art. 7, or the activities carried out have a formal character;

b) ASF considers that further investigations of the information systems are required.

(6) The obligation to audit the IT system in accordance with Para (5), as established by ASF, shall be accompanied by the time frame by which the entity has the obligation to send the audit report to ASF. Such term may not exceed 90 working days.

(7) The external audit shall be carried out on the basis of a contract concluded between the entity that requested the auditing and any of the IT auditors approved by ASF according to Art. 10, Para (2). Entities may not contract the IT audit with the same IT auditor for more than 3 consecutive mandatory audits of those referred to in Paras (1) – (4).

(8) The IT audit contract referred to in Para (7) must include clauses relating to the fact that the IT auditor is required to meet the requirements necessary to carry out the information system audit, in accordance with the provisions of this rule and with the good practices in the field.

(9) The contract referred to in Para (7) must contain an express clause whereby the auditor undertakes to notify in the shortest time possible and in writing ASF of any fact or act in connection with the information and communications system used by the entity which:

a) is likely to affect the continuity of the business of the entity being audited;

b) may lead to a qualified audit opinion, to the impossibility of expressing a professional opinion or a negative opinion.

(10) The contract referred to in Para (7) must contain an express clause whereby, at the written request of ASF, the auditor undertakes to provide ASF with:

a) any report or document which has been brought to the attention of the audited entity;

b) a statement of the reasons for the termination of the audit contract, regardless of their nature;

c) any other information or documents required in connection with the IT audit work engaged under the contract.

(11) Compliance with the provisions of Paras (9) and (10) is not contrary to the provisions of the Code of Ethical and Professional Conduct in the field of financial audit, does not constitute a breach of any restriction on disclosure of information and shall not entail any liability of the person concerned. The confidentiality clause is not binding on ASF.

Art. 10. – (1) The external IT auditor, seeking to provide services to the entities to which the provisions of this rule apply, must obtain ASF’s approval.

(2) To obtain ASF’s approval, the external IT auditor shall submit to ASF an application together with documentation which must include, as appropriate, the following:

a) the auditor’s identification data:

(i) the full name/name and address/headquarters (full address-street number, block, entrance, floor, apartment, town, county/sector, postal code);

(ii) the fiscal registration data;

(iii) the address where it pursues its business;

(iv) the telephone/fax, email, website address;

(v) the proof of experience and specialisation in the field of information systems audit;

b) the surname and first name of the natural person certified auditor and of the representative of the company, who shall sign the audit report, together with the following documents:

(i) the copy of the auditor’s identity card;

(ii) the auditor's curriculum vitae, dated and signed, including the professional experience;

(iii) the copy of the IT auditor certification, signed as true to the original;

(iv) the valid criminal record certificate and fiscal record certificate - originals;

c) the IT auditor’s copy of the contract/professional indemnity insurance policy, for the minimum insured amount of EUR 100,000;

d) the copy of the payment document of the registration fee in ASF’s public registry.

(3) Licensing and registering the IT auditor in ASF’s public registry or the reasoned refusal of licensing, shall be carried out no later than 30 calendar days after receipt of the applicant’s complete file. The reasoned refusal shall be forwarded to the IT auditor. Any modification to the documentation referred to in Para (2) shall be notified to ASF no later than 30 calendar days from the date of the modification.

(4) ASF shall withdraw the external IT auditor’s license in any of the following cases:

a) on request;

b) in the case of initiation of liquidation or insolvency;

c) in the case of repeated breach of the provisions of Para (3), third sentence;

d) in the case of breach of the provisions of Art. 9 Paras (9) and (10), and in the case of breach of its obligations under this rule;

(5) For all situations referred to in Para (4) Letters c)-e), ASF shall send the external IT auditor a prior notice informing it of the facts leading to the withdrawal of ASF’s license.

(6) Entities shall take all necessary steps to avoid conflicts of interest that may arise in the pursuit of IT audit business.

(7) The audit activity must be independent from the audited activity, so as not to compromise the objectivity of the audit activity. Auditors must be independent and objective in all aspects of the audit mission.

(8) Entities, including those who perform the IT audit with certified internal resources, are required to provide the auditor with full, relevant and appropriate information in a timely manner, in order to allow the performance of the IT audit activity in good conditions.

(9) Upon completion of the IT audit, IT auditors must draw up an audit report containing at least the following elements:

a) the title of the report, the identification and description of the audited entity, and the recipient of the report;

b) the recipients of the report and any restrictions on the content and circulation of the report;

c) the audited field, the objectives of the activity, the audited period;

d) the nature, chronology and degree of coverage of the audit procedures performed;

e) any opinion qualification or limitation of the area covered by the audit;

f) the identification data of the audit team members, which shall include at least the full name, telephone, fax, email and the address where they pursue their business;

g) the signature of the certified coordinator of the audit team and the signature of the legal representative of the legal person auditor;

h) the place of the audit;

i) the date of the report;

j) the audit scope, including:

(i) the description of the audited systems;

(ii) the organisational measures: applicable policies and implemented procedures;

(iii) the identification of applications used and the persons involved;

(iv) the components of the information systems used;

(v) a summary containing the risk analysis related to the activity, possible shortcomings of the audited information system and of the measures to reduce the associated risks, based on general or specific inspections implemented in accordance with this rule;

(vi) the reference to the correctness of the reporting made according to Art. 14, Para (4) related to the period between the two IT audit activities;

(vii) the description of how the ethical hacking/penetration test was carried out, in the case of the entities that are required to perform penetration testing in accordance with the table in Annexe No. 2.

k) the detailed findings of the audit team regarding the fulfilment of the requirements laid down in Articles 5, 8, 11, 12 and 13, for each requirement, with the remark: YES/NO, and the grounds, in the event of breach thereof;

l) the statement of conformity, reflected by the “positive opinion” regarding the partial/total compliance of the audit objectives, indicating the points which need to be improved, reflected by the “qualified opinion/with reservations”, or failure to comply with the objectives tested/audited, reflected by the “negative opinion”;

m) an annexe to the IT audit report, acknowledged by the audited entity through its execution by a legal representative of the entity, consisting of:

(i) the findings and conclusions;

(ii) the inconsistencies, the lack of controls or ineffective controls;

(iii) the importance of the inconsistency or control deficiency;

(iv) the probability that these findings may have a significant impact and associated risks;

(v) the recommendations for corrective actions and the response of the audited entity’s management for each finding in the report, including the implementation deadline;

(vi) the result obtained from the ethical hacking/penetration test, in the case of the entities that are required to perform penetration testing in accordance with the table in Annexe No. 2.

n) the external IT auditor’s affidavit that the audit was conducted in accordance with this rule and with the audit standards in force upon the performance of the audit, with specification thereof;

o) the external IT auditor’s affidavit that it has no relationships with the audited entity or with the entity’s employees which may prejudice its independence or the objectivity of the audited activity.

Section 2

Requirements for External Providers and Outsourced IT Service Providers for Major Information Systems

Art. 11. – (1) Entities shall ensure that, for major information systems, the outsourced IT service providers, including by chain outsourcing, with the exception of communications, hardware and software license service providers, strictly with respect to the outsourced activity:

a) comply with the same requirements for auditing as those requested to the entity by this rule;

b) present, at ASF’s request, the manner in which the requirements imposed on the entity by this rule are met;

c) allow ASF and IT auditor to verify and/or audit its information systems in accordance with this rule.

(2) Any outsourcing is carried out in compliance with the legal provisions applicable to the sector of activity.

(3) Where there are no other legal provisions applicable to the sector of activity for the outsourcing of IT services, and in all cases where the services of external providers are used, as defined in Item 28 of Annexe No. 1, the entity is required to notify ASF of the external provider or the outsourced IT service provider within ten working days after the conclusion of the agreement with it, exclusively for major information systems.

(4) The notification referred to in Para (3) shall include the following information and attached documents, as appropriate:

a) the description of the services provided/outsourced;

b) the provider’s identification data:

(i) the company’s headquarters (full address: street number, block, entrance, floor, apartment, town, county/sector, postal code);

(ii) the fiscal registration data;

(iii) the telephone/fax, email, Website;

c) certifications according to the type of service or activity carried out:

(i) SR ISO/IEC 27001 or certifications for equivalent standards;

(ii) for the supply and development of computer software programs - related certifications;

(iii) for the provision of outsourced services - related certifications;

(iv) for the provision of hosting services or outsourcing through data centres - technical conditions in accordance with TIA-942 level 2 or equivalent;

(v) for the provision of electronic archiving services through data centres-authorisation in accordance with the legal provisions;

(vi) for the provision of public cloud computing type outsourced services - certifications specific to outsourced activities.

(5) In the event of a change in information or documents, the copy or original of the documents modified shall be submitted to ASF, no later than 30 calendar days from the date of such change.

Section 3

Requirements for Major Information Systems’/Computer Programs’ Testing

Art. 12. – (1) Entities are required to identify all information systems/computer programs used and to enter them in a register which shall contain:

a) the major information systems/computer programs;

b) changes in major information systems/computer programs;

c) details of the significant changes in the major information systems/computer programs.

(2) In the application of the provisions of Para (1) Letter c), significant changes may refer to:

a) the total replacement of major information systems/computer programs;

b) outsourcing several IT services;

c) changing the electronic archiving, restoration processes or synchronisation of databases.

Art. 13. – (1) Entities are required to test the major information systems/computer programs before the first use and whenever there are changes in their life cycle, regardless of whether they are made with internal resources or by external providers.

(2) The result of the tests referred to in Para (1) shall be mentioned in an IT test report that contains at least the following elements:

a) the purpose of testing;

b) the period of testing;

c) the description of the tested program;

d) the identification of the applications used and the persons involved;

e) the analysis of the risks involved in the acquisition or modification of the major computer program, possible vulnerabilities and measures to reduce the associated risks through system or computer program controls;

f) the description of the manner in which tests were conducted, test scenarios, any rules or standards applied and the result of the test;

g) the conclusion of the test team;

h) the signatures of the test team members.

(3) IT test reports shall be kept at the entity’s premises, at least until the next IT audit, and shall be made available to the IT auditor and ASF, on request.

CHAPTER V

Reporting Requirements

Art. 14. – (1) Entities must report the assessment referred to in Art. 5 Para (1) and the audit referred to in Art. 9, as follows:

a) the result of the internal assessment of operational risks shall be sent to ASF annually prior to 31 March of the current year, for the previous year;

b) the IT audit report shall be sent to ASF prior to 30 June of the current year, for the period subject to audit, corresponding to each risk category referred to in Art. 6 Para (1).

(2) Entities shall submit the IT audit report along with the action plan revealing the remedial manner of the vulnerabilities identified during the IT audit, where appropriate.

(3) The reports on the internal assessment of operational risks referred to in Para (1) Letter a) and the IT audit reports referred to in Para (1) Letter b) shall be submitted to ASF in hard copy or in electronic form with extended electronic signature.

(4) Entities shall submit, prior to 31 March of the current year for the previous year, an annual electronic reporting which comprises the indicators indicated in Annexe No. 3, to the extent that these indicators are applicable and related to major information systems.

(5) For the situations where data relating to certain indicators are not available for a particular entity because of its type, nature, size or complexity of the activities carried out by it, the acronym N/A (not applicable) shall be inserted in the corresponding box in the report.

CHAPTER VI

Petty Offences (Contraventions)

Art. 15. – Failure to comply with the provisions of this rule by the entities referred to in Art. 2 shall be deemed a petty offence as provided by Art. 39 Para (2) Letter a) of Law No. 32/2000 on the insurance activity and supervision of insurance, as subsequently amended and supplemented, and of Art. 272 Para (1) Letter a) Item 6, Letter b) Item 5, Letter c) Item 4, Letter d) Item 4, Letter e) Item 6, Letter f) Item 3, Letter h) Item 8, Letter j) Item 17 and Letter k) Item 3 of Law No. 297/2004, as subsequently amended and supplemented, depending on the entity type.

CHAPTER VII

Transitional and Final Provisions

Art. 16. – (1) The requirements laid down in this rule shall be implemented by the entities, with effect from 1 January 2016, with the exception of the provisions of Art. 11 on external providers and outsourced IT service providers applicable as of 30 September 2016 and the entities shall send the notifications referred to in Art. 11 Para (3) prior to 31 December 2016.

(2) Prior to 30 June 2016, all entities shall transmit the result of the first internal assessment of operational risks to ASF as referred to in Art. 14 Para (1) Letter a), and the first electronic reporting referred to in Art. 14 Para (4).

(3) With effect from 1 January 2017, all entities must carry out the reporting prior to the deadlines referred to in Art. 14.

(4) For all entities, the first IT audit must be conducted no later than 31 December 2016.

Art. 17. – (1) Instruction No. 2/2011 on auditing the information systems used by the entities authorised, regulated and supervised by the National Securities Commission, approved by CNVM Order No. 10/2011, published in the Official Journal of Romania, Part I, No. 118 of 16 February 2011, as subsequently amended, shall be repealed as of 30 June 2015.

(2) Upon the entry into force hereof, the following shall be repealed:

a) CNVM Executive Order No. 19/20101;

b) Art. 25 of the Rules on the principles of organisation of an internal control and risk management system, as well as the organisation and conduct of the internal audit at insurers/reinsurers approved by Order No. 18/2009 issued by the Insurance Supervisory Commission, published in the Official Journal of Romania, Part I, No. 621 of 16 September 2009, as subsequently amended and supplemented;

c) any other provisions to the contrary.

Art. 18. – Annexes Nos. 1 - 3 shall be an integral part hereof.

Art. 19. – This Rule shall be published in the Official Journal of Romania, Part I, and in ASF’s Bulletin, and shall enter into force on the date of its publication.

President of the Financial Supervisory Authority, Mișu NEGRIȚOIU

Bucharest, 23 March 2015

No. 6

Annexe No. 1

DEFINITIONS AND ABBREVIATIONS

1. agreement for the supply of the services at agreed parameters (SLA) – means an agreement between an IT service provider and a client that describes one or more IT services, documents the targeted service levels agreed and lays down the obligations of the IT service provider and of the client;

2. IT control activities – means the policies, procedures and practices applied to achieve the entity’s objectives and perform the strategies for the elimination of risks, designed to achieve each objective of control for the elimination of the identified risk;

3. electronic archiving – means the document storage in digital format;

4. threats – means the capacities, strategies, attempts or plans which threaten the infrastructures, through attitudes, gestures, acts or facts that may impact the safety of entities and the integrity of the sector in which they pursue business;

5. risk analysis – means the analysis of significant threat scenarios, in order to assess the probability of materialisation thereof and the potential impact that such event would have on the entity and its operations;

6. key employees/persons – means the persons with managerial positions/relevant persons/significant persons with planning, managing and controlling duties and responsibilities of the entity’s activity;

7. ethical hacking/penetration test – means the assessment of the security of the information system by simulating actual attacks in real life conditions on networks, information systems and computer programs used by the entity assessed or audited, as appropriate;

8. IT audit – means the collection and evaluation of samples to determine whether the information system meets the performance and working parameters according to the design requirements, ensures the functionalities necessary for the business requirements and compliance with the legislation in the field, is secured, maintains the integrity of the processed and stored data, allows the achievement of the entity’s strategic objectives and efficient use of IT resources;

9. auditor (IT auditor) – means the authorised natural person holding an IT auditor certification or the legal person with certified staff, carrying out an auditing activity of information systems, according to the regulations and best practices in the field;

10. IT audit with internal resources – means the audit carried out by staff certified in the IT audit field, employed within the entity or within a company of the same financial group, through the application of the provisions of this rule and internationally certified methodologies;

11. database – means the structure of organisation of information in one or more fields of application, in order to make it accessible at all times by users via the computer programs as a whole;

12. good practices – means the certified activities or processes which have been successfully used in several organisations and have gained wide recognition, such as SR ISO/IEC 27002, ISO 20.002, framework and methodologies ISACA – COBIT, RiskIT, without limitation thereto;

13. data centre – means a secured space, equipped with computers and communications equipment by means of which data in electronic form are received, stored and sent, which shall be implemented in compliance with specific standards, using the level concept or an equivalent thereof, including, but not limited to, the standards SR EN 50600 (European Standard – Data Centres Facilities and Infrastructures) or TIA-942 (Telecommunications Industry Association);

14. level 2 data centre – means a data centre meeting the requirements of TIA-942 tier 2 or equivalent and whose infrastructure has 99.741% availability characteristics, a dedicated circuit for cooling and power supply, redundant components, raised floor, uninterruptible power sources, a generator and maximum 22 hours of non-functioning per year;

15. primary data centre – means a data centre that provides IT services and currently processes the entity’s data, transactions and operations;

16. CERT/information security emergency response team or centre – specialised organisational structure for the collection, analysis, identification, prevention and response to cyber incidents with significant impact;

17. life cycle – means all stages of a life cycle of an IT service, configuration element, incident, problem or change, without limitation thereto;

18. public cloud computing – means the IT infrastructure, with configurable computing resources that allow for the provision of IT services on request and is provided through public data centres, other than the entity’s own IT infrastructure, through an external provider, as a distributed package of computing services, computer software, access to information and data storage;

19. COBIT/Control Objectives for Information and Related Technology – means a supporting toolset and framework of the best practices for IT processes control management, being published by ISACA in collaboration with IT Governance Institute (ITGI);

20. communications/telecommunications – means transmission systems, and any other resources which permit the conveyance of signals by wire, radio, optical fibre or other electromagnetic means, and the technologies used in the communication processes, which presume the existence of an IT environment consisting of computer hardware, specialised software, and data transmission/reception electronic devices;

21. IT controls – means all policies, procedures, practices and organisational information structures designed to provide reasonable assurance that the business objectives shall be achieved and unwanted events shall be prevented or detected and corrected;

22. (computer) data – means any representation of facts, information or concepts in a form suitable for processing in an information system, including a program suitable for causing an information system to perform a function;

23. availability – means the ability of an IT service or of an IT configuration item to perform the agreed functions when necessary;

24. double validation – means the validation of an action by two users or the existence of a double information validation involving a program that verifies a specific action by different methods;

25. IT services outsourcing – means the use by an entity of an external IT services provider for the provision, on a contractual basis and on a continuing basis or for a limited period, of the operations related to the technical support or processing, required for the performance of such entity’s normal course of business;

26. chain outsourcing – means the outsourcing where the external provider subcontracts with other external providers components of the services provided to the entity;

27. risk factors – means the internal and external situations, circumstances, elements, conditions or moments, sometimes coupled with an action, that cause or encourage the materialisation of a threat to major infrastructures, according to a particular vulnerability, thereby generating insecurity effects;

28. external provider – means the authorised natural or legal person providing goods (such as hardware, software licences, components, etc.) and IT solutions, which has expertise in specialised areas, in compliance with the applicable legal framework;

29. outsourced IT service provider – means the authorised natural or legal person with their object of activity and expertise in the field of IT services, IT service provider in compliance with the applicable legal framework and authorisation received;

30. hardware – means the collection of physical and technical elements with the help of which data may be collected, verified, processed, sent, displayed and stored, including the data storage media and auxiliary computer hardware;

31. security incident – means any event recorded and reported at the level of the entity concerning information security or information systems, with a high probability of compromising operations and threatening IT security, and whose consequence has compromised, or is likely to compromise, information or information systems;

32. key performance indicators (KPI) – means the representative analytical parameters selected for monitoring key activities and processes for entities, providing an overview of the performance;

33. key risk indicators (KRI) – means the parameters that actually measure the risks related to the entity’s procedures and activities, timely providing proper alerts of the negative consequences, which may result in direct or indirect potential losses;

34. unavailability (as time duration) – means the time within the availability period of the service when an IT service or critical/significant component of the service is not available;

35. information – means the result of the processing of data through an information system representing the basis for knowledge through some new elements in relation to previous knowledge and constitutes a resource that must be protected;

36. IT infrastructure – elements of the technical basis and facilities, by components or system, supporting data collection, storage and management, and also the data integration, search and viewing, and other calculations and processing services of information by using information technologies, owned or externally contracted by the entity and required for its proper operation;

37. essential/critical infrastructure – means an information system or a component thereof that is essential for maintaining the functions of the financial infrastructure, whose disruption significantly affects its proper functioning, with a significant impact due to the inability to maintain those functions;

38. major infrastructure – means the entity’s own or outsourced information system, which ensures the functioning of the entity’s main activities and services;

39. integrity – means preserving computer data, digitised, unaltered during communication between correspondents or during the data storage period;

40. Internet – means the global system of interconnected computer networks (Wide Area Network – WAN) independent (particular, commercial, academic or governmental), intended to facilitate the exchange of data and information between users;

41. ISACA – means the Information Systems Audit and Control Association;

42. SR ISO/IEC 27001 – means a standard that establishes the requirements for an information security management system;

43. SR ISO/IEC 27002 – means a code of international practice for the information security management, with the specification SR ISO/IEC 27001;

44. ISO/IEC 20000 – means a standard that establishes the requirements for an IT services management system, based on the set of publications of good practices of the IT Infrastructure Library (ITIL);

45. change management – means the process responsible for checking the life cycle of all changes to allow implementation of beneficial changes with minimal disruption of IT services;

46. non-repudiation – attribute to prevent the possibility of an entity to deny an action taken in the information context;

47. (IT) control objective – means the end and means which are reflected in the control points from which the key risk indicators are extracted;

48. persons – means the investors, insurance brokers, insurance agents, external providers, other third parties or collaborators of the entity, its own employees – for an indefinite or definite period of time; participants in the private pension funds. Entities shall report broken down by each type of “persons” depending on the specifics of their activity;

49. Cooperation Plan in the field of information and network security – means a plan that establishes the organisational roles, obligations and responsibilities within the cooperation, and the procedures for maintaining or restoring the functioning of networks and information systems where these are affected by a cyber-risk or incident with a significant impact;

50. portfolios, transactions and assets – means the accounts of the investors on the capital market or of the insurance undertakings’ clients; investor portfolios, policy holders, operations with investors’ assets, intermediary’s own assets and/or of relevant persons;

51. computer program (application) – means the set of instructions that may be executed by an information system to obtain the envisaged result;

52. information resources – means all information and documents, in accordance with the requirements laid down by the legislation in the field;

53. network – means the equipment interconnected through transmission channels, including, but not limited to, computer network;

54. security risk – means any circumstance or event that has a potentially negative effect on the security of information systems;

55. systemic risk – means the risk of damage to an important area of the financial system or any financial market, which has the potential to result in serious negative consequences for the internal market and the real economy, instability of the financial system, potentially catastrophic, caused or accentuated by idiosyncratic events or conditions of entities;

56. significant risks – means the risks with serious impact on the entities’ financial, pecuniary and/or reputational situation;

57. IT audit report – means the tool by which the purpose of the audit, targeted objectives, applied rules/standards, period, nature, scope, procedures, findings and conclusions of the audit and any reservation of the IT auditor on the audited information system are communicated;

58. IT test report – means the tool by which the purpose of the test, targeted objectives, applied rules/standards, period, nature, scope, procedures, findings and conclusions of the test, and any reservation of the testing team on the tested information system are communicated;

59. (IT) information technology risk – means the subcomponent of the operational risk which refers to the actual or future risk of negatively affecting the entities’ or investors’ gains and capital, on the one hand, and participants and policyholders, on the other hand, caused by the inadequacy of the IT strategy and policy, information technology and processing thereof, in terms of management capacity, integrity, controllability and continuity, or improper use of the information technology;

60. (cyber) security – means the ability of a network or an information system, resulting from the application of a set of reactive and proactive measures, to withstand, at a given level of confidence, accidental or malicious actions that compromise the availability, authenticity, integrity or confidentiality of the data stored or transmitted, or of the related services offered by the network or the information system or accessible through them;

61. (digital) electronic signature – means the indispensable attribute of the electronic document, obtained as a result of its cryptographic transformation, using the private key in accordance with Law No. 455/2001 on the electronic signature, republished;

62. IT service – means the combination of persons, processes and technologies provided within the entity or by an IT service provider, which is based on the use of information technology and providing the technical support necessary to carry out the entity’s activity, and which should be defined in an SLA;

63. information system – means the group of functionally inter-connected devices for the purposes of the automated obtaining of the information necessary for the entity’s operational and managerial activities, through the IT services, hardware equipment and software products, manual procedures, databases and mathematical models for analysis, planning, control and decision-making, using components for entering and processing data, processing components such as servers, computers, basic operating software system, computer programs, computer networks and telecommunications, storage components and users, without being exhaustive;

64. major information system/computer program (core business applications) – means the information system/computer program critical for the efficient conduct of the business authorised/licensed by the Financial Supervisory Authority and for ensuring the reporting to ASF, or used in the entity’s financial and accounting activity;

65. software – means the entire program product range, consisting of at least the following elements: operating systems, drivers or computer programs;

66. IT solution – means an information system type product, combination of products, or a combination of IT services and products provided by an IT or telecommunication service provider or manufacturer;

67. (IT) information technology or information and communications technology – means the technology required for processing (obtaining, processing, storing, converting and transmitting) the information, in particular by using electronic computers and corresponding programs;

68. TIA-942 – means the standard that defines the infrastructure of a data centre, in particular in terms of cabling system and network design, but it also covers its location, cooling, power supply and equipping, and also any environmental aspects;

69. vulnerability – means the facts, processes and/or phenomena diminishing the information systems’ response capacity to existing or potential risks, or favouring their occurrence and development, with an impact on functionality and utility.

Annexe No. 2

Activities carried out by entities

The entities shall carry out the activities indicated in the table below, in accordance with the corresponding risk categories.

Mandatory activities of the entities, by risk categories (x = activity is mandatory for entities in that risk category).

| Activity | Major | Significant | Medium | Low |
|---|---|---|---|---|
| A) Internal assessment of the operational risk and risk register | x | x | x | x |
| B) Organisation by processes | | | | |
| 1 Availability Management | x | x | x | |
| 2 User Management | x | x | x | x |
| 3 Incident Management | x | x | x | |
| 4 Change Management | | | | |
| a) Computer Program Life Cycle Management | x | x | x | x |
| b) Version Management | x | x | x | x |
| c) Test Management | x | x | x | x |
| 5 Capacity Management | x | x | x | |
| 6 Configuration Management | x | x | | |
| 7 Service-level Management (SLA) | x | x | x | |
| 8 Security Management | | | | |
| a) General requirements | x | x | x | x |
| b) Penetration Tests | x | x | | |
| 9 Continuity Management | x | x | x | |
| C) Control and measuring points | | | | |
| a) General controls | x | x | x | |
| b) Computer programs controls | x | x | | |
| D) Implementation of key performance indicators (KPI) | x | | | |
| E) Implementation of key risk indicators (KRI) | x | x | | |
| F) Information System Security Management | | | | |
| a) Organisational Measures | x | x | | |
| b) Security procedures | x | x | x | x |
| c) Security assessment | x | | | |
| d) Cooperation Plan | x | x | x | x |

Annexe No. 3

Annual Electronic Reporting Indicators

For reporting the indicators in the table below, entities shall report:

a) in accordance with the provisions of Art. 14 Para (4) of ASF Rule No. 6/2015 on the management of the operational risks arising from the information systems used by the entities regulated, authorised/licensed and/or supervised by the Financial Supervisory Authority;

b) 0 “zero” – if there are no values of the indicator for the period being reported or, where appropriate, at the end of the reporting period;

c) the value of the indicator – if the indicator’s values are other than zero for the period being reported or, where appropriate, at the end of the reporting period.

Indicators to be reported:

| Objective during the reporting period | Indicator |
|---|---|
| Indicators relating to accessing online the services provided by the entity | Number of clients (total users) accessing the online services offered by the entity |
| Indicators relating to persons who may make modifications to the major information systems/computer programs | Number of persons (total users) who have direct access to the entity’s databases (referring to portfolios, transactions and assets) with rights to modify the same, administrator role or equivalent privileges |
| | Number of persons (total users) who have the rights to modify the entity’s major computer programs (internal/external/online computer programs accessed via the Internet) |
| Indicators relating to the double validation principle through operations in major information systems | Number of operations INITIATED requiring double validation |
| | Number of operations CONFIRMED requiring double validation |
| | Number of operations CANCELLED requiring double validation |
| Indicators relating to the access to major information systems | Number of persons (total users) who have access to major information systems which contain information relating to portfolios, transactions and assets |
| | the credentials of the clients’ access accounts |
| Indicators relating to the internal information security incidents, reported | Total number of internal information security incidents |
| | Total number of external information incidents |
| | Number of breaches of security policies and procedures |
| | Number of data losses due to actions not approved |
| | Number of reported incidents related to data loss (electronic data) |
| | Number of reported incidents resulting in accidental or deliberate destruction of documents/records/folders |
| | Number of reported incidents of serious breach of rules/frauds/deceptions |
| | Number of reported incidents of destruction in the data centre |
| | Average number of days between the identification of a security incident and its resolution |
| Agreed service-levels, internally and for clients | Number of hours of unscheduled downtime of major information systems to which clients have access (including, but not limited to, online trading applications, online applications for subscription of insurance policies) |
| | Number of hours of unscheduled downtime of outsourced IT services that affect the services provided to entities’ clients |
| Change management | Number of major computer programs |
| | Number of changes to major computer programs |
| | Number of operational errors caused by deficiencies in the design of major information systems |
| | Number of unidentified operational errors in testing major information systems |
| Continuity management indicators | Number of tests conducted in accordance with the business continuity plan |
| | Number of tests conducted in accordance with the disaster recovery plan |
| Audits and tests | |
