
Chapter 1. General Provisions

1. This Business Continuity Policy (hereinafter referred to as the Policy) of the Republican State Enterprise on the REU “National payment corporation of the National Bank of the Republic of Kazakhstan” (hereinafter referred to as the NPC) was developed to determine general approaches to the planning and organization of business continuity, aimed at the uninterrupted performance of the functions and tasks assigned to the NPC, as well as at minimizing the impact of incidents and emergencies (hereinafter – ES) on the main activity in order to restore it as soon as possible.
2. The Policy was developed in accordance with the current legislation of the Republic of Kazakhstan, the Continuity Policy of the National Bank of the Republic of Kazakhstan, the Requirements for the security and continuity of information systems of banks and organizations carrying out certain types of banking operations, and the International Standard ISO 22301.
3. Ensuring the continuity of critical business processes to ensure the functioning of the payment systems of the National Bank of the Republic of Kazakhstan, in which the NPC is a member, is carried out in accordance with the Continuity Policy of the National Bank of the Republic of Kazakhstan.
4. The management of the NPC recognizes the importance of business continuity and manages it, providing the necessary conditions for developing and improving measures and means to ensure continuity in the face of emergency threats.
5. Business continuity is achieved by ensuring constant availability of resources / sub-resources and reserve resources / sub-resources. The activation of resources / sub-resources at the recovery sites should occur as automatically as possible, without requiring additional human resources or time. The interested subdivisions of the NPC ensure the implementation of these tasks.
6. The Policy is reviewed as necessary, but at least once every three years. The Policy is a public document.

Chapter 2. Basic concepts used in the Policy

7. The Policy uses the following basic concepts:
1) business continuity – uninterrupted functioning of information systems of the NPC;
2) ensuring business continuity – strategic and tactical actions of the NPC units aimed at ensuring the uninterrupted operation of NPC information systems in the event of incidents and emergencies. Ensuring business continuity includes managing the recovery and continuation of operations in the event of a disruption in the normal functioning of information systems;
3) disaster recovery plans (hereinafter – Plans) – a regulated set of procedures and necessary information, which is developed, consolidated, tested at a certain frequency and maintained in constant readiness for use in the event of incidents and emergencies;
4) incident – one or more events that have led or may lead to compromise or disruption of the functioning of the NPC business processes;
5) emergency situation – a situation of a natural, man-made or social nature in which the NPC business processes can no longer function in the usual (daily) mode of operation.

Chapter 3. NPC work process, ensuring business continuity

8. The activities of the NPC are subject to the negative impact of internal and external risks, the realization of which may disrupt the continuity of those activities.
9. Business processes and systems that have the highest priority for recovery include critical business processes of the National Bank of the Republic of Kazakhstan to ensure the functioning of payment systems, as well as related resources and sub-resources. Other business processes and information systems of the NPC are restored as a second priority.
10. The purpose of organizing the continuity of the NPC activity is to ensure the uninterrupted functioning of information systems.
11. Ensuring business continuity is carried out through:
1) measures to organize uninterrupted operation and keep resources / sub-resources at recovery sites up to date;
2) training of employees and implementation of measures to transfer systems to backup recovery sites without requiring additional human resources or time;
3) developing the Plans and keeping them up to date;
4) testing, analysis and improvement of the Plans, as well as of the readiness of the responsible parties to respond to incidents and emergencies.
12. To ensure the continuity of operations and restoration of functioning, NPC has backup data processing centers (hereinafter referred to as DPC), which meet the needs for ensuring the functioning of information systems in the event of incidents and emergencies. The location, technical equipment, options for servicing and using the backup data center are determined by the management of the NPC based on the objectively available needs and capabilities.
13. Plans are developed for incidents and emergencies that disrupt the continuous operation of information systems of the NPC.
14. Plans are the main documents regulating the actions of the NPC responsible employees in the event of incidents and emergencies.
15. Recovery teams are formed from experienced workers who can ensure the functioning of the business process for the duration of the emergency.
16. Recovery team members are committed to ensuring their availability and response at any time of the day and are responsible for the improper performance of duties in accordance with the Plans.
17. The Plans are subject to revision at least once a year, as well as when the configuration, the composition of recovery groups or the list of organizations whose services may be needed changes, when software or hardware is added or removed, and in other cases affecting the restoration of the functioning of information systems of the NPC.
18. The revision of the Plans is aimed at checking whether the measures defined by these Plans are sufficient given the actual conditions of use of the information systems and the existing requirements.
19. Testing and practical training, during which the actions in accordance with the Plans are partially or fully worked out, are carried out at least once every six months, using the planned method or another announced method of testing the Plans agreed with the concerned departments and third-party organizations.
20. The Plans include a list of necessary measures to restore the normal functioning of the NPC information systems in the event of an emergency. The recovery time of information systems should not exceed the time specified in the Plans.
21. The Plans contain the following provisions:
1) the procedure for revision, methods and test scenarios;
2) general information (brief information about the structure and functions of the NPC to be restored, recovery sites, vital records);
3) participants in the recovery process (recovery control center, recovery groups);
4) actions in the event of an emergency (notification of management, assessment of the scale of an accident, an evacuation team, implementation of the Plans, calling leaders and members of recovery teams, organizing transport, the procedure for notifying responsible and interested subdivisions of the National Bank of the Republic of Kazakhstan, occupying recovery sites, planning and organizing work on recovery, the procedure for organizing communication, interaction with third-party recovery organizations, public relations);
5) the procedure for the recovery teams and the recovery time (recovery stages, recovery times, tasks and functions of the recovery groups);
6) the procedure for the recovery of damaged information systems after the elimination of the consequences of an emergency, the criteria for making a decision on the completion of work in a non-standard mode, and the procedure for making such a decision, as well as the procedure for returning to the normal mode of operation.
22. NPC uses various approaches and measures to ensure and maintain business continuity, such as:
1) raising awareness of employees in the field of business continuity;
2) providing a backup data center when the main data center is unavailable;
3) using reliable equipment, with possible duplication of both the equipment itself and its components;
4) the use of advanced technologies to increase fault tolerance and reliability;
5) the use of methods and procedures to ensure the protection and recovery of information that is critical for the functioning of information systems;
6) storage of backup copies of vital records necessary for the continuous functioning of information systems.
22. NPC analyzes, on an ongoing basis, the effect of negative impacts on its production activities, based on a continuous process of risk assessment and assessment of the likelihood of an incident, the damage and the impact on the activities of NPC.

Chapter 4. Responsibility and control

23. The management of the NPC carries out general control and is responsible for the implementation of the main provisions of the Policy, including for providing conditions and resources to achieve the objectives of the Policy.
24. Responsibility for the continuity of day-to-day activities rests with the heads of structural divisions, who are personally responsible, within the limits of their authority, for the implementation of the Policy, as well as for continuous monitoring of the fulfillment of the requirements and measures established by the NPC.
25. All NPC employees responsible for ensuring business continuity are personally liable for violation and / or non-compliance with established requirements and measures to ensure business continuity, and report all identified violations and incidents to the security department.
26. Job descriptions of NPC employees participating in business continuity activities contain requirements for ensuring business continuity.

Approved Business Continuity Policy of the JSC “NPC NB RK”