
Resolution BC 4658: 2018 - Cybersecurity and Cloud Computing Policy

May 25, 2018 · February 28th, 2019

By @marcospaulofreitas

Resolution No. 4,658 of April 26, 2018, of the Central Bank of Brazil provides for the implementation of a Cyber Security Policy and sets the requirements for contracting data processing, data storage and cloud computing services, to be observed by financial institutions and other institutions authorized to operate by the Central Bank of Brazil.

Information Security Requirements

The resolution sets out Information Security (IS) requirements to be adopted by the institutions, namely:

  • Establishment of a Cyber Security Policy and an action and incident response plan, which must be approved by the Board of Directors or by the executive board by May 6, 2019, and reviewed at least annually;
  • Designation of the Board member(s) and/or director responsible for ensuring the relevance and approval of the Cyber Security Policy and for the implementation of the action and incident response plan;
  • Definition of criteria for the classification of data and information;
  • Implementation of information security (IS) training and communication programs for clients and employees;
  • Implementation of controls to ensure the confidentiality, integrity and availability of the data and systems that support regular operations, taking into account the size of the institution, its risk profile, business model, products and data sensitivity.

Institutions are also required to adopt procedures and controls that reduce their level of exposure to incidents. Such procedures shall cover at least:

  • Authentication;
  • Encryption;
  • Prevention and detection of intrusions and possible information leaks;
  • Periodic testing and scanning for vulnerability detection;
  • Protection against malicious software;
  • Establishment of traceability mechanisms;
  • Network access and segmentation controls;
  • Maintenance of backups of data and information;
  • Development of secure systems.

Incident Management

The Resolution also addresses the incident management process, highlighting the following controls and requirements to be implemented by institutions:

  • A dedicated incident register and an established process for identifying the cause and impact of incidents, as well as for preparing and following up incident response plans;
  • An annual report on the implementation of the action and incident response plan, covering the incidents that occurred in the period and the results of continuity tests run against unavailability scenarios. This annual report must be submitted to and approved by the Board of Directors and/or the executive board.

Cloud services contracting and data processing / storage

The Resolution stipulates that financial institutions contracting data processing, data storage or cloud computing services must adopt procedures that include:

  • Ensuring that their risk management policies, strategies and structures cover the contracting of this type of service, whether in Brazil or abroad;
  • Verifying the capacity of the service provider (competence and resources) and its adherence to the institution's requirements;
  • Accessing and evaluating the service provider's audit reports, as well as continuously monitoring the services provided;
  • Ensuring that the service provider maintains physical and logical controls that protect the institution's customer data;
  • Ensuring that the institution remains responsible for the reliability, integrity and availability of the contracted services, as well as for compliance with the laws and regulations in force;
  • Communicating in advance to the Central Bank of Brazil the contracted services and the countries and regions where the data will be stored;
  • Ensuring continuity by contractually obliging the provider to transfer the data to a new service provider in the event of termination of the contract.

The contracting of services rendered abroad must comply with the following requirements:

  • Existence of an agreement between the Central Bank of Brazil and the authorities of the countries involved. If there is no such agreement, authorization from the Central Bank of Brazil is required;
  • Definition of the country and region where the data will be processed and stored;
  • Business continuity measures in case the provider is unable to deliver the services;
  • The country's legislation must allow access to the data by the institution and by the Central Bank of Brazil;
  • Measures to ensure the security of the transmission and storage of information.

Institutions that have already contracted data processing, data storage or cloud computing services must submit to the Central Bank of Brazil, within 180 days of the effective date of this resolution, a schedule for compliance with the requirements, with a final deadline of December 31, 2019.

Conclusion

The Central Bank of Brazil's decision to publish this standard follows a global movement and concern with cyber security that has become evident in recent years, for example in the discussions at the World Economic Forum 2018 and in the growing number of increasingly sophisticated incidents, threats and attacks.

Given this scenario, it is up to the institutions to establish and improve identification mechanisms and security controls in order to protect their information assets.

* Marcos Paulo Freitas is an Information Security Consultant at [SAFEWAY].

Want to take a quick test?

How much do you or your company comply with the current Cyber Security Policy of BC Resolution No. 4658?

Answer the "10 Key Questions" below and evaluate your company's current maturity level against BC Resolution No. 4658.

About [SAFEWAY]

[SAFEWAY] is widely recognized as a provider of premium information security and cybersecurity solutions. From its extensive portfolio, we highlight several solutions, including those based on the following platforms:

● RSA Archer, from RSA Security, considered by the Gartner and Forrester institutes and by the market itself to be the most complete process integration solution for Governance, Risk Management, Compliance and Business Continuity Management;

● [SAFEWAY] Security Tower, supported by IBM QRadar (Watson technology), tailored to each organization's security and cyber defense management needs;

● And others, involving technologies from Imperva, Thales, BeyondTrust, Manly and WatchGuard Technologies.

We await your contact: [email protected]
