Type: Regulatory document

1. Purpose and scope

1.1. This Information Security Guide for ACRA clients (hereinafter, the “Guide”) is a regulatory document of the Analytical Credit Rating Agency (Joint-Stock Company) (hereinafter, “ACRA”) that is published for public access on ACRA’s official website.

1.2. This Guide has been designed to implement the provisions of ACRA’s Information Security Policy of April 19, 2019 (Meeting Minutes No. 28).

1.3. This Guide has been designed for ACRA clients in accordance with the Bank of Russia’s Regulation No. 684-P, of April 17, 2019, Setting Forth Mandatory Requirements for Nonbank Financial Institutions to Ensure Protection of Information in Financial Market Operations for the Purposes of Countering Illegal Financial Transactions.

1.4. This Guide provides recommendations for ACRA clients on mitigating the risks of malware activity or unauthorized access to information.

2. Main terms

2.1. ACRA client / Client means an individual or a legal entity interested in the services provided by ACRA or already using those services.

2.2. Malicious software (malware) means a type of software that is able to insert its code into other programs and distribute its own copies over various communication channels in order to gain unauthorized use of the resources of a device or to cause harm/damage to the information owner and/or the device owner by copying, distorting, deleting or substituting information, or in order to create the conditions for such actions.

2.3. Compromise means an event that gives reasons to believe that the protected information has been accessed by an outsider, which makes its continued use seem unsafe.

2.4. Device means any automated information processing device used for communication with ACRA systems and services (for example, a personal computer, cellular phone, etc.).

2.5. Password means a secret combination of characters assigned to a specific individualized account and used to confirm the authority to use information systems and resources.

3. General guidelines

3.1. You should only use licensed software on your devices, obtained from sources that guarantee the absence of malware.

3.2. You should install, on a regular basis, the software updates released by manufacturers for your operating system, firewall, and applications.

3.3. Installation of any remote computer management software on your devices is not recommended.

3.4. Place your monitors and printers in such a way as to exclude or restrict unauthorized access of others to the information displayed or printed.

3.5. When leaving your workplace for a short time, it is recommended that you lock your computer, e.g., using a keyboard shortcut (Win + L).

4. Password protection recommendations

4.1. Do not write down your passwords on paper and do not save them in your hard disk files or on your devices in an unencrypted form. Do not use the “Save Password” function, as most programs store passwords unencrypted and an intruder gaining access to your computer will be able to use them.

4.2. Do not share passwords with other people, including your family or your company system administrators.

4.3. When accessing automated systems it is recommended to use complex passwords that meet the following requirements:

  • The password must be at least 12 characters long;
  • The password should include characters from each of the following groups: uppercase Latin letters (A-Z), lowercase Latin letters (a-z), digits (0-9), special characters and punctuation marks (!@#$%^&*(),.?).

4.4. Do not use simple passwords such as meaningful words (e.g., the word “password”), date of birth, phone number, etc., or sequences of consecutive keyboard characters (e.g., “qwerty”) or three or more repeated characters (e.g., 77777777, 111adZZZ).
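As an added illustration (not part of ACRA's Guide), the following Python checker applies the password rules of 4.3 and 4.4 to a candidate password and reports every rule it violates; the common-word list, keyboard rows and the optional personal-data argument are constructed assumptions used to approximate the "meaningful words", "keyboard sequence" and "date of birth / phone number" checks.

```python
import re

MIN_LENGTH = 12
# The four character groups required by 4.3; the special-character set is the one listed there.
GROUPS = {
    "uppercase": set("ABCDEFGHIJKLMNOPQRSTUVWXYZ"),
    "lowercase": set("abcdefghijklmnopqrstuvwxyz"),
    "digit": set("0123456789"),
    "special": set("!@#$%^&*(),.?"),
}
# Constructed stand-ins (assumptions): a real deployment would use a proper deny-list.
COMMON_WORDS = ("password", "welcome", "letmein")
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")


def _has_keyboard_sequence(pw, run=4):
    """True if pw contains `run` adjacent keyboard characters in order (forward or reversed)."""
    low = pw.lower()
    for row in KEYBOARD_ROWS:
        for i in range(len(row) - run + 1):
            seg = row[i:i + run]
            if seg in low or seg[::-1] in low:
                return True
    return False


def check_password(pw, personal_data=()):
    """Return the list of violated rules from 4.3/4.4; an empty list means the password is compliant.

    personal_data: optional strings such as a date of birth or phone number (4.4) that must not appear.
    """
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    for name, chars in GROUPS.items():           # 4.3: one character from each group
        if not any(c in chars for c in pw):
            problems.append(f"missing {name} character")
    if re.search(r"(.)\1\1", pw):                # 4.4: three or more repeated characters
        problems.append("three or more repeated characters")
    low = pw.lower()
    if any(w in low for w in COMMON_WORDS):      # 4.4: meaningful words
        problems.append("contains a common word")
    if _has_keyboard_sequence(pw):               # 4.4: consecutive keyboard characters
        problems.append("contains a keyboard sequence")
    if any(d and d.lower() in low for d in personal_data):
        problems.append("contains personal data (date of birth, phone number)")
    return problems


def is_compliant(pw, personal_data=()):
    return not check_password(pw, personal_data)
```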

4.5. It is recommended to change the password used to access automated systems at least once in 90 days.

5. Antivirus protection recommendation

5.1. For protection against malicious software, it is recommended to use licensed antivirus software that provides comprehensive protection and runs in automatic mode.

5.2. Antivirus software must be updated regularly.

5.3. You should perform a full virus scan on your devices at least once a week. If any suspicious files are detected, they should be removed or, if removal is impossible, moved to a quarantine area.

5.4. Do not turn off antivirus software under any circumstances.

6. Information security recommendations for Internet use

6.1. You should not go to dubious Internet sites.

6.2. Do not click on hyperlinks in emails received from unknown senders or open files attached to them. It is recommended to delete such messages immediately.

6.3. Always check that the URL shown in the address bar of your browser begins with https:// (displayed with a locked padlock icon), not http://. In addition, the authenticity of the web address must be confirmed by a valid SSL/TLS certificate issued by a trusted international certificate authority.

7. Electronic signature key compromise

7.1. Please report any compromise of the enhanced qualified electronic signature key used in communication with ACRA by sending an email to IS@acra-ratings.ru or by calling us at 8 (495) 139 0480.


Contact persons

Alexander Kuzmin
Senior Director, Head of the Compliance and Internal Control Service
+7 (495) 139 04 80, ext. 155