1. This Information Security Policy of Poytaxt Bank JSC (hereinafter referred to as the Policy) defines the goals and principles of ensuring information security, sets out the main directions and requirements for information protection, forms the basis for maintaining the information security regime, and serves as a guide for developing the relevant internal documents of Poytaxt Bank JSC (hereinafter referred to as the Bank).
2. The regulatory and legal basis of the Policy is the provisions of the legislation of the Republic of Uzbekistan on the use of information systems and information security, as well as the requirements of international information security management standards.
3. The provisions of the Policy are binding on all employees of the Bank.
4. The Policy covers all information systems and documents owned and used by the Bank. The Bank ensures the creation and operation of an information security management system, which is part of the Bank's general management system designed to manage the process of ensuring information security. Ensuring information security is one of the conditions for the successful implementation of the Bank's commercial activities. The information circulating in the Bank is one of the most important banking assets.
5. Information security (hereinafter referred to as IS) of the Bank is the state of protection of electronic information resources, information systems and the information and communication infrastructure from external and internal threats that may lead to material damage, damage the reputation of the Bank, or cause other harm to the Bank, its shareholders, employees or customers.
As an element of the general policy of the Bank's management, IS is based on business requirements and is developed and implemented in accordance with the general rules of risk management in the Bank. Violations in this area can lead to serious consequences, including a loss of trust on the part of customers and a decrease in competitiveness.
The provision of information security includes the use of all available means and tools within the competence of the Bank's employees aimed at protecting information and the infrastructure supporting it.
An integral part of organizing IS is the continuous monitoring of the effectiveness of the measures taken, the definition of a list of unacceptable actions (or inaction), their possible consequences, and the responsibility of employees.
The information security policy and system as a whole are based on the following regulatory legal acts and international standards (this section specifies the main regulations that directly affect the process of creating the Bank's information security system, at the same time, there are a number of documents that either describe strategic aspects of the development of information security at the state level, or regulate the rules for the information protection of individual areas of activity):
The Information Security Policy applies to all employees of the Bank, including interns, contractors and external visitors (clients, technical service personnel, etc.) who, for one reason or another, have legitimate access to the information resources (IR) of the Bank, its clients and correspondents. It also applies to the workstations (APM) of the Bank's personnel, office equipment and other resources of the Bank's information infrastructure.
The information security policy does not apply to information systems and informatization objects intended for the transmission, processing, storage of information containing state secrets. The protection of information containing state secrets is provided in accordance with the Legislation of the Republic of Uzbekistan.
The main goal, which all the provisions of the Policy are aimed at achieving, is to minimize damage from events that pose a threat to the security of information by preventing them or minimizing their consequences.
Regulatory references:
The process of creating reliable information protection is continuous. In order to ensure a sufficiently reliable information security system, it is necessary to constantly adjust its parameters, adapt to reflect new threats emanating from the external and internal environment. There should be no obstacles to making changes to standards, procedures or Policies as the need arises.
In accordance with this provision, the following stages of the information security management cycle are determined (PDCA model: Plan-Do-Check-Act):
Plan — Planning (development) — risk analysis, definition of Policies, goals, objectives, processes, procedures, software and hardware related to risk management and improvement of information security in order to obtain results in accordance with the overall strategy and objectives of the Bank;
Do — Implementation (implementation and operation) — implementation and operation of Policies, control mechanisms, processes, procedures, software and hardware;
Check — Checking (monitoring and analysis) — assessment and, where applicable, measurement of the performance characteristics of processes against the Policy, its goals and practical experience; analysis of changes in external and internal factors affecting the security of information resources; and reporting to management for review;
Act — Correction (maintenance and improvement) — the adoption of corrective and preventive measures based on the results of internal and external inspections of the state of the information security, management requirements, and other factors in order to ensure continuous improvement of the information security management system.
The construction of the Bank's information security management system and its functioning should be carried out in accordance with the following basic principles:
legality — any actions taken to ensure information security are carried out on the basis of current legislation with the use of all methods permitted by law for detecting, preventing, localizing and suppressing negative impacts on the Bank's information protection facilities;
focus on business — information security is considered a means of supporting the Bank's core business. Any measures to ensure information security should not create serious obstacles to the Bank's activities;
continuity — the use of information security management systems and the implementation of any measures to ensure the information security of the Bank should be carried out without interrupting or stopping the Bank's current business processes;
complexity — ensuring the security of information resources throughout their life cycle, at all technological stages of their use and in all modes of operation;
validity and economic feasibility — the protection capabilities and means used must be implemented at the current level of development of science and technology, be justified for the given level of security, and comply with the applicable requirements and standards. In all cases, the cost of information security measures and systems should be less than the amount of possible damage from any type of risk;
priority — categorization (ranking) of all information resources of the Bank according to the degree of importance in assessing real as well as potential threats to information security;
need to know and least privilege — a user receives the minimum level of privileges and access only to the data necessary to perform activities within his authority;
specialization — the operation of technical means and the implementation of information security measures should be carried out by professionally trained specialists of the Bank;
awareness and personal responsibility — managers at all levels and performers should be aware of all information security requirements and are personally responsible for meeting these requirements and complying with the established information security measures;
interaction and coordination — information security measures are carried out on the basis of cooperation between the relevant structural units of the Bank, coordination of their efforts to achieve their goals, and the establishment of the necessary links with external organizations, professional associations and communities, government agencies, legal entities and individuals;
confirmability — important documentation and all records, i.e. documents confirming the fulfillment of information security requirements and the effectiveness of the system of its organization, must be created and stored in a way that allows prompt access and recovery.
IS consists of three main components:
confidentiality: a property indicating the need to restrict the range of subjects who have access to the information, provided by the ability of the system (environment) to keep this information secret from subjects who are not authorized to access it;
integrity: the property of information consisting in its existence in an undistorted form (unchanged with respect to some fixed state of it);
availability: a property characterized by the possibility of timely, unhindered access to the information by subjects who have the appropriate authority.
The information security policy provides for the provision of information security through the use of a combination of organizational, regime, technical, software and other methods and means of information protection, as well as the implementation of comprehensive continuous monitoring of the effectiveness of implemented measures to ensure information security.
18. In the process of implementing the Information Security Policy, changes and additions may be made to it.
The following elements are recognized as the main objects of information security in the Bank:
information resources of the Bank, its clients and correspondents containing information classified in accordance with the current legislation and internal regulatory documents of the Bank as banking and commercial secrets, personal data, financial information, and any other information necessary to ensure the normal functioning of the Bank (hereinafter — protected information);
means and systems of informatization (computer equipment, information and computing complexes, networks, systems) on which the protected information is processed, transmitted and stored;