Regulatory Framework for Information Security

The Central Bank’s internal regulatory framework comprises high-level policies approved by the Board of Directors, which establish institutional compliance commitments. From these high-level policies derive specific policies that set out the action framework and the governance implemented to comply with them in the related subject areas.
These policies are supported by the processes defined and approved in our quality system.

High-Level Policy

   • High-Level Information Security Policy (effective as of February 4, 2025)

The Information Security Policy is developed based on the ISO/IEC 27000 family of standards.

“Information security” means “the conservation of confidentiality, integrity, and availability of information, including other properties of equal importance such as authenticity, responsibility, non-repudiation, and certainty.”

Therefore, it is necessary to establish a proper framework to manage all stages of the information life cycle, such as generation, selection, conservation, disclosure, and use. The information and the supporting processes, information systems, and telecommunications networks used by the Central Bank of Costa Rica (BCCR) constitute information assets of great value for the organization. These assets must be used in all processes within an adequate security environment, regardless of the supporting media and the technological environment in which they are processed.

This policy supports compliance with the legislative, regulatory, and contractual requirements applicable to the BCCR, thereby providing legal certainty. Furthermore, the BCCR is committed to the Specific Institutional Risk Assessment System (SEVRI) and to the continuous improvement of information security.

Statement: To ensure the protection of information assets of the Central Bank of Costa Rica against unauthorized use, modification, damage, or accidental or intentional destruction.

Core Deliverables:

  1. Information Assets Inventory. Creation of the institution’s information assets inventory, including its respective classification according to levels of confidentiality, availability, and integrity.

  2. Information Security Objectives. Establishment of information security objectives aligned with this policy, enabling the protection of information assets.

  3. Definition of Specific Information Security Policies. Establishment of lower-level policies to guide efforts aimed at safeguarding information assets, as well as the implementation of appropriate controls to ensure their security.

  4. Statement of Applicability of Controls. Implementation of the relevant controls based on the results of the information security risk treatment process.

  5. System for Establishing, Operating, Assessing, and Improving Information Security. The system for establishing, operating, assessing, and improving information security consists of various mechanisms designed to demonstrate the conformity of the Information Security Management System, keep it aligned with the organization’s context, and continuously enhance its effectiveness.

   • High-Level Business Continuity Policy (effective as of November 11, 2009)

The Business Continuity Policy is based on ISO/IEC 27001:2005, “Information Technology - Security Techniques - Information Security Management Systems,” and on BS 25999, “Business Continuity Management (BCM),” issued by the British Standards Institution.

“Business continuity” means the organization’s strategic and tactical capability to plan for and respond to incidents and business disruptions, ensuring the continuation of operations at a pre-established acceptable level.

Additionally, Business Continuity Management is a holistic management process that identifies potential threats to the organization and the impact that may result if such threats materialize. It further provides a framework that enables the organization to enhance its ability to recover from disruptions, maintain the capacity to achieve its key objectives, and deliver an effective response to safeguard the interests of its key stakeholders, as well as its reputation, brand, and value-adding activities.

Statement: To ensure that measures are adopted to establish a Business Continuity Management Model aligned with the characteristics, needs, and services of the Central Bank of Costa Rica.

Core Deliverables:

  1. Identification of the Institution’s Critical Processes. To establish the necessary mechanisms to identify the institution’s critical processes that must be subject to the business continuity process.

  2. Definition of the Business Continuity Policy Manual. To establish lower-level policies to ensure the continuity of the institution’s critical processes and to enhance its “Resilience,” understood as the proactive improvement of the organization’s capacity to recover from disruptions in areas that are vital to the achievement of its key objectives.

  3. Establishment of Related Plans. To establish the plans that comprise the Institutional Continuity Plan, including the following:

     • Recovery Plans
     • Alternate Work Plans
     • Comprehensive testing plan to measure the response to different events

  4. Establishment of a System for Measurement, Analysis, and Improvement. The system for measurement, analysis, and improvement consists of various mechanisms designed to demonstrate the conformity of the Business Continuity Management System and to continuously enhance its effectiveness.


Related Documents