Information Security and Personal Data Protection Policy of JSC «TAYANCH MIKROMOLIYA BANKI»

This Information Security and Personal Data Protection Policy of JSC «TAYANCH MIKROMOLIYA BANKI» (hereinafter – the Policy) defines the goals, objectives and commitments of JSC «TAYANCH MIKROMOLIYA BANKI» (hereinafter – the Bank) in the field of information security and personal data protection.

The Policy is based on the understanding of the Bank's role as a financial organization engaged in the collection, storage, processing, transmission and protection of confidential information and personal data of clients, partners, employees and other subjects of personal data.

The Policy ensures the protection of information in accordance with the purpose and development strategy of the Bank, the current legislation of the Republic of Uzbekistan, as well as the requirements of international standards for information security management and data confidentiality.

The main objective of this Policy is to ensure the sustainable functioning of the Bank by preventing security threats to its information and technical resources; preventing the disclosure, loss, leakage, distortion and destruction of Information Systems, as well as minimizing the costs of recovery and elimination of the consequences of realized threats, namely threats of violation of:

I. Confidentiality. Access to information assets should be granted only to authorized users, system objects or processes. Information processing, storage and transmission processes must be carried out in such a way as to prevent the possibility of unauthorized distribution of information.

II. Integrity. Information assets must remain unchanged under conditions of accidental or intentional distortion (destruction), or correct detected changes.

III. Availability. Information assets must be freely available to authorized users, in the form and place necessary for users, and at the time when they need them.

To achieve and implement the specified objective, the following tasks are defined in the Bank:

I. Ensuring the confidentiality, integrity and availability of information.

II. Protection of personal data at all stages of their processing.

III. Risk management in the field of information security and personal data protection.

IV. Compliance with the requirements of legislation, standards and contractual obligations in the field of information protection and personal data.

V. Increasing the awareness and competence of employees in matters of information security and personal data protection.

VI. Effective response to information security incidents and ensuring the continuity of the Bank's operations.

VII. Regular analysis, control and improvement of the information security management system and personal data protection.

To fulfill the set tasks, the Bank, represented by the Bank's Board, assumes the following obligations:

I. Defining the policy and requirements for the protection of information and personal data.

II. Determining and making decisions on changing and improving the organizational structure of information security management and data confidentiality systems.

III. Allocating sufficient technical, organizational and human resources for the effective functioning and development of information security management and data confidentiality systems.

IV. Determining the degree of responsibility and duties of the Bank's employees to ensure information security and personal data protection.

V. Evaluating the effectiveness of implemented measures to protect information and personal data.

VI. Continuous improvement of information security management and data confidentiality systems.

The Bank has the right to make changes to this Policy by posting a new version of the Policy on its website.