
ITU-T Focus Group Digital Financial Services – Technology, Innovation and Competition



R21 – Maintain a trustworthy supply chain to assure the integrity of systems supporting DFS used within these networks.





4 Guidelines for protecting data confidentiality, integrity and availability

The following are guidelines that all system and network operators, including network providers, DFS providers, and service providers, should follow. Proper IT security policies are crucial to the protection of DFS data. These guidelines are informed by NIST Special Publication 800-171 [13] and PCI DSS Requirements version 3.1 [14].


4.1 Policies and access control

Recommendation summary

• Ensure organizational support for IT security policies.
• Enforce physical access controls to critical information systems and networks, and maintain audit logs of physical access.
• Enforce and maintain robust access control by assigning permissions to roles on a least-privilege basis, and ensure confidentiality of information through mechanisms such as encryption.
• Ensure that identity is vetted before access to information systems is allowed, and move to multifactor authentication systems.

Develop and document security policies and procedures

• Obtain executive management support for IT security policies and procedures.

Physical security

• Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals.
• Protect and monitor the physical facility and/or areas that contain support infrastructure.
• Escort and monitor visitor activity.
• Maintain audit logs of physical access.
• Control and manage physical access to critical infrastructure and devices.
Access control

• Remove or reset default usernames and passwords on system and/or infrastructure devices.
• Limit access to information systems, the ability to conduct transactions or functions, and the ability to execute processes on devices without authorization. Apply the principle of least privilege.
• Ensure personnel's duties are separated to reduce the risk of fraudulent activities.
• Ensure usernames/user IDs are unique so that system activities can be traced to individuals.
• Configure password complexity, the limit on unsuccessful login attempts, password history and reuse periods, and account lock-out periods to reasonable minimum values.
• Enable session timeout after a pre-defined period of inactivity.
• Monitor and control remote access sessions.
• Store and transmit only encrypted passwords.
• Promptly disable or remove access for terminated or transferred employees.
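As an added example that is not part of the report, the following Python audits a constructed account and policy snapshot against the access-control bullets above (default credentials, clear-text passwords, non-unique user IDs, separation of duties, stale accounts, and password, lock-out and session settings). The snapshot layout, the field and role names, and the numeric limits are assumptions chosen for illustration; the report itself only asks for "reasonable minimal" values.

```python
# Added example, not from the ITU-T report: audit a constructed account/policy snapshot
# against the section 4.1 access-control bullets. Snapshot layout, field names and numeric
# limits are illustrative assumptions; the report asks only for "reasonable minimal" values.
DEFAULT_CREDENTIALS = {("admin", "admin"), ("root", "root"), ("admin", "password")}
CONFLICTING_ROLES = [{"initiate_payment", "approve_payment"}]  # separation of duties (assumed names)
POLICY_LIMITS = {  # setting -> (check on configured value, finding text); limits are assumptions
    "min_password_length": (lambda v: v >= 8, "password complexity too weak"),
    "max_failed_logins": (lambda v: 0 < v <= 6, "failed-login limit not enforced"),
    "lockout_minutes": (lambda v: v >= 30, "account lock-out period too short"),
    "password_history": (lambda v: v >= 4, "password reuse not restricted"),
    "session_timeout_minutes": (lambda v: 0 < v <= 15, "session timeout missing or too long"),
}

def audit_access_policy(snapshot: dict) -> list[str]:
    """Return findings for the snapshot; an empty list means every check passed."""
    findings, seen = [], set()
    for acct in snapshot.get("accounts", []):
        user = acct["username"]
        if (user, acct.get("password")) in DEFAULT_CREDENTIALS:  # default credentials not reset
            findings.append(f"{user}: default credential still active")
        if acct.get("password") is not None and not acct.get("password_hashed", False):
            findings.append(f"{user}: password stored in clear text")  # store only encrypted passwords
        if user in seen:  # unique IDs keep activity traceable to individuals
            findings.append(f"{user}: user ID is not unique")
        seen.add(user)
        roles = set(acct.get("roles", []))
        for pair in CONFLICTING_ROLES:  # one person must not both initiate and approve
            if pair <= roles:
                findings.append(f"{user}: holds conflicting roles {sorted(pair)}")
        if acct.get("employment") == "terminated" and acct.get("enabled", True):
            findings.append(f"{user}: terminated employee still enabled")  # disable promptly
    settings = snapshot.get("settings", {})  # password, lock-out and session settings
    for key, (passes, text) in POLICY_LIMITS.items():
        if not passes(settings.get(key, 0)):
            findings.append(f"settings.{key}: {text}")
    return findings

# Constructed sample snapshot (not real data) with several deliberate deviations.
SAMPLE_SNAPSHOT = {
    "accounts": [
        {"username": "admin", "password": "admin", "password_hashed": False, "roles": ["ops"]},
        {"username": "alice", "password": "$6$salt$hash", "password_hashed": True,
         "roles": ["initiate_payment", "approve_payment"]},
        {"username": "bob", "password_hashed": True, "employment": "terminated", "enabled": True},
        {"username": "bob", "password_hashed": True, "roles": ["teller"]},
    ],
    "settings": {"min_password_length": 8, "max_failed_logins": 0, "lockout_minutes": 30,
                 "password_history": 4},  # session_timeout_minutes deliberately absent
}
```

Running `audit_access_policy(SAMPLE_SNAPSHOT)` yields seven findings, one per deliberate deviation; the same function applied to a compliant snapshot returns an empty list.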


