Page 37 - ITU-T Focus Group Digital Financial Services – Technology, innovation and competition
• Prevent devices from being simultaneously connected to the organization’s trusted internal network and an
untrusted external network (e.g. a dual-homed device that has its Ethernet adapter on the internal network
and its wireless adapter on an external network at the same time).
• Implement cryptographic mechanisms to prevent unauthorized disclosure of information as it traverses
public or untrusted networks.
• Terminate network connections associated with communications sessions at the end of the sessions or
after a defined period of inactivity. If communications are designed to be long-lived (e.g., API connections
that periodically exchange data), monitor these connections to ensure the detection of unauthorized
activity.
• Establish and manage (generate, distribute, rotate and revoke) the cryptographic keys used by the
cryptography employed in the information system.
Media protection
• Protect (i.e., physically control and securely store) both paper and digital information system media.
• Protect data at rest using cryptographic methodologies.
• Limit access to information system media to authorized users only.
• Sanitize or destroy data on information system media before disposal or reuse of the media.
• Control access to media and maintain accountability for media during transport outside of controlled
areas.
• Implement cryptographic mechanisms to protect the confidentiality of data stored on digital media during
transport, unless the media are otherwise protected by alternative physical safeguards.
• Control the use of removable media on information system components.
• Prohibit the use of portable storage devices when such devices have no identifiable owner.
• Protect the confidentiality of backups at storage locations.
4.3 Audit and response
Recommendation summary
Develop risk management frameworks and robust audit controls within organizations and regulatory
environments. Regulators and DFS providers should both develop incident report handling mechanisms, test
their response capabilities, and perform penetration tests to ensure the robustness of provider architectures
and client-side mobile money applications against attack.
Establish audit logs and monitoring
• Create, protect, and retain information system audit logs to enable the monitoring, analysis, investigation,
and response to inappropriate information system activity.
• Use automated mechanisms to analyse, correlate and report inappropriate, suspicious or unusual activities
across systems, particularly for application-level behaviour and transaction monitoring. Periodically test
these mechanisms to ensure the control is operating effectively.
• Ensure a process is in place to respond to inappropriate, suspicious, or unusual activities.
• Use the Network Time Protocol (NTP) to synchronize system clocks, so that events recorded on different
systems can be ordered and correlated.
• Monitor the information systems and the network perimeter (e.g., firewalls) including inbound and
outbound communications traffic, to detect attacks and indicators of potential attacks.
• Monitor information system security alerts and advisories and take appropriate actions in response.
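The following is an added illustration, not code from the ITU-T report, of three of the controls listed above working together: audit records are protected with a SHA-256 hash chain so that an edited or deleted record is detectable; constructed log lines from two clock-synchronised systems (an application tier that authorises transfers and a core ledger that posts them) are correlated; and two transaction-monitoring rules flag unusual activity (a burst of transfers from one account, and a ledger posting with no matching application-side authorisation). The log format, account identifiers, thresholds and system names are assumptions made for the example.

```python
"""Tamper-evident audit log plus cross-system transaction correlation.
Added example: systems, log format, accounts and thresholds are constructed."""
import hashlib
import json
from collections import defaultdict
from datetime import datetime, timedelta

# --- 1. Create and protect audit records -------------------------------------
# Every stored entry carries the SHA-256 of the previous entry, so editing or
# deleting any record breaks each link after it and verify_chain() reports it.
GENESIS = "0" * 64

def _digest(prev_hash: str, record: dict) -> str:
    payload = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode()).hexdigest()

def append_record(chain: list, record: dict) -> dict:
    prev = chain[-1]["hash"] if chain else GENESIS
    entry = {"prev": prev, "record": record, "hash": _digest(prev, record)}
    chain.append(entry)
    return entry

def verify_chain(chain: list) -> int:
    """Return the index of the first broken link, or -1 if the chain is intact."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        if entry["prev"] != prev or _digest(prev, entry["record"]) != entry["hash"]:
            return i
        prev = entry["hash"]
    return -1

# --- 2. Correlate events across systems --------------------------------------
# Constructed log lines from two NTP-synchronised systems: the application
# tier ("app") authorises transfers, the core ledger ("ledger") posts them.
# Timestamps are UTC ISO 8601; shared time is what makes the comparison valid.
SAMPLE_LOG = """\
2024-03-01T09:00:01Z app AUTH tx=1001 acct=A100 amount=50
2024-03-01T09:00:02Z ledger POST tx=1001 acct=A100 amount=50
2024-03-01T09:00:10Z app AUTH tx=1002 acct=A200 amount=500
2024-03-01T09:00:11Z ledger POST tx=1002 acct=A200 amount=500
2024-03-01T09:00:15Z app AUTH tx=1003 acct=A200 amount=500
2024-03-01T09:00:16Z ledger POST tx=1003 acct=A200 amount=500
2024-03-01T09:00:20Z app AUTH tx=1004 acct=A200 amount=500
2024-03-01T09:00:21Z ledger POST tx=1004 acct=A200 amount=500
2024-03-01T09:05:00Z ledger POST tx=1005 acct=A300 amount=9000
"""

def parse_line(line: str) -> dict:
    """Flat dict per line; the timestamp stays a string so the record is
    JSON-serialisable for the hash chain."""
    ts, system, action, *fields = line.split()
    rec = {"ts": ts, "system": system, "action": action}
    for field in fields:
        key, value = field.split("=", 1)
        rec[key] = int(value) if value.isdigit() else value
    return rec

def to_dt(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")

def find_velocity_alerts(records, max_count=3, window=timedelta(seconds=60)):
    """Accounts that authorise max_count or more transfers inside one sliding
    window: a cash-out pattern that per-transaction checks do not see."""
    by_acct = defaultdict(list)
    for r in records:
        if r["system"] == "app" and r["action"] == "AUTH":
            by_acct[r["acct"]].append(to_dt(r["ts"]))
    alerts = []
    for acct, times in sorted(by_acct.items()):
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= max_count:
                alerts.append(acct)
                break
    return alerts

def find_unmatched_postings(records, max_skew=timedelta(seconds=5)):
    """Ledger postings with no application-tier AUTH for the same tx within
    max_skew: a posting that bypassed the application controls."""
    auths = {r["tx"]: to_dt(r["ts"])
             for r in records if r["system"] == "app" and r["action"] == "AUTH"}
    alerts = []
    for r in records:
        if r["system"] == "ledger" and r["action"] == "POST":
            auth_time = auths.get(r["tx"])
            if auth_time is None or not timedelta(0) <= to_dt(r["ts"]) - auth_time <= max_skew:
                alerts.append(r["tx"])
    return alerts

if __name__ == "__main__":
    records = [parse_line(line) for line in SAMPLE_LOG.splitlines()]
    chain = []
    for rec in records:
        append_record(chain, rec)
    print("chain intact:", verify_chain(chain) == -1)
    print("velocity alerts:", find_velocity_alerts(records))
    print("unmatched ledger postings:", find_unmatched_postings(records))
    chain[3]["record"]["amount"] = 5  # simulate an edited stored record
    print("first broken link after tampering:", verify_chain(chain))
```

The hash chain only makes tampering detectable, not impossible: an attacker with write access to the whole store can rewrite every link after the edited record, so the current head hash should be anchored somewhere the log writer cannot alter (a separate system, a signed checkpoint or write-once storage). The `max_skew` check in `find_unmatched_postings` is also why clock synchronisation matters: with unsynchronised clocks, legitimate postings would be flagged and an attacker's out-of-band postings could hide inside the noise.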