Page 12 - FIGI Digital Financial Services security assurance framework

ities facing the DFS providers (banks, non-banks providing mobile money services), mobile network operators, customers, payment system providers, merchants, and technology services/third-party service providers. Regulators, including telecom authorities and banking and payments regulators, could also make use of the DFS Security Assurance Framework for establishing security baselines for the DFS providers.

The framework, when implemented, would complement the established risk and information security management practices of the stakeholders involved in the DFS ecosystem. For example, the security control measures in this document can be included as part of the ICT security programme of the DFS provider. An underlying assumption is made that organisations have already implemented good security governance principles and standards, such as information security policy documentation, data classification, allocation of information security responsibilities, data privacy policies, security awareness and training for their staff, secure development, testing and maintenance of infrastructures, devices, applications and processes, vulnerability management, backup procedures, incident management, and business continuity and disaster recovery processes, as these are outside the scope of this document.



2  ITU-T RECOMMENDATION X.805 OVERVIEW

The Security Assurance Framework uses ITU-T Recommendation X.805 as its foundation for applying security control measures to achieve end-to-end network security. It also largely suggests controls based on the recommendations in the technical report “Security Aspects of Digital Financial Services”² by the ITU-T Focus Group Digital Financial Services.

The end-to-end communications environment of the DFS ecosystem is considered in terms of ITU-T Recommendation X.805, which provides a useful reference framework for security management. The ITU-T Recommendation X.805 security architecture has eight ‘security dimensions’, each of which is a set of measures designed to address a particular aspect of network security.

The eight security dimensions, which provide a systematic way of countering network threats, are as follows.

•  Access control: Protection against unauthorized use of network resources.
•  Authentication: Methods of confirming the identities of communicating entities.
•  Non-repudiation: Methods to prevent an individual or entity from denying cause of an event or action.
•  Data confidentiality: Protection of data from unauthorized disclosure.
•  Communication security: Assurance that information only flows between authorized endpoints without being diverted or intercepted.
•  Data integrity: Protection of the correctness and accuracy of data.
•  Availability: Prevention of denial of authorized access to network elements and data.
•  Privacy: Protection of data information that might be derived from observing network activity.

ITU-T Recommendation X.805 defines a hierarchy of network equipment and facility groupings into three security layers. These security layers provide comprehensive, end-to-end security solutions and identify where security must be addressed in products and solutions, because each layer may be exposed to different types of threats and attacks. The security layers are as follows:

i.   Infrastructure Security Layer: consists of the basic building blocks used to build telecommunications networks, services and applications, and consists of individual transmission links and network elements, including their underlying hardware and software platforms.
ii.  Services Security Layer: consists of services that customers/end-users receive from networks. These services range from basic connectivity and transport
iii. Applications Security Layer: focuses on network-based applications that are accessed by customers/end-users.








