Page 22 - FIGI Digital Financial Services security assurance framework
3 … and the Cyber Resilience Oversight Expectations for Financial Market Infrastructures report to read more about mitigations.
6 DFS SECURITY ASSURANCE FRAMEWORK
The DFS security assurance framework follows similar principles from the ISO/IEC 27000 family - Information Security Management Systems, the Payment Card Industry Data Security Standard (PCI-DSS) v3.2, the Payment Applications Data Security Standard (PA-DSS) and National Institute of Standards and Technology Special Publication 800-53, Revision 4. Technical guidelines from the Centre for Internet Security (CIS Controls Version 7) and the Open Web Application Security Project (OWASP), commonly referred to as the OWASP Top 10, were also used as benchmarks to identify controls that are particular to the digital financial services ecosystem.

This framework consists of the following components:

a) A security risk assessment based on ISO/IEC 27005 – Security techniques - Information security risk management (Section 7).
b) Assessment of threats and vulnerabilities to the underlying infrastructure, DFS applications, services, network operations and third-party providers involved in the ecosystem for DFS delivery (Section 8).
c) Mitigation strategies based on the outcome of (b) above (Section 8).

This framework identifies:

i. The various security threats to DFS assets in each of the security dimensions.
ii. The related vulnerabilities that can be exploited by these threats.
iii. Security control measures that can be implemented by DFS stakeholders against the threats and vulnerabilities. Each security control measure can fall in one or more of the eight Security Dimensions in ITU-T Recommendation X.805.
7 RISK ASSESSMENT METHODOLOGY
In order to ensure a security model that is sustainable and continuously improves DFS security, this framework uses the Deming cycle, a quality model divided into four phases: Plan, Do, Check and Act (PDCA). In the PDCA-based implementation methodology, the activities and outcomes that have to be achieved in each of the four phases are identified. In the DFS ecosystem, multiple stakeholders are involved, and the PDCA is designed with activities that assure overall end-to-end security of the DFS ecosystem; the diagram below shows the DFS security framework model based on PDCA.

Monitoring and review in the DFS environment may take different forms depending on the stakeholder, for example the regulator reviewing the security controls set by the DFS provider to assure security for the DFS users, or internal and external reviews of the DFS environment by auditors. Thus, the monitoring phase also deals with escalating and reporting the risks to the relevant stakeholders.

Communicating with management during all phases of the risk management process ensures understanding and ownership of roles and responsibilities, which is key for establishing the context appropriately, adequate identification of risks, and multi-stakeholder risk analysis and evaluation. Communication with management gives a platform for broader consultation and process review with all the DFS stakeholders, which helps to secure endorsement and support for the risk treatment plans based on a relevant and accurate view of the risks within the ecosystem.