Annexure: Information Systems Security Guidelines for the Banking and Financial Sector (Part 2 of 2) - Reserve Bank of India (RBI)
Computer Systems and Security Controls
Computer systems are at the centre of the information systems security policy. The computation power provided by these systems allows organisations more flexibility and processing capability than ever before. The complex array of computer capabilities offers operational advantages but, at the same time, also raises security concerns. The following controls, among others, will require to be implemented to protect the integrity of the computer systems in use in the organisation, which include mainframes, mini-computers, microcomputers, laptops, notebooks, palmtops, servers, workstations and personal computers.
7.1 Physical Protection :
Physical barriers to information and information processing resources can serve to control access. The "fortress computer centre" is becoming increasingly rare. However, there may be circumstances, when physical controls may be adequate. The following steps will require to be taken to protect the computer systems and the central information processing centres from physical damage:
a) To choose the site/s for the information processing centres away from the flight paths, geological fault lines, power lines, potential terrorist targets etc.
b) To define a security perimeter around the central processing facilities as a basis for physical controls.
c) To limit physical access strictly to the authorized personnel. A record of entry and exit should be kept. Positive identification should be made prior to any entry. All staff should be instructed to challenge or report unrecognised or unauthorized persons.
d) To implement an inventory or property control program.
e) To monitor the movement of all computer resources/components/ parts from the organisation’s sites.
f) To build rooms or areas containing information processing equipment which conform to all building and fire codes of the local jurisdiction and to the manufacturer’s specifications.
g) To provide adequate air-conditioning for cooling of the equipment i.e. for maintenance of room temperature and humidity at levels, specified by the manufacturer/s under the worst-case conditions.
h) To provide clean and adequate power supply. Uninterruptible power supply (UPS) units and generators should be installed, and agreements executed with the related parties/agencies for priority restoration of such services.
i) To provide adequate fire and water protection.
j) To have engineering diagrams which have been reviewed for single-point-of-failure and evaluated for ways to eliminate those failures.
k) To prohibit storage of hazardous or combustible material within the perimeter of the processing site/s.
l) To consider an intermediate holding area for deliveries to the processing rooms.
m) To escort visitors, if any, within the premises at all times.
n) To ensure that the building and the computer equipment meet the insurer’s requirements.
7.2 The following steps will require to be implemented to protect the personal computers, when used off-site:
a) To prohibit the use of the personal computers off-site unless virus controls have been installed.
b) To ensure that the personal computers are not left unattended in public places.
c) To ensure that the personal computers are carried as hand luggage while travelling.
d) To prohibit the use of the personal computers off-site unless they have adequate access protection controls, commensurate with the classification of the information.
e) To apply all other controls as appropriate.
f) To ensure that all the manufacturer’s instructions regarding the protection of the computer equipment are followed.
7.3 Logical Access Control :
The logical access control for all the computer systems will be implemented to prevent unauthorized modifications, disclosures or destruction of information residing in the computer systems.
7.4 Change Control :
The established change control procedures will be followed to ensure the maintenance of the integrity of the computer systems and that of information, as and when changes are made.
7.5 Maintenance of Equipment :
The following steps will require to be followed to ensure the integrity of the security controls in place during the maintenance of the equipment :
a) Allow modifications to be made only by authorized personnel within the established maintenance procedures.
b) The testing of the security controls in place, both before and after the maintenance service.
c) Maintain a record of all faults or suspected faults.
d) Appropriate virus checks are made.
e) Tamper-protection of the components which store sensitive information.
7.6 Casual Viewing :
Privacy shields may be installed to minimize the disclosure of SENSITIVE or HIGHLY SENSITIVE information on the computer terminals.
7.7 Emulation Concerns :
To ensure that all appropriate controls are implemented, the controls which apply to a specific transaction or process should also apply to the computer systems which support that transaction or process.
7.8 Business Continuity :
The organisation should include computer systems as part of the contingency and disaster recovery plan to ensure that the organisation can continue to function in case of major disruption, caused by natural disasters, power failures or other factors.
7.9 Audit Trails :
The maintenance of the audit trails is essential to ensure quality of security controls.
7.10 Disposal of Equipment :
The following steps will require to be implemented to prevent the disclosure of sensitive information :
a) To check all equipment containing storage media for sensitive information prior to disposal.
b) To perform a risk assessment on the damaged equipment to determine if it should be destroyed, repaired or discarded. The process of destruction should be defined, if it has to be discarded.
c) To ensure that the storage media goes through a secure erasure procedure prior to disposal.
Change Control Mechanism
8.1 To protect the integrity of the information processing systems, a change control procedure is essential. The change control procedures will relate to hardware changes, software changes and changes in manual procedures. The change control procedure will also have to address emergency changes. To prevent unauthorized changes in the production environment, a change control procedure that manages all changes, regardless of the magnitude, whether scheduled or emergency, will require to be established. The following steps should be implemented to ensure that the change control procedure, put in place, remains effective:
a) Establish a formal change request and the authorization process therefor.
b) Establish a test and system acceptance procedure for each change.
c) All changes are scheduled and fully documented.
d) All changes have viable back-up procedures, well defined and documented, to take care of failure during or after the implementation of the change.
e) Virus checks are made before and after the implementation of the changes.
8.2 Emergency Problems :
The following steps will be taken to ensure maintenance of integrity of the computer systems during emergencies:
a) Allow emergency fixes only to resolve production problems.
b) Return to normal change procedures expeditiously.
c) Emergency support personnel to document the changes implemented.
d) Review all emergency changes.
Network and Security Controls
A network is the collection of information processing and communication resources which enable the computer systems or the individuals to access and transmit information. Networks may be as simple as two personal computers connected to each other or as complex as a world-wide, multi-organisational funds transfer network. Access to both internal and external networks and services should be controlled. This is necessary to ensure that the users who have access to networks and network services do not compromise the security of these network services, by ensuring:
a. appropriate interfaces between the organization’s and the public networks, with adequate security controls in place;
b. appropriate authentication mechanisms for the users and the equipment; and
c. control of users’ access to the information services.
9.1 Policy on Use of Network and Network Services :
Insecure connections to network services can affect the whole organization. Users should only be provided with direct access to the services that they have been specifically authorized to use. This control is particularly important for network connections to sensitive or critical business applications or to users in high-risk locations e.g. public or external areas that are outside the organization’s security management and control. A policy should be put in place concerning the use of the networks and the network services. This policy should cover the following :
a. the networks and network services which are allowed to be accessed;
b. authorization procedures for determining who is allowed to access which networks and network services;
c. management controls and procedures to protect the access to network connections and network services;
d. consistency with the access control policy of the organisation;
e. enabling network services for business reasons only;
f. the removal or disabling of the unused or unwanted network services;
g. documented procedures, including all critical parameter settings, scripts and configuration files, for installation and operationalisation of a network operating system;
h. regular updating of the security related software;
i. identification of the types of information which need to be logged;
j. limiting the users to a single concurrent session; and
k. preventing IP spoofing: all in-bound IP packets with a source address originating from the organisation’s internal network, and all out-bound IP packets with source addresses other than those of the internal network, are to be dropped.
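Item (k) above is the classic ingress/egress anti-spoofing rule. The following Python snippet is an added illustration, not part of the RBI guideline, that applies the two rules to constructed sample packets; the internal address ranges, the packet records and the function names are assumptions made for the example.

```python
"""Ingress/egress anti-spoofing filter as described in guideline 9.1(k).

Constructed example (not from the RBI document): the packets and the
internal address ranges below are made up for illustration.
"""
import ipaddress
from dataclasses import dataclass

# Hypothetical internal address space of the organisation (constructed).
INTERNAL_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.0.0/16"),
]


@dataclass(frozen=True)
class Packet:
    direction: str   # "in" = arriving from the public side, "out" = leaving
    src: str         # source IP address as text
    dst: str         # destination IP address as text


def is_internal(addr: str) -> bool:
    """True when addr falls inside one of the organisation's internal ranges."""
    ip = ipaddress.ip_address(addr)
    # Membership test is version-aware: an IPv6 address is never "in" an IPv4 net.
    return any(ip in net for net in INTERNAL_NETWORKS)


def decide(pkt: Packet) -> str:
    """Return "accept" or "drop" for one packet according to 9.1(k).

    Ingress rule: an inbound packet whose source claims to be internal cannot
    legitimately arrive from outside, so it is dropped.
    Egress rule: an outbound packet whose source is not internal is either a
    misconfigured host or an attempt to impersonate a third party; dropped.
    """
    if pkt.direction not in ("in", "out"):
        raise ValueError(f"unknown direction {pkt.direction!r}")
    if pkt.direction == "in" and is_internal(pkt.src):
        return "drop"
    if pkt.direction == "out" and not is_internal(pkt.src):
        return "drop"
    return "accept"


def filter_packets(packets):
    """Apply the rules to a batch; returns (accepted, dropped) as two lists."""
    accepted, dropped = [], []
    for pkt in packets:
        (accepted if decide(pkt) == "accept" else dropped).append(pkt)
    return accepted, dropped


# Constructed sample traffic seen at the organisation's perimeter gateway.
SAMPLE = [
    Packet("in", "203.0.113.7", "10.1.2.3"),          # normal inbound: accept
    Packet("in", "10.9.9.9", "10.1.2.3"),             # claims internal src: drop
    Packet("out", "192.168.5.5", "198.51.100.2"),     # normal outbound: accept
    Packet("out", "203.0.113.250", "198.51.100.2"),   # foreign src leaving: drop
]

if __name__ == "__main__":
    ok, bad = filter_packets(SAMPLE)
    for p in bad:
        print("dropped", p.direction, p.src, "->", p.dst)
```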
9.2 Enforced Path :
The path from the user terminal to the computer service may need to be controlled. Networks are designed to allow maximum scope for sharing of resources and flexibility of routing. These features may provide opportunities for unauthorized access to business applications or unauthorized use of the information facilities. Incorporating controls that restrict the route between a user terminal and the computer services the user is authorized to access, e.g. creating an enforced path, can reduce such risks. The objective of an enforced path is to prevent any user from selecting routes outside the route between the user terminal and the service that the user is authorized to access. This requires the implementation of a number of controls at different points in the route. The principle is to limit the routing options at each point in the network through predefined and authorised routes, as described hereunder:
a. allocating dedicated lines or telephone numbers;
b. automatically connecting ports to specified application systems or security gateways;
c. limiting menu and sub-menu options for individual users;
d. preventing unlimited network roaming;
e. enforcing the use of specified application systems and/or security gateways for external network users;
f. actively controlling allowed source to destination communications via security gateways e.g. firewalls;
g. restricting network access by setting up separate logical domains e.g. virtual private networks, for user groups within the organization; and
h. ensuring consistency between the requirements for an enforced path and the access control policy.
9.3 User Authentication for External Connections :
External connections provide a potential for unauthorized access to business information e.g. access by dial-up methods. Therefore, access by remote users should be subject to authentication. There are different types of authentication methods, some of which provide a greater level of protection than others e.g. methods based on the use of cryptographic techniques can provide strong authentication. It is important to determine on the basis of risk assessment the level of protection required. This is needed for the appropriate selection of an authentication method. Authentication of remote users can be achieved using e.g. a cryptography-based technique, hardware tokens or a challenge/response protocol. Dedicated private lines or a network user address checking facility can also be used to provide assurance about the source of connections. Dial-back procedures and controls e.g. use of dial-back modems, can provide protection against unauthorized and unwanted connections to an organization’s information processing facilities. This type of control authenticates the users trying to establish a connection to an organization’s network from remote locations. When using this control, an organization should not use network services which include call forwarding or, if they do, they should disable the use of such features to avoid weaknesses associated with call forwarding. It is also important that the call-back process includes ensuring that an actual disconnection on the organization’s side occurs. Otherwise, the remote user could hold the line open pretending that call-back verification has occurred. Call-back procedures and controls should be thoroughly tested for this possibility.
9.4 Node Authentication :
A facility for automatic connection to a remote computer could provide a way of gaining unauthorized access to a business application. Connections to remote computer systems should, therefore, be authenticated. This is especially important if the connection uses a network that is outside the control of the organization’s security management. Node authentication can serve as an alternative means of authenticating groups of remote users, where they are connected to a secure, shared computer facility.
9.5 Remote Diagnostic Port Protection :
Access to diagnostic ports should be securely controlled. Many computers and communication systems could be installed with a dial-up remote diagnostic facility for use by the engineers. If unprotected, these diagnostic ports provide a means of unauthorized access. They should, therefore, be protected by an appropriate security mechanism, e.g. a key lock, and a procedure to ensure that they are only accessible by an arrangement between the manager of the computer services and the hardware/software support personnel requiring access.
9.6 Segregation of Networks :
Networks are increasingly being extended beyond the traditional organizational boundaries, as business partnerships are formed that may require the interconnection or sharing of information processing and networking facilities. Such extensions might increase the risk of unauthorized access to already existing information systems that use the network, some of which might require protection from other network users because of their sensitivity or criticality. In such circumstances, the introduction of controls within the network to segregate groups of information services, users and information systems should be considered. One method of controlling the security of large networks is to divide them into separate logical network domains e.g. an organization’s internal network domains and external network domains, each protected by a defined security perimeter. Such a perimeter can be implemented by installing a secure gateway i.e. firewall, between the two networks to be interconnected to control access and information flow between the two domains. This gateway should be configured to filter traffic between these domains and to block unauthorized access in accordance with the organization’s access control policy and on the basis of the cost and performance impact of incorporating suitable network routing or gateway technology.
9.7 Network Connection Control :
Access control policy requirements for shared networks, especially those extending across organizational boundaries, may require the incorporation of controls to restrict the connection capability of the users. Such controls can be implemented through network gateways that filter traffic by means of pre-defined tables or rules. The restrictions applied should be based on the access policy and requirements of the business applications and should be maintained and updated accordingly. The applications to which restrictions should be applied are as under :
a) electronic mail;
b) one-way file transfer;
c) both-ways file transfer;
d) interactive access; and
e) network access linked to time of day or date.
9.8 Network Routing Control :
Shared networks, especially those extending across organizational boundaries, may require the incorporation of routing controls to ensure that computer connections and information flows do not breach the access control policy of the organisation. This control is often essential for networks shared with third party users. Routing controls should be based on positive source and destination address checking mechanisms. Network Address Translation (NAT) is a very useful mechanism for isolating networks and preventing routes from propagating from the network of one organization into the network of another.
9.9 Security of Network Services :
Network services may have unique or complex security characteristics. Organizations using network services should ensure that a clear description of the security attributes of all services used is provided.
9.10 Network Controls :
A range of controls is required to be implemented to achieve and maintain security in computer networks. Network managers should implement controls to ensure the security of data in networks and the protection of the connected services from unauthorized access. For the purpose, the following steps should be taken:
a) Operational responsibility for networks should be separate from computer operations, where appropriate.
b) Responsibilities and procedures for the management of remote equipment, including equipment in user areas, should be established.
c) Special controls should be established to safeguard the confidentiality and integrity of the data passing over public networks and to protect the connected systems.
d) Special controls should also be established to maintain the availability of the network services and the computers connected.
9.11 Network Integrity :
The following steps will require to be taken to prevent the capture of a session during accidental or intentional communication line drops:
a) Provide network controls for the detection and reporting of dropped communications lines and timely termination of all associated computer sessions.
b) Re-authentication when the line drops occur.
9.12 Access Control :
The communication access requires to be granted only on a need-to-use basis to protect against modifications, destruction or disclosures of information through unauthorized access or use of the communication facilities.
9.13 Dial-in :
Dial-in is the capability to access information processing resources via public or private networks. The following steps require to be implemented to ensure that access control is not compromised through misuse of the dial-in facility:
a) Establish a policy setting out the conditions under which dial-in is permissible. Dial-in phone numbers should not be published or provided to other employees or third parties.
b) Implement, where business needs dictate, additional controls such as, card/token based authentication devices, security modems etc. which can provide password and dial-back controls or remote computing software that can provide password controls.
9.14 The following steps require to be taken to ensure that dial-in by the vendors, customers etc. (if such facility has been made available to them) does not compromise the security controls in place.
a) Execute a written agreement/contract with the vendors, suppliers, customers etc. identifying their respective role and responsibilities regarding security including the penalties in the event of breach of contract by such parties.
b) Establish a procedure which requires the intervention of an authorized employee to enable a dial-in access session. It must be ensured that the dial-in session is disabled on completion thereof.
c) Review the activity log of each such third party session.
9.15 Network Equipment :
The following steps require to be taken to prevent unauthorized use or interruption of the network equipment :
a) Control access to network equipment by logical access controls.
b) Locate network equipment in physically secure environment.
c) Wiring closets to be physically secure, with only authorized personnel being permitted access.
d) Route cabling underground or through conduits.
e) Maintain an inventory of network equipment.
9.16 Change Control Procedure :
It should be ensured to limit the network changes to those made in accordance with the established change management procedures to preserve the integrity and availability of information and information resources during changes to the network.
9.17 Connection with other Networks :
The following steps require to be implemented to ensure that the information system security is not compromised because of the security problems in networks external to the organisation:
a) Specific authorization is obtained from the Information Systems Security Manager, prior to establishing connection with the external networks, which are outside the security management of the organisation. Further, policies and procedures, well documented, require to be established, to be followed for connection with the external networks.
b) The security policy of the service provider of the external network should verifiably be at least as strong as the organisation’s security policy for its own network.
9.18 Network Monitoring :
The following steps require to be taken for monitoring the network with the use of monitoring devices to protect against information disclosures, modifications or destruction:
a) Implement the use and storage controls over the devices, which monitor or record information being transmitted over a network (e.g. protocol analysers and other diagnostic equipment).
b) The employees are made aware, as part of the terms and conditions of employment and also by way of management directives in this regard, that the use of the organisation’s information processing assets constitutes consent to the monitoring of such use.
9.19 Protection during Transmission :
The following steps should be taken to protect sensitive and highly sensitive information from disclosure during transmission:
a) Encrypt sensitive and highly sensitive information during electronic transmission.
b) Protect passwords by encryption during transmission.
To detect corruption or modification of highly sensitive information during transmission, it is required to authenticate the information with digital signature and the same has to be verified at the destination.
9.20 Network Availability :
It is required to protect the network equipment by use of Uninterruptible Power Supplies (UPS) to protect against information loss in situations where power fluctuations or outages occur.
9.21 The following steps require to be taken to protect against the destruction or modifications of information residing in the network resources:
a) Establish and enforce a periodic back-up of information on network resources.
b) Test the recovery of the backed-up data periodically.
It should be ensured that the Disaster Recovery Plan includes disaster recovery in respect of the network services also, to protect against losses due to the unavailability of the network resources.
9.22 Audit Trails :
Audit trails will require to be maintained to ensure continuity in the quality of security controls.
Separation of Development and (Production) Operational Facilities and Information Handling and Back-up
10.1 Development and Test activities, co-existent with the Operational activities, can cause serious problems e.g. unwanted modifications of the files or the system environment, resulting in system disruption/failure. Where development and test staff have access to the operational system and its information, they may be able to introduce unauthorized and untested code or alter operational data. On some systems, this capability could be misused to commit fraud or introduce untested or malicious code. Untested or malicious code can cause serious operational problems. Developers and testers may also pose a threat to the confidentiality of the operational information.
10.2 Separating the development, test and operational facilities from one another is essential to achieve segregation of the roles and responsibilities involved and to ensure non-interference of the development and testing activities with the operational facilities. This will reduce the risk of accidental change or unauthorized access to operational software and business data. The level of separation among the operational, test and development environments should be decided as necessary. A similar separation should also be ensured between the development and the test functions, as it is also important to maintain a known and stable environment in which to carry out the test activities and at the same time, preventing inappropriate developer access. Rules and procedures for the transfer of software from the development to operational status should be well defined and documented. The following controls should be considered for separating the development, test and operational facilities.
a) Development and operational software should, where possible, be resident in different domains or directories and use different computer processors.
b) Development and testing activities should be separated as far as possible.
c) Compilers, editors and other system utilities should not be accessible from the operational systems when not required; they should be made available only after completion of the due authorisation process.
d) Different log-on procedures should be used for operational and test systems to reduce the risk of errors. Users should use different passwords for these systems and the menus should display appropriate identification messages.
e) Development staff may have access to operational passwords, where controls are in place for issuing such passwords and that too, for supporting the operational systems only. Security controls should ensure that such passwords are changed or withdrawn after their use for the specific purposes is over.
10.3 Information Handling Procedures :
Rules and procedures should be established for the handling and storage of information, consistent with its classification relating to documents, computing systems, networks, mobile computing etc., in order to protect such information from unauthorized disclosures or misuse, considering the following :
a) Vulnerabilities of information in office systems e.g. recording phone calls or conference calls, confidentiality of calls, storage of faxes and opening & distribution of mails;
b) Policy and appropriate controls to manage information sharing e.g. the use of corporate electronic bulletin boards;
c) Restricting access to diary information relating to selected individuals e.g. staff working on sensitive projects;
d) Suitability or otherwise of the system to support business applications, such as communicating orders or authorizations;
e) Categories of staff, contractors or business partners allowed to use the information systems and services, and the locations from which they may be accessed;
f) Restricting the use of selected facilities to specific categories of users only;
g) Identification of the status of the users e.g. employees of the organization or those of the contractors, service providers etc. in directories for the benefit of other users;
h) Retention and back-up of information held on the information systems;
i) Sensitive/Highly Sensitive documents (hard copy) to be marked accordingly on each page and the pages to be numbered; and
j) Fallback requirements and arrangements therefor.
10.4 Information Back-up :
Back-up copies of the essential business information and software should be taken regularly. Adequate back-up facilities should be provided to ensure that all essential business information and software can be recovered following a disaster or media failure. Back-up arrangements for individual systems should be regularly tested to ensure that they meet the requirements of business continuity plans. The following steps should be considered for the purpose.
a. A minimum level of back-up information, together with accurate and complete records of procedures, should be stored in a remote location that is easily accessible and can be used in case of disaster at the main site.
b. Back-up information should be given an appropriate level of physical and environmental protection, consistent with the standards applied at the main site. The controls applied to media at the main site should be extended to cover the back-up site.
c. Back-up media should be regularly tested, where practicable, to ensure that they can be relied upon for emergency use when necessary.
d. Restoration procedures should be regularly checked and tested to ensure that they are effective and that they can be completed within the time, allotted in the operational procedures for recovery.
e. The retention period for essential business information and also any requirement for archiving copies, to be permanently retained, should be determined on the basis of business requirements and compliance with legal and regulatory requirements.
10.5 Housekeeping :
To maintain the integrity and the availability of the information processing and communication services, appropriate rules and procedures should be established for taking back-up copies of data and rehearsing their timely restoration, logging events and faults and where appropriate, monitoring the system environment.
Chapter 11
Security Controls and Media Handling
Media should be controlled and physically protected to prevent damage to assets and interruptions to business activities. Appropriate operating procedures should be established to protect documents, computer media (tapes, disks, cassettes), input/output data and system documentation from damage, theft and unauthorized access.
11.1 Security Controls for Media in Transit :
Information can be vulnerable to unauthorized access, misuse or corruption during physical transport e.g. while sending media through the postal service or courier. The following controls should be applied to safeguard the computer media while being transported between sites.
a) Reliable transport or couriers should be used. A list of the authorized couriers should be agreed with management and a procedure to check the identification of couriers implemented.
b) Packaging should be sufficient to protect the contents from any physical damage likely to arise during transit and in accordance with manufacturers’ specifications.
c) Special controls should be adopted, where necessary, to protect sensitive information from unauthorized disclosures or modifications, which should include the following:
- use of locked containers ;
- delivery by hand;
- tamper evident packaging (which reveals any attempt to gain access); and
- in exceptional cases, splitting of the consignment and dispatch by different routes.
11.2 Management of Removable Computer Media :
Procedures should be established for the management of removable computer media such as tapes, disks, cassettes and printed reports, considering the following :
a) If no longer required, the previous contents of any re-usable media to be removed from the organization should be erased.
b) Authorisation should be required for all media to be removed from the organization, and a record of all such removals should be maintained.
c) All media should be stored in a safe and secure environment in accordance with the manufacturers’ specifications.
d) All procedures and authorization levels should be documented.
11.3 Disposal of Media :
Media should be disposed of securely and safely, when no longer required. Sensitive information could be leaked to outside persons through careless disposal of media. Procedures should be established for the secure disposal of media, considering the following:
a) Media containing sensitive information should be stored and disposed of securely and safely e.g. by incineration or shredding or emptied of data for use by another application within the organization.
b) The following list identifies the items that might require secure disposal:
- paper documents;
- voice or other recordings;
- output reports;
- one-time-use printer ribbons;
- magnetic tapes;
- removable disks or cassettes;
- optical storage media (all forms including the manufacturer’s software distribution media);
- program listings;
- test data; and
- system documentation.
c) There may be organizations which offer collection and disposal services for papers, equipment and media. Care should be taken to select suitable contractors for the purpose with adequate controls and experience.
d) Disposal of sensitive items should be logged, where possible, in order to maintain an audit trail.
When accumulating media for disposal, consideration should be given to the aggregation effect, which may cause a large quantity of unclassified information to become more sensitive than a small quantity of classified information.
Telecommuting/Teleworking, Mobile Computing and Security Controls
12.1 Telecommuting/Tele-working is generally thought to be working from home or from a fixed location outside the organization, using communications technology. A virtual office can be anywhere that is an extension of the workplace. Telecommuting equipment may include phone, fax and computers, usually laptops or desktops. The telecommuters benefit through the reduction in commuting costs, time and the avoidance of stress and fatigue. The policy of allowing the individuals to work from their homes or a fixed location outside the traditional office may be beneficial to the organisation also. However, care should be taken to determine if the functions performed by such employees can be properly carried out away from the traditional office.
12.2 All the security controls, listed in this document, apply to the telecommuting environment also. In addition, Human Resource issues also arise in respect of the employees who telecommute. Further, care has also to be taken with respect to the remote access to information resources of the organisation. Suitable protection of the telecommuting / teleworking site should be in place against the security hazards e.g. theft of equipment and information, unauthorized disclosures of information, unauthorized remote access to the organization’s internal systems or misuse of facilities. It is important that telecommuting/teleworking is both authorized and controlled by the management of the organisation and that suitable arrangements are put in place for this way of working.
12.3 Organizations should consider developing policy and procedures and standards to control teleworking activities, authorizing teleworking activities only if they are satisfied that appropriate security arrangements and controls are in place and that these comply with the organization’s information systems security requirements.
12.4 To prevent loss of control over the personal computers, and the systems to which they may be connected, through capture by remote access software, it should be ensured that the remote access software is not allowed to remain resident on the computer systems. It should be loaded only as required, with specific concurrence from both parties at the time, and then be removed when the session is completed. At that time, a complete disk scan should be done to check for viruses, including on any diskettes used in the session.
12.5 The security issues concerning telecommuting/teleworking should be addressed as under :
a) Allow an employee to telecommute only after consideration is given to the employee’s interpersonal skills, communication skills and ability to work in an unsupervised environment.
b) Establish and distribute a clear written policy on telecommuting.
c) Ensure that any employee, who wishes to telecommute, executes a written agreement with the organisation, which addresses the following issues :
- Equipment to be used: bank’s or employee’s
- Phone lines: separate or employee’s
- Maintenance of the equipment
- Cost and reimbursement
- Supervision
- Liability for personal injury, fire, etc.
- Physical and logical access controls to include protection of equipment, information (transmitted or stored), hardcopy, backup of information, disposal of hardcopy and diskettes and protection of networks.
12.6 The physical and logical security requirements of the teleworking site should be addressed, considering the following:
- the existing physical security arrangements for the building and the local environment;
- the proposed teleworking environment;
- the communications security requirements, taking into account the need for remote access to the organization’s internal systems, the sensitivity of the information that will be accessed and passed over the communication link and the sensitivity of the internal systems; and
- the threat of unauthorized access to information or resources from other people using the accommodation e.g. family and friends.
12.7 In addition to the above security controls and arrangements, the following should also be considered in this regard :
a) Provision of suitable equipment and storage furniture for the teleworking activities;
b) Definition of the work permitted, the hours of work, the classification of information that may be held and the internal systems and services that the teleworker is authorized to access;
c) Provision of suitable communication equipment, including methods for securing remote access;
d) Rules and guidance on family and visitor access to equipment and information;
e) Procedures for back-up and business continuity;
f) Audit and security monitoring;
g) Revocation of authority, access rights and the return of the equipment when the teleworking activities cease or as decided by the organisation.
12.8 Mobile Computing :
12.8.1 When using mobile computing facilities e.g. notebooks, palmtops, laptops and mobile phones, special care should be taken to ensure that the business information is not compromised. Policy should be established that takes into account the risk of working with mobile computing facilities, particularly in unprotected environments. The policy should include the requirements for physical protection, access controls, cryptographic techniques, back-ups and virus protection. The policy should also include rules and advice on the connectivity of the mobile computing facilities to the networks and guidance on the use of these facilities in public places. Care should be taken while using the mobile computing facilities in public places, meeting rooms and other unprotected areas outside the organization’s premises. Adequate security controls should be in place e.g. use of cryptographic techniques, to prevent unauthorized access to or disclosure of the information stored and processed by these facilities.
12.8.2 It is important that when such facilities are used in public places, care is taken to avoid the risk of being overlooked by unauthorized persons. Procedures against malicious software should be in place and be kept up to date. Equipment should be available to enable quick and easy back-up of information. These back-ups should be given adequate protection against safety hazards e.g. theft or loss of information.
12.8.3 Suitable protection should be given to the mobile computing facilities connected to networks. Remote access to business information and information systems across public networks using mobile computing facilities should take place only after successful identification and authentication of the user, under suitable access control mechanisms.
12.8.4 Mobile computing facilities should be physically protected against theft especially when left, for example, in cars and other forms of transport, hotel rooms, conference centres and meeting places. Equipment carrying important, sensitive and/or critical business information should not be left unattended and, where possible, should be physically locked away or special locks should be used to secure the equipment.
12.8.5 Training should be arranged for the staff using mobile computing facilities to raise their awareness about the additional risks to business operations, which may result from this way of working and the security controls which will have to be implemented.
Voice, Telephone and related Equipment and Security Controls
13.1 Information is frequently carried by voice media. Security controls need to be applied to the voice as well as to the carrier/medium of transmission of the voice. This applies only to voice-related information used in the conduct of business and does not cover social conversation. The organisations which utilize Voice Mail Systems will be subject to a variety of potential threats and exposures, including disclosure of messages, liability for substantial long distance charges and even loss of service due to unauthorized accesses. It is important for the Information Systems Security Administrator to be involved in the review and implementation of appropriate controls offered by the vendor in order to reduce or eliminate these exposures. Controls which should be used to protect voice and related information are discussed hereunder.
13.2 Access to Voice Mail system :
To preserve the integrity of information residing on Voice Mail and to limit expenses and liability for unauthorized use of Voice Mail services, the access to Voice Mail service should be controlled with physical controls and with logical access controls, as discussed in this document.
13.3 Private Branch Exchange (PBX) :
A PBX is an internal switch for attached telephone units within an organisation that usually supports connections to outside telephone lines and may also support electronic switching of information to the attached computer devices. To protect the PBX systems from being used to place outside calls by unauthorized sources and to protect the information that passes through electronic PBX systems from unauthorized disclosures, modifications or destruction, the following steps should be implemented:
a) Maintain close liaison with the PBX supplier and the network service providers concerning frauds and other problems.
b) Provide physical access controls that restrict access to the PBX to authorized individuals only.
c) Protect any maintenance or administrative ports that are accessible via remote dial-up with passwords meeting the access control criteria, as discussed in this document. This may require secure call-back or challenge/response procedures.
d) Produce an audit trail of all the administrative and maintenance accesses.
e) Change all default password settings immediately upon installation of a PBX.
f) Follow the approved change control procedures, documenting all changes, as discussed in this document.
g) Use call accounting software.
h) Prevent access to local "hot numbers" or other expensive services.
i) Follow the least privilege on the setting up of facilities for particular extensions e.g. deny international access unless explicitly authorized.
13.4 Spoken Word :
To educate employees about the sensitivity of information being discussed, regardless of the circumstances, employees should be periodically advised to be aware of who is present during conversations involving sensitive or highly sensitive information. Whenever sensitive or highly sensitive information is to be discussed, an announcement to that effect should be made, unless it is clear that the persons who are party to the conversation or the meeting are aware of the sensitivity of the information.
13.5 Interception :
It may be easy to intercept the cellular and the cordless telephonic conversations. To protect against interception of highly sensitive information during telephonic conversations, the following steps should be taken :
a) Consider encrypting the telephone calls in which highly sensitive information will be discussed.
b) Prohibit the use of the cordless or the unencrypted cellular telephones for the transmission of HIGHLY SENSITIVE information, except in emergencies.
13.6 Business Continuity :
To ensure the continued availability of the Voice Mail and telephone services, it should be ensured to include the continuation of the telephone and the Voice Mail services as part of the contingency and disaster recovery plans of the organisation.
13.7 Documentation :
To preserve a record of telephone transaction requests and to prevent action on unauthenticated requests, it should be ensured to verify the requests for transaction, received from outside the organisation via telephone or Voice Mail or by call back, using the Cryptographic Authentication or other means, as approved under the Information Systems Security Programme. However, the telephone transaction requests which are part of the business activities, traditionally conducted over the telephones, such as foreign exchange or arbitrage, should be conducted on the recorded telephone lines. The recordings should be retained at least as long as and as required under the statute of limitations for any legal action or crime that may arise from the transactions in question.
13.8 Voice Response Units (VRU) :
The Voice Response Units may be used as a means to allow the customers effective and efficient telephone access to their accounts without human intervention. This access may be as simple as an account balance inquiry or may include a wide range of capabilities such as the transfer of funds between accounts, making loan payments etc. To provide a high degree of assurance that the accounts will only be accessed by the true owners and no one else, the following steps should be taken:
a) Use customer-selected Personal Identification Numbers (PINs). PINs used in a low risk application, which may not require encryption, should be limited to that application only. However, normal security practice requires encryption.
b) Notify to all the account owners the PIN selection process.
c) Provide the ability to the owner to block the account from service/ operation.
e) Protect the customers’ PINs after they are acquired by the VRU: once received by the VRU, the PINs should be encrypted prior to validation by the VRU or by any other system to which such PINs may be transmitted.
f) Limit the opportunity for unauthorised attempts to sign on to the system: callers should be allowed at least two, but no more than three, consecutive attempts to enter a valid identification or authentication code or account number before either transferring the caller to a human operator or terminating the call. In addition, these entries should be logged and reviewed on a regular basis, so that suspicious behaviour can be identified.
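The sign-on limit in item f) above, modelled as an added example (not part of the RBI guideline): a caller gets at least two but no more than three consecutive attempts before transfer to an operator, every attempt is logged, and a review function picks out callers with repeated failures. Account numbers, PINs, caller identities and the keyed-HMAC storage of PINs are assumptions constructed for illustration.

```python
"""Added example (not the guideline's own code): VRU sign-on attempt limit
with logging and periodic review, as described in item f)."""
from collections import Counter
from dataclasses import dataclass, field
import hashlib
import hmac
from typing import Dict, List, Tuple

MAX_ATTEMPTS = 3  # guideline: at least two, no more than three consecutive attempts

# Assumption: the VRU never stores clear PINs. It keeps a keyed HMAC of the PIN
# under a key held by the validation system (constructed key, illustration only).
VRU_KEY = b"constructed-example-key"


def pin_tag(account: str, pin: str) -> str:
    return hmac.new(VRU_KEY, f"{account}:{pin}".encode(), hashlib.sha256).hexdigest()


# Constructed customer records: account number -> PIN tag.
ACCOUNTS: Dict[str, str] = {
    "1001": pin_tag("1001", "4321"),
    "1002": pin_tag("1002", "9876"),
}


@dataclass
class AttemptLog:
    """Log of (caller_id, account, success) entries kept for regular review."""
    entries: List[Tuple[str, str, bool]] = field(default_factory=list)

    def record(self, caller_id: str, account: str, ok: bool) -> None:
        self.entries.append((caller_id, account, ok))


@dataclass
class Call:
    caller_id: str            # e.g. calling line identity (constructed)
    attempts: int = 0
    outcome: str = "in_progress"  # in_progress | authenticated | transferred_to_operator


def verify_pin(call: Call, account: str, pin: str, log: AttemptLog) -> str:
    """One sign-on attempt on a call; returns the call's outcome afterwards."""
    if call.outcome != "in_progress":
        raise RuntimeError("no further attempts are allowed on this call")
    call.attempts += 1
    expected = ACCOUNTS.get(account)
    # Constant-time comparison; an unknown account counts as a failed attempt.
    ok = expected is not None and hmac.compare_digest(expected, pin_tag(account, pin))
    log.record(call.caller_id, account, ok)
    if ok:
        call.outcome = "authenticated"
    elif call.attempts >= MAX_ATTEMPTS:
        # Third consecutive failure: hand the caller to a human operator.
        call.outcome = "transferred_to_operator"
    return call.outcome


def review(log: AttemptLog, threshold: int = 3) -> Dict[str, int]:
    """Periodic review: callers whose failed attempts reach the threshold."""
    failures = Counter(caller for caller, _, ok in log.entries if not ok)
    return {caller: n for caller, n in failures.items() if n >= threshold}


if __name__ == "__main__":
    log = AttemptLog()
    call = Call("caller-A")
    for guess in ("0000", "1111", "2222"):
        print(verify_pin(call, "1001", guess, log))
    print("for review:", review(log))
```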
13.9 Facsimile and Image :
An image is a pictorial representation of a physical document. The physical document may or may not exist on paper. Image technology may be as simple as a fax machine creating a copy of a letter at a remote site, or a sophisticated, totally paperless image processing system with image files transmitted via e-mail. Where possible, the use of a Central Fax Server should be considered in an organisation to prevent unauthorised access. The following controls should be implemented.
13.9.1 Modification :
To prevent possible payment on fraudulently altered facsimile images, it should be ensured to have independent verification by prearranged method of the authenticity of the source and the contents of such transaction requests, received via facsimile or image system, prior to action being taken.
13.9.2 Repudiation :
To prevent false claims of the communication of messages or for the denial of message delivery, it should be ensured to apply non-repudiation controls such as digital signatures.
13.9.3 Misdirection of Messages :
To reduce the disclosure of sensitive or highly sensitive information through misdirected facsimile transmission, it should be ensured to exercise care in dialing fax numbers. A check of the fax display of the identity of the receiver should be done. To detect fax messages which were misdirected and to assist in the retrieval of information, it should be ensured to display warning notices on the fax coversheets to the effect that the message is meant for the addressee only, for his information and use and that the use of the message by any other party will be deemed illegal and shall be punishable under law.
13.9.4 Disclosure :
To prevent disclosure of information during transmission, it should be ensured to encrypt fax and image transmissions carrying highly sensitive information. To prevent disclosure of information by unauthorised viewing of unattended facsimile equipment, the following steps should be taken :
a) Locate the facsimile machines and the image processing terminals within areas under physical access control.
b) Prohibit fax transmissions carrying sensitive or highly sensitive information, unless it is verified by independent means that a properly authorized person is present at the receiving terminal.
c) One method of doing this is to send the cover sheet only, wait for telephonic acknowledgement of its receipt and then to resend the entire package using the redial button on the fax device.
d) Classify and label the documents in the image systems or received via fax using the same criteria used for paper documents. Documents should bear markings appropriate to their classification.
e) The use of cellular facsimile raises potential disclosure concerns. To protect against disclosure of fax sent via cellular connection, the transmission by cellular fax of sensitive or highly sensitive information should be prohibited, unless encryption is in use.
13.9.5 Business Continuity :
To ensure against business interruption due to loss of image systems, it should be ensured to include image systems and fax capability as part of the contingency and disaster recovery plan.
13.9.6 Denial of Service :
To minimize the loss of service caused by junk fax or unsolicited and unwelcome messages, it should be ensured to block disclosure of fax numbers outside the organisation, except on a need-to-know basis. It should be adopted as a practice that the fax lines that the organisation may want to establish for its business should not be used for other purposes.
13.9.7 Retention of Documents :
To prevent the loss of necessary business records including fax on thermal paper and stored image where source documents are not available, it should be ensured to store image or fax information, if required as a source document, on media which prevent its modification. It should then be stored or a separate copy thereof made, kept off-line and retained.
Electronic Mail and Security Controls
14.1 Electronic Mail (e-mail) is a store-and-forward message system for transporting information between two or more parties. E-mail was originally developed to support informal communications over computer systems. It has now been integrated with word processing systems, so that a sender can compose a formal letter and have it instantly transmitted. E-mail may also incorporate digitised voice messages and images. It may operate over public or private networks. It is being used for business communications, replacing traditional forms of communication such as telex and letters. E-mail differs from traditional forms of business communication by, for example, its speed, message structure, degree of informality and vulnerability to unauthorized actions. The following controls should be implemented to protect e-mail:
14.1.1 Authorized Users :
To ensure that only authorized users access e-mail, access to the e-mail facility should be restricted by logical access control, as discussed in this document. The e-mail facility will have to be used as approved by the organisation, and the necessary steps should be taken to ensure this.
14.1.2 Physical Protection :
To prevent modifications, disclosures or destruction of information and information processing capabilities through access to equipment providing e-mail services, it should be ensured to restrict physical access to information processing resources providing e-mail services to those personnel necessary for the operation of the system. A record of the entry and exit to the facility should be maintained.
14.1.3 Integrity of Transactions :
To prevent unauthorized transactions or repudiation of transactions, it should be ensured to obtain independent verification of authenticity as to the source and content, prior to the completion of such transactions requested via e-mail.
14.1.4 Disclosure :
To protect against the disclosure of sensitive or highly sensitive information, using the same criteria as used for paper documents, the transmission of highly sensitive information over e-mail should be prohibited unless it is encrypted. To minimize the chances of wrong delivery and the consequences thereof, the following steps should be taken:
a) The e-mail messages carrying sensitive or highly sensitive information be checked for correct addressing and routing information. Use of warning messages, similar to those as in case of fax, should be considered.
b) Select public network providers from those who provide protection against wrong delivery.
14.1.5 Business Continuity :
To ensure business continuation in case of loss of e-mail service, it should be ensured to include the continuation of e-mail service as part of the contingency and disaster recovery plan, as discussed in this document.
14.1.6 Message Retention :
To ensure that the messages, required for business and regulatory reasons, are safely stored and easily retrievable, it should be ensured to implement a record retention programme, appropriate to business and regulatory requirements. To ensure that the messages archived can be properly reconstructed and authenticated, the public key certificates or authentication keys, used during the processing of such messages, should be archived.
14.1.7 Message Reception :
To ensure that all the messages are received and action taken thereon, the senders should ensure that their messages are received and read. The organisation should consider using an automated status checking facility for the purpose.
14.2 Policy on Electronic Mail :
Policy should be established regarding the use of electronic mail, including the following:
a) attacks on electronic mail e.g. viruses, interception;
b) protection of electronic mail attachments;
c) guidelines on when not to use electronic mail;
d) employee responsibility not to compromise the company e.g. sending defamatory electronic mail, use of electronic mail for harassment etc.;
e) use of cryptographic techniques to protect the confidentiality and integrity of electronic messages;
f) retention of messages which, if stored, could be discovered in case of litigation; and
g) additional controls for vetting messages which cannot be authenticated.
14.3 Paper Documents :
Cheques and currency notes are outside the purview of the discussion in this sub-section. Much of the information used for decision making is first captured on paper. The pre-printed forms such as deposit slips, loan applications and memoranda of telephone transfer requests are useful for a variety of financial operations. Regulators also require certain reports to be submitted in writing. The following controls should be used for protection of paper resources.
14.3.1 Modification :
To prevent the modifications of information, received or stored on paper documents, the following steps should be taken :
a) Prohibit the use of pencils or other erasable implements for the preparation of documents, used as source for payments, loans or other transactions.
b) Require the use of erasure detection paper for high value documents.
c) Reject as a source document for any transaction any document that contains strike-outs, correction fluid marks or typed-over text, unless such corrections or additions are initialled/authenticated by all the signatories to the document.
14.3.3 Viewing :
To protect against unauthorized viewing of sensitive or highly sensitive information on documents, it should be ensured to make the employees aware of the importance of information security. Leaving paperwork containing sensitive or highly sensitive information open to view by others should be pointed out as an example of an unacceptable security practice.
14.3.4 Storage Facilities :
Safe storage should be ensured for documents containing critical, sensitive or highly sensitive information. Such information remaining open to view should be pointed out as an example of an unacceptable security practice.
14.3.5 Destruction :
To ensure that information is not disclosed because of improper disposal of the documents, the following steps should be taken :
a) The sensitive or highly sensitive documents are securely destroyed.
b) Establish a policy covering the destruction of records. The type of record, its sensitivity, statutory limitations and other applicable regulations should be used to determine a destruction date. This policy should be reviewed periodically.
Firewall - A Security Control Measure
15.1 The increased use of the Internet has made computer technology more useful and, at the same time, more risky. The universal connectivity, which is nothing short of a miracle, also presents unprecedented risks/opportunities for attack. Any person with a computer can subscribe to an Internet service provider and become a true network "node." As a result, there is no control over who can be on the Internet or what they are using it for. There is, therefore, a need to protect systems on the Internet against both known and unknown assaults from a vast pool of attackers/hackers. This protection is generally provided in the form of a Firewall. A Firewall is defined as a collection of electronic components placed between two networks that collectively have the following properties:
a) All traffic from inside to outside and vice-versa must pass through the firewall.
b) Only authorized traffic, as defined by the information systems security policy, will be allowed to pass through the firewall.
c) The firewall is itself immune to penetration.
A well-designed firewall protects the organisation’s network against attacks from sources external to its network and the network to which it is connected by the firewall. The attacks from within the organisation’s network or from its communicating partner/s will require to be addressed by other security services.
15.2 The firewalls require to be designed for the following considerations :
15.2.1 Strong Authentication and Identification :
A high degree of confidence of knowing with whom an organisation has been dealing is required. "Know your Customer" could be a regulatory requirement and must precede any authorization to conduct business. The ability to identify who is using a system is required to prevent unauthorized use as also to assist in the investigation of attacks.
15.2.2 Audit and Archival Requirements :
The organisations are required by regulation to maintain certain records. The activity through a firewall will often contain information which must be archived to prove that the transactions had taken place. Auditable security-related events must also be properly captured.
15.2.3 Non-repudiation :
Payment instructions will require to be sufficiently protected to support a collection action.
15.2.4 Availability :
Unless a service can be reliably offered, it should not be offered. The frustration of customers with banking systems that do not work on demand, following the introduction of Information Technology based products, may result in loss of business.
15.2.5 Confidentiality of Records :
The confidence that the banking organisation’s records will remain protected is a customer’s assumption. Loss of this confidence will result in loss of business. Further, it can be presumed that causing embarrassment to a big organisation is a powerful motivator to the hacker community.
15.2.6 As the Internet environment is constantly changing, it is difficult to exhaustively specify all the requirements for the firewalls. However, the following suggestions should form the basis of proper firewall selection and implementation.
15.2.6.1 Design Axioms : The following basic requirements should be complied with.
a) Any interface of the internet to the organisation’s networks must be properly controlled.
b) IP packets will be exchanged between the organisation’s network and the Internet through connection/s established through the firewall.
c) Traffic is exchanged through the firewall at the application layer only.
d) Organisation’s hosts which support incoming service requests from the public Internet will sit "outside" any firewall, with suitable security controls, preferably in a DMZ separate from the internal ‘trusted network’.
e) Firewall systems will be implemented to work within the constraints of internal network routing.
15.2.6.2 The technical features to be met are as under :
a) The firewall must enforce a protocol discontinuity at the transport layer.
b) The firewall must hide the structure of the protected network.
c) The firewall must provide an audit trail of all communications to or through the firewall system and will generate alarms when suspicious activity is detected.
d) The firewall system must use a "proxy server" to provide application gateway function through the firewall.
e) The routes through the firewall must be statically defined.
f) The firewall must not accept session initiation from the Public Internet.
g) The firewall system must defend itself against direct attack.
h) The firewall must be structured, so that there is no way to bypass any firewall component.
j) The firewall must include an application "launch server" to support application connections from the user systems to Internet services.
k) The firewall must deny all in-bound and out-bound services unless specifically permitted.
l) The firewall must be configured to produce log reports on a daily, weekly and monthly basis. Software tools or utilities should be used to programmatically summarise the log entries or to associate actions with the log file entries.
m) The firewall administrator will have to be notified of security alarms by e-mail, pager or other means. The alarms, among others, may relate to ‘N’ failed attempts to connect to any service port within a time span of ‘N’ minutes, ‘N’ consecutive failed attempts to utilise Proxy Services etc. The failed attempts should be logged directly in the firewall system.
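The logging, summarising and alarm requirements of items l) and m) above, as an added example (not the guideline's own code or any particular firewall product's): constructed log lines are parsed, a sliding window raises an alarm on ‘N’ failed connection attempts to a service port within ‘N’ minutes, a second rule catches ‘N’ consecutive failed proxy attempts, and a daily summary is produced. The log format, field names, thresholds and addresses are all assumptions for illustration.

```python
"""Added example (not from the guideline): firewall log summarisation and
alarm detection for the conditions in items l) and m)."""
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta
import re
from typing import Dict, List, Tuple

# Assumed line format, constructed for this example; real firewalls differ.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dport=(?P<dport>\d+) "
    r"svc=(?P<svc>\S+) result=(?P<result>ALLOW|DENY|PROXY_OK|PROXY_FAIL)$"
)

# Constructed sample log (documentation-range addresses, not real hosts).
SAMPLE_LOG = """\
2024-03-01T09:00:05 src=203.0.113.7 dport=23 svc=telnet result=DENY
2024-03-01T09:00:40 src=203.0.113.7 dport=23 svc=telnet result=DENY
2024-03-01T09:01:10 src=198.51.100.4 dport=80 svc=http-proxy result=PROXY_FAIL
2024-03-01T09:01:30 src=203.0.113.7 dport=23 svc=telnet result=DENY
2024-03-01T09:02:00 src=203.0.113.7 dport=23 svc=telnet result=DENY
2024-03-01T09:02:15 src=198.51.100.4 dport=80 svc=http-proxy result=PROXY_FAIL
2024-03-01T09:02:45 src=203.0.113.7 dport=23 svc=telnet result=DENY
2024-03-01T09:03:00 src=198.51.100.4 dport=80 svc=http-proxy result=PROXY_FAIL
2024-03-01T09:10:00 src=198.51.100.4 dport=443 svc=https result=ALLOW
2024-03-01T09:30:00 src=192.0.2.9 dport=22 svc=ssh result=DENY
2024-03-01T09:45:00 src=192.0.2.9 dport=22 svc=ssh result=DENY
2024-03-02T08:00:00 src=192.0.2.9 dport=22 svc=ssh result=DENY
"""


def parse_log(text: str) -> List[dict]:
    """Parse log lines into events sorted by time; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        ev["dport"] = int(ev["dport"])
        events.append(ev)
    events.sort(key=lambda e: e["ts"])
    return events


def failed_connect_alarms(events: List[dict], n: int = 5, minutes: int = 5
                          ) -> List[Tuple[str, int, datetime]]:
    """Alarm when a source makes n failed connections to one port within `minutes`."""
    window = timedelta(minutes=minutes)
    recent: Dict[Tuple[str, int], deque] = defaultdict(deque)
    alarms = []
    for ev in events:
        if ev["result"] != "DENY":
            continue
        q = recent[(ev["src"], ev["dport"])]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:   # drop attempts outside the window
            q.popleft()
        if len(q) >= n:
            alarms.append((ev["src"], ev["dport"], ev["ts"]))
            q.clear()                            # one alarm per burst
    return alarms


def proxy_failure_alarms(events: List[dict], n: int = 3) -> List[Tuple[str, datetime]]:
    """Alarm on n consecutive failed proxy attempts from one source; a success resets."""
    streak: Counter = Counter()
    alarms = []
    for ev in events:
        if ev["result"] == "PROXY_OK":
            streak[ev["src"]] = 0
        elif ev["result"] == "PROXY_FAIL":
            streak[ev["src"]] += 1
            if streak[ev["src"]] >= n:
                alarms.append((ev["src"], ev["ts"]))
                streak[ev["src"]] = 0
    return alarms


def daily_summary(events: List[dict]) -> Dict[str, Counter]:
    """Per-day count of results, the basis of the daily report in item l)."""
    summary: Dict[str, Counter] = defaultdict(Counter)
    for ev in events:
        summary[ev["ts"].date().isoformat()][ev["result"]] += 1
    return dict(summary)


def notify(message: str) -> None:
    # Stand-in for the e-mail/pager notification the guideline requires.
    print("ALARM:", message)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for src, port, ts in failed_connect_alarms(evs):
        notify(f"{src}: 5 failed connections to port {port} within 5 min (last {ts})")
    for src, ts in proxy_failure_alarms(evs):
        notify(f"{src}: 3 consecutive failed proxy attempts (last {ts})")
    for day, counts in daily_summary(evs).items():
        print(day, dict(counts))
```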
15.2.6.3 The Proxy Server, configured on the firewall, should have the following features:
a) The proxy server acts as an application gateway.
b) The proxy server hides Internet details of the protected network from the public Internet.
c) The proxy server does not switch any network level packets.
d) The proxy server logs all activities in which it is involved.
e) There are no user accounts on the proxy server itself.
15.2.6.4 The ‘Launch Server’ should have the following features :
a) The launch server houses only client applications.
b) User logins on the launch server must be different from the user’s "home account."
c) The launch server should be based on a different hardware and software platform than on the user "home" systems.
Implementation of Cryptographic Controls
The growth in information technology has made the traditional methods of controlling information much more challenging. The popularisation and extensive use of cryptographic devices has provided financial organisations with the opportunity to maintain a high level of security in business operations, while reaping benefits from the increased use of Information Technology. The organisations should bear the following factors in view while taking decisions on the selection, use and evaluation of their cryptography-based controls.
16.1 Cryptographic Controls :
Cryptographic systems and techniques should be used for the protection of the confidentiality, authenticity and integrity of information that is considered at risk and for which other security controls do not provide adequate protection.
16.2 Policy on the Use of cryptographic Controls :
Making a decision as to whether a cryptographic solution is appropriate should be seen as part of a wider process of assessing risks and selecting security controls. A risk assessment should be carried out to determine the level of protection that information should be given. This assessment can then be used to determine whether a cryptographic control is appropriate, what type of control should be applied and for what purpose and which business process. An organization should develop a policy on its use of cryptographic controls for protection of its information. Such a policy is necessary to maximize benefits and minimize the risks of using cryptographic techniques and to avoid inappropriate or incorrect use. When developing a policy for the purpose, the following should be considered :
a) the management approach towards the use of cryptographic controls across the organization including the general principles under which business information should be protected;
b) the approach to key management, including methods to deal with the recovery of the encrypted information in the case of lost, compromised or damaged keys;
c) Roles and responsibilities e.g. who is responsible for :
- the implementation of the policy; and
- the key management;
d) how the appropriate level of cryptographic protection is to be determined; and
e) the standards to be adopted for the effective implementation throughout the organization (which cryptographic solution is used for which business process).
16.3 Encryption :
Encryption is a cryptographic technique that can be used to protect the confidentiality of information. It should be considered for the protection of sensitive or critical information.
Based on a risk assessment, the required level of protection should be identified, taking into account the type and quality of the encryption algorithms and the length of the cryptographic keys to be used. When implementing the organization’s policy on cryptography, consideration should be given to the regulations and national restrictions that might apply to the use of cryptographic techniques in different parts of the world and to the issues of trans-border flow of encrypted information. In addition, consideration should also be given to the controls that apply to the export and import of cryptographic technology. Specialist advice should be sought to identify the appropriate level of protection, to select suitable cryptographic products that will provide the required protection and the implementation of a secure key management. In addition, legal advice may need to be sought regarding the laws and regulations that might apply to the organization’s intended use of encryption.
16.4 Applying Encryption :
16.4.1 What to Encrypt?
Information requiring confidentiality protection should be encrypted if
a) the information will be appearing outside the direct control of the organisation;
b) the information is to be stored or transported on removable media; and
c) the information is to be transmitted over telephone, fax or computer networks.
Information not requiring confidentiality protection should not be separately encrypted.
16.4.2 How to Encrypt ? :
Several issues will have to be considered to determine how best to encrypt. These issues relate to hardware versus software encryption products, end-to-end or local encryption, placement in the OSI model and key management issues.
16.4.2.1 Hardware Versus Software Encryption Products :
Encryption products exist in either hardware or software form. Hardware devices can be stand-alone units which attach to a communications port, or equipment with a built-in cryptographic microcircuit. Software encryption products can be stand-alone products that encrypt any file before it is sent, or can be integrated into other applications. The hardware encryption products should be used to address the following requirements :
a) when assurance is required that the encryption product is operating as specified ; and
b) whenever possible.
The software encryption products should be used to address the following requirements :
a) cost is a major factor ;
b) assurance that the encryption product operates as specified ; and
c) compensating controls can verify that the software is operating as specified. For example, customers who will not accept additional hardware in their systems may request cryptographic services within a software package. In this case, a certain amount of assurance can be achieved, if these applications communicate with the hardware cryptographic devices.
16.4.2.2 End-to-End, Link or Local Encryption:
End-to-end encryption is the encryption of information from its source with decryption at the destination. Protection is provided along the entire transmission path. Each potential user must have encryption capabilities and be supplied with key management services. Link encryption operates on all traffic passing between two facilities. The link encryption should be used to address the following requirements :
a) significant communications exist between the facilities;
b) other controls protect information within a building or campus ; or
c) controls are in place to ensure that information in need of protection will be routed over the designated links.
The end-to-end encryption should be used to address the following requirements :
a) communication between one or more central facilities and individual users ;
b) a small number of users are involved within a given enterprise ;
c) protection is required end-to-end ; or
d) link encryption is not warranted.
The encryption should be used in local mode to address the following requirements :
a) information is to be protected in storage by an individual user ; or
b) key management prevents unauthorized use of the encryption facility.
16.4.2.3 The Open Systems Interconnection (OSI) Layer :
If the organisation has organized its information processing system according to the OSI interconnection model, placement of encryption services is determined by selecting a layer. The OSI model divides information processing as follows :
Layer 7 | Application
Layer 6 | Presentation
Layer 5 | Session
Layer 4 | Transport
Layer 3 | Network
Layer 2 | Link
Layer 1 | Physical
The encryption capability should be placed at Layer 2 when link encryption is specified.
The encryption capability should be placed at Layer 4 when all traffic from a given terminal is to be encrypted.
The encryption capability should be placed at Layer 6 when encryption is to be treated as a service to be called from multiple applications.
The encryption capability should be placed at Layer 7 when the protection of an application is specified.
16.4.3 Who Controls Encryption ? :
Organisations employing encryption must determine who can control the use of the encryption services. Encryption is a two-edged sword. It can protect the organisation’s information. It can also assist a dishonest employee in stealing the organisation’s assets or holding a database at ransom. To ensure that encryption is properly controlled, the following steps should be implemented :
- To establish corporate policies on the use and control of encryption.
- To limit control of encryption services to the most trustworthy individuals in the organisation.
- To establish positive organisational control over all cryptographic keying material.
- To ensure that no single individual can access keys or change keys to a value chosen by that individual.
- To ensure proper key management.
16.4.4 Physical and Logical Security of Encryption Products :
The organisation has to ensure that proper physical and logical security controls, as discussed in this document, are applied to cryptographic products.
16.4.5 Choice of Encryption Algorithms :
To ensure the highest quality of encryption, the algorithms contained in ISO developed standards or such other standards, accepted internationally, should be considered for use by financial organisations.
Chapter 17
Digital Signatures - A Security Control Measure
17.1 Why Digital Signatures are required ?
As information processing systems are automated, paper based documents are increasingly being stored and processed in electronic form. Documents in electronic form facilitate rapid processing and transmission and thereby improve the overall efficiency of the information systems and the business processes. However, approval of a written document has traditionally been indicated by a written signature. There is a need for an electronic equivalent to the written signature, which would be recognized to have the desired legal status. Merely digitizing the written signature - converting the signature into a series of numbers - is not an acceptable alternative, since the digitized signature bears no relationship to the data that is being signed.
Paper based documents offer some resistance to alteration and forgery. To modify a paper document, one has to erase and replace the text without being detected. To forge a written document requires a certain amount of skills and practice. An electronic document with a digitized written signature would provide no such protection. The contents of a document could be altered without changing the signature and the digitized signature could be replicated on other documents without detection.
Digital signatures provide a means of protecting the authenticity and integrity of the electronic documents. For example, they can be used in electronic commerce where there is a need to verify who has signed an electronic document and to check whether the contents of the signed document have been changed in transit. Digital signatures can be applied to any form of document being processed electronically e.g. they can be used to sign electronic payments, funds transfers, contracts and agreements.
Digital signatures can be implemented using a cryptographic technique based on a uniquely related pair of keys, where one key is used to create a signature (the private key) and the other to check the signature (the public key). Care should be taken to protect the confidentiality of the private key. This key should be kept secret, since anyone having access to this key can sign documents e.g. payments, contracts, and thereby forging the signature of the owner of that key. In addition, protecting the integrity of the public key is important. Consideration needs to be given to the type and quality of the signature algorithms used and the length of the keys to be used. Cryptographic keys used for Digital signatures should be different from those used for encryption. When using Digital signatures, consideration should be given to any relevant legislation that describes the conditions under which a digital signature is legally binding.
Non-repudiation services should be used where it might be necessary to resolve disputes about the occurrence or the non-occurrence of an event or action e.g. dispute involving the use of a digital signature on an electronic contract or payment. They can help establish evidence to substantiate whether a particular event or action has taken place e.g. denial of sending a digitally signed instruction using electronic mail. These services are based on the use of encryption and digital signature techniques.
17.2 How to generate Digital Signatures?
Security architectures have emerged, based on public key cryptography, that facilitate authentication via digital signature implementation in smart cards or PCMCIA (Personal Computer Memory Card International Association) cards. These cards contain the private key associated with the individual. Thus, the transactions ‘signed’ with the private key can be validated by anyone with access to the individual’s public key. This provides a close association between a document and an individual who possesses the authority to bind the organisation to the contents of a document. Furthermore, these cards can also contain secret encryption keys used in symmetric encryption operations. As with tokens, card systems should provide PIN entry services. To assure that the digital signatures, used by the organisation, deliver proper non-repudiation, the following steps should be taken:
a) Limit the signature authority to those individuals who have been authorised/entrusted to bind the organisation.
b) Use digital signature standards, accepted by ISO or by competent national authorities.
c) Ensure that the parameters and the keying material are properly generated and used.
17.3 Certification :
A digital signature is a value derived from the message being signed by an appropriate cryptographic algorithm and the ‘secret’ key half of an asymmetric key pair. Any party who holds the ‘public’ half of the key pair can verify that the holder of the ‘secret’ key half was the party signing the message. The party verifying must have some assurance that the ‘public’ key half is indeed the one associated with the signing party. This assurance is accorded by the Certification Authorities, mutually trusted third parties, who can cryptographically bind an individual to his ‘public’ key. The Certification Authorities can exist in a hierarchy. All that is required is for both parties to a transaction to have at least one common authority in their set of relationships; the Certification Authorities may be different, provided there is a proper agreement between them for facilitating, among others, cross verification. Once the two parties have identified a common Certification Authority, that authority’s public key must be well known or delivered with integrity protection to preclude system compromise.
17.4 Legal standing of Digital Signatures :
The Information Technology Act, 2000 recognises the legal validity of digital signatures for the purpose of authentication and non-repudiation. The parties conducting business under a pre-existing contract may suitably modify the same and use digital signature for the purpose of authentication and non-repudiation.
17.5 Certificate (Key) Management :
As with any technology, there are elements which are relatively easy to implement and segments which pose major efforts to accomplish. One such area that requires careful planning, education and precise implementation is cryptographic key management.
Key management is that part of cryptography that provides the methods for the secure generation, exchange, use, storage and the discontinuation of the cryptographic keys, used by the cryptographic techniques like encryption and authentication. However, these techniques are of no value without the secure management of the cryptographic keys. The major functions of key management are to provide the cryptographic keys, required by the cryptographic techniques and to protect these keys from any form of compromise. The specific procedures and security requirements for key management depend on the type of crypto-system upon which the cryptographic techniques are based, the nature of the cryptographic techniques themselves and the characteristics and the security requirements of the computer system or network being protected. The most important element is that key management must be flexible enough for efficient use within the computer system or network, but maintaining the security requirements of the system.
Key management services must be available when and where they are needed, including at the back-up sites. Key management must be a part of an organisation's disaster recovery plan.
17.5.1 Protection of Cryptographic Keys :
The management of cryptographic keys is essential to the effective use of cryptographic techniques. Any compromise or loss of cryptographic keys may lead to a compromise of the confidentiality, authenticity and/or integrity of information. A management system should be in place to support the organization’s use of the two types of cryptographic techniques, which are as discussed hereunder :
a) secret key techniques, where two or more parties share the same key and this key is used both to encrypt and decrypt information.
This key has to be kept secret since anyone having access to it is able to decrypt all information being encrypted with that key or to introduce unauthorized information.
b) Public key techniques, where each user has a key pair, a public key (which can be revealed to any one) and a private key (which has to be kept secret). Public key techniques can be used for encryption and to produce digital signatures.
All keys should be protected against modification and destruction, and secret and private keys also need protection against unauthorized disclosure. Cryptographic techniques can also be used for this purpose. Physical protection should be used to protect equipment used to generate, store and archive keys.
17.5.2 Standards, Procedures and Methods :
A key management system should be based on an agreed set of standards, procedures and secure methods for :
a) generating keys for different cryptographic systems and different applications;
b) generating and obtaining public key certificates;
c) distributing keys to intended users, including how keys should be activated when received;
d) storing keys, including how authorized users obtain access to keys;
e) changing or updating keys including rules on when keys should be changed and how this will be done;
f) dealing with compromised keys;
g) revoking keys including how keys should be withdrawn or deactivated e.g. when keys have been compromised or when a user leaves an organization (in which case keys should also be archived);
h) recovering keys that are lost or corrupted as part of business continuity management e.g. for recovery of encrypted information;
i) Archiving keys e.g. for information archived or backed up;
j) Destroying keys; and
k) Logging and auditing of key management related activities.
17.5.3 In order to reduce the likelihood of compromise, keys should have defined activation and deactivation dates, so they can only be used for limited period of time. This period of time should be dependent on the circumstances under which the cryptographic control is being used and the perceived risk. Procedures may need to be considered for handling legal requests for access to cryptographic keys e.g. encrypted information may need to be made available in an unencrypted form as evidence in a court case.
In addition to the issue of the securely managed secret and private keys, the protection of the public keys should also be considered. This problem is addressed by the use of a public key certificate. These certificates should be produced in a way that uniquely binds the information related to the owner of the public/private key pair to the public key. It is, therefore, important that the management process that generates these certificates can be trusted. This process is normally carried out by a Certification Authority, which should be a recognized organization with suitable controls and procedures in place to provide the required degree of trust.
The terms and conditions of the service level agreements or contracts with external suppliers of cryptographic services e.g. with a Certification Authority, should cover issues of liability, reliability of services and response time for the provision of services.
17.5.4 In implementing non-repudiation service, the generation, control and distribution of the keying material must be accomplished in a way to maintain the desired security. Digital signatures require rather long keys. These keys will normally be stored in a smart card, security token or personal computer. Access to these keys and access to the signing mechanism must be carefully controlled, as the digital signatures will result in binding the organisation.
In order to prove the ownership of a public key, a binding association between the owner and that public key must be documented. This binding is called a "Certificate". The Certificates are generated by a Trusted Third Party (TTP) called a Certification Authority (CA).
To ensure that the non-repudiation service is properly used, the following steps should be taken :
a) Address non-repudiation in the overall information security policy for the organisation.
b) Select personnel who may be authorized to digitally sign the messages in the same manner as the selection of personnel who may sign paper documents of a similar nature.
c) Select a Certification Authority with extreme care.
d) Establish a Certification Authority for the organisation.
17.6 Choice of Algorithm :
To ensure proper digital signature operation, it should be ensured to allow only ISO specified algorithms or those accepted internationally, to be used.
17.7 Generation of Cryptographic Keys :
To ensure that the cryptographic keys are not predictable, the following steps should be taken :
a) Generate secret keys using random or pseudo random generation techniques, such as those found in ISO or in other internationally accepted standards.
b) Consider central generation using a single high-quality random or pseudo random source and to monitor for continuing quality of output.
To assure that the asymmetric keys are properly generated, the required tests for the primality or other requirements that yield low probability of error should be performed.
17.8 Distribution of Cryptographic Keys :
The Key distribution involves the secure movement of the cryptographic keys from the point they are generated to where they are to be used. The requirements for key distribution will depend on the nature of the service to be provided and the algorithms to be used.
17.8.1 Distribution of Secret Keys :
The keys which must be kept secret include symmetric keys and the secret ‘private’ key in asymmetric crypto-systems. To protect cryptographic keys during distribution, all the requirements of ISO or such other internationally accepted standards for the transport of keys should be observed.
17.8.2 Distribution of Public Keys :
To ensure the validity of the public keys in an asymmetric crypto system, the following steps should be taken ;
a) Protect the keys which are used for the verification of a signature or to encrypt information for ultimate decryption with a recipient’s secret ‘private’ key against unauthorized modification or substitution.
b) Enforce the use of the key certificates.
17.9 Storage of the Cryptographic Keys :
Another area of concern is the storage of the back-up copies of the keys in use including the future and the discontinued keys. Both require the ability to protect these keys from disclosures or substitution, but, at the same time, must also be available for access and audit by the authorized personnel. To ensure safe storage and retrieval of the cryptographic keys, it should be ensured to enforce the requirements of ISO security standards or such other internationally accepted standards for the storage and archiving of the keys.
17.10 Public Key Certification and Standards :
To ensure that asymmetric-algorithm based crypto systems deliver the full measure of security for which they are intended, the following steps should be taken:
a) The use of a Certification Authority which operates using ISO approved standards or such other nationally approved standards.
b) Address the issues of liability in service contract with external Certification Authorities.
c) Reference to the Certificate Revocation Lists (CRLs) periodically or before transactions involving amounts in excess of a given limit.
d) Incorporate certification service with data recovery services.
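Sections 17.1, 17.3, 17.7 and item c) above describe one chain: a key pair generated from a good random source with primality tests, a signature that changes if the document changes, a Certification Authority that binds a subject to a public key, and a verifier that checks the CRL before trusting the certificate. The following is an added example, not part of the guideline and not a standards-conformant scheme: textbook RSA over SHA-256 in pure Python, chosen only so that every step is visible and runs without external libraries. It uses Miller-Rabin for the primality tests of 17.7 and a toy CA with an in-memory CRL; the names, serial numbers and the payment instruction are constructed. Production systems must use a standardised scheme (RSA-PSS or ECDSA) from a vetted library or HSM with proper padding, never this code.

```python
"""Added example, not part of the RBI guideline and not a standards-
conformant signature scheme: textbook RSA over SHA-256 (no padding) in
pure Python, to show the mechanics of 17.1, 17.3, 17.7 and 17.10 c).
Production systems must use RSA-PSS or ECDSA from a vetted library."""
import hashlib
import json
import secrets


def _small_primes(limit=2000):
    sieve = bytearray([1]) * limit
    sieve[0] = sieve[1] = 0
    for i in range(2, int(limit ** 0.5) + 1):
        if sieve[i]:
            for j in range(i * i, limit, i):
                sieve[j] = 0
    return [i for i, is_p in enumerate(sieve) if is_p]


SMALL_PRIMES = _small_primes()


def is_probable_prime(n, rounds=40):
    """Trial division, then Miller-Rabin: a composite survives all rounds
    with probability at most 4**-rounds (the 'low probability of error'
    test that 17.7 asks for)."""
    if n < 2:
        return False
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        a = 2 + secrets.randbelow(n - 3)          # random base in [2, n-2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def generate_prime(bits):
    """Random odd candidate from the OS CSPRNG with the top bit set."""
    while True:
        c = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(c):
            return c


def generate_keypair(modulus_bits=1024):
    """Return (public, private).  modulus_bits >= 512 keeps SHA-256 digests < n."""
    if modulus_bits < 512:
        raise ValueError("modulus too small for this demo")
    e = 65537
    while True:
        p, q = generate_prime(modulus_bits // 2), generate_prime(modulus_bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:                    # e is prime, so this is gcd(e, phi) == 1
            break
    return {"n": p * q, "e": e}, {"n": p * q, "d": pow(e, -1, phi)}


def _digest(data):
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def sign(private, data):
    """Signature = H(data)^d mod n; it depends on every bit of the document."""
    return pow(_digest(data), private["d"], private["n"])


def verify(public, data, signature):
    if not 0 < signature < public["n"]:
        return False
    return pow(signature, public["e"], public["n"]) == _digest(data)


def _cert_body(cert):
    return json.dumps({k: v for k, v in cert.items() if k != "sig"}, sort_keys=True).encode()


def issue_certificate(ca_private, issuer, serial, subject, subject_public):
    """The CA binds (serial, subject, public key) by signing the canonical body."""
    cert = {"issuer": issuer, "serial": serial, "subject": subject,
            "n": subject_public["n"], "e": subject_public["e"]}
    cert["sig"] = sign(ca_private, _cert_body(cert))
    return cert


def verify_certificate(ca_public, cert, crl):
    """Valid only if the CA signature holds and the serial is not on the CRL."""
    return cert["serial"] not in crl and verify(ca_public, _cert_body(cert), cert["sig"])


def verify_signed_document(ca_public, crl, cert, document, signature):
    """Full chain: trusted CA key -> unrevoked certificate -> signature over content."""
    if not verify_certificate(ca_public, cert, crl):
        return False
    return verify({"n": cert["n"], "e": cert["e"]}, document, signature)


if __name__ == "__main__":
    ca_pub, ca_priv = generate_keypair(512)      # small for speed; demo only
    user_pub, user_priv = generate_keypair(512)
    cert = issue_certificate(ca_priv, "Demo CA", 1001, "officer@example.bank", user_pub)
    instruction = b"TRANSFER 250000.00 INR to A/C 000123456 ref 2024-0042"   # constructed
    sig = sign(user_priv, instruction)
    print(verify_signed_document(ca_pub, set(), cert, instruction, sig))         # True
    print(verify_signed_document(ca_pub, set(), cert, instruction + b"0", sig))  # False: altered
    print(verify_signed_document(ca_pub, {1001}, cert, instruction, sig))        # False: revoked
```

Three things the run makes concrete: changing a single byte of the instruction invalidates the signature (unlike the digitized written signature of 17.1), a certificate whose subject field has been edited fails the CA check, and a revoked serial is rejected before the document signature is even examined, which is why item c) asks that the CRL be consulted before high-value transactions.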
Certification Authorities(CA)/Trusted Third Parties (TTP)
18.1 Many markets have recognized the need for enhanced security services, provided by an entity, mutually trusted by the other entities. These services range from increasing trust or business confidence in specific transactions to provision for the recovery of information for which encryption keys are not otherwise available to authorized entities. Trusted Third Parties (TTP) are the vehicles for the delivery of such services. For the banking and financial services industry, TTP technology offers a vehicle by which an organisation can deliver assurances between its sub-divisions, between itself and its customers and between itself and its correspondent organisations. An organisation may choose to set up an internal TTP function or subscribe to an external provider for TTP services. The banking and financial organisations desiring to use the TTP services should consider the following :
18.1.1 Assurance :
A TTP function, whether internally or externally provided can only add value when the users of the services are assured of its quality. Before a contract is executed with a provider or the operations of an internal system begin, the organisation must satisfy itself that the following issues have been addressed.
a) Trust : Is the TTP organized, controlled and regulated in such a way that its operation can be relied upon, checked and verified?
b) Accreditation : Is the TTP accredited by the recognized national, regional or international groups?
c) Compliance : Is the TTP operating in compliance with accepted industry standards and all relevant regulations?
d) Contract : Is there a legally binding contract in place covering the provisions of the service and addressing of all the issues in this list? Are there contracts with co-operating TTPs which also address these concerns?
e) Liability : Is there a clear understanding as to the issues of liability? Under what circumstances is the TTP liable for damages? Does the TTP have sufficient resources or insurance to meet its potential liabilities?
f) Policy Statement : Does the TTP have a security policy covering technical, administrative and organizational requirements?
18.2 Services of a TTP :
The services which a TTP can provide include the following :
a) Issue of Digital Certificates
b) Key Management for symmetric crypto-systems
c) Key Management for asymmetric crypto-systems
d) Key Recovery
e) Authentication and Identification
f) Access Control
g) Non-repudiation
Key recovery is the ability of the TTP to recover either mathematically or through secure storage or through other procedures, the proper cryptographic key used for encryption of information using the organisation’s information processing resources. This function would assure an organisation that it can always have access to information within its information processing resources. Such recovery services may be essential in disaster recovery.
18.3 Network of TTPs :
A network of co-operating TTPs requires to be developed before the full potential of the TTPs can be realized. Competition between the TTPs may reduce cost at the risk of offering reduced levels of service or assurance. However, confidence in the organisation and the financial services sector has to be preserved.
18.4 Legal Issues :
Banking and financial organisations generally have higher level of requirements for record retrieval. The contract with a TTP should, among others, address the issues relating to the maintenance of the keys, used for encryption, authentication and digital signatures, as these may need to be reproduced many years after the transactions for which they were used.
Liability for the misfeasance, malfeasance or non-feasance of the TTP including direct and consequential damages must also be fully understood and agreed upon. The TTP must have adequate financial reserves or insurance to meet any liability.
Banking and financial organisations in many jurisdictions are obliged to protect the privacy rights of their customers, especially the safeguarding of the personal data. These obligations are sometimes at odds with the requirements under law relating to access to information. The contract with an external TTP or the operating procedures of an internal TTP should address both these concerns.
Business Continuity Planning Framework/Disaster Recovery Planning (DRP)
19.1 A business continuity management process should be implemented to reduce the disruption, caused by disasters and security failures (which may be the result of, for example, natural disasters, accidents, equipment failures and deliberate actions) to an acceptable level through a combination of preventative and recovery controls. The consequences of disasters, security failures and loss of service should be analyzed. Contingency plans should be developed and implemented to ensure that business processes can be restored within the required time-scales. Such plans should be maintained and practiced to become an integral part of all other management processes. Business continuity management should include controls to identify and reduce risks, limit the consequences of damaging incidents and ensure the timely resumption of essential operations.
A single framework of business continuity plans should be maintained to ensure that all plans are consistent and to identify priorities for testing and maintenance. Each business continuity plan should specify clearly the conditions for its activation, as well as the individuals responsible for executing each component of the plan. When new requirements are identified, the established emergency procedures e.g. evacuation plans or any existing fallback arrangements, should be amended as appropriate. A business continuity planning framework should consider the following :
a) the conditions for activating the plans which describe the process to be followed (how to assess the situation, who is to be involved, etc.) before each plan is activated;
b) emergency procedures, which describe the actions to be taken following an incident which jeopardizes business operations and/ or human life. This should include arrangements for public relations management and for effective liaison with appropriate public authorities e.g. police, fire service and local government;
c) fall back procedures which describe the actions to be taken to move essential business activities or support services to alternative temporary locations and to bring business processes back into operation in the required time-scales;
d) resumption procedures which describe the actions to be taken to return to normal business operations;
e) a maintenance schedule which specifies how and when the plan will be tested and the process for maintaining the plan;
f) awareness and education activities which are designed to create understanding of the business continuity processes and ensure that the processes continue to be effective;
g) the responsibilities of the individuals, describing who is responsible for executing which component of the plan. Alternatives should be nominated as required.
Each plan should have a specific owner. Emergency procedures, manual fallback plans and resumption plans should be within the responsibility of the owners of the appropriate business resources or processes involved. Fallback arrangements for alternative technical services such as the information processing and communications facilities should be carried out in co-ordination with the service providers/contractors/ suppliers under written agreement/contract, setting out the roles and responsibilities of each party for meeting the emergency situations as also the imposition of penalties including legal actions, to be initiated by the organisation against the service providers/contractors/suppliers in the event of non-compliance/non-co-operation on their part.
19.2 Business Continuity Management Process :
There should be a managed process in place for developing and maintaining business continuity throughout the organization. It should bring together the following key elements of business continuity management.
a) understanding the risks the organization is facing in terms of their likelihood and their impact, including an identification and prioritization of critical business processes;
b) understanding the impact which interruptions are likely to have on the business (it is important that solutions are found that will handle smaller incidents as well as serious incidents that could threaten the viability of the organization) and establishing the business objectives of the information processing facilities;
c) Considering the purchase of suitable insurance which may form part of the business continuity process;
d) Formulating and documenting a business continuity strategy consistent with the agreed business objectives and priorities;
e) Formulating and documenting business continuity plans in line with the agreed strategy;
f) Regular testing and updating of the plans and processes put in place; and
g) ensuring that the management of business continuity is incorporated in the organization’s processes and structure.
19.3 Business Continuity and Impact Analysis :
Business continuity should begin by identifying the events that can cause interruptions to business processes e.g. equipment failure, flood and fire. This should be followed by a risk assessment to determine the impact of those interruptions (both in terms of damage scale and recovery period). Both of these activities should be carried out with full involvement from owners of business resources and processes. This assessment considers all business processes and is not limited to the information processing facilities. Depending on the results of the risk assessment, a strategic plan should be developed to determine the overall approach to business continuity. Once this plan has been created, it should be approved by management.
19.4 Writing and Implementing Business Continuity Plans :
Plans should be developed to maintain or restore business operations in the required time scales following interruption to, or failure of, critical business processes. The business continuity planning process should consider the following:
a) identification and agreement of all responsibilities and emergency procedures;
b) implementation of the emergency procedures to allow recovery and restoration in required time-scales. Particular attention needs to be given to the assessment of the external business dependencies and the contracts in place;
c) documentation of the agreed procedures and processes ;
d) Appropriate education of staff in the agreed emergency procedures and processes including crisis management;
e) Testing and updating of the plans.
Examples of situations that might necessitate updating the plans include the acquisition of new equipment or the upgrade of the operational systems and changes in :
a) personnel;
b) addresses or telephone numbers;
c) business strategy ;
d) location, facilities and resources;
e) legislation;
f) contractors, suppliers and key customers;
g) processes - new/withdrawn ones; and
h) risk (operational and financial)
19.5 Testing, Maintenance and Re-assessment of Business Continuity Plans :
19.5.1 Testing the Plans :
Business continuity plans may fail on being tested, often because of incorrect assumptions, oversights or changes in equipment or personnel. They should, therefore, be tested regularly to ensure that they are up to date and effective. Such tests should also ensure that all members of the recovery team and other relevant staff are aware of the plans. The test schedule for business continuity plan(s) should indicate how and when each component of the plan should be tested. It is recommended to test the individual components of the plan(s) frequently. A variety of techniques should be used in order to provide assurance that the plan(s) will operate in real life. These should include:
a) table-top testing for various scenarios (discussing the business recovery arrangements using example interruptions) ;
b) simulations (particularly for training people in their post-incident/ crisis management roles);
c) technical recovery testing (ensuring information systems can be restored effectively);
d) testing recovery at an alternate site (running business processes in parallel with recovery operations away from the main site) ;
e) tests of supplier facilities and services (ensuring externally provided services and products will meet the contracted commitment); and
f) complete rehearsals (testing that the organization, personnel, equipment, facilities and processes can cope with interruptions).
The techniques can be used by any organization and should reflect the nature of the specific recovery plan.
19.5.2 Maintenance and Re-assessment of the Plans :
Business continuity plans should be maintained by regular reviews and updates to ensure their continuing effectiveness. Procedures should be included within the organization’s change management programme to ensure that business continuity matters are appropriately addressed. Responsibility should be assigned for regular reviews of each business continuity plan. The identification of changes in business arrangements, not yet reflected in the business continuity plans, should be followed by an appropriate update of the plan. This formal change control process should ensure that the updated plans are distributed and reinforced by regular reviews of the complete plan. Consideration should be given to the possibility of degradation of media used for storage of records. Storage and handling procedures should be implemented in accordance with the manufacturer’s recommendations.
Where electronic storage media are chosen, procedures to ensure the ability to access data (both media and format readability) throughout the retention period should be included, to safeguard against loss due to future technology change. Data storage systems should be chosen such that the required data can be retrieved in a manner acceptable to a court of law e.g. all records required can be retrieved in an acceptable timeframe and in an acceptable format. The system of storage and handling should ensure clear identification of records and of their statutory or regulatory retention period. It should permit appropriate destruction of records after that period if they are not needed by the organization.
To meet these obligations, the following steps should be taken within an organization.
a) Guidelines should be issued on the retention, storage, handling and disposal of records and information.
b) A retention schedule should be drawn up identifying essential record types and then the period of time for which they should be retained.
c) An inventory of the sources of key information should be maintained.
d) Appropriate controls should be implemented to protect essential records and information from loss, destruction and falsification.
19.6 Business Continuity :
To ensure that vital business records are not lost through destruction or loss of paper documents, the paper documents and the media storage should be included as part of the contingency and disaster recovery plan, discussed in this document.
19.7 Preservation of Evidence :
To ensure that transaction source documents can be located when needed, the following steps should be taken :
a) The documents that serve as the source for transactions should be uniquely numbered, with all parts of a multi-part form bearing the same number. A tracking system should be used that will enable appropriate personnel to locate document parts at any time.
b) Electronic article surveillance should be used for areas containing a concentration of documents that are processed frequently by several authorised personnel.
19.8 Labelling :
To further identify documents with HIGHLY SENSITIVE information, the organisation should establish a policy for the labelling of the documents. However, while deciding on the policy, the organisation should consider whether the benefits of providing the notice of sensitivity are outweighed by the cost of doing so.
19.9 Forged Documents :
To prevent the acceptance of forged documents, the organisation should train the personnel, responsible for the processing of value-bearing documents or documents, which are used as the basis of transactions, to refer the documents to their supervisor immediately, if any irregularity is detected or suspected.
19.10 Output Distribution Schemes :
There is a trend to replace the paper documents such as reports, prospectuses and statements with on-line access to computer systems and in the event of the adoption of such a system/practice in the organisation, it has to be ensured that all the relevant controls, as discussed in this document, apply to these computer systems.
19.11 Microfilm and other Media Storage :
The microfilm, microfiche and mass storage media pose special concerns because of the vast quantity of information they can store and the relative inability to readily ascertain their contents. The following controls should be put in place for the protection of this media.
19.11.1 Disclosure :
To procure greater security for HIGHLY SENSITIVE information stored on magnetic media, it is to be ensured to encrypt the storage media containing HIGHLY SENSITIVE information or to physically protect the media from unauthorized access or removal. To prevent the disclosure of sensitive or HIGHLY SENSITIVE information on microfilm or microfiche, it is to be ensured to attach labels indicating the highest classification of information that is stored on a microfilm or microfiche. This label should be clearly visible.
19.11.2 Destruction :
To prevent destruction or disclosure of information through unauthorized removal of storage media, it is to be ensured to control access to areas containing a concentration of information storage media. In addition, consideration should be given to the use of electronic article surveillance security systems.
19.11.3 Business Continuity :
To ensure the continued availability of the information stored on microfilm, microfiche or mass storage media, it is to be ensured to include microfilm, microfiche and mass storage media as part of the contingency and disaster recovery plan, as discussed in this document.
19.11.4 Environmental :
To prevent the destruction of information through loss of storage media due to environmental problems, it is to be ensured to provide adequate fire protection and environment control for storage sites.
Disaster Recovery Planning and Cryptographic Disasters
Disaster Recovery Planning (DRP), also called business resumption/continuity planning, is an on-going requirement in any financial organisation. Its main purpose is to ensure that business functions continue during and after disasters, such as fire, flood, power failures, disruption in operations etc. DRP and cryptography interact in two basic ways in this matter.
20.1 Disaster Cryptography :
From the DRP perspective, the cryptographic facilities such as the key management centres and the Certification Authorities are one class of functions which must be brought back on-line following disruption. It has to be ensured that the keying material remains secure while it is made available at the backup sites. For example, the keys for MAC of fund transfer messages may be replicated and securely stored at a back-up site. Split knowledge and dual control could be adequate. However, the back-up site for a Certification Authority should use a separate certification root, since the integrity of the signature system derives from the non-disclosure of the root key outside of the Certification Authority’s key generation device. The continued operation of the cryptographic facilities must be part of the organisation’s DRP.
20.2 Cryptographic Disasters :
DRP must also cover how to deal with the events caused by or complicated by the cryptographic services, especially unforeseen failures. For example, an organisation may have implemented a state-of-the-art access control system, and yet clear signs of an intruder may be noticed in the system. One possibility could be that the cryptographic facilities have failed. DRP must contain clear instructions regarding how to handle such situations, from the point of view of plugging the loopholes in the system and containing damage, if any.
The Information Systems Security and the Disaster Recovery Programme of an organisation must address cryptographic threats, at least in generic form, and implement the following steps for this purpose :
a) Establish a system for regular monitoring of the information processing system for abnormal behaviour ;
b) Establish the procedures to be followed for determining the cause of the abnormal behaviour and guidelines on how to respond to a threat, intruder etc.;
c) Establish the procedures for dealing with the failure of any cryptographic control; and
d) Ensure the availability of the cryptographic services, keying material and other related services following business interruption.
Financial Services/Products and Security Controls
21.1 Financial Transaction Cards :
Financial transaction cards are a means to access an existing account or a pre-approved line of credit. The terms debit card and credit card are used for account access and line-of-credit access respectively. They may be used in the purchase of goods from merchants who have agreed to accept the card in exchange for goods or as a means to acquire cash. Financial transaction cards may be magnetic stripe cards, which may store information on magnetic media or "smart cards" which may process information as well as to store it.
Financial Card Associations, as a corporate policy, maintain their own minimum security standards for financial organisations and contractors. In addition to those security programs, organisations using financial transaction cards should employ the controls listed below.
21.1.1 Physical Security :
To protect against the destruction, disclosure or modification of transaction card information during the processing stages, it is to be ensured to locate the local facility in an area regularly patrolled by the public law enforcement services and by fire protection services. Further, it is also to be ensured that the local facility is protected by an intrusion (detection) alarm system with auxiliary power.
21.1.2 Insider Abuse :
To prevent fraudulent transactions being made through access to card information, the following steps should be taken :
a) Store all media containing valid account information, including account numbers, PIN numbers, credit limits and account balances in an area limited to selected personnel.
b) Keep the production and issuing function for cards physically separate from the production and issuing function for PINs.
21.1.3 Transportation of PINs :
To prevent losses through the use of PINs that have been intercepted by unauthorised persons, it is to be ensured that PINs are handled in accordance with the Personal Identification Number (PIN) Management and Security requirements, as appropriate and required.
21.1.4 Personnel :
To prevent the assignment of unsuitable personnel to credit card processing duty, it is to be ensured to conduct credit and criminal record checks for all employees handling embossed or unembossed cards.
21.1.5 Audit :
To ensure the integrity of control and audit information, it should be ensured that the controls and audit logs are maintained for the printed plastic sheets, plates, embossing and encoding equipment, signature panel foil, holograms, magnetic tape, semi-finished and finished cards, simple cards, information on cardholder account numbers and equipment for disposal of waste.
21.1.6 Enforcement :
To ensure continued compliance with the security standards and the maintenance of the Audit Control Logs, it should be ensured to appoint at least one person to serve as the prime security officer responsible for performing the security functions.
21.1.7 Prevention of Counterfeit Card :
To prevent information disclosed on sales drafts from being used to produce counterfeit magnetic stripe cards, it should be ensured to encode cryptographic check digits on the magnetic stripe and validate these digits on as many transactions as possible. To prevent intercepted information, if any, from being used to produce counterfeit cards, it should be ensured to use the physical Card Authentication Method (CAM) to validate the authenticity of cards.
21.2 Automated Teller Machines :
Automated Teller Machines (ATM) are those devices that allow a customer to check account balances, make cash withdrawals, make deposits, pay bills or perform other functions which are generally associated with the tellers. These devices may be located inside an organisation’s buildings, attached to the outside of any such buildings or be away from the organisation’s office.
Additional precautions should be taken to reduce robbery and vandalism to the machines e.g. through installation of CCTV etc. The manufacturers of these devices and the ATM network providers supply general public security guidelines for the use of ATMs. These guidelines should be kept in view while deciding on the location of ATM and use thereof.
21.2.1 User Identification :
To provide assurance to the authorised users of the ATMs, the following steps should be taken:
a) Require the use of Personal Identification Numbers (PINs) to activate the ATM.
b) Educate the users to understand that the maintenance of the secrecy of the PIN is their responsibility.
To prevent unauthorized transactions caused by an unauthorized person guessing the PIN of a card, it should be ensured that the number of attempts at entering a PIN is limited to three. Further, the mechanism should be such that the card used in such an attempt is captured, so that the owner of the card can be contacted to ascertain the nature of the problem.
21.2.2 Authenticity of Information :
To prevent the unauthorized modification of the information transmitted to and from the ATMs, it should be ensured to use a Message Authentication Code (MAC) for each such transmission.
To prevent unauthorized modifications, destruction or disclosures of information residing in an ATM, it should be ensured that the physical access controls to the interior of the ATMs are consistent with the physical protection controls to the containers of currency.
21.2.3 Disclosure of Information :
To prevent the unauthorized use of ATMs or the Point of Sale Terminals through the unauthorized disclosure of information, the following steps should be taken:
a) Encrypt the PIN within the ATM, or use a smart card for introducing the PIN into the ATM, prior to transmission.
b) Consider encrypting all information transmitted from the ATM.
c) Manage PINs in accordance with relevant International standards.
21.2.4 Fraud Prevention :
To detect and prevent fraudulent use of the ATMs such as kiting schemes, empty envelope deposits and disallowed transactions, the following steps should be taken:
a) Limit the number of transactions and the amount of funds which can be withdrawn per day per account.
b) Balance the ATM under dual control daily.
c) Install video cameras at the site for capturing the images of all the users of the ATM.
d) Maintain the operation of the ATMs on-line i.e. the ATMs should have the ability to check the account balances prior to the completion of the transaction.
If on-line operation is not possible, it should be ensured to establish card issuance requirements more stringent than those used for on-line operation of the ATM.
21.2.5 Maintenance and Service :
To prevent unauthorized access to information during the maintenance and the servicing of the ATMs, the following steps should be taken :
a) Place the ATMs "out of service" to customers prior to any maintenance being performed.
b) Establish dual control procedures for the servicing of the ATMs involving opening of the vault.
21.3 Electronic Funds Transfers :
In addition to the security issues relating to Electronic Funds Transfers, as discussed under various clauses in this document, this sub-clause reexamines the probable threats and the required controls, as under, from the perspective of fund transfer applications, independent of the technology used.
21.3.1 Unauthorised Source :
To prevent loss through the acceptance of a payment request from an unauthorized source, it should be ensured to authenticate the source of messages requesting funds transfer, using a security procedure, as specified in the customer or correspondent agreement. The Cryptographic Authentication should be implemented, whenever feasible. Digital signature should be used. Successful decryption of a message may be used to establish the authenticity of the source of the message.
21.3.2 Unauthorized Changes :
To prevent an improper payment due to changed message contents, whether intentional or accidental, it should be ensured to authenticate at least the CRITICAL contents of a message, using a security procedure, specified in a customer or correspondent agreement. Full text authentication should be used whenever practical. Cryptographic Authentication should be used.
21.3.3 Replay of Messages :
To prevent an unauthorized repeated payment caused by a replayed message, it should be ensured to use and verify unique message identification. Further, this identification should be included in any authentication performed.
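The three controls in 21.3.1 to 21.3.3 (authenticating the source, authenticating at least the CRITICAL contents, and rejecting replays by including a unique message identification in the authentication) can be exercised together. The following is an added illustration written for this annexure, not code from the guideline: HMAC-SHA256 under a per-customer shared key stands in for the "security procedure specified in the customer or correspondent agreement", the field names and the sample request are constructed, and a digital signature would be substituted where non-repudiation is required.

```python
"""Authentication and replay rejection for funds-transfer requests (illustrative)."""
import hmac
import hashlib
import json

# Constructed shared key for one customer agreement (assumption: one key per
# customer, exchanged out of band; a real system keeps keys in an HSM).
CUSTOMER_KEYS = {"CUST-001": b"constructed-demo-key-do-not-use"}

# The CRITICAL contents (21.3.2). The unique message id is deliberately part of
# the authenticated contents so the replay check (21.3.3) cannot be bypassed by
# editing the id. Amounts are strings to avoid floating-point ambiguity.
CRITICAL_FIELDS = ("msg_id", "sender", "debit_account", "credit_account",
                   "amount", "currency", "value_date")


def canonical_critical_contents(msg):
    """Serialise the critical fields in a fixed order so that sender and
    receiver compute the MAC over identical bytes."""
    subset = {k: msg[k] for k in CRITICAL_FIELDS}
    return json.dumps(subset, sort_keys=True, separators=(",", ":")).encode()


def compute_mac(msg, key):
    return hmac.new(key, canonical_critical_contents(msg), hashlib.sha256).hexdigest()


def sign_request(msg, key):
    """Sender side: attach the MAC to a transfer request."""
    signed = dict(msg)
    signed["mac"] = compute_mac(msg, key)
    return signed


class TransferReceiver:
    """Receiving side: verifies source and contents, rejects replayed ids, and
    records every request regardless of outcome (21.3.4)."""

    def __init__(self, keys):
        self._keys = keys
        self._seen_ids = set()   # unique message identifications already accepted
        self.journal = []        # (outcome, message) for evidence retention

    def process(self, msg):
        """Return (accepted, reason)."""
        if any(k not in msg for k in CRITICAL_FIELDS):
            return self._reject(msg, "missing critical field")
        key = self._keys.get(msg["sender"])
        if key is None:
            return self._reject(msg, "unknown source")          # 21.3.1
        expected = compute_mac(msg, key)
        if not hmac.compare_digest(expected, msg.get("mac", "")):
            return self._reject(msg, "authentication failed")   # 21.3.1 / 21.3.2
        if msg["msg_id"] in self._seen_ids:
            return self._reject(msg, "replayed message id")     # 21.3.3
        self._seen_ids.add(msg["msg_id"])
        self.journal.append(("ACCEPTED", msg))
        return True, "accepted"

    def _reject(self, msg, reason):
        self.journal.append(("REJECTED:" + reason, msg))
        return False, reason


def run_demo():
    """Walk one genuine request and three problem cases through the receiver;
    returns the reason strings in order."""
    receiver = TransferReceiver(CUSTOMER_KEYS)
    key = CUSTOMER_KEYS["CUST-001"]
    request = {  # constructed sample request
        "msg_id": "CUST-001-2024-000017", "sender": "CUST-001",
        "debit_account": "000123456789", "credit_account": "000987654321",
        "amount": "1250000.00", "currency": "INR", "value_date": "2024-03-01",
        "memo": "supplier payment",  # not critical, so not covered by the MAC
    }
    genuine = sign_request(request, key)
    replay = dict(genuine)                       # identical message sent again
    altered = dict(genuine)
    altered["amount"] = "9250000.00"             # contents changed after signing
    unknown = sign_request({**request, "msg_id": "X-0001", "sender": "CUST-999"},
                           b"some-other-key")    # sender with no agreement on file
    return [receiver.process(m)[1] for m in (genuine, replay, altered, unknown)]


if __name__ == "__main__":
    for outcome in run_demo():
        print(outcome)
```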
21.3.4 Retention of Record :
To preserve evidence that may be needed to prove authorization in making a payment, it should be ensured to record the messages requesting for transfer of funds regardless of the media used to transmit the messages. The material messages to prove authentication including the supporting cryptographic material should be preserved, as required for the purpose.
21.3.5 Legal Basis for Payments:
To ensure that payments are made in accordance with a signed agreement, it should be ensured that the agreement for the EFT is quickly standardised, with provision for change control to take care of future growth.
21.4 Cheques :
Cheques, also known as Negotiable Orders of Withdrawal or Drafts, are written orders directing a bank to pay money. Several new approaches to the processing of cheques raise security concerns to be addressed by the financial organisations. The use of the Cheque Image and Cheque Truncation are techniques which raise security concerns. The transmission and use of the cheque image should be done under encryption and digital signature.
21.5 Electronic Commerce :
Electronic commerce, the provision of financial services over the Internet, is an emerging area of security concerns in the business operations of the financial organisations. Whether the financial services over the Internet are provided directly or with the assistance of a service provider, all usual security concerns must be addressed. Some security areas, which may be of special concern, are discussed hereunder :
21.5.1 New Customers :
The requirement to "Know Your Customer" poses several challenges when the services are delivered through cyberspace. While it may be desirable to advertise the services using a Homepage or other electronic medium, a personal visit to a financial organisation’s place of business should be insisted upon for opening a new account. Normal customer qualification procedures should be observed.
21.5.2 Integrity Issues :
Each transaction should be protected to ensure the identification of the user, authenticity of the user, authenticity of the message, confidentiality of sensitive information and the non-repudiation of instructions. The Transaction requests should be digitally signed, using a key authenticated for the purpose by the Organisation’s Certification Authority. This will provide the required assurance that the user is identified, the integrity of the message contents is maintained and the user is legally bound to his or her actions. It should be ensured that the Account Numbers, PINs or other information which, if revealed, may allow unauthorized use of an account, should be protected with encryption and digital signature.
21.6 Electronic Money :
To prevent against attacks on electronic money systems, the following steps should be taken:
a) Employ devices to ensure tamper-protection against analysis and unauthorized changes.
b) Employ cryptographic authentication of devices and transactions.
c) Employ cryptographic protection for data confidentiality and integrity.
To detect attacks against an electronic money system, the following steps should be taken :
a) Collect the transaction details for verification of financial and security data.
b) Connect with the central system, at least periodically, to collect and verify the transaction logs.
c) Limit the transferability of the stored-value balances to minimise fraud.
d) Analyse payment flow statistics on a regular basis.
e) Maintain suspicious/invalid card lists and make them available to the merchants.
To contain overall security, the following steps should be taken :
a) Establish strict manufacturing and software development procedures.
b) Contract for third-party security evaluation of components and procedures.
c) Clearly define the responsibilities of all the participants.
d) Strictly control the initialisation, personalization and distribution of the devices.
e) Audit the system regularly.
21.6.1 Duplication of Devices:
To prevent the duplication of devices and to protect information on the software and hardware design, the following steps should be taken:
a) Employ the devices, whose essential parts are physically protected against optical and electrical reading.
b) Logically protect secret data in the token through encryption.
To detect the duplication of devices, the following steps should be taken :
a) Register the devices.
b) Assign a unique identification number and cryptographic key to each device.
c) Authenticate each transaction.
d) Monitor devices whenever connected to the central operator.
To contain losses due to duplicated devices, the following steps should be taken:
a) Publish the list of suspicious/invalid cards and make list available to the merchants.
b) Permit the blocking of devices from the central system.
To provide additional protection due to duplication threats, the following steps should be taken :
a) Separate the manufacturing process from the initialisation, personalisation and distribution of the devices.
b) Establish a separation of duties within each organisation.
c) Contract for third-party security evaluation of the devices.
21.6.2 Alteration or Duplication of Data or Software :
To protect against alteration or duplication of data or software, the following steps should be taken :
a) Store data and software in tamper-resistant devices.
b) Monitor tamper-evidence.
c) Establish on-line authorization and detection of suspicious messages.
d) Have the ability to block devices from the central system.
e) Allow the loading of the security software from the central system.
To detect duplication of electronic notes, the central verification of such notes should be ensured.
To prevent or detect creation of unauthorized electronic notes, the following steps should be taken :
a) Establish a system to ensure that the electronic notes are cryptographically certified by the issuer.
b) Establish a system to ensure on-line verification.
To prevent or detect unauthorized creation of transactions, the following steps should be taken :
a) Establish a system to ensure that the transactions are digitally signed by a key unique to device.
b) Establish a system to ensure on-line authorization of transactions.
c) Authentication of the devices.
d) Verify the transaction sequence numbers.
e) Maintain shadow accounts.
f) Establish a system to regularly monitor unusual payment patterns.
To prevent or detect unauthorized alteration of the operating system software or static data, the following steps should be taken :
a) Store critical software and data in physically protected memory and logically protect the same with encryption.
b) Establish a system to create and verify software checksums.
To prevent or detect unauthorized alteration of the electronic value balance, the following steps should be taken :
a) Ensure that the balance is modified only by the authorized devices.
b) Maintain shadow balance.
21.7 Alteration of Messages :
To prevent unauthorized modification of messages, the following steps should be taken :
a) Have challenge-response mechanisms to initiate transactions.
b) Use derived session keys to exchange messages.
c) Verify the message integrity by hash.
d) Authenticate messages by digital signature.
To detect unauthorized modification of messages, the following steps should be taken :
a) Verify the electronic signatures.
b) Verify transaction sequence numbers.
c) Verify time-stamps.
21.8 Replay or Duplication of Transactions :
To prevent or detect the replay or duplication of transactions, the following steps should be taken :
a) Use unique session keys.
b) Use a PIN for load and deposit transactions.
c) Verify the transaction sequence numbers.
d) Verify the time-stamps.
e) Maintain shadow balances.
f) Establish a system to regularly monitor unusual payment patterns.
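Several of the controls above and in 21.6.2 (sequence numbers, time-stamps, shadow balances, loads performed only by authorized devices, blocking from the central system) come together when a stored-value device uploads its transaction log to the central operator. The following is an added illustration written for this annexure, not code from the guideline; the log format, the device identifiers and the sample transactions are constructed, and amounts are in paise.

```python
"""Central-operator reconciliation of a stored-value device against its shadow balance (illustrative)."""
from dataclasses import dataclass, field


@dataclass
class Txn:
    seq: int            # device transaction sequence number
    ts: int             # device time-stamp (seconds since epoch)
    kind: str           # "load" (value from issuer) or "pay" (value to merchant)
    amount: int         # value in paise, integer to avoid floating point
    counterparty: str   # issuer or merchant identifier


@dataclass
class ShadowAccount:
    device_id: str
    shadow_balance: int = 0
    last_seq: int = 0
    last_ts: int = 0
    # (seq, amount) pairs the operator approved on-line; a load not in this set
    # was not performed by an authorized device (21.6.2).
    authorised_loads: set = field(default_factory=set)
    blocked: bool = False


def reconcile(acct, uploaded, reported_balance, now_ts):
    """Apply an uploaded device log to the shadow account and return a list of
    findings. Any finding blocks the device from the central system."""
    findings = []
    expected_seq = acct.last_seq + 1
    prev_ts = acct.last_ts
    balance = acct.shadow_balance
    for t in uploaded:
        if t.seq < expected_seq:   # already seen: replay or duplicated device
            findings.append(f"seq {t.seq}: duplicate/replayed transaction")
            continue
        if t.seq > expected_seq:   # log entries suppressed on the device
            findings.append(f"seq {t.seq}: gap, {t.seq - expected_seq} transaction(s) missing")
        if t.ts < prev_ts or t.ts > now_ts:
            findings.append(f"seq {t.seq}: time-stamp out of order or in the future")
        if t.kind == "load":
            if (t.seq, t.amount) in acct.authorised_loads:
                balance += t.amount
            else:
                findings.append(f"seq {t.seq}: load of {t.amount} not authorised on-line")
        elif t.kind == "pay":
            if t.amount > balance:
                findings.append(f"seq {t.seq}: payment exceeds shadow balance")
            balance -= t.amount
        else:
            findings.append(f"seq {t.seq}: unknown transaction kind {t.kind!r}")
        expected_seq = t.seq + 1
        prev_ts = max(prev_ts, t.ts)
    if reported_balance != balance:   # the device's own balance disagrees with ours
        findings.append(f"balance mismatch: device reports {reported_balance}, shadow {balance}")
    acct.shadow_balance, acct.last_seq, acct.last_ts = balance, expected_seq - 1, prev_ts
    if findings:
        acct.blocked = True
    return findings


def run_demo():
    """A clean upload followed by a problematic one. Returns
    (findings for clean upload, findings for bad upload, blocked flag)."""
    acct = ShadowAccount("DEV-0001", authorised_loads={(1, 50000)})
    clean = [  # constructed: one authorised load and two payments
        Txn(1, 1000, "load", 50000, "ISSUER"),
        Txn(2, 1100, "pay", 12000, "MERCH-A"),
        Txn(3, 1200, "pay", 8000, "MERCH-B"),
    ]
    ok = reconcile(acct, clean, reported_balance=30000, now_ts=2000)
    bad = [  # constructed: seq 3 re-sent, seq 4 missing, load never authorised,
             # time-stamp going backwards, and an inflated reported balance
        Txn(3, 1200, "pay", 8000, "MERCH-B"),
        Txn(5, 1300, "load", 100000, "ISSUER"),
        Txn(6, 1250, "pay", 5000, "MERCH-C"),
    ]
    flagged = reconcile(acct, bad, reported_balance=125000, now_ts=2500)
    return ok, flagged, acct.blocked


if __name__ == "__main__":
    ok, flagged, blocked = run_demo()
    print("clean upload findings:", ok)
    for f in flagged:
        print("finding:", f)
    print("device blocked:", blocked)
```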
21.9 Theft of Devices :
To prevent theft of devices and to contain losses from theft, the following steps should be taken :
a) Require a PIN for load transactions.
b) Poll the cards.
c) Establish a system to allow the users to lock cards with PIN.
d) Establish a system to allow the cards to be blocked by the issuer.
e) Set transaction or card value limits.
21.10 Repudiation :
To prevent transactions from being repudiated, the following steps should be taken:
a) Establish a system for the issuer to log transactions.
b) Allow the cardholder to check the number of transactions from the card.
c) Time-stamp and sequence-number the transactions.
d) Establish a system to ensure that the merchant and the client cryptographically sign the transactions.
e) Employ a reputable Certification Authority.
21.11 Malfunction :
To protect against loss due to malfunction, the following steps should be taken :
a) Structure the protocols such that the transactions are either successfully carried out or cancelled.
b) Establish a system for the cards and the devices to log any errors detected.
c) Set a maximum number of errors after which the card will be forced to connect to the central operator.
21.12 Cryptographic Issues :
To prevent theft of cryptographic keys, the following steps should be taken :
a) Employ tamper resistant devices.
b) Generate secret keys in secured environment.
c) Encrypt any secret key that is transported over the network, or use asymmetric crypto systems for the purpose.
To protect against the consequences of theft, the following steps should be taken :
a) Maintain the list of the compromised keys.
b) Allow for periodic and emergency change of keys.
c) Establish expiration date for all keys.
d) Employ strict key management.
e) Obtain third-party evaluation of the crypto systems implemented.
f) Subject the system to external audit.
g) Use published algorithms.
21.13 Criminal Activities :
To detect criminal activities and to contain damage from such activities, the following steps should be taken :
a) Uniquely identify transactions.
b) Establish a system to ensure digital signature of transactions.
c) Verify and authorize load or payment transactions on-line.
d) Force the devices to interact with the banking system.
e) Investigate specific payment patterns.
f) Set limits for transferability of value.
g) Set limits for transactions.
h) Establish a system for the devices, holding value, to be registered and linked to an account.
i) Establish a system to know your customer.
j) Establish a system to check the criminal records of the customers and merchants (wherever possible and relevant).
k) Establish a system to monitor organisations participating in electronic money systems.
21.14 Miscellaneous :
No matter how carefully one plans, there is always a security concern that is not obvious until it becomes a problem. The Steganography is one such security concern, which should be addressed as discussed hereunder :
21.14.1 Steganography - Covert Channels :
Steganography is the hiding of information within another medium. It is a practice that can be traced back in history. With the growth of available bandwidth, multimedia transfers of digitised pictures, movies, sound bites etc. raise the possibility of moving information of all sorts through a covert channel.
While many existing financial applications may make efficient use of bandwidth, leaving little redundancy for covert transmission, new technologies may introduce the opportunity for steganographic activity. The existence of a vehicle for a covert channel exposes the organisation to several concerns. Among them are the unauthorized release and transmission of business information, unauthorized loading of malicious code into the processing system etc.
To prevent the use of steganographic tools on the organisation’s information processing system, the organisation should employ digital signatures, wherever possible, to detect changes in graphic, voice and multimedia files. It should be ensured that the digital signatures are applied before there is any opportunity to apply steganographic tools. The organisation should also implement the following steps in this regard.
a) Maintain strict configuration control on all the information processing platforms.
b) Conduct periodic checking for the presence of steganographic tools.
c) Establish and maintain a policy on the use of multimedia files or any other file with high degree of redundancy and ensure that the possibility of steganographic usage is considered in risk analysis.
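The following Go example is added here to make two of the controls above concrete; it is not part of the RBI guidelines nor code from any product. It signs a multimedia file at the point of acceptance (21.14.1), so that any later alteration of the file fails verification, and it applies the key lifecycle controls of 21.12 before every use of a signing key: each key carries an expiry date and a list of compromised key IDs is consulted first. The package name, the key ID format, the constructed file bytes, and the use of ed25519 with OS randomness in place of a secured key-generation device are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"time"
)

var (
	ErrUnknownKey     = errors.New("unknown key id")
	ErrKeyExpired     = errors.New("signing key expired")
	ErrKeyCompromised = errors.New("signing key on compromised list")
	ErrFileModified   = errors.New("signature does not match file contents")
)

// signingKey holds one key pair and the expiry date that every key is given.
type signingKey struct {
	pub     ed25519.PublicKey
	priv    ed25519.PrivateKey
	expires time.Time
}

// Registry keeps every key ever issued plus the list of compromised key IDs.
type Registry struct {
	keys        map[string]*signingKey
	Compromised map[string]bool
}

func NewRegistry() *Registry {
	return &Registry{keys: map[string]*signingKey{}, Compromised: map[string]bool{}}
}

// Issue generates a key pair (assumption: OS randomness stands in for the secured
// key-generation environment). Called on a schedule it gives the periodic change
// of keys; called after adding the old ID to Compromised, the emergency change.
func (r *Registry) Issue(now time.Time, lifetime time.Duration) (string, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return "", err
	}
	id := fmt.Sprintf("k%03d", len(r.keys)+1) // assumed key ID format
	r.keys[id] = &signingKey{pub: pub, priv: priv, expires: now.Add(lifetime)}
	return id, nil
}

// usable runs the lifecycle checks that precede any use of a key.
func (r *Registry) usable(id string, now time.Time) (*signingKey, error) {
	k, ok := r.keys[id]
	switch {
	case !ok:
		return nil, ErrUnknownKey
	case r.Compromised[id]:
		return nil, ErrKeyCompromised
	case !now.Before(k.expires):
		return nil, ErrKeyExpired
	}
	return k, nil
}

// Sign is applied when a multimedia file is first accepted, before anyone has
// had the opportunity to alter it; the caller stores the signature with the file.
func (r *Registry) Sign(now time.Time, id string, file []byte) ([]byte, error) {
	k, err := r.usable(id, now)
	if err != nil {
		return nil, err
	}
	return ed25519.Sign(k.priv, file), nil
}

// Verify fails for any change to the file bytes, however small, and for
// signatures made under expired or compromised keys.
func (r *Registry) Verify(now time.Time, id string, sig, file []byte) error {
	k, err := r.usable(id, now)
	if err != nil {
		return err
	}
	if !ed25519.Verify(k.pub, file, sig) {
		return ErrFileModified
	}
	return nil
}
```

A periodic check of the file store then consists of calling Verify on every stored file with its recorded key ID and signature, and treating any non-nil result as a configuration control incident.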
Compliance with Legal Requirements
The design, operation, use and management of the information systems should comply with statutory, regulatory and contractual security requirements, so as to avoid breaches of criminal or civil law, of statutory, regulatory or contractual obligations, and of any security requirements. Advice on specific legal requirements should be sought from the organization’s legal advisers or suitably qualified legal practitioners.
All relevant statutory, regulatory and contractual requirements should be explicitly defined and documented for each information system. The specific controls and individual responsibilities to meet these requirements should be similarly defined and documented.
Intellectual Property Rights
To minimize concerns over the intellectual property rights to software, a written policy on intellectual property rights should be adopted. The employees and the contractors involved in the development of the software should be made aware of this policy.
23.1 Copyright :
Appropriate procedures should be implemented to ensure compliance with legal restrictions on the use of material in respect of which there may be intellectual property rights such as copyright, design rights or trade marks. Copyright infringement can lead to legal action which may involve criminal proceedings.
Legislative, regulatory and contractual requirements may place restrictions on the copying of proprietary material. In particular, they may require that only material that is developed by the organization or that is licensed or provided by the developer to the organization can be used.
23.2 Software Copyright :
Proprietary software products are usually supplied under a license agreement that limits the use of the products to specified machines and may limit copying to the creation of back-up copies only. The following controls should be considered.
a) Publishing a software copyright compliance policy which defines the legal use of software and information products;
b) Issuing standards for the procedures for acquisition of software products;
c) Maintaining awareness of the software copyright and acquisition policies and giving notice of the intent to take disciplinary action against staff who breach them;
d) Maintaining appropriate asset registers;
e) Maintaining proof and evidence of ownership of licenses, master disks, manuals, etc.;
f) Implementing controls to ensure that any maximum number of users permitted for using the software is not exceeded;
g) Carrying out checks that only authorized software and licensed products are installed;
h) Providing a policy for maintaining appropriate licence conditions;
i) Providing a policy for disposing of or transferring software to others;
j) Using appropriate audit tools;
k) Complying with terms and conditions for software and information obtained from software vendors and public networks; and
l) Using network management software or server management software to detect unauthorised software in the network.
Review of Information Systems Security policy and Technical Compliance
The security of the information systems should be regularly reviewed to ensure compliance of the information systems with the organizational information systems security policy and standards. Such reviews should be performed against the appropriate security policy, and the technical platforms and the information systems should be audited for compliance with security implementation standards.
24.1 Compliance with the Information Systems Security Policy :
Information Systems Security Officers and the Business Managers should ensure that all security procedures within their area of responsibility are carried out correctly. In addition, all the areas within the organization should be considered for regular review to ensure compliance with the information systems security policy and standards. This should include the following:
a) information systems;
b) systems providers;
c) owners of information and information assets;
d) users;
e) third parties; and
f) management.
Owners of the information systems should support regular reviews of the compliance of their systems with the security policy, standards and any other security requirements, put in place by the organisation.
24.2 Technical Compliance Checking :
Information systems should be regularly checked for compliance with security implementation standards. Technical compliance checking involves the examination of the operational systems to ensure that the hardware and software controls have been correctly implemented. This type of compliance checking requires specialist technical assistance. It should be performed manually (supported by appropriate software tools, if necessary) by an experienced system engineer or by an automated software package which generates a technical report for subsequent interpretation by a technical specialist.
Compliance checking also covers, for example, penetration testing, which might be carried out by independent experts specifically contracted for this purpose. This can be useful in detecting vulnerabilities in the system and for checking how effective the controls are in preventing unauthorized access through these vulnerabilities. Caution should be exercised, since a successful penetration test could compromise the security of the system and inadvertently exploit other vulnerabilities.
Any technical compliance check should only be carried out by or under the supervision of competent, authorized persons.
System Audit Considerations
There should be controls to safeguard operational systems and audit tools during system audits, to maximize the effectiveness of the system audit process and to minimize interference to or from it. Protection is also required to safeguard the integrity of the information systems and prevent misuse of the audit tools.
25.1 System Audit Controls :
Audit requirements and the activities involving checks on operational systems should be carefully planned and agreed to minimize the risk of disruption to the business processes. The following should be observed :
a) Audit requirements should be agreed with the appropriate management.
b) The scope of the checks should be agreed and controlled.
c) The checks should be limited to read-only access to software and data.
d) Access other than read-only should only be allowed for isolated copies of system files, which should be erased when the audit is completed.
e) IT resources for performing the checks should be explicitly identified and made available.
f) Requirements for special or additional processing should be identified and agreed.
g) All accesses should be monitored and logged to produce a reference trail.
h) All procedures, requirements and responsibilities should be documented.
25.2 Protection of System Audit Tools :
Access to system audit tools i.e. software or data files, should be protected to prevent any possible misuse or compromise. Such tools should be separated from development and operational systems and not held in tape libraries or user areas, unless given an appropriate level of additional protection.
Human Resources
The work force is one of the most important assets of any organisation and more particularly, of a financial organisation. In a service sector, where quality management is accorded top priority, the human resources are of critical importance for the success of the organisation. The organisations in the banking and financial sector should encourage their employees to acquire, develop and sharpen Information Systems skills.
Human resources are essential ingredients in any successful information security programme. They are the first line of defence, helping to make the technology function as it should, sensing the signals of security breaches and helping to create the security awareness needed to succeed.
It is equally true that staff members can also commit computer crimes and misuse the technology. The organisations should optimally mobilize their human resources to build up the required level of security in all areas of the organisation, while developing techniques to minimize the opportunities for people to commit security-breach-related crimes.
Certain positions in an organisation may be sensitive because they involve the sharing of sensitive information or access to "key areas", or because of the privileges associated with the position. The selection of personnel for such positions should be through rigorous screening.
The controls listed below relate to employees and should be applied by the organisation.
26.1 Awareness :
To educate employees in their information security duties and to impress upon them the importance of information security, the following steps should be taken:
a) Inform all the directors, officers, managers, employees and contractors that information in any form is an asset of the organisation and shall only be used to conduct official business.
b) Establish, as part of the information security programme, the communications and awareness programme to create awareness among the employees of the importance and the seriousness of information security in the organisation.
c) Establish the policies that assign and enforce responsibilities for information security issues. The employees should be made aware of the fact that the security violations may invite disciplinary measures by the organisation.
d) Ensure that the employees understand their responsibilities.
To further minimize risk of loss, a "clear desk" policy for papers and diskettes should be established and implemented. Any material not in use should be properly destroyed.
26.2 Management :
To utilize the managers as a part of the sound information security awareness programme, the following steps should be taken:
a) Encourage the managers to treat information security concerns of the employees seriously in order to encourage their participation.
b) Encourage the managers to make the employees security conscious as also aware of the sensitivity of the information they use on the job.
c) Encourage the managers to be aware of unusual behaviour by the employees and seek assistance from the human resource department in the matter.
d) Consider the effects of setting employment and management policies.
e) Make the managers and the employees aware of the downsizing, merger or acquisition plans and have a proper mechanism to counteract destructive rumours.
26.3 Unauthorized use of Information Resources :
To prevent disclosures, destruction or modifications of information through unauthorized use of information resources, the policies covering the authorised uses of the personal computers and other information resources should be made available to all personnel in the organisation. The policy on the removal of information or equipment from the premises should be clearly spelt out and adhered to.
26.4 Hiring Practices :
To ensure that hiring practices are consistent with the information security programme, the organisation should employ prudent hiring practices including periodical checking for possible security exposure.
26.5 Policy on Ethical Behaviour :
To avoid conflict of interest and to ensure ethical behaviour, the following steps should be taken :
a) Establish an ethics policy consistent with the information security programme of the organisation.
b) Monitor compliance with special attention to employees in sensitive positions.
26.6 Disciplinary Policy :
To ensure that the employees understand the consequences of any deviation from the security policy or standards, adopted by the organisation, a written disciplinary policy should be established.
26.7 Fraud Detection :
To assist in detecting on-going defalcation, if any, the following steps should be taken :
a) Every year, when employees are away on leave for a sufficiently long period, say one/two weeks, as per the policy on leave of the organisation, the USERIDs of the employees should be suspended during this time. The persons replacing such employees should notify the management of the security-related abnormalities, if any, observed in respect of the employees on leave.
b) Perform unannounced rotation of the personnel involved in sensitive or highly sensitive activities from time to time.
c) Implement strong controls over the end points through which embezzlers may remove the proceeds of fraud. These end points are official cheques, wire transfers, credit to account or avoidance of debits, cash and items of value received or delivered.
26.8 Know your Employee :
To assist the employees in handling personal problems that might result in possible information security exposures, the organisation should periodically interact with these employees and, where appropriate, discuss their personal problems with them, so as to build the required level of confidence.
26.9 Former Employees :
To prevent unauthorized access by former employees, the following steps should be taken :
a) Terminate all access that an employee possessed immediately on dismissal, retirement, resignation or other forms of permanent departure. The USERID, assigned to the employee, should not be re-issued.
b) Retrieve all identification, badges, keys, access control tokens and other security-related items as well as the equipment supplied by the organisation.
GLOSSARY OF TERMS
A term is listed in this Glossary only if it is used in this document with a connotation different from normal English usage.
Access Control : Functions which limit access to information or information processing resources to persons or applications.
- Physical access controls are those which are based on placing physical barriers between unauthorized persons and the information resource being protected.
- Logical access controls are those which employ other means.
Alarm : Indication of an unusual or dangerous condition or security violation which may require immediate attention.
Application : Task or set of tasks to be accomplished by the information processing system.
Audit : Function which seeks to validate that controls are in place and adequate for their purposes, and to report inadequacies to the appropriate levels of management.
Audit Trail : Collection of records from an information processing facility indicating the occurrence of certain actions, used to determine if unauthorized use or attempted use of the facilities has taken place.
Authentication : Process which seeks to validate identity or to prove the integrity of the information.
Authentication Token : Device which performs dynamic authentication.
Back-up : The saving of business information to assure business continuity in case of loss of resources at the production site.
Bio-metrics : Methods of authenticating the identity of a person by measurement/ identification/matching of some physical characteristics, such as fingerprint, retinal pattern or voice.
Call-back : Manual or automatic procedure of contacting the originator of a request to verify that the request was authentic.
Card Authentication Method : Concept which allows unique machine-reading/ identification of a financial transaction card and which prevents copying of the cards.
Classification : Scheme which separates information into categories so that appropriate controls may be applied. Separation may be by type of information, criticality, fraud potential or sensitivity.
Code :
1. System of principles or rules such as fire codes or building codes.
2. Result of cryptographic process such as message authentication code.
3. Software computer instructions such as object code (the instructions the computer executes) or source code (the instructions the programmer writes).
Contingency Plan : Procedure which, when followed, allows an organisation to resume operations after natural or other disasters.
Control : Measure taken to assure the integrity and quality of process.
Criticality : Requirements that certain information or information processing resources be available to conduct business.
Cryptography : Mathematical process used for encryption or authentication of information.
Cryptographic Authentication : Authentication based on a digital signature, as generated under ISO with a cryptographic key distributed under ISO or inferred through successful decryption of a message, encrypted under ISO with a key distributed under ISO.
Cryptographic Key : A value which is used to control a cryptographic process such as encryption or authentication. Knowledge of an appropriate key allows correct decryption or validation of a message.
Customer Agreement : Contract with a customer which sets forth the customer’s responsibilities and governs which security process will be used in the conduct of business between the organisation and the customer.
Destruction (of information) : Any condition which renders information unusable, regardless of the cause.
Digital Signature : Value which can serve in place of a handwritten signature. Normally, a digital signature is the function of the contents of the message, the identity of the sender and some cryptographic information.
Disclosure of Information : Unauthorized viewing or potential viewing of information.
Dual Control : Method of preserving the integrity of a process by requiring that two individuals independently take some action before certain transactions are completed. Whenever dual control is required, care should be taken to assure that individuals are independent of each other.
Dynamic Authentication : Technique which authenticates the identity of an individual based upon something which the individual knows on a one-time basis.
Electronic Article Surveillance : Technique which controls the movement of physical objects by means of electronic tags and sensors.
Electronic Money : The scheme under which value is created, stored or transferred in an electronic form. Conceptually, it is a replacement for coins and currency.
Encryption : Process of converting information so as to render it into a form unintelligible to all except the holders of a specific cryptographic key. Use of encryption protects information between the encryption process and the decryption process (the inverse of encryption) against unauthorized disclosure.
Firewall : A Firewall is a collection of components placed between two networks that collectively have the following properties :
1. All traffic from inside to outside and vice-versa must pass through the firewall.
2. Only authorized traffic, as defined by local security policy, will be allowed to pass.
3. The firewall is itself immune to penetration.
Freeware : Software made generally available, which does not require a license agreement for use thereof.
Guideline : Recommendation for information security controls to be implemented against given threats. Guidelines should not be ignored unless sound business and security reasons exist for doing so.
Image : Representation of a document for manipulation or storage within an information processing system. Digital representations are implied.
Information : Any data, whether in an electronic form, written on paper, spoken at a meeting or on any other medium, which is used by a financial organisation to make decisions, move funds, set rates, advance loans, process transactions and the like. This definition includes software components of the processing system.
Information Asset : Information or information processing resources of an organisation.
Information Resources : Equipment which is used to manipulate, communicate or store information whether they are inside or outside the organisation. Telephones, facsimiles and computers are examples of information processing resources.
Integrity : Quality of information or a process which is free from error, whether induced accidentally or intentionally.
Irreversible Encryption : Encryption process which allows text to be transformed into encrypted form but does not allow the encrypted form to be returned into the original text.
Key : Cryptographic key, as discussed in this document.
"Know your Customer" : Phrase used to indicate a desired attitude by the financial organisations with respect to knowledge of customer activities.
"Know your Employee" : Attitude of an organisation which demonstrates a concern for employees’ attitudes toward their duties and possible problems such as substance abuse, gambling, financial difficulties etc., which may lead to security concerns.
Letter of Assurance : Document setting forth the information security controls which are in place for the protection of information, held on behalf of the recipient of the letter.
Modification of Information : The unauthorized or accidental change in information, whether detected or undetected.
Need-to-Know : Security concept which limits access to such information and information processing resources as are required to perform one’s duties.
Owner (of information) : Person or function responsible for the collection and maintenance of a given set of information.
Network : Collection of communication and information processing systems, which may be shared among several users.
Password : String of characters which serves as an authenticator of the user.
Prudent Business Practice : Set of practices which have been generally accepted as necessary in business operations.
Risk : Possibility of loss due to occurrence of one or more threats to information. This is not to be confused with financial or business risk.
Risk Acceptance : Identification and acceptance of risk associated with an exception to the information security policy.
Server : Computer which acts as a provider of some service to other computers, such as processing of communications, interfacing with file storage or printing facility.
Shareware : Software which is generally available and which carries a moral, though not a legal, obligation for payment.
Sign-on : Completion of identification and authentication of a user.
Software Integrity : Confidence that the software being used performs only the functions for which it was purchased or developed.
Split Knowledge : The division of CRITICAL information into multiple parts in such a way as to require a minimum number of parts to be present before an action can take place. Split knowledge is often used to enforce dual control.
Standard :
1. Definition of acceptable practices to meet a particular defined policy.
2. A document published by a standards setting body, which provides industry wide methods of performing certain functions.
Stored Value Card : A token which is capable of storing and transferring electronic money.
Tamper Evident Packaging : Protective packaging which will preserve an indication of attempts to access its contents.
Threat : Condition which may cause information or information processing resources to be intentionally or accidentally lost, modified, exposed, made inaccessible or otherwise affected to the detriment of the organisation.
Trusted Computer System : Computer system which employs hardware and software integrity measures to allow it to be used for simultaneous processing of information having a wide range of sensitivities or classification levels.
Unavailability of Service : Inability to access information or information processing resources for any reason, e.g. disaster, power failure or malicious actions.
USER ID : A character string which is used to uniquely identify each user of a system.
Voice Mail : Systems which record and retrieve voice messages.
REFERENCES
1. Technical Report - Banking and related Financial Services - Information Security Guidelines - ISO TR 13569
2. Information Security Management - Code of Practice for Information Security Management - BS 7799-1:1999
3. Information Technology Security Guidelines - September, 1999 - Infocomm Development Authority of Singapore
4. IT Governance Institute - CoBIT - Control Objectives - July, 2000
5. IT Governance Institute - CoBIT - Management Guidelines - July, 2000
6. Information Technology Act, 2000 dated the 17th October, 2000 - Government of India
7. Information Technology (Certifying Authorities) Rules, 2000 dated the 17th October, 2000 - Government of India