ISO/TR 13569:1997

TECHNICAL ISOKR
REPORT 13569
Second edition
1997-1 0-01
Banking and related financial services -
Information security guidelines
Banque et services financiers liés aux opérations bancaires - Lignes
directrices pour la sécurité de l’information
Reference number
ISOflR 13569:1997(E)
ISO/TR 13569: 1997(E)
Con tents
6.9 Cryptographic operations
1 INTRODUCTION 1
6.10 Privacy
2 REFERENCES 1
7 CONTROL OBJECTIVES AND
3 EXECUTIVE SUMMARY 1
SUGGESTED SOLUTIONS
7.1 Information classification
NOTE ON SECOND EDITION 2
7.2 Logical access control
7.2.1 Identification of users
4 HOW TO USE THIS TECHNICAL
7.2.2 Authentication of users
REPORT
7.2.3 Limiting sign-on attempts 14
7.2.4 Unattended terminals
7.2.5 Operating system access control
5 ENSURING SECURITY
features
7.2.6 Warning
7.2.7 External Users 15
6 INFORMATION SECURITY
PROGRAM COMPONENTS
7.3 Audit trails
6.1 General duties 4
7.4 Change control 15
6.1.1 Directors 4
7.4.1 Emergency problems 16
6.1.2 Chief Executive Officer 4
6.1.3 Managers 4
7.5 Computers
6.1.4 Employees, vendors, and contractors
7.5.1 Physical protection
should: 5
7.5.2
Logical access control 17
6.1.5 Legal fbnction
7.5.3 Change 17
6.1.6 Information Security Officers
7.5.4 Equipment maintenance 17
6.1.7 Information Systems Security
7.5.5 Casual viewing 17
Administration 6
7.5.6
Emulation concerns 17
7.5.7 Business continuity 17
6.2 Risk acceptance 6
7.5.8 Audit trails 17
7.5.9 Disposal of equipment 17
6.3 Insurance 7
7.6 Networks
6.4 Audit 7
7.6.1 Network integrity
7.6.2 Access control
6.5 Regulatory compliance 7
7.6.3 Dial-in 18
7.6.4 Network equipment 18
6.6 Disaster recovery planning 7
7.6.5 Change 18
7.6.6 Connection with other networks 18
6.7 Information security awareness
7.6.7 Network monitoring 18
7.6.8 Protection during transmission 19
6.8 External Service Providers
7.6.9 Network availability
6.8.1 Internet Service Providers
7.6.10 Audit trails 19
6.8.2 Red-Teams
7.6.1 1 Firewalls 19
6.8.3 Electronic Money 10
O IS0 1997
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by any
means, electronic or mechanical, including photocopying and microfilm, without permission in writing from the publisher.
International Organization for Standardization
Case postale 56 CH-121 1 Genève 20 Switzerland
Internet central Oiso.ch
X.400 c=ch; a400net; p=iso; o=isocs; s=central
Printed in Switzerland
..
O IS0
20 7.12 Paper documents
7.7 Software
20 7.12.1 Modification
7.7.1 Applications
21 7.12.2 Viewing 30
7.7.2 Databases
7.12.3 Storage facilities 30
7.7.3 Artificial Intelligence(A1) 21
21 7.12.4 Destruction
7.7.4 System software
7.12.5 Business continuity
7.7.5 Application testing 21
22 7.12.6 Preservation of evidence 30
7.7.6 Defective software
7.7.7 Change 22 7.12.7 Labelling
22 7.12.8 Forged documents
7.7.8 Availability of software code
22 7.12.9 Output distribution schemes
7.7.9 Unlicensed software
7.7.1 O Property rights
22 7.13 Microform and other media storage 30
7.7.1 1 Viruses
23 7.13.1 Disclosure 30
7.7.12 Memory resident programs
23 7.13.2 Destruction 31
7.7.13 Telecommuting
23 7.13.3 Business continuity 31
7.7.14 Software provided to customers
7.7.15 Software used to contact customers 23 7.13.4 Environmental 31
7.7.16 Applets, JAVA, and Software lî-om
External Sources 7.14 Financial transaction cards 31
7.14.1 Physical security 31
24 7.14.2 Insider abuse 31
7.8 Human factors
24 7.14.3 Transportation of PINS 31
7.8.1 Awareness
24 7.14.4 Personnel 31
7.8.2 Management
7.14.5 Audit 31
7.8.3 Unauthorized use of information
25 7.14.6 Enforcement 31
resources
25 7.14.7 Counterfeit card prevention 32
7.8.4 Hiring practices
7.8.5 Ethics policy
7.8.6 Disciplinary Policy 25
7.15 Automated Teller Machines 32
25 7.15.1 User identification 32
7.8.7 Fraud detection
7.8.8 Know your employee 7.15.2 Authenticity of information 32
7.8.9 Former employees 7.15.3 Disclosure of information 32
7.8.10 Telecommuting 25 7.15.4 Fraud prevention 32
7.15.5 Maintenance and service 32
7.9 Voice, telephone, and related equipment 26
7.9.1 Access to VoiceMail system 26 7.16 Electronic Fund Transfers 33
7.9.2 Private Branch Exchange (PBX) 26
7.16.1 Unauthorized source 33
7.9.3 Spoken word 26 7.16.2 Unauthorized changes 33
7.9.4 Intercept 27 7.16.3 Replay of messages 33
7.9.5 Business continuity 27 7.16.4 Record retention 33
7.9.6 Documentation 27 33
7.16.5 Legal basis for payments
7.9.7 Voice Response Units (VRU) 27
7.17 Checks 33
7.10 Facsimile and image
7.1 O. 1 Modification
7.18 Electronic Commerce 33
7.10.2 Repudiation
7.18.1 New Customers 33
7.10.3 Misdirection of messages 28
7.18.2 Integrity Issues 33
7.10.4 Disclosure
7.10.5 Business continuity 28
7.19 Electronic Money 34
7.10.6 Denial of service
7.19.1 Duplication of Devices 34
7.10.7 Retention of documents
7.19.2 Alteration or duplication of data or
software 34
7.1 1 Electronic Mail 28 7.19.3 Alteration of messages 35
7.1 1.1 Authorized users 28 35
7.19.4 Replay or duplication of transactions
7.1 1.2 Physical protection 29
7.19.5 Theft of devices 35
7.1 1.3 Integrity of transactions 29
7.19.6 Repudiation 35
7.1 1.4 Disclosure 29
7.19.7 Malfunction 35
7.1 1.5 Business continuity 29
7.19.8 Cryptographic Issues 35
7.1 1.6 Message retention 29
7.19.9 Criminal Activity 35
7.11.7 Message Reception 29
7.20 Miscellaneous 36
7.20.1 Year 2000 36
7.20.2 Steganography - Covert Channels 36
...
O IS0
8 IMPLEMENTING
GLOSSARY OF TERMS 44
CRYPTOGRAPHIC CONTROLS 36
ANNEX A 49
8.1 Applying Encryption 37
8.1.1 What To Encrypt
Sample Documents 49
8.1.2 How To Encrypt 37
A.l Sample Board of Directors Resolution on
8.2 Implementing Message Authentication
Information Security 49
Codes (MAC) 38
8.2.2 Control of MAC 38
A.2 Sample Information Security Policy
to Apply MAC 38
8.2.3 When
(High Level) 50
8.2.4 Selection of Algorithm
A.3 Sample Employee Awareness Form
8.3 Implementing Digital Signatures 38
8.3.1 How to generate digital signatures 39
A.4 Sample Sign-On Warning Screens 52
8.3.2 Certification 39
8.3.3 Legal standing of digital signatures
A.5 Sample Facsimile Warnings 53
8.3.4 Certificate (Key) management 39
8.3.5 Choice of algorithm 40
A.6 Sample Information Security Bulletin 54
8.4 Key Management
A.7 Sample Risk Acceptance Form
8.4.1 Generation 40 56
8.4.2 Distribution
8.4.3 Storage A.8 Telecommuter Agreement & Work
8.4.4 Public-Key Certification And Standards 40 Assignment 58
8.5 Trusted Third Parties 41
ANNEX B 63
8.5.1 Assurance 41
8.5.2 Services of a TTP
Basic Principles For Data Protection 63
8.5.3 Network of TTPs
8.5.4 Legal Issues
ANNEX C 66
8.6. Disaster Cryptography and
Cryptographic Disasters 42
Names and Addresses of National
8.6.1 Disaster cryptography 42
Organisations 66
8.6.2 Cryptographic disasters
ANNEX D 76
9 SOURCES OF FURTHER
ASSISTANCE
Other security standards
Cryptographic Standards
9.1 Financial Services institutions
Secure Session Protocols 76
Secure Message Formats
9.2 Standards bodies
Key Management
Payment Protocols
9.3 Building, fire, and electrical codes.
9.4 Government regulators
43 ANNEX E 80
Information Security Risk Assessment 80
INDEX
iv
O IS0 ISO/TR 13569: 1997(E)
Foreword
IS0 (the International Organization for Standardization) is a worldwide federation of national standards bodies
(IS0 member bodies). The work of preparing International Standards is normally carried out through IS0
technical committees. Each member body interested in a subject for which a technical committee has been
established has the right to be represented on that committee. International organizations, governmental and
non-governmental, in liaison with ISO, also take part in the work. IS0 collaborates closely with the
International Electrotechnical Commission (IEC) on all matters of electrotechnical standardization.
The main task of technical committees is to prepare International Standards, but in exceptional circumstances a
technical committee may propose the publication of a Technical Report of one of the following types:
- type 1, when the required support cannot be obtained for the publication of an International Standard, despite
repeated efforts;
- type 2, when the subject is still under technical development or where for any other reason there is the future
but not immediate possibility of an agreement on an International Standard;
- type 3, when a technical committee has collected data of a different kind from that which is normally
published as an International Standard ("state of the art", for example).
Technical Reports of types 1 and 2 are subject to review within three years of publication, to decide whether
they can be transformed into Intemational Standards. Technical Reports of type 3 do not necessarily have to be
reviewed until the data they provide are considered to be no longer valid or useful.
ISO/TR 13569, which is a Technical Report of type 3, was prepared by IS0 Technical Committee ISO/TC 68,
Banking, securities and otherjinancial services, Subcommittee SC 2, Security management and general
banking operations.
This second edition cancels and replaces the first edition (ISO/TR 13569: 1996), of which it constitutes a
technical revision.
V
TECHNICAL REPORT O IS0 ISO/TR 13569: 1997(E)
Banking and related financial services -
Information security guidelines
IS0 8732, Banking - Key management
1 INTRODUCTION
(wholesale).
Financial institutions increasingly rely on
Information Technology (IT) for the efficient
IS0 9564 (all parts), Personal Identlfication
conduct of business.
Number (PIN) management and security.
Management of risk is central to the financial
IS0 10126 (all parts), Banking - Procedures for
service sector. Financial institutions manage risk
message encipherment (wholesale).
through prudent business practice, careful
contracting, insurance, and use of appropriate
IS0 10202 (all parts), Financial transaction cards
security mechanisms.
- Security architecture offlnancial transaction
systems using integrated circuit cards.
There is a need to manage information security
within financial institutions in a comprehensive
National Standards:
manner.
ANSI X9/TG-2, Understanding and Designing
Checks (USA).
This Technical Report is not intended to provide a
generic solution for all situations. Each case must
ANSI X9/TG-8, Check Security Guideline (USA).
be examined on its own merits and appropriate
actions selected. This Technical Report is to
Regulations:
provide guidance, not solutions.
US Ofice of the Comptroller of the Currency,
Banking Circular BC-226 Policy Statement.
The objectives of this Technical Report are:
Other documents:
to present an information security programme
Institute of Internal Auditors Standards for the
structure.
Professional Practice of Internal Auditing.
to present a selection guide to security controls
Code of Practice for Information Security
that represent accepted prudent business
Management.
practice.
Federal Information Protection Standard (FIPS)
to be consistent with existing standards, as well
PUB 140- 1, Security Requirements for
as emerging work in objective and accreditable
Cryptographic Modules, National Institute for
security criteria.
Standards and Technology (USA).
This Technical Report is intended for use by
Security of Electronic Money, published by the
financial institutions of all sizes and types that wish
Bank of International Settlement, Basle, August
to employ a prudent and commercially reasonable
1996.
information security programme. It is also useful to
providers of service to financial institutions. This
3 EXECUTIVE SUMMARY
Technical Report may also serve as a source
document for educators and publishers serving the Financial institutions and their senior management
financial industry. have always been accountable for the
implementation of effective controls for protecting
information assets. The confidentiality, integrity,
2 REFERENCES
authenticity, and availability of that information are
NOTE - Annex C contains references to national
paramount to the business. As such, it is imperative
regulations, standards, and codes. The list below
includes only those documents referenced in the main that these assets be available and protected from
body of this Technical Report.
disclosure, modification, fabrication, replication,
and destruction, whether accidental or intentional.
International Standards:
It is imperative for a financial institution to protect
IS0 8730, Banking - Requirements for message
the transfer of its assets which are encoded in the
authentication (wholesale).
form of trusted information.
O IS0
This Technical Report includes a guideline for
Business depends more and more on computerized
building a comprehensive information security
information systems. It is becoming impossible to
program.
separate technology from the business of finance.
There is increasing use of personal computers and
networks, and a greater need than ever for these to NOTE ON SECOND EDITION
work together. In many institutions, more work is
done on personal computers and local area
Since the publication of the first edition of this
networks than on the large mainframes. Security
Technical Report, much has changed. Change has
controls for these local computers are not as well not simplified matters. Virtually no threat or
developed as controls over mainframes. The control listed in the first edition has been made
security needed for all information systems is
obsolete. New threats have surfaced, along with
growing dramatically. Image systems, digital
new opportunities for improving delivery of
voice/data systems, distributed processing systems, service to customers. Banking over the Internet,
and other new technologies, such as the Internet,
electronic money, revolutionary information
are being used increasingly by financial institutions.
technology discoveries and rediscoveries make
This makes information security even more these exciting times. Wherever possible this
important to the commercial success or even the
Technical Report addresses the environment as it is
survival of an institution.
known. Our experience over the last four years
dictate that constant vigilance is the minimum
Security controls are required to limit the requirement for sound security.
vulnerability of information and information
processing systems. The level of protective control
4 HOW TO USE THIS TECHNICAL
must be cost effective, i.e., consistent with the
REPORT
degree of exposure and the impact of loss to the
This Technical Report was designed to serve many
institution. Exposures include financial loss,
purposes. This clause provides a "road map" to the
competitive disadvantage, damaged reputation,
remainder of the Technical Report.
improper disclosure, lawsuit, or regulator sanctions.
Well thought out security standards, policies and
Clause 5: Requirements: This clause defines a
guidelines are the foundation for good information
starting point in building a security program. It sets
security.
out minimum requirements for an adequate
information security program. It may also serve as
Work is ongoing within the US, Canada and the
a measure against which an institution can evaluate
European Community to establish a Common
the state of its information security program.
Criteria for the evaluation of information
technology products. These criteria coupled with
Clause 6: Information security program
financial sector pre-defined functionality classes
components: This clause contains more specific
will enable financial institutions to achieve uniform,
information on how an Information Security
trusted, security facilities. This Technical Report
Program should operate. Specific responsibilities
should be used as an input to that process.
are suggested for various officers and functions of
an institution. Lines of communication between
With the continuing expansion of distributed
functions, that are considered helpful for sound
information there is growing interest and pressure
security practice are identified. This clause can be
to provide reasonable assurance that financial
used by senior officials to ensure that structural
institutions have adequate controls in place. This
impediments to sound security practice are
interest is demonstrated in laws and regulations.
minimized. Information security personnel may
Examples in the form of excerpts are as follows:
also use this clause to evaluate the effectiveness of
the information security program.
1. Office of the Comptroller of the Currency,
Banking Circular BC-226 Policy Statement
Clause 7: Control Objectives and Suggested
(Joint issuance of the Federal Financial
Solutions: This clause is the heart of this Technical
Institutions Examination Council)
Report. It discusses threats to information in terms
specific enough to enable financial personnel to
"It is the responsibility of the Board of Directors to
ascertain if a problem exists at their institution,
ensure that appropriate corporate policies, which
without educating criminals. The first four
identify management responsibilities and control
subclauses address controls common to many
practices for all areas of information processing
delivery platforms: classification, logical access
activities, have been established. The existence of
control, change control, and audit trails.
such a 'corporate information security policy,' the
Subsequent subclauses address security concerns
adequacy of its standards, and the management
for information processing equipment, human
supervision of such activities will be evaluated by
resources, and those specific to the delivery
the examiners during the regular supervisory
platform used. Electronic fund transfers and check
reviews of the institution."
processing subclauses finish this clause.
O IS0 ISO/TR 13569:1997(E)
Clause 8: Implementing Cryptographic Controls: The basic recommendation of this Technical Report
is the establishment of an information security
This clause provides information helpful in assuring
program that:
that cryptographic controls are implemented in an
effective fashion.
a. includes an institution-wide information
Clause 9: Sources of further assistance: This clause security policy and statement, containing:
lists the types of organizations which may be of i. a statement that the institution
assistance eo information security professionals. It considers information in any form
to be an asset of the institution.
is intended that this clause be used with Annex C.
Annex A: Sample Documents: This Annex is a ii. an identification of risks and
the requirement for
collection of ready-to-use sample forms for a
variety of information security related purposes. implementation of controls to
provide assurance that
Annex B: Privacy Principles: This Annex presents information assets are protected.
Clause 7 of this Technical Report
a sample set of Privacy Principles.
discusses suitable controls.
Annex C: Names and Addresses of National
iii. a definition of information
Organizations: This annex lists the names and
contact information for national organizations security position responsibilities
which can be of assistance to Information Security for each manager, employee and
personnel. contractor. Clause 6 of this
Technical Report lists suggested
responsibilities.
Annex D: Security Standards Outside the Financial
Community: A comprehensive list of security
iv. a commitment to security
standards developed by standards groups other than
ASC X9 (US) or IS0 TC68. awareness and education.
Annex E: Risk and Vulnerability Assessment b. establishes one or more officer(s)
provides a methodology for identification of risk in responsible for the information security
an institution. program,
c. provides for the designation of
5 ENSURING SECURITY
individuals responsible for the protection
At the highest level, the acceptance of ethical
of information assets and the specification
values and control imperatives must be
of appropriate levels of security,
communicated and periodically reinforced with
management and staff. Information is an asset that
d. includes an awareness or education
requires a system of control, just as do other assets
program to ensure that employees and
more readily reducible to monetary terms. Prudent
contractors are aware of their information
control over the information assets of the institution
security responsibilities,
is good business practice.
e. provides for the resolution and reporting
The protection of information should be centered
of information security incidents,
around the protection of key business processes.
The notion of information and its attributes change
f. establishes written plans for business
within the context of a business process and
resumption following disasters,
security requirements should be examined at each
stage of that process.
g. provides identification of, and
procedures for addressing exceptions or
Developing, maintaining, and monitoring of an
deviations from the information security
information security program requires participation
policy or derivative documents,
by multiple disciplines in the organization. Close
coordination is required between the business
h. encourages coordination with
manager and the information security staff.
appropriate parties, such as audit,
Disciplines such as audit, insurance, regulatory
insurance, and regulatory compliance
compliance, physical security, training, personnel,
officers,
legal, and others should be used to support the
information security program. Information security
i. establishes responsibility to measure
is a team effort and an individual responsibility.
compliance with, and soundness of, the
security program,
O IS0
ensure that employees, vendors, and
j. provides for the review and update of
contractors also understand, support and abide
the program in light of new threats and
by information security policy, standards, and
technology. For example, the emergence
directives, for example, the Code of Practice
of IT evaluation criteria should assist
for Information Security Management,
security professionals in the selection and
implementation of standardized security
implement information security controls
controls.
consistent with the requirements of business
k. provides for the production of audit and prudent business practice,
records where necessary and the
create a positive atmosphere that encourages
monitoring of audit trails.
employees, vendors, and contractors to report
information security concerns,
6 INFORMATION SECURITY
PROGRAM COMPONENTS
report any information security concerns to the
Subclause 6.1 addresses the information security
Information Security Officer immediately,
responsibilities within the institution. Subclauses
6.2 and beyond addresses hnctions related to
participate in the information security
information security. The controls suggested in this
communication and awareness program,
Technical Report are those which enforce or
support protection of information and information
apply sound business and security principles in
processing resources. While some of these controls
preparing exception requests,
may address other areas of bank governance, this
Technical Report should not be viewed as a
define realistic business "need-to-know" or
complete checklist of management controls.
"need-to-restrict'' criteria to implement and
maintain appropriate access control,
6.1 General duties
Identify and obtain resources necessary to
6.1.1 Directors
implement these tasks.
Directors of financial institutions have a duty to the
institution and its shareholders to oversee the
ensure that information security reviews are
management of the institution. Effective
performed whenever required by internal
information security practices constitute prudent
policy, regulations, or information security
business practice, and demonstrates a concern for
concerns. Examples of circumstances that
establishing the public trust. Directors should
should trigger such a review include:
communicate the idea that information security is
an important objective and support an information
large loss from a security failure,
security program.
preparation of an annual report to the
Board of Directors and Audit
6.1.2 Chief Executive Officer
Committee,
The Chief Executive Officer, or Managing
Director, as the most senior officer of the
acquisition of a financial institution,
institution, has ultimate responsibility for the
operation of the institution. The CEO should
purchase or upgrade of computer
authorize the establishment of, and provide support
systems or software,
for, an information security program consistent with
recognized standards, oversee major risk
acquisition of new communications
assessment decisions, and participate in
services,
communicating the importance of information
security.
introduction of a new financial
product,
6.1.3 Managers
Managers serve as supervisory and monitoring
introduction of new out-source
agents for the institution and the employees. This
processing vendor,
makes them key players in information security
programs. Each manager should:
discovery of a new threat, or a change
in a threat's direction, scope, or intent.
understand, support, and abide by institution's
information security policy, standards, and
Additionally, managers who are "owners' of
directives,
information should:
O IS0
be responsible for the classification of
6.1.6 Information Security Officers
information or information processing systems For the purpose of this Technical Report, we define
under their control.
an Information Security Officer as the senior
define the security requirements for his
official or group of officials charged with
information or information processing systems.
developing, implementing, and maintaining the
program for protecting the information assets of the
authorize access to information or information
institution.
processing systems under his control.
The Information Security Officers should:
inform the Information System Security Officer manage the overall information security
of access rights and keep such access
program,
information up-to-date.
0 have responsibility for developing
NOTE - All business information should have an
Information Security Policies and Standards
identified "owner." A procedure for establishing
for use throughout the organization. These
ownership is required to ensure that all business
policies and standards should be kept
information will receive appropriate protection.
up-to-date, reflecting changes in technology,
business direction, and potential threats,
whether accidental or intentional,
6.1.4 Employees, vendors, and contractors
should:
assist business units in the development of
0 understand, support, and abide by
specific standards or guidelines that meet
organizational and business unit information
information security policies for specific
security policies, standards and directives,
products within the business unit. This includes
working with business managers to ensure that
be aware of the security implications of
an effective process for implementing and
their actions,
maintaining controls is in place,
0 promptly report any suspicious behavior or
ensure that when exceptions to policy are
circumstance that may threaten the integrity of
required, the risk acceptance process is
information assets or processing resources,
completed, and the exception is reviewed and
reassessed periodically,
0 keep each institution's information
confidential. This especially applies to
remain current on threats against financial
contractors and vendors with several
information assets. Attending information
institutions as customers. This includes
security meetings, reading trade publications,
internal confidentiality requirements, e.g.
and participation in work groups are some
compartmentalization.
ways of staying current with new
developments,
NOTE - Security program components should be
incorporated into service agreements and employees'
employment contracts. understand the current information
processing technologies and the most current
information protection methods and controls by
6.1.5 Legal function
receiving internal education, attending
Institutions may wish to include the following
information security seminars and through
responsibilities for the legal department or function:
on-the-job training, ,
0 monitor changes in the law through
understand the businss processes of the
legislation, regulation and court cases that may
institution, so as to provide appropriate
affect the information security program of the
security protection,
institution.
0 apply management and organizational
0 review contracts concerning employees,
skills, knowledge of the business, and where
customers, service providers, contractors, and
appropriate, professional society recognition,
vendors to ensure that legal issues relating to
in the execution of their duties,
information security are addressed adequately.
encourage the participation of managers,
render advice with respect to security
auditors, insurance staff, legal staff, and other
incidents.
disciplines that can contribute to information
protection programs,
0 develop and maintain procedures for
handling follow-up to security incidents, such
review audit and examination reports
as preservation of evidence.
O IS0
ISO/TR 13569: 1997(E)
manager whenever employees terminate,
dealing with information security issues, and
transfer, take a leave of absence, or when job
ensure that they are understood by
responsibilities change,
management. The officer should be involved in
the formulation of management's response to
O monitor closely users with high-level
the audit findings and follow-up periodically to
privileges and remove privileges immediately
ensure that controls and procedures required
when no longer required,
are implemented within the stipulated time
frames.
O monitor daily access activity to determine
O if any unusual activity has taken place, such as
confirm that the key threats to information
repeated invalid access attempts, that may
assets have been defined and understood by
threaten the integrity, confidentiality, or
management,
availability of the system. These unusual
activities, whether intentional or accidental in
O assume responsibility or assist in the
origin, must be brought to the attention of the
preparation and distribution of an appropriate
information resource owner for investigation
warning of potentially serious and imminent
and resolution,
threats to an organization's information assets,
e.g., computer virus outbreak. See clause A.6
O ensure that each system user be identified
for a sample warning,
by a unique identification sequence (USERID)
O associated only with that user. The process
coordinate or assist in the investigation of
should require that the user identity be
threats or other attacks on information assets,
authenticated prior to gaining access to the
O information resource by utilizing a properly
assist in the recovery from attacks,
chosen authentication method,
O
assist in responding to customer security
O make periodic reports on access activity to
issues, including letters of assurance and
the appropriate information owner,
questions on security. Although a letter of
assurance is sent from the institution to the
O ensure that audit trail information is
customer, it will often reflect the customer's
collected, protected, and available.
desires rather than the institution's security
policy.
The activities of the ISSA should be reviewed by an
independent party on a routine basis.
6.1.7 Information Systems Security
Administration
6.2 Risk acceptance
Each business unit and system manager must
Business Managers are expected to follow the
determine the need-to-know access privileges for
institution's information security policy, standards
users within their business sectors and communicate
and directives whenever possible. If the manager
these documented privileges to the administrator.
believes that circumstances of his particular
These access privileges should be reviewed
situation prevent him from operating within that
periodically and changes should be made when
guidance, he should either:
appropriate.
0 undertake a plan to come into compliance
Each information access control system should
as soon as possible, or
have one or more Information Systems Security
Administrator(s) appointed to ensure that access
O seek an exception based upon a risk
control procedures are being monitored and
assessment of the special circumstances
enforced. Administrators should operate under dual
involved.
control, especially for higher level privileges.
These access control procedures are described in
The Information Security Officer should participate
detail in 7.2.
in the preparation of the compliance plan or
exception request for presentation to appropriate
The Information System Security Administration
levels of management for decision.
should:
be responsible for maintaining accurate
The Information Security Officer should consider
and complete access control privileges based
changes to the information security program
on instructions from the information resource
whenever the exception procedure reveals
owner and in accordance with any applicable
situations not previously addressed.
internal policies, directives, and standards,
While a complete treatment of risk management is
remain informed by the appropriate
far beyond the scope of this Technical Report,
O IS0 ISO/TR 13569:1997(E)
clause A.7 provides a sample risk acceptance form reports on the condition of the control
environment and recommend improvements
that identifies relevant factors in making risk
acceptance decisions. that can be justified by need and cost benefit.
specify retention and review of audit trail
See clause 9 for a risk evaluation methodology.
information.
6.3 Insurance
Where the audit review function is combined with
In planning the information security program, the
other functions, management attention is required to
Information Security Officer and business manager
minimize conflict of interest potential.
should consult with the insurance department and,
if possible, the insurance carrier. Doing so can
result in a more effective information security 6.5 Regulatory compliance
Regulatory authorities concern themselves
program and better use of insurance premiums.
principally with issues of safety, soundness, and
Insurance carriers may require that certain controls, compliance with laws and regulations. One element
of safety and soundness is the institution's system of
called Conditions Prior to Liability or conditions
control that protect information from unavailability,
precedent, be met before a claim is honored.
Conditions Prior to Liability often deal with and unauthorized modification, disclosure, and
information security controls. Since these controls destruction.
must be in place for insurance purposes, they
Regulatory Compliance Officers should work with
should be incorporated into the institution's
the Information Security Officer, business
information security program. Some controls may
also be required to be warranted, i.e., shown to managers, risk managers, and auditors to ensure
that information security requirements of
have been in place continuously since inception of
the policy. regulations are understood and implemented.
Regulatory Compliance Officers should also remain
current on new technologies or methodologies
Business Interruption coverage and Errors and
which may become subject of regulation. For
Omissions coverage, in particular, should be
integrated with information security planning. example, compliance with pre-defined functionality
classes for Information Technology products.
6.4 Audit
6.6 Disaster recovery planning
The following quotation from the Institute of
Internal Auditors Standards for the Professional An important part of an Information Security
Program is a plan to continue critical business in
Practice of Internal Auditing defines the auditor's
the event of a disruption. A disaster recovery plan
role as follows:
outlines roles and responsibilities under those
"Internal auditing is an independent appraisal conditions.
function established within an organization to
Disaster recovery is that part of business
examine and evaluate its activities as a service
resumption planning that ensures information and
to the organization. The objective of internal
auditing is to assist members of the information processing facilities are restored as
soon as possible after interruption.
organization in the effective discharge of their
responsibilities. To this end, internal auditing
furnishes them with analyses, appraisals, The disaster recovery plan should include the
recommendations, counsel, and information following:
concerning the activities reviewed.''
listing of business activities considered
More specifically, in the area of information critical, preferably with priority rankings,
including time frames adequate to meet
security, auditors should:
business commitments,
0 evaluate and test controls over the
information assets of a financial institution. identification of the range of disasters that
must be protected against,
engage in an on-going dialogue with
identification of processing resources and
Information Security Officers and others to
bring appropriate perspectives to the locations available to replace those supporting
critical activities,
identification of threats, risks, and the
adequacy of controls for both existing and new
0 identification of personnel available to
products.
operate processing resources or to replace
0 provide management with objective personnel unable to report to the institution,
O IS0
The Information Security Program must support the
identification of information to be backed work environment in which it exists. The
Information Security staff must not operate in a
up and the location for storage, as well as the
vacuum. They must understand the business
requirement that the information will be saved
objectives as well as the internal operation and
for back-up on a stated schedule,
organization of the institution to better protect and
0 advise the institution. By acting in concert with
information back-up systems capable of
other groups within the organization, a cooperative
locating and retrieving critical information in a
spirit can evolve that will benefit everyone. In this
timely fashion,
way, security awareness will be promoted daily.
0 agreements with service suppliers for
Lastly, to promote goodwill and support for the
priority resumption of services, when possible.
program, Information Security staff members must
be available to assist at all times.
The disaster recovery plan should be tested as
frequently as necessary to find problems and to
keep personnel trained in its operation. A periodic
6.8 External Service Providers
of the recovery plan to ascertain that
re-evaluation
Financial institutions require that externally
it is still appropriate for its purposes should be
provided critical services, such as data processing,
undertaken periodically. A minimal frequency for
transaction handling, network service, and software
both tests and reevaluations should be specified by
generation, receive the same levels of control and
the institution.
information protection as those activities processed
within the institution itself. The contract should
include the elements necessary to satisfy the
6.7 Information security awareness
The goal of a Security Awareness Program is to financial institution that:
promote information security. The program is
external service provider should in all cases
meant to influence, in a positive way, employees'
of
attitudes towards Information Security. Security abide by the security policies and standards
the financial institution.
awareness should be addressed on an on-going
basis.
third party reports, i.e., the reports prepared by
the service provider's own public accounting
The success of any Information Security Program is
directly related to the Information Security Officer's firm are made available.
ability to gain support and commitment from all
internal auditors from the financial institution
levels of staff within the organization. Failure to
gain this support reduces the program's be accorded the right to conduct an audit at the
effectiveness. service provider relating to procedures and
controls specific to the financial institution.
Without Management support, the information
security program cannot survive. Different levels the external service provider should be subject
of management and staff have different concerns. to Escrow agreements of delivered systems,
These concerns should be emphasized when products or services.
addressing those various levels. Furthermore,
presentations must be made in such a way that In addition to the above, an independent financial
people of all levels and skills will be able to review of the provider should be conducted by
understand. specialists within the financial institution before
engaging in a contract with a service provider.
Managers should be made aware of the exposure,
risks and loss potential, as well as regulatory and No business should be transacted with a service
audit requirements. This should be presented both provider unless a letter of assurance is obtained
in business terms and with examples pertinent to the stating information security controls are in place.
manager's area of responsibility; positive messages The Information Security Officer should examine
being the most effective. Subclause 7.8 of this the service provider's security program to determine
Technical Report examines these areas in more
if it is in concert with the institution's. Any
detail. shortfall should be resolved either by negotiations
with the provider or by the risk acceptance process
To function properly, the Information Security within the institution.
Program must achieve a balance of control and
accessibility. Both staff and management must be In addition to information security requirements,
made aware of this. Users must be given access contracts with service providers should include a
sufficient to perform their required job functions. non-disclosure clause and clear assignment of
They should never be given unrestricted access.
liability for losses resulting from information
security lapses.
O IS0
provide the greatest risk to your internal networks
6.8.1 Internet Service Providers
because they provide a peer to peer connection. In
A new emerging networking environment is rapidly
other words, they are now part of the institution’s
introducing new risks to the financial world. The
network and have access to any of the institution’s
Internet is the world-wide collection of
network resources. For more information on how
interconnected networks that use
...