Page 36 - ITU-T Focus Group Digital Financial Services – Technology, innovation and competition
Identification and authentication
• Verify the identities of users, processes, or devices before allowing access to the organization’s information
systems.
• Use multifactor authentication for local and network access to privileged accounts.
4.2 Systems development
Recommendation summary
Keep firmware and software current with vendor patches and use integrity monitoring tools on critical information. Adopt a policy that prevents the use of unauthorized software. Use defensive software such as firewalls and intrusion detection systems to protect network perimeters. Implement cryptographic mechanisms built on up-to-date libraries to protect data in transit, and ensure that appropriately strong cipher suites are in use. Migrate away from communication channels that do not support end-to-end security, such as SMS and USSD, in favour of SIM toolkit and smartphone apps.
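The "appropriately strong cipher suites" recommendation is easiest to act on with an explicit policy that can be checked mechanically. The following Python script is an added example, not code from the ITU-T report or from any DFS product: it defines a cipher-suite policy (no NULL, export, RC4, DES/3DES, MD5 or anonymous suites, and ephemeral key exchange only so a stolen server key cannot decrypt recorded traffic), audits a list of suite names against it, and builds a client SSLContext that enforces TLS 1.2 or later with AEAD suites. The cipher-suite names in LEGACY_SERVER_SUITES are standard OpenSSL names assembled for the demonstration, not output captured from any real host.

```python
import re
import ssl

# Substrings that mark a cipher suite as unacceptable for DFS traffic:
# no encryption, export-grade keys, broken ciphers or hashes, anonymous key exchange.
WEAK_RE = re.compile(r"NULL|EXPORT|RC4|DES|MD5|ADH|AECDH|anon")

# TLS 1.3 suites (OpenSSL naming); every one of them uses ephemeral key exchange.
TLS13_SUITES = {
    "TLS_AES_256_GCM_SHA384", "TLS_AES_128_GCM_SHA256",
    "TLS_CHACHA20_POLY1305_SHA256", "TLS_AES_128_CCM_SHA256",
    "TLS_AES_128_CCM_8_SHA256",
}


def audit_cipher_suites(names):
    """Return (suite, reason) for every suite in `names` that violates the policy.

    A suite fails if it uses a weak primitive (WEAK_RE) or if its key exchange
    is not ephemeral, i.e. it offers no forward secrecy: static RSA suites such
    as AES128-SHA let anyone holding the server key decrypt recorded sessions.
    """
    failures = []
    for name in names:
        if WEAK_RE.search(name):
            failures.append((name, "weak primitive"))
        elif "DHE" not in name and name not in TLS13_SUITES:
            failures.append((name, "no forward secrecy"))
    return failures


def hardened_client_context():
    """Client SSLContext: TLS 1.2+, AEAD suites with ephemeral key exchange,
    certificate and hostname verification left on (create_default_context)."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # OpenSSL cipher-list syntax; this governs the TLS 1.2 suites only. TLS 1.3
    # suites are configured separately by OpenSSL and all satisfy the policy.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:!aNULL:!eNULL:!MD5")
    return ctx


def context_meets_policy(ctx):
    """True if ctx refuses anything below TLS 1.2 and offers no failing suite."""
    return (ctx.minimum_version >= ssl.TLSVersion.TLSv1_2
            and not audit_cipher_suites(c["name"] for c in ctx.get_ciphers()))


# Constructed sample: the cipher list a legacy server might advertise.
LEGACY_SERVER_SUITES = [
    "ECDHE-RSA-AES256-GCM-SHA384",   # acceptable
    "AES128-SHA",                    # static RSA key exchange: no forward secrecy
    "ECDHE-RSA-DES-CBC3-SHA",        # 3DES: weak primitive
    "ECDHE-RSA-RC4-SHA",             # RC4: weak primitive
]

if __name__ == "__main__":
    for suite, reason in audit_cipher_suites(LEGACY_SERVER_SUITES):
        print(f"reject {suite}: {reason}")
    ctx = hardened_client_context()
    print("hardened context offers:", [c["name"] for c in ctx.get_ciphers()])
    print("meets policy:", context_meets_policy(ctx))
```

The audit function works on suite names alone, so the same check can be run over the output of a scanner or a server's configuration file without opening a connection; the context builder is the client-side counterpart, and the same `set_ciphers` string and `minimum_version` apply to a server context built with `ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)`.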
System development, configuration and change management
• Establish and maintain baseline configurations and inventories of organization’s information systems
(including hardware, software, firmware, and documentation) throughout the respective system
development life cycles.
• Establish and enforce security configuration settings for information technology products employed in
organization’s information systems.
• Track, review, approve, or disapprove as consistent with organizational policy, and audit changes to
information systems.
• Restrict, disable, or prevent the use of nonessential programs, functions, ports, protocols, and services.
• Apply a deny-by-exception (blacklist) policy to prevent the use of unauthorized software, or a deny-all, permit-by-exception (whitelist) policy that allows only authorized software to execute. The whitelist form is the stronger control, since software that is not yet known to be malicious is denied by default rather than allowed.
• Identify, report, and correct information system flaws in a timely manner.
• Apply firmware, software, and operating system patches when new releases are available.
• Ensure anti-virus software is installed, configured, and running on all DFS information systems. In addition, ensure anti-virus definitions are regularly updated, periodic system scans are performed, and real-time file scans are performed on files from external sources as they are downloaded, opened, or executed.
• Deploy a change detection mechanism, such as file integrity monitoring tools, to detect and alert
personnel to unauthorized changes, additions, or deletion of critical files, such as those associated with
consumer accounts or financial data.
• Employ architectural designs, software development techniques, and systems engineering principles
that promote effective information security within the organization’s information systems.
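Two items in the list above, the blacklist/whitelist policy for software execution and the change detection mechanism for critical files, rest on the same primitive: a baseline of cryptographic hashes. The following Python script is an added example, not code from the ITU-T report or from any file integrity monitoring or application control product. It builds a SHA-256 baseline of a directory, diffs it against a later snapshot to report added, removed and modified files, and then uses the same hashes to make the two execution policies concrete: an unknown binary runs under deny-by-exception but is refused under deny-all, permit-by-exception. The directory layout, file contents and the "known bad" digest are constructed inside a temporary directory for the demonstration.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path):
    """SHA-256 of a file, read in chunks so large files need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map every regular file under root (POSIX-style relative path) to its SHA-256."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare_baseline(baseline, current):
    """Diff two baselines: files that appeared, disappeared, or changed content."""
    common = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "modified": sorted(p for p in common if baseline[p] != current[p]),
    }


def execution_allowed(digest, policy, approved, denied):
    """Decide whether a binary with this SHA-256 may run under the given policy.

    'blocklist' is deny-by-exception: anything not explicitly denied runs.
    'allowlist' is deny-all, permit-by-exception: only approved digests run.
    """
    if policy == "blocklist":
        return digest not in denied
    if policy == "allowlist":
        return digest in approved
    raise ValueError(f"unknown policy {policy!r}")


def demo():
    """Constructed scenario in a temporary directory; no real DFS files are involved."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "pay").write_bytes(b"approved payment binary v1")
        (root / "accounts.db").write_bytes(b"acct=1001;balance=100")
        (root / "config.ini").write_bytes(b"[tls]\nmin_version=1.2\n")
        baseline = build_baseline(root)

        # Simulated unauthorized activity after the baseline was taken.
        (root / "accounts.db").write_bytes(b"acct=1001;balance=999999")  # tampered
        (root / "bin" / "dropper").write_bytes(b"unknown binary")         # added
        (root / "config.ini").unlink()                                    # deleted
        current = build_baseline(root)
        changes = compare_baseline(baseline, current)

        # Execution control: the approved set is the baseline hash of bin/pay;
        # the denied set holds one constructed "known bad" digest.
        approved = {baseline["bin/pay"]}
        denied = {hashlib.sha256(b"known malware sample").hexdigest()}
        unknown = current["bin/dropper"]
        return {
            "changes": changes,
            "blocklist_runs_unknown": execution_allowed(unknown, "blocklist", approved, denied),
            "allowlist_runs_unknown": execution_allowed(unknown, "allowlist", approved, denied),
            "allowlist_runs_approved": execution_allowed(current["bin/pay"], "allowlist", approved, denied),
        }


if __name__ == "__main__":
    result = demo()
    for kind, files in result["changes"].items():
        print(f"{kind}: {files}")
    print("blocklist lets unknown binary run:", result["blocklist_runs_unknown"])
    print("allowlist lets unknown binary run:", result["allowlist_runs_unknown"])
```

In production the baseline must be stored and compared on a host the monitored system cannot write to, and a change report should be raised as an alert rather than merely logged; otherwise an attacker who can alter the monitored files can alter the baseline as well.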
Communication channel protection
• Protect the trusted network perimeter from untrusted sources through the use of network and application firewalls and intrusion detection and prevention devices.
• Authorize and protect wireless access, permitting only a limited set of connections and requiring authentication and encryption. Limit or, preferably, eliminate the use of wireless connections to data centres, and segregate data centres from office LANs.
• Monitor, control, and protect the organization’s communications (i.e., information transmitted or received
by the organization’s information systems) at the external boundaries and key internal boundaries.
• Segment publicly accessible system components from internal networks.