Page 38 - ITU-T Focus Group Digital Financial Services – Technology, innovation and competition

Provide security awareness, training, and screening

• Ensure all personnel are made aware of the security risks associated with their activities and of the applicable policies, standards, and procedures related to the security of the information systems.
• Ensure that personnel are adequately trained to carry out their assigned information security-related duties and responsibilities.
• Screen individuals in high-risk positions (e.g., DFS managers, finance teams, etc.) prior to authorizing sensitive access to information systems, in accordance with the appropriate Y.2740 security levels.

Risk and security assessment

• Periodically assess the risk to the organization’s operations, assets, and individuals, and to the associated processing, storage, or transmission of critical data.
• Periodically assess the security controls applied to the information systems to determine if the controls are operating effectively.
• Develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities.
• Monitor information system security controls on an ongoing basis to ensure the continued effectiveness of the controls.

Incident response

• Establish an operational incident-handling capability for the organization’s information systems that includes adequate preparation, detection, analysis, containment, recovery, and user response activities.
• Track, document, and report incidents to appropriate officials and/or authorities both internal and external to the organization.
• Periodically test the organization’s incident response capability.

Network scanning and penetration testing

• Periodically perform network scanning to detect system and application vulnerabilities.
• Periodically conduct penetration testing in order to identify vulnerabilities.
• Remediate vulnerabilities in accordance with the assessment of risk.

External/third-party service providers

• Maintain and implement policies and procedures to manage service providers with whom data is shared, or that could affect the security of the organization’s data.
• Maintain a list of service providers and the services they are managing.
• Maintain a written agreement that includes an acknowledgement that the service provider(s) is responsible for the security of the organization’s data that the service provider(s) possess or otherwise store, process, or transmit on behalf of the customer, or to the extent that they could impact the security of the customer’s data environment.
• Ensure there is an established process for engaging service providers, including proper due diligence prior to engagement.
• Maintain a program to monitor service providers’ performance at least annually.