ISO/TR 13569:1996
Banking, securities and other financial services — Information security guidelines
Banque, valeurs mobilières et autres services financiers — Lignes directrices pour la sécurité de l'information
Standards Content (Sample)
TECHNICAL REPORT ISO/TR 13569
First edition 1996-11-15
Banking, securities and other financial services - Information security guidelines
Reference number ISO/TR 13569:1996(E)
Contents
1 INTRODUCTION . 1
2 REFERENCES . 1
3 EXECUTIVE SUMMARY . 1
4 HOW TO USE THIS TECHNICAL REPORT . 2
5 REQUIREMENTS . 3
6 INFORMATION SECURITY PROGRAMME COMPONENTS . 3
6.1 GENERAL DUTIES . 3
6.1.1 Directors
6.1.2 Chief Executive Officer
6.1.3 Managers
6.1.4 Employees, vendors, and contractors should:
6.1.5 Legal function
6.1.6 Information Security Officers
6.1.7 Information Systems Security Administration
6.2 RISK ACCEPTANCE . 6
6.3 INSURANCE . 6
6.4 AUDIT . 6
6.5 REGULATORY COMPLIANCE . 7
6.6 DISASTER RECOVERY PLANNING . 7
6.7 INFORMATION SECURITY AWARENESS . 7
6.8 EXTERNAL SERVICE PROVIDERS . 8
6.9 CRYPTOGRAPHIC OPERATIONS . 8
6.10 PRIVACY . 9
7 CONTROL OBJECTIVES AND SUGGESTED SOLUTIONS . 9
7.1 INFORMATION CLASSIFICATION . 10
7.2 LOGICAL ACCESS CONTROL . 10
7.2.1 Identification of users
7.2.2 Authentication of users
7.2.3 Limiting sign-on attempts
7.2.4 Unattended terminals
7.2.5 Operating system access control features . 12
7.2.6 Warning
7.3 AUDIT TRAILS . 12
7.4 CHANGE CONTROL . 13
7.4.1 Emergency problems
7.5 COMPUTERS . 13
7.5.1 Physical protection
7.5.2 Logical access control
7.5.3 Change
7.5.4 Equipment maintenance
7.5.5 Casual viewing
7.5.6 Emulation concerns . 14
7.5.7 Business continuity
© ISO 1996
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying and microfilm, without permission in writing from the publisher.
International Organization for Standardization
Case postale 56 CH-1211 Genève 20 Switzerland
Printed in Switzerland
7.5.8 Audit trails
7.5.9 Disposal of equipment . 15
7.5.10 Distributed Computing
7.6 NETWORKS . 15
7.6.1 Network integrity
7.6.2 Access control . 15
7.6.5 Change . 16
7.6.6 Connection with ot
7.6.7 Network mo . 16
7.6.10 Audit trails
7.7.10 Property rights
7.7.11 Viruses
7.7.13 Remote control
7.7.14 Software provided to customers
7.8.2 Management
7.8.3 Unauthorized use of
7.10.2 Repudiation
7.10.3 Misdirection of
7.11.1 Authorized users . 23
7.11.4 Disclosure . 24
7.11.6 Message retention
7.11.7 Message Reception
7.12 PAPER DOCUMENTS . 24
7.12.1 Modification . 24
7.12.2 Viewing . 25
7.12.3 Storage facilities . 25
7.12.4 Destruction
7.12.5 Business continuity . 25
7.12.6 Preservation of evidence . 25
7.12.7 Labeling . 25
7.12.8 Forged documents
7.12.9 Output distribution schemes . 25
7.13 MICROFORM AND OTHER MEDIA STORAGE . 25
7.13.1 Disclosure
7.13.2 Destruction
7.13.3 Business continuity
7.13.4 Environmental . 26
7.14 FINANCIAL TRANSACTION CARDS . 26
7.14.1 Physical security . 26
7.14.2 Insider abuse . 26
7.14.3 Transportation of PINs . 26
7.14.4 Personnel . 26
7.14.5 Audit . 26
7.14.6 Enforcement
7.14.7 Counterfeit card prevention
7.15 AUTOMATED TELLER MACHINES . 27
7.15.1 User identification . 27
7.15.2 Authenticity of information . 27
7.15.3 Disclosure of information . 27
7.15.4 Fraud prevention
7.15.5 Maintenance and service . 27
7.16 ELECTRONIC FUND TRANSFERS . 28
7.16.1 Unauthorized source . 28
7.16.2 Unauthorized changes . 28
7.16.3 Replay of messages
7.16.4 Record retention . 28
7.16.5 Legal basis for payments . 28
7.17 CHEQUES . 28
8 SOURCES OF FURTHER HELP . 28
8.1 FINANCIAL SERVICES INSTITUTIONS . 28
8.2 STANDARDS BODIES . 28
8.3 BUILDING, FIRE, AND ELECTRICAL CODES . 29
8.4 GOVERNMENT REGULATORS . 29
GLOSSARY OF TERMS . 30
ANNEX A SAMPLE DOCUMENTS . 34
A.1 Sample Board of Directors Resolution on Information Security . 34
A.2 Sample Information Security Policy (High Level) . 35
A.3 Sample Employee Awareness Form . 36
A.4 Sample Sign-On Warning Screens . 37
A.5 Sample Facsimile Warnings . 37
A.6 Sample Information Security Bulletin . 38
A.7 Sample Risk Acceptance Form . 39
ANNEX B BASIC PRINCIPLES FOR DATA PROTECTION . 41
ANNEX C NAMES AND ADDRESSES OF NATIONAL ORGANISATIONS . 43
INDEX . 56
Foreword
ISO (the International Organization for Standardization) is a worldwide federation of national standards bodies (ISO member bodies). The work of preparing International Standards is normally carried out through ISO technical committees. Each member body interested in a subject for which a technical committee has been established has the right to be represented on that committee. International organizations, governmental and non-governmental, in liaison with ISO, also take part in the work. ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of electrotechnical standardization.

The main task of technical committees is to prepare International Standards, but in exceptional circumstances a technical committee may propose the publication of a Technical Report of one of the following types:
- type 1, when the required support cannot be obtained for the publication of an International Standard, despite repeated efforts;
- type 2, when the subject is still under technical development or where for any other reason there is the future but not immediate possibility of an agreement on an International Standard;
- type 3, when a technical committee has collected data of a different kind from that which is normally published as an International Standard ("state of the art", for example).

Technical reports of types 1 and 2 are subject to review within three years of publication, to decide whether they can be transformed into International Standards. Technical Reports of type 3 do not necessarily have to be reviewed until the data they provide are considered to be no longer valid or useful.

ISO/TR 13569, which is a Technical Report of type 3, was prepared by Technical Committee ISO/TC 68, Banking, securities and other financial services, Subcommittee SC 2, Strategy, security and general operations.
Banking, securities and other financial services - Information security guidelines

1 Introduction

Financial institutions increasingly rely on Information Technology (IT) for the efficient conduct of business. Management of risk is central to the financial service sector. Financial institutions manage risk through prudent business practice, careful contracting, insurance, and use of appropriate security mechanisms.

There is a need to manage information security within financial institutions in a comprehensive manner.

This Technical Report is not intended to provide a generic solution for all situations. Each case must be examined on its own merits and appropriate actions selected. This Technical Report is to provide guidance, not solutions.

The objectives of this Technical Report are:
- to present an information security programme structure.
- to present a selection guide to security controls that represent accepted prudent business practice.
- to be consistent with existing standards, as well as emerging work in objective and accreditable security criteria.

This Technical Report is intended for use by financial institutions of all sizes and types that wish to employ a prudent and commercially reasonable information security programme. It is also useful to providers of service to financial institutions. This Technical Report may also serve as a source document for educators and publishers serving the financial industry.

2 References

NOTE - Annex C contains references to national regulations, standards and codes. The list below includes only those documents referenced in the main body of this Technical Report.

International Standards:

ISO 8730:1990, Banking - Requirements for message authentication (wholesale).

ISO 8732:1988, Banking - Key management (wholesale).

ISO 9564-1:1991, Personal Identification Number management and security - Part 1: PIN protection principles and techniques.

ISO 9564-2:1991, Personal Identification Number management and security - Part 2: Approved algorithm(s) for PIN encipherment.

ISO 10126-1:1991, Banking - Procedures for message encipherment (wholesale) - Part 1: General principles.

ISO 10126-2:1991, Banking - Procedures for message encipherment (wholesale) - Part 2: DEA algorithm.

ISO 10202:1991-1996, Financial transaction cards - Security architecture of financial transaction systems using integrated circuit cards (all parts).

National Standards:

ANSI X9/TG-2, Understanding and Designing Checks (USA).

Regulations:

US Office of the Comptroller of the Currency, Banking Circular BC-226 Policy Statement.

Other documents:

Institute of Internal Auditors Standards for the Professional Practice of Internal Auditing.

Code of Practice for Information Security Management.

3 Executive summary

Financial institutions and their senior management have always been accountable for the implementation of effective controls for protecting information assets. The confidentiality, integrity, authenticity, and availability of that information are paramount to the business. As such, it is imperative that these assets be available and protected from disclosure, modification, fabrication, replication, and destruction, whether accidental or intentional. It is imperative for a financial institution to protect the transfer of its assets which are encoded in the form of trusted information.

Business depends more and more on computerized information systems. It is becoming impossible to separate technology from the business of finance. There is increasing use of personal computers and networks, and a greater need than ever for these to work together. In many institutions, more work is
done on personal computers and local area networks than on the large mainframes. Security controls for these local computers are not as well developed as controls over mainframes. The security needed for all information systems is growing dramatically. Image systems, digital voice/data systems, distributed processing systems, and other new technologies are being used increasingly by financial institutions. This makes information security even more important to the commercial success or even the survival of an institution.

Security controls are required to limit the vulnerability of information and information processing systems. The level of protective control must be cost effective, i.e., consistent with the degree of exposure and the impact of loss to the institution. Exposures include financial loss, competitive disadvantage, damaged reputation, improper disclosure, lawsuit, or regulator sanctions. Well thought out security standards, policies and guidelines are the foundation for good information security.

Work is ongoing within the US, Canada and the European Community to establish a Common Criteria for the evaluation of information technology products. These criteria coupled with financial sector pre-defined functionality classes will enable financial institutions to achieve uniform, trusted, security facilities. This guideline should be used as an input to that process.

With the continuing expansion of distributed information there is growing interest and pressure to provide reasonable assurance that financial institutions have adequate controls in place. This interest is demonstrated in laws and regulations. An excerpt from the US Office of the Comptroller of the Currency, Banking Circular BC-226 Policy Statement illustrates this concern.

"It is the responsibility of the Board of Directors to ensure that appropriate corporate policies, which identify management responsibilities and control practices for all areas of information processing activities, have been established. The existence of such a 'corporate information security policy,' the adequacy of its standards, and the management supervision of such activities will be evaluated by the examiners during the regular supervisory reviews of the institution."

This Technical Report includes a guideline for building a comprehensive information security programme.

4 How to use this Technical Report

This Technical Report was designed to serve many purposes. This clause provides a "road map" to the remainder of the Technical Report.

Clause 5: Requirements: This clause defines a starting point in building a security programme. It sets out minimum requirements for an adequate information security programme. It may also serve as a measure against which an institution can evaluate the state of its information security programme.

Clause 6: Information security programme components: This clause contains more specific information on how an Information Security Programme should operate. Specific responsibilities are suggested for various officers and functions of an institution. Lines of communication between functions that are considered helpful for sound security practice are identified. This clause can be used by senior officials to ensure that structural impediments to sound security practice are minimized. Information security personnel may also use this clause to evaluate the effectiveness of the information security programme.

Clause 7: Control Objectives and Suggested Solutions: This clause is the heart of this Technical Report. It discusses threats to information in terms specific enough to enable financial personnel to ascertain if a problem exists at their institution, without educating criminals. The first four subclauses address controls common to many delivery platforms: classification, logical access control, change control, and audit trails. Subsequent subclauses address security concerns for information processing equipment, human resources, and those specific to the delivery platform used. Electronic fund transfers and cheque processing subclauses finish this clause.

Clause 8: Sources of further help: This clause lists the types of organisations which may be of assistance to information security professionals. It is intended that this clause be used with Annex C.

Annex A: Sample Documents: This Annex is a collection of ready-to-use sample forms for a variety of information security related purposes.

Annex B: Privacy Principles: This Annex presents a sample set of Privacy Principles.

Annex C: Sources of Further Assistance: This annex lists the names and contact information for national organisations which can be of assistance to Information Security personnel.
5 Requirements

At the highest level, the acceptance of ethical values and control imperatives must be communicated and periodically reinforced with management and staff. Information is an asset that requires a system of control, just as do other assets more readily reducible to monetary terms. Prudent control over the information assets of the institution is good business practice.

The protection of information should be centred around the protection of key business processes. The notion of information and its attributes change within the context of a business process and security requirements should be examined at each stage of that process.

Developing, maintaining, and monitoring of an information security programme requires participation by multiple disciplines in the organisation. Close coordination is required between the business manager and the information security staff. Disciplines such as audit, insurance, regulatory compliance, physical security, training, personnel, legal, and others should be used to support the information
...
assets and the specification of appropriate levels of security,
d. includes an awareness or education programme to ensure that employees and contractors are aware of their information security responsibilities,
e. provides for the resolution and reporting of information security incidents,
f. establishes written plans for business resumption following disasters,
g. provides identification of, and procedures for addressing exceptions or deviations from the information security policy or derivative documents,
h. encourages coordination with appropriate parties, such as audit, insurance, and regulatory compliance officers,
i. establishes responsibility to measure compliance with, and soundness of, the security programme,