ISO/TR 13569:1997
Banking and related financial services — Information security guidelines
Banque et services financiers liés aux opérations bancaires — Lignes directrices pour la sécurité de l'information
Standards Content (Sample)
TECHNICAL REPORT ISO/TR 13569
Second edition
1997-10-01
Banking and related financial services — Information security guidelines
Banque et services financiers liés aux opérations bancaires — Lignes directrices pour la sécurité de l'information
Reference number ISO/TR 13569:1997(E)
Contents
1 INTRODUCTION
2 REFERENCES
3 EXECUTIVE SUMMARY
NOTE ON SECOND EDITION
4 HOW TO USE THIS TECHNICAL REPORT
5 ENSURING SECURITY
6 INFORMATION SECURITY PROGRAM COMPONENTS
6.1 General duties
6.1.1 Directors
6.1.2 Chief Executive Officer
6.1.3 Managers
6.1.4 Employees, vendors, and contractors should:
6.1.5 Legal function
6.1.6 Information Security Officers
6.1.7 Information Systems Security Administration
6.2 Risk acceptance
6.3 Insurance
6.4 Audit
6.5 Regulatory compliance
6.6 Disaster recovery planning
6.7 Information security awareness
6.8 External Service Providers
6.8.1 Internet Service Providers
6.8.2 Red-Teams
6.8.3 Electronic Money
6.9 Cryptographic operations
6.10 Privacy
7 CONTROL OBJECTIVES AND SUGGESTED SOLUTIONS
7.1 Information classification
7.2 Logical access control
7.2.1 Identification of users
7.2.2 Authentication of users
7.2.3 Limiting sign-on attempts
7.2.4 Unattended terminals
7.2.5 Operating system access control features
7.2.6 Warning
7.2.7 External Users
7.3 Audit trails
7.4 Change control
7.4.1 Emergency problems
7.5 Computers
7.5.1 Physical protection
7.5.2 Logical access control
7.5.3 Change
7.5.4 Equipment maintenance
7.5.5 Casual viewing
7.5.6 Emulation concerns
7.5.7 Business continuity
7.5.8 Audit trails
7.5.9 Disposal of equipment
7.6 Networks
7.6.1 Network integrity
7.6.2 Access control
7.6.3 Dial-in
7.6.4 Network equipment
7.6.5 Change
7.6.6 Connection with other networks
7.6.7 Network monitoring
7.6.8 Protection during transmission
7.6.9 Network availability
7.6.10 Audit trails
7.6.11 Firewalls
© ISO 1997
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying and microfilm, without permission in writing from the publisher.
International Organization for Standardization
Case postale 56, CH-1211 Genève 20, Switzerland
Internet central@iso.ch
X.400 c=ch; a=400net; p=iso; o=isocs; s=central
Printed in Switzerland
7.7 Software
7.7.1 Applications
7.7.2 Databases
7.7.3 Artificial Intelligence (AI)
7.7.4 System software
7.7.5 Application testing
7.7.6 Defective software
7.7.7 Change
7.7.8 Availability of software code
7.7.9 Unlicensed software
7.7.10 Property rights
7.7.11 Viruses
7.7.12 Memory resident programs
7.7.13 Telecommuting
7.7.14 Software provided to customers
7.7.15 Software used to contact customers
7.7.16 Applets, JAVA, and Software from External Sources
7.8 Human factors
7.8.1 Awareness
7.8.2 Management
7.8.3 Unauthorized use of information resources
7.8.4 Hiring practices
7.8.5 Ethics policy
7.8.6 Disciplinary Policy
7.8.7 Fraud detection
7.8.8 Know your employee
7.8.9 Former employees
7.8.10 Telecommuting
7.9 Voice, telephone, and related equipment
7.9.1 Access to VoiceMail system
7.9.2 Private Branch Exchange (PBX)
7.9.3 Spoken word
7.9.4 Intercept
7.9.5 Business continuity
7.9.6 Documentation
7.9.7 Voice Response Units (VRU)
7.10 Facsimile and image
7.10.1 Modification
7.10.2 Repudiation
7.10.3 Misdirection of messages
7.10.4 Disclosure
7.10.5 Business continuity
7.10.6 Denial of service
7.10.7 Retention of documents
7.11 Electronic Mail
7.11.1 Authorized users
7.11.2 Physical protection
7.11.3 Integrity of transactions
7.11.4 Disclosure
7.11.5 Business continuity
7.11.6 Message retention
7.11.7 Message Reception
7.12 Paper documents
7.12.1 Modification
7.12.2 Viewing
7.12.3 Storage facilities
7.12.4 Destruction
7.12.5 Business continuity
7.12.6 Preservation of evidence
7.12.7 Labelling
7.12.8 Forged documents
7.12.9 Output distribution schemes
7.13 Microform and other media storage
7.13.1 Disclosure
7.13.2 Destruction
7.13.3 Business continuity
7.13.4 Environmental
7.14 Financial transaction cards
7.14.1 Physical security
7.14.2 Insider abuse
7.14.3 Transportation of PINs
7.14.4 Personnel
7.14.5 Audit
7.14.6 Enforcement
7.14.7 Counterfeit card prevention
7.15 Automated Teller Machines
7.15.1 User identification
7.15.2 Authenticity of information
7.15.3 Disclosure of information
7.15.4 Fraud prevention
7.15.5 Maintenance and service
7.16 Electronic Fund Transfers
7.16.1 Unauthorized source
7.16.2 Unauthorized changes
7.16.3 Replay of messages
7.16.4 Record retention
7.16.5 Legal basis for payments
7.17 Checks
7.18 Electronic Commerce
7.18.1 New Customers
7.18.2 Integrity Issues
7.19 Electronic Money
7.19.1 Duplication of Devices
7.19.2 Alteration or duplication of data or software
7.19.3 Alteration of messages
7.19.4 Replay or duplication of transactions
7.19.5 Theft of devices
7.19.6 Repudiation
7.19.7 Malfunction
7.19.8 Cryptographic Issues
7.19.9 Criminal Activity
7.20 Miscellaneous
7.20.1 Year 2000
7.20.2 Steganography - Covert Channels
8 IMPLEMENTING CRYPTOGRAPHIC CONTROLS
8.1 Applying Encryption
8.1.1 What To Encrypt
8.1.2 How To Encrypt
8.2 Implementing Message Authentication Codes (MAC)
8.2.2 Control of MAC
8.2.3 When to Apply MAC
8.2.4 Selection of Algorithm
8.3 Implementing Digital Signatures
8.3.1 How to generate digital signatures
8.3.2 Certification
8.3.3 Legal standing of digital signatures
8.3.4 Certificate (Key) management
8.3.5 Choice of algorithm
8.4 Key Management
8.4.1 Generation
8.4.2 Distribution
8.4.3 Storage
8.4.4 Public-Key Certification And Standards
8.5 Trusted Third Parties
8.5.1 Assurance
8.5.2 Services of a TTP
8.5.3 Network of TTPs
8.5.4 Legal Issues
8.6 Disaster Cryptography and Cryptographic Disasters
8.6.1 Disaster cryptography
8.6.2 Cryptographic disasters
9 SOURCES OF FURTHER ASSISTANCE
9.1 Financial Services institutions
9.2 Standards bodies
9.3 Building, fire, and electrical codes
9.4 Government regulators
GLOSSARY OF TERMS
ANNEX A Sample Documents
A.1 Sample Board of Directors Resolution on Information Security
A.2 Sample Information Security Policy (High Level)
A.3 Sample Employee Awareness Form
A.4 Sample Sign-On Warning Screens
A.5 Sample Facsimile Warnings
A.6 Sample Information Security Bulletin
A.7 Sample Risk Acceptance Form
A.8 Telecommuter Agreement & Work Assignment
ANNEX B Basic Principles For Data Protection
ANNEX C Names and Addresses of National Organisations
ANNEX D Other security standards
- Cryptographic Standards
- Secure Session Protocols
- Secure Message Formats
- Key Management
- Payment Protocols
ANNEX E Information Security Risk Assessment
INDEX
Foreword
ISO (the International Organization for Standardization) is a worldwide federation of national standards bodies (ISO member bodies). The work of preparing International Standards is normally carried out through ISO technical committees. Each member body interested in a subject for which a technical committee has been established has the right to be represented on that committee. International organizations, governmental and non-governmental, in liaison with ISO, also take part in the work. ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of electrotechnical standardization.
The main task of technical committees is to prepare International Standards, but in exceptional circumstances a technical committee may propose the publication of a Technical Report of one of the following types:
- type 1, when the required support cannot be obtained for the publication of an International Standard, despite repeated efforts;
- type 2, when the subject is still under technical development or where for any other reason there is the future but not immediate possibility of an agreement on an International Standard;
- type 3, when a technical committee has collected data of a different kind from that which is normally published as an International Standard ("state of the art", for example).
Technical Reports of types 1 and 2 are subject to review within three years of publication, to decide whether they can be transformed into International Standards. Technical Reports of type 3 do not necessarily have to be reviewed until the data they provide are considered to be no longer valid or useful.
ISO/TR 13569, which is a Technical Report of type 3, was prepared by ISO Technical Committee ISO/TC 68, Banking, securities and other financial services, Subcommittee SC 2, Security management and general banking operations.
This second edition cancels and replaces the first edition (ISO/TR 13569:1996), of which it constitutes a technical revision.
Banking and related financial services — Information security guidelines

1 INTRODUCTION

Financial institutions increasingly rely on Information Technology (IT) for the efficient conduct of business.

Management of risk is central to the financial service sector. Financial institutions manage risk through prudent business practice, careful contracting, insurance, and use of appropriate security mechanisms.

There is a need to manage information security within financial institutions in a comprehensive manner.

This Technical Report is not intended to provide a generic solution for all situations. Each case must be examined on its own merits and appropriate actions selected. This Technical Report is to provide guidance, not solutions.

The objectives of this Technical Report are:
- to present an information security programme structure.
- to present a selection guide to security controls that represent accepted prudent business practice.
- to be consistent with existing standards, as well as emerging work in objective and accreditable security criteria.

This Technical Report is intended for use by financial institutions of all sizes and types that wish to employ a prudent and commercially reasonable information security programme. It is also useful to providers of service to financial institutions. This Technical Report may also serve as a source document for educators and publishers serving the financial industry.

2 REFERENCES

NOTE - Annex C contains references to national regulations, standards, and codes. The list below includes only those documents referenced in the main body of this Technical Report.

International Standards:
- ISO 8730, Banking - Requirements for message authentication (wholesale).
- ISO 8732, Banking - Key management (wholesale).
- ISO 9564 (all parts), Personal Identification Number (PIN) management and security.
- ISO 10126 (all parts), Banking - Procedures for message encipherment (wholesale).
- ISO 10202 (all parts), Financial transaction cards - Security architecture of financial transaction systems using integrated circuit cards.

National Standards:
- ANSI X9/TG-2, Understanding and Designing Checks (USA).
- ANSI X9/TG-8, Check Security Guideline (USA).

Regulations:
- US Office of the Comptroller of the Currency, Banking Circular BC-226 Policy Statement.

Other documents:
- Institute of Internal Auditors Standards for the Professional Practice of Internal Auditing.
- Code of Practice for Information Security Management.
- Federal Information Protection Standard (FIPS) PUB 140-1, Security Requirements for Cryptographic Modules, National Institute for Standards and Technology (USA).
- Security of Electronic Money, published by the Bank of International Settlement, Basle, August 1996.

3 EXECUTIVE SUMMARY

Financial institutions and their senior management have always been accountable for the implementation of effective controls for protecting information assets. The confidentiality, integrity, authenticity, and availability of that information are paramount to the business. As such, it is imperative that these assets be available and protected from disclosure, modification, fabrication, replication, and destruction, whether accidental or intentional.

It is imperative for a financial institution to protect the transfer of its assets which are encoded in the form of trusted information.
Business depends more and more on computerized information systems. It is becoming impossible to separate technology from the business of finance. There is increasing use of personal computers and networks, and a greater need than ever for these to work together. In many institutions, more work is done on personal computers and local area networks than on the large mainframes. Security controls for these local computers are not as well developed as controls over mainframes. The security needed for all information systems is growing dramatically. Image systems, digital voice/data systems, distributed processing systems, and other new technologies, such as the Internet, are being used increasingly by financial institutions. This makes information security even more important to the commercial success or even the survival of an institution.

Security controls are required to limit the vulnerability of information and information processing systems. The level of protective control must be cost effective, i.e., consistent with the degree of exposure and the impact of loss to the institution. Exposures include financial loss, competitive disadvantage, damaged reputation, improper disclosure, lawsuit, or regulator sanctions. Well thought out security standards, policies and guidelines are the foundation for good information security.

Work is ongoing within the US, Canada and the European Community to establish a Common Criteria for the evaluation of information technology products. These criteria, coupled with financial sector pre-defined functionality classes, will enable financial institutions to achieve uniform, trusted security facilities. This Technical Report should be used as an input to that process.

With the continuing expansion of distributed information there is growing interest and pressure to provide reasonable assurance that financial institutions have adequate controls in place. This interest is demonstrated in laws and regulations. Examples in the form of excerpts are as follows:

1. Office of the Comptroller of the Currency, Banking Circular BC-226 Policy Statement (Joint issuance of the Federal Financial Institutions Examination Council)

"It is the responsibility of the Board of Directors to ensure that appropriate corporate policies, which identify management responsibilities and control practices for all areas of information processing activities, have been established. The existence of such a 'corporate information security policy,' the adequacy of its standards, and the management supervision of such activities will be evaluated by the examiners during the regular supervisory reviews of the institution."

This Technical Report includes a guideline for building a comprehensive information security program.

NOTE ON SECOND EDITION

Since the publication of the first edition of this Technical Report, much has changed. Change has not simplified matters. Virtually no threat or control listed in the first edition has been made obsolete. New threats have surfaced, along with new opportunities for improving delivery of service to customers. Banking over the Internet, electronic money, and revolutionary information technology discoveries and rediscoveries make these exciting times. Wherever possible this Technical Report addresses the environment as it is known. Our experience over the last four years dictates that constant vigilance is the minimum requirement for sound security.

4 HOW TO USE THIS TECHNICAL REPORT

This Technical Report was designed to serve many purposes. This clause provides a "road map" to the remainder of the Technical Report.

Clause 5: Requirements: This clause defines a starting point in building a security program. It sets out minimum requirements for an adequate information security program. It may also serve as a measure against which an institution can evaluate the state of its information security program.

Clause 6: Information security program components: This clause contains more specific information on how an Information Security Program should operate. Specific responsibilities are suggested for various officers and functions of an institution. Lines of communication between functions that are considered helpful for sound security practice are identified. This clause can be used by senior officials to ensure that structural impediments to sound security practice are minimized. Information security personnel may also use this clause to evaluate the effectiveness of the information security program.

Clause 7: Control Objectives and Suggested Solutions: This clause is the heart of this Technical Report. It discusses threats to information in terms specific enough to enable financial personnel to ascertain if a problem exists at their institution, without educating criminals. The first four subclauses address controls common to many delivery platforms: classification, logical access control, change control, and audit trails. Subsequent subclauses address security concerns for information processing equipment, human resources, and those specific to the delivery platform used. Electronic fund transfers and check processing subclauses finish this clause.
Clause 8: Implementing Cryptographic Controls: This clause provides information helpful in assuring that cryptographic controls are implemented in an effective fashion.

Clause 9: Sources of further assistance: This clause lists the types of organizations which may be of assistance to information security professionals. It is intended that this clause be used with Annex C.

Annex A: Sample Documents: This Annex is a collection of ready-to-use sample forms for a variety of information security related purposes.

Annex B: Privacy Principles: This Annex presents a sample set of Privacy Principles.

Annex C: Names and Addresses of National Organizations: This annex lists the names and contact information for national organizations which can be of assistance to Information Security personnel.

Annex D: Security Standards Outside the Financial Community: A comprehensive list of security standards developed by standards groups other than ASC X9 (US) or ISO TC68.

Annex E: Risk and Vulnerability Assessment provides a methodology for identification of risk in an institution.

5 ENSURING SECURITY

At the highest level, the acceptance of ethical values and control imperatives must be communicated and periodically reinforced with management and staff. Information is an asset that requires a system of control, just as do other assets more readily reducible to monetary terms. Prudent control over the information assets of the institution is good business practice.

The protection of information should be centered around the protection of key business processes. The notion of information and its attributes change within the context of a business process, and security requirements should be examined at each stage of that process.

Developing, maintaining, and monitoring of an information security program requires participation by multiple disciplines in the organization. Close coordination is required between the business manager and the information security staff. Disciplines such as audit, insurance, regulatory compliance, physical security, training, personnel, legal, and others should be used to support the information security program. Information security is a team effort and an individual responsibility.

The basic recommendation of this Technical Report is the establishment of an information security program that:

a. includes an institution-wide information security policy and statement, containing:
   i. a statement that the institution considers information in any form to be an asset of the institution.
   ii. an identification of risks and the requirement for implementation of controls to provide assurance that information assets are protected. Clause 7 of this Technical Report discusses suitable controls.
   iii. a definition of information security position responsibilities for each manager, employee and contractor. Clause 6 of this Technical Report lists suggested responsibilities.
   iv. a commitment to security awareness and education.
b. establishes one or more officer(s) responsible for the information security program,
c. provides for the designation of individuals responsible for the protection of information assets and the specification of appropriate levels of security,
d. includes an awareness or education program to ensure that employees and contractors are aware of their information security responsibilities,
e. provides for the resolution and reporting of information security incidents,
f. establishes written plans for business resumption following disasters,
g. provides identification of, and procedures for addressing, exceptions or deviations from the information security policy or derivative documents,
h. encourages coordination with appropriate parties, such as audit, insurance, and regulatory compliance officers,
i. establishes responsibility to measure compliance with, and soundness of, the security program,
j. provides for the review and update of the program in light of new threats and technology. For example, the emergence of IT evaluation criteria should assist security professionals in the selection and implementation of standardized security controls.
k. provides for the production of audit records where necessary and the monitoring of audit trails.

6 INFORMATION SECURITY PROGRAM COMPONENTS

Subclause 6.1 addresses the information security responsibilities within the institution. Subclauses 6.2 and beyond address functions related to information security. The controls suggested in this Technical Report are those which enforce or support protection of information and information processing resources. While some of these controls may address other areas of bank governance, this Technical Report should not be viewed as a complete checklist of management controls.

6.1 General duties

6.1.1 Directors

Directors of financial institutions have a duty to the institution and its shareholders to oversee the management of the institution. Effective information security practices constitute prudent business practice, and demonstrate a concern for establishing the public trust. Directors should communicate the idea that information security is an important objective and support an information security program.

6.1.2 Chief Executive Officer

The Chief Executive Officer, or Managing Director, as the most senior officer of the institution, has ultimate responsibility for the operation of the institution. The CEO should authorize the establishment of, and provide support for, an information security program consistent with recognized standards, oversee major risk assessment decisions, and participate in communicating the importance of information security.

6.1.3 Managers

Managers serve as supervisory and monitoring agents for the institution and the employees. This makes them key players in information security programs. Each manager should:
- understand, support, and abide by the institution's information security policy, standards, and directives,
- ensure that employees, vendors, and contractors also understand, support and abide by information security policy, standards, and directives, for example, the Code of Practice for Information Security Management,
- implement information security controls consistent with the requirements of business and prudent business practice,
- create a positive atmosphere that encourages employees, vendors, and contractors to report information security concerns,
- report any information security concerns to the Information Security Officer immediately,
- participate in the information security communication and awareness program,
- apply sound business and security principles in preparing exception requests,
- define realistic business "need-to-know" or "need-to-restrict" criteria to implement and maintain appropriate access control,
- identify and obtain resources necessary to implement these tasks,
- ensure that information security reviews are performed whenever required by internal policy, regulations, or information security concerns. Examples of circumstances that should trigger such a review include:
  - large loss from a security failure,
  - preparation of an annual report to the Board of Directors and Audit Committee,
  - acquisition of a financial institution,
  - purchase or upgrade of computer systems or software,
  - acquisition of new communications services,
  - introduction of a new financial product,
  - introduction of a new out-source processing vendor,
  - discovery of a new threat, or a change in a threat's direction, scope, or intent.

Additionally, managers who are "owners" of information should:
- be responsible for the classification of information or information processing systems under their control,
- define the security requirements for his information or information processing systems,
- authorize access to information or information processing systems under his control,
- inform the Information System Security Officer of access rights and keep such access information up-to-date.

NOTE - All business information should have an identified "owner." A procedure for establishing ownership is required to ensure that all business information will receive appropriate protection.

6.1.4 Employees, vendors, and contractors should:
- understand, support, and abide by organizational and business unit information security policies, standards and directives,
- be aware of the security implications of their actions,
- promptly report any suspicious behavior or circumstance that may threaten the integrity of information assets or processing resources,
- keep each institution's information confidential. This especially applies to contractors and vendors with several institutions as customers. This includes internal confidentiality requirements, e.g. compartmentalization.

NOTE - Security program components should be incorporated into service agreements and employees' employment contracts.

6.1.5 Legal function

Institutions may wish to include the following responsibilities for the legal department or function:
- monitor changes in the law through legislation, regulation and court cases

6.1.6 Information Security Officers

For the purpose of this Technical Report, we define an Information Security Officer as the senior official or group of officials charged with developing, implementing, and maintaining the program for protecting the information assets of the institution.

The Information Security Officers should:
- manage the overall information security program,
- have responsibility for developing Information Security Policies and Standards for use throughout the organization. These policies and standards should be kept up-to-date, reflecting changes in technology, business direction, and potential threats, whether accidental or intentional,
- assist business units in the development of specific standards or guidelines that meet information security policies for specific products within the business unit. This includes working with business managers to ensure that an effective process for implementing and maintaining controls is in place,
- ensure that when exceptions to policy are required, the risk acceptance process is completed, and the exception is reviewed and reassessed periodically,
- remain current on threats against financial information assets. Attending information security meetings, reading trade publications, and participation in work groups are some ways of staying current with new developments,
- understand the current information processing technologies and the most current information protection methods and controls by receiving internal education, attending information security seminars and through on-the-job training,
- understand the business processes of the
...
TECHNICAL REPORT ISO/TR 13569 (French edition)
Second edition
1997-10-01
Banking and related financial services — Information security guidelines
Reference number ISO/TR 13569:1997(F)
© ISO 1997
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying and microfilm, without permission in writing from the publisher.
International Organization for Standardization
Case postale 56, CH-1211 Genève 20, Switzerland
Internet iso@iso.ch
French version published in 1999
Printed in Switzerland
---------------------- Page: 2 ----------------------
© ISO
ISO/TR 13569:1997(F)
6.8.2 Security testers 13
6.8.3 Electronic money 13
6.9 Cryptographic operations 14
6.10 Privacy 14
7 Control objectives and suggested solutions 15
7.1 Information classification 16
7.2 Logical access control 17
7.2.1 Identification of users 17
7.2.2 Authentication of users 18
7.2.3 Limiting sign-on attempts 19
7.2.4 Unattended terminals 19
7.2.5 Operating system access control features 20
7.2.6 Warning 20
7.2.7 External users 20
7.3 Audit trails 20
7.4 Change control 21
7.4.1 Emergency problems 21
7.5 Computers 22
7.5.1 Physical protection 22
7.5.2 Logical access control 23
7.5.3 Change 23
7.5.4 Equipment maintenance 23
7.5.5 Casual viewing 23
7.5.6 Emulation concerns 24
7.5.7 Business continuity 24
7.5.8 Audit trails 24
7.5.9 Disposal of equipment 24
7.6 Networks 24
7.6.1 Network integrity 24
7.6.2 Access control 25
7.6.3 Dial-up connection 25
7.6.4 Network equipment 25
7.6.5 Change 25
7.6.6 Connection with other networks 26
7.6.7 Network monitoring 26
7.6.8 Protection during transmission 26
7.6.9 Network availability 26
7.6.10 Audit trails 27
7.6.11 Firewalls 27
7.7 Software 29
7.7.1 Applications 29
7.7.2 Databases 30
7.7.3 Artificial intelligence (AI) 30
7.7.4 System software 30
7.7.5 Application testing 30
7.7.6 Defective software 31
7.7.7 Change 31
7.7.8 Availability of software code 31
7.7.9 Unlicensed software 31
7.7.10 Ownership rights 32
7.7.11 Viruses 32
7.7.12 Memory-resident programs 32
7.7.13 Telecommuting 32
7.7.14 Software supplied to customers 33
7.7.15 Software used to contact customers 33
7.7.16 Applets, Java and software from external sources 33
7.8 Human factors 34
7.8.1 Awareness 34
7.8.2 Management 35
7.8.3 Unauthorized use of information resources 35
7.8.4 Hiring practices 35
7.8.5 Ethics policy 35
7.8.6 Disciplinary policy 35
7.8.7 Fraud detection 36
7.8.8 Knowledge of the employee 36
7.8.9 Former employees 36
7.8.10 Telecommuting 36
7.9 Voice, telephone and other equipment 37
7.9.1 Voice mail system access 37
7.9.2 PBX (private branch exchange) 37
7.9.3 Speech 38
7.9.4 Interception 38
7.9.5 Business continuity 38
7.9.6 Documentation 38
7.9.7 Voice response units (VRU) (Audiotel) 38
7.10 Facsimile and image 39
7.10.1 Modification 39
7.10.2 Repudiation 39
7.10.3 Misrouting of messages 39
7.10.4 Disclosure 40
7.10.5 Business continuity 40
7.10.6 Denial of service 40
7.10.7 Document retention 40
7.11 Electronic mail 40
7.11.1 Authorized users 41
7.11.2 Physical protection 41
7.11.3 Transaction integrity 41
7.11.4 Disclosure 41
7.11.5 Business continuity 41
7.11.6 Message retention 41
7.11.7 Receipt of messages 42
7.12 Paper documents 42
7.12.1 Modification 42
7.12.2 Viewing 42
7.12.3 Storage facilities 42
7.12.4 Destruction 42
7.12.5 Business continuity 43
7.12.6 Retention of evidence 43
7.12.7 Labelling 43
7.12.8 Forged documents 43
7.12.9 Output distribution procedures 43
7.13 Microform and other media storage 43
7.13.1 Disclosure 44
7.13.2 Destruction 44
7.13.3 Business continuity 44
7.13.4 Environment 44
7.14 Financial transaction cards 44
7.14.1 Physical security 45
7.14.2 Internal abuse 45
7.14.3 PIN transport 45
7.14.4 Personnel 45
7.14.5 Audit 45
7.14.6 Implementation 45
7.14.7 Card counterfeiting prevention 45
7.15 Automated teller machines 46
7.15.1 User identification 46
7.15.2 Authenticity of information 46
7.15.3 Disclosure of information 46
7.15.4 Fraud prevention 46
7.15.5 Maintenance and service 47
7.16 Electronic funds transfers 47
7.16.1 Unauthorized source 47
7.16.2 Unauthorized modifications 47
7.16.3 Message replay 47
7.16.4 Record retention 48
7.16.5 Legal basis of payments 48
7.17 Cheques 48
7.18 Electronic commerce 48
7.18.1 New customers 48
7.18.2 Integrity 48
7.19 Electronic money 49
7.19.1 Duplication of devices (cloning) 49
7.19.2 Alteration or duplication of data or software 50
7.19.3 Alteration of messages 51
7.19.4 Replay or duplication of transactions 51
7.19.5 Misappropriation of devices 51
7.19.6 Repudiation 52
7.19.7 Malfunction 52
7.19.8 Cryptography-related problems 52
7.19.9 Criminal activities 53
7.20 Miscellaneous 53
7.20.1 The year 2000 53
7.20.2 Steganography – covert channels 53
8 Implementation of cryptographic controls 54
8.1 Implementing encryption 54
8.1.1 What should be encrypted? 54
8.1.2 How to encrypt? 54
8.2 Implementing message authentication codes (MAC) 57
8.2.1 MAC control 57
8.2.2 When to apply a MAC? 57
8.2.3 Selection of algorithms 57
8.3 Implementing digital signatures 57
8.3.1 Method of creating digital signatures 58
8.3.2 Certification 58
8.3.3
...