
INFORMATION SECURITY MANAGEMENT

SECURITY & ADMINISTRATION COMPLIANCE REQUIREMENTS

For ECC (Electronic Checks Clearance system)

Template:
Date:
Prepared by: Ala Zayadeen, Information Security Officer
Version:
Change reference:
Reviewers: Name: ; Position: Information Security Manager
Distribution and storage: Copy No.: ; In custody of: Information Security Management
Location: Documentation Server of Group Risk Management. Hard copies were distributed to the related departments.
Approval to issue: Head of Group Risk Management

TABLE OF CONTENTS
1. AUTHENTICATION & PASSWORD RULES
2. ACCESS CONTROL
3. AUDIT TRAIL & LOGGING
4. AUDITING REPORTS
5. ON REQUEST REPORTS
6. SEGREGATION OF DUTIES & ENTITLEMENTS
7. ENCRYPTION

1. AUTHENTICATION & PASSWORD RULES

Requirement questions (the form has a Comply column, left blank for the response, and a Clarification column; the clarification given for each item follows it)

1. The user must be forced to change the password at the first login to the system.
   Clarification: No one can know his/her password.
2. The user must be forced to change the password regularly, every 30 days.
   Clarification: No one can know his/her password.
3. The minimum password length must be 8 characters, and the password must be alphanumeric and complex.
   Clarification: Password must be complex.
4. The user must be locked automatically if an incorrect password is tried three times.
   Clarification: Protect against failed logins and unauthorized attempts.
5. Passwords must never be stored in clear text; they must be encrypted by the system so that nobody, not even system administrators, can know them.
   Clarification: No one can know the password (confidentiality).
6. Users must be able to change their password at any time.
   Clarification: Flexibility and level of protection.
7. The user ID must be blocked automatically if not used for a period exceeding 40 days; this applies to normal users, not to system or administrator IDs.
   Clarification: Covers the case where the admin forgot to disable or delete the user ID.
8. The user must be locked automatically the next day if he does not log in to the system on the same day the password was granted or reset.
   Clarification: Another protection level.
9. The system must give an alert message seven days before the password expiration date to remind the user to change his/her password.
   Clarification: Alerting procedure and awareness.
10. The system must reject passwords that have been used in the last six changes.
   Clarification: Not to use the same passwords again.
11. Transmission of passwords across the network must be in encrypted form.
   Clarification: To avoid sniffing of clear-text passwords.
12. The system has to be integrated with a standard LDAP server, such as IBM Tivoli Directory.
   Clarification: To ensure authentication.
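The following is an added example, not code from the ECC system or from this document, showing how requirements 1 to 5 and 7 to 10 above translate into enforcement logic. It stores passwords as salted PBKDF2 hashes (the usual way to satisfy "nobody can know passwords", stated here as encryption), and its reading of "complicated" as requiring a non-alphanumeric character is an assumption; the Account class, status strings and user IDs are constructed for the example.

```python
import hashlib, os, re
from datetime import datetime, timedelta
# Policy parameters taken from requirements 2, 3, 4, 7, 9 and 10 above.
MIN_LEN, MAX_FAILS, HISTORY, MAX_AGE, WARN_DAYS, INACTIVE_DAYS = 8, 3, 6, 30, 7, 40
def is_complex(pw):
    # Req. 3: 8+ characters with letters and digits; requiring a symbol too is this example's reading of "complicated".
    return (len(pw) >= MIN_LEN and bool(re.search(r"[A-Za-z]", pw))
            and bool(re.search(r"[0-9]", pw)) and bool(re.search(r"[^A-Za-z0-9]", pw)))
def hash_pw(pw, salt=None):
    # Req. 5 and 11: keep only a salted PBKDF2 hash, so nobody (administrators included) can read the password.
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)

class Account:
    def __init__(self, user_id, initial_pw, now):
        self.user_id, self.fails, self.locked, self.last_login = user_id, 0, False, None
        self.history = []          # (salt, hash) of the last six passwords, newest last
        self.must_change = True    # Req. 1: change forced at first login
        self.pw_set_at = now       # when the password was granted or last reset
        self._store(initial_pw)

    def _store(self, pw):
        self.history = (self.history + [hash_pw(pw)])[-HISTORY:]

    def change_password(self, new_pw, now):
        # Req. 3 and 10: reject weak passwords and any of the last six.
        if not is_complex(new_pw) or any(hash_pw(new_pw, s)[1] == h for s, h in self.history):
            return False
        self._store(new_pw)
        self.pw_set_at, self.must_change = now, False
        return True

    def login(self, pw, now):
        # Returns "locked", "bad-password", "must-change", "expiring-soon" or "ok".
        if self.locked:
            return "locked"
        idle_since = self.last_login or self.pw_set_at
        # Req. 7: idle for more than 40 days; Req. 8: no login on the day the password was issued.
        if (now - idle_since).days > INACTIVE_DAYS or (self.last_login is None and now.date() > self.pw_set_at.date()):
            self.locked = True
            return "locked"
        salt, h = self.history[-1]
        if hash_pw(pw, salt)[1] != h:
            self.fails += 1
            self.locked = self.fails >= MAX_FAILS    # Req. 4: lock after three wrong passwords
            return "locked" if self.locked else "bad-password"
        self.fails, self.last_login = 0, now
        age = (now - self.pw_set_at).days
        if self.must_change or age >= MAX_AGE:        # Req. 1 and 2
            return "must-change"
        return "expiring-soon" if age >= MAX_AGE - WARN_DAYS else "ok"   # Req. 9: warn seven days ahead
```

Requirement 6 (change at any time) is simply `change_password` being callable outside a forced change; the LDAP integration of requirement 12 is outside what this snippet shows.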

2. ACCESS CONTROL

Requirement questions (Comply column left blank; the clarification given for each item follows it)

1. User IDs must be unique.
   Clarification: Non-repudiation.
2. The preferred user ID format for bank staff must include the staff employee ID, which consists of five digits beginning with an alpha character followed by numerics.
   Clarification: Fully unified.
3. Users should not be allowed to access more than one terminal at the same time.
   Clarification: Non-repudiation.
4. Login screens for production and for development must be different; the login screen for a production system or application must include a notification that it is a production environment.

3. AUDIT TRAIL & LOGGING

Requirement questions (Comply column left blank)

1. All security-relevant events must be logged: login failures, data modification, use of privileged accounts, changes to access modules or file permissions, changes to user permissions, and use of any privileged system functions (all security administrator activities).
2. The event log should be in relational database format.
3. Security logs must be retained for a minimum of 3 months (operational controls).
4. The log should have a specified format defining what should and should not be included; it should contain date, time, terminal or workstation/node, IP address, user ID, who performed the action (admin ID), type of action, data changed, etc.
5. The system must be able to keep a history of the amendment transactions done by the security administrator for each user ID record.
6. All actions taken by users should be recorded in the system's comprehensive audit trail.

Clarification (given for the section as a whole): Traceability. Easy to follow up.

4. AUDITING REPORTS

Requirement questions (Comply column left blank)

1. System administrator changes (all activities: add, modify, delete) showing time, date, terminal, type of action, changed data before and after, and user ID.
2. Security operation changes (all activities: add, modify, delete) showing time, date, terminal, type of action, changed data before and after, and user ID.
3. Failed login attempt report showing: user ID, user name, date, time, terminal No. and IP address.
4.

Clarification (given for the section as a whole): Non-repudiation. Unauthorized attempts.
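An added example, not part of this document or of the ECC system, covering sections 3 and 4 together: a relational security log whose columns are the fields mandated in section 3 item 4, plus the two report queries and the retention floor from section 4 and section 3 item 3. The table name, column names, event names and the in-memory SQLite store are assumptions made for the example; the user name column of the failed-login report is assumed to come from a join on the users table and is left out.

```python
import sqlite3
from datetime import datetime, timedelta
RETENTION_DAYS = 90   # section 3, Req. 3: security logs kept for at least three months
# Section 3, Req. 2 and 4: one relational table whose columns are the mandated fields.
SCHEMA = """CREATE TABLE security_log (
    ts TEXT NOT NULL, terminal TEXT, ip TEXT, user_id TEXT NOT NULL,
    admin_id TEXT, action TEXT NOT NULL, old_value TEXT, new_value TEXT)"""

class SecurityLog:
    def __init__(self):
        self.db = sqlite3.connect(":memory:")   # constructed in-memory store for the example
        self.db.execute(SCHEMA)

    def record(self, ts, user_id, action, terminal, ip, admin_id=None, before=None, after=None):
        # Section 3, Req. 1 and 6: every security-relevant event is written here, whoever caused it.
        self.db.execute("INSERT INTO security_log VALUES (?,?,?,?,?,?,?,?)",
                        (ts.isoformat(), terminal, ip, user_id, admin_id, action, before, after))

    def admin_change_report(self, admin_id):
        # Section 4, Req. 1 and 2: every add/modify/delete by an administrator, with data before and after.
        return self.db.execute(
            "SELECT ts, terminal, action, old_value, new_value, user_id FROM security_log "
            "WHERE admin_id = ? AND action IN ('add', 'modify', 'delete') ORDER BY ts", (admin_id,)).fetchall()

    def failed_login_report(self):
        # Section 4, Req. 3: failed attempts with user ID, date/time, terminal and IP.
        return self.db.execute("SELECT user_id, ts, terminal, ip FROM security_log "
                               "WHERE action = 'login_failed' ORDER BY ts").fetchall()

    def purge(self, now):
        # Removes only rows older than the retention floor and returns how many were deleted.
        cutoff = (now - timedelta(days=RETENTION_DAYS)).isoformat()
        return self.db.execute("DELETE FROM security_log WHERE ts < ?", (cutoff,)).rowcount
```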

5. ON REQUEST REPORTS

Requirement questions (Comply and Clarification columns left blank)

1. All users with their authorities or privileges and the limits (if any) they are able to request, broken down by branch or department where applicable.
2. All groups/profiles with their functions, their transactions, and their privileges or entitlements.
3. All essential information on the users, sorted by branch number (if the system is used within branches) and by user ID serial.

6. SEGREGATION OF DUTIES & ENTITLEMENT

Requirement questions (Comply column left blank; the clarification given for each item follows it)

1. Authorities and duties must be segregated between the system administrator and the security administrator, to the effect that the system administrator must not be able to maintain any user's authorities/entitlements or passwords.
2. Auditing reports must be available for all types of users (security admin, system admin, users, etc.).
   Clarification: Availability.
3. Double control and supervision must exist in the system.
   Clarification: Double check.
4. Dual authorization has to exist in security administration (maker and checker).
   Clarification: Double check.

7. ENCRYPTION

Requirement questions (Comply column left blank)

1. Encryption has to be used to ensure the confidentiality and integrity of data during all phases of use. Encryption must be available when transferring all transactions from clients to application servers. Passwords must be held as cipher text in the application servers and encrypted whenever they are transferred; passwords must not be known by any staff, even the administrator, and must be encrypted in the database.
   Clarification: Confidentiality and integrity.
