These Directions aim to improve safety and security of the payment systems operated by PSOs by providing a framework for overall information security preparedness with an emphasis on cyber resilience.
a. Policies, procedures and controls that address access privileges as well as administration of access rights must be established.
b. All individuals having access to the IT environment of the PSO shall be assigned a digital identity, which shall be maintained and monitored until termination of access.
c. Default authentication settings (including default credentials) in systems / software / services shall be deactivated or changed before they are rolled out to the live environment.
d. Access to systems and different environments (development, test, production, etc.) shall be granted on a need-to-have and need-to-know basis, following the principle of least privilege.
e. The use of privileged accounts shall be with multi-factor authentication and tightly monitored. Appropriate controls, including rotation policy, shall be implemented.
f. Necessary security controls, including a centralised mechanism to whitelist / blacklist devices, shall be put in place to ensure secure use of removable media and portable devices (e.g. smartphones, laptops, etc.).
g. In case of remote / work from home situations, adequate precautions, including multi-factor authentication mechanism, shall be in place.
h. The PSO shall define and implement procedures that limit, lock and terminate system and remote sessions after a pre-defined period of inactivity.
i. The PSO shall have physical and environmental safeguards, with periodic testing, to protect access to its information assets from natural disasters and other threats.