Digital financial services (DFS) involves a complex ecosystem with the participation of different stakeholders such as banks, DFS providers, mobile network operators (MNOs), DFS platform providers, regulators, agents, merchants, payment service providers, device manufacturers, application developers, token service providers, original equipment manufacturers (OEMs), and clients. The interconnectedness of these entities and reliance on several parties in the ecosystem extends the security boundaries beyond the DFS provider to customers, network providers, mobile phone manufacturers, and other third-party providers in the ecosystem.
A DFS security assurance framework identifies the security threats and vulnerabilities facing the applicable DFS stakeholders. Regulators including telecom authorities, banking, and payment regulators could also make use of the DFS security assurance framework to establish security baselines for the DFS providers as well.
The framework, when implemented, would complement established risk and information security management practices of the stakeholders involved in the DFS ecosystem. For example, the security controls in this Recommendation can be included as part of the information and communication technology (ICT) security programme of the DFS provider.
Recommendation ITU-T X.1150 describes a DFS security assurance framework which provides a systematic security risk management process to assess threats and vulnerabilities and identifies appropriate security controls to be implemented by the DFS stakeholders. Threats related to merchants, payment service providers and other financial services organizations and the specific mitigations for addressing the threats that they face are out of scope for this Recommendation.
The DFS security assurance framework consists of the following components:
a)A security risk management process based on ISO/IEC 27005.
b)Assessment of threats and vulnerabilities to the underlying infrastructure of the mobile network operator and DFS provider, DFS applications, services, network operations and third-party providers involved in the ecosystem for DFS delivery.
c)Mitigation strategies based on the outcome of (b) above. The mitigation measures identify 119 security controls requirements for security threats which are outlined in clause 13 of this Recommendation.
|